Bug 627554 - net-misc/icaclient: still depends on net-libs/webkit-gtk:2
Summary: net-misc/icaclient: still depends on net-libs/webkit-gtk:2
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Lars Wendler (Polynomial-C)
Blocks: CVE-2016-1723, CVE-2016-1724, CVE-2016-1725, CVE-2016-1726, CVE-2016-1727, CVE-2016-1728
Reported: 2017-08-11 16:44 UTC by Andrea De Pasquale
Modified: 2018-02-13 13:42 UTC
Description Andrea De Pasquale 2017-08-11 16:44:35 UTC
icaclient-13.6.0.10243651.ebuild contains RDEPEND="net-libs/webkit-gtk:2"

glsa-check reports net-libs/webkit-gtk-2.4.11-r200:2 as having multiple vulnerabilities (GLSA 201706-15 https://security.gentoo.org/glsa/201706-15)

I tried to change RDEPEND to use latest net-libs/webkit-gtk:4 and it works just fine.
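The check the reporter describes (spotting an ebuild whose RDEPEND pulls in a package:slot that glsa-check flags) can be scripted. The following is an added example, not code from the bug report, the icaclient ebuild or Gentoo's tooling. It parses a constructed RDEPEND string (modelled on the one quoted above, with the webkit-gtk:2 atom placed under a hypothetical `selfservice` USE conditional), resolves each atom to its category/package and slot while tracking USE-conditional and any-of groups, and compares the result against a constructed table of vulnerable (package, slot) pairs that holds only the GLSA named in this report. It also shows the fixed form with the dependency removed, which is how the bug was resolved.

```python
import re

# Constructed sample ebuild fragment modelled on the RDEPEND quoted in the
# report; the USE flag "selfservice" is an assumption, and this is NOT the
# real net-misc/icaclient ebuild.
SAMPLE_EBUILD = '''
EAPI=6
RDEPEND="
    dev-libs/glib:2
    x11-libs/gtk+:2
    >=net-libs/libsoup-2.4:2.4
    selfservice? ( net-libs/webkit-gtk:2 )
"
'''

# Same fragment with the webkit-gtk:2 dependency dropped (constructed; the
# bug was resolved by removing the dependency and the old versions).
FIXED_EBUILD = SAMPLE_EBUILD.replace(
    "    selfservice? ( net-libs/webkit-gtk:2 )\n", "")

# (category/package, slot) pairs taken from glsa-check output; constructed,
# only the advisory this report cites is filled in.
VULNERABLE_SLOTS = {
    ("net-libs/webkit-gtk", "2"): "GLSA 201706-15",
}


def extract_rdepend(ebuild_text):
    """Return the body of the first RDEPEND="..." assignment, or ""."""
    m = re.search(r'^RDEPEND="([^"]*)"', ebuild_text, re.M)
    return m.group(1) if m else ""


def parse_atom(tok, conditions):
    """Split one dependency atom into its category/package and slot.

    Handles version operators (>=cat/pkg-1.2), USE dependencies ([x,-y]),
    slot and sub-slot syntax (:2, :2/37=, :=, :*).  Version suffixes are
    only stripped when an operator is present, since package names may
    themselves contain hyphens (e.g. webkit-gtk).
    """
    body = re.sub(r"\[[^\]]*\]$", "", tok)          # drop [use,deps]
    op = re.match(r"[<>=~!]*", body).group(0)
    body = body[len(op):]
    pkg, _, slot = body.partition(":")
    if op.strip("!"):                                # operator => version present
        pkg = re.sub(r"-\d[\w.]*?(?:-r\d+)?$", "", pkg)
    slot = slot.split("/")[0].rstrip("=*")          # keep main slot only
    return {"pkg": pkg, "slot": slot or None, "conditions": conditions}


def parse_deps(dep_string):
    """Walk a *DEPEND string, recording which USE / any-of group each atom is in."""
    deps, stack, pending = [], [], None
    for tok in dep_string.split():
        if tok.endswith("?"):                       # USE conditional: flag? ( ... )
            pending = tok[:-1]
        elif tok == "||":                            # any-of group: || ( a b )
            pending = "||"
        elif tok == "(":
            stack.append(pending)
            pending = None
        elif tok == ")":
            stack.pop()
        elif tok.startswith("!"):                    # blocker: nothing gets installed
            continue
        elif "/" in tok:
            deps.append(parse_atom(tok, tuple(c for c in stack if c)))
    return deps


def find_vulnerable(deps, vulnerable):
    """Attach the advisory id to every dep whose (pkg, slot) is in the table."""
    return [dict(d, advisory=vulnerable[(d["pkg"], d["slot"])])
            for d in deps if (d["pkg"], d["slot"]) in vulnerable]


def audit(ebuild_text, vulnerable=VULNERABLE_SLOTS):
    return find_vulnerable(parse_deps(extract_rdepend(ebuild_text)), vulnerable)


if __name__ == "__main__":
    for label, text in (("original", SAMPLE_EBUILD), ("fixed", FIXED_EBUILD)):
        hits = audit(text)
        print(f"{label}: {len(hits)} vulnerable RDEPEND atom(s)")
        for h in hits:
            cond = f" (only with USE={','.join(h['conditions'])})" if h["conditions"] else ""
            print(f"  {h['pkg']}:{h['slot']} -> {h['advisory']}{cond}")
```

The `conditions` field is what distinguishes the two outcomes discussed later in the thread: an atom with an empty tuple is an unconditional runtime dependency, while one under a USE flag or inside an any-of group is the "optional for most users" case, which still gets reported because glsa-check flags whatever ends up installed.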
Comment 1 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-08-11 17:06:04 UTC

https://github.com/gentoo/gentoo/pull/5391

for the ebuild updates

Thanks,

Gentoo Security Padawan
ChrisADR
Comment 2 Mart Raudsepp gentoo-dev 2017-08-12 03:40:22 UTC
There is no way webkit-gtk:4 can be correct, as there is a gtk+:2 dependency, not gtk+:3 dependency. Either that is wrong too, or it just happens to work due to webkit-gtk:2 being optional in the binary, as already concluded in bug 580974 and 579722. selfservice component won't work without webkit-gtk:2 or something; it also won't work with webkit-gtk:4, as you can't mix webkit-gtk:4 and gtk+:2.
Comment 3 Mart Raudsepp gentoo-dev 2017-08-13 09:02:00 UTC
Why is this a security@ bug btw? webkit-gtk:2 cleanup is already tracked in bug 577068 by security@
Comment 4 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-08-13 16:46:13 UTC
(In reply to Mart Raudsepp from comment #3)
> Why is this a security@ bug btw? webkit-gtk:2 cleanup is already tracked in
> bug 577068 by security@

Indeed the cleanup is being done in bug 577068 and I'm adding this report to the list.

The main reason is that the ebuild contains a vulnerable RDEP (even if it is optional for most of the users); this means that we need to either inform the users that they are installing a package with vulnerable RDEPS or remove that additional feature from the ebuild in order to have a vulnerability-free package.

Thanks,

Gentoo Security Padawan
ChrisADR
Comment 5 Pacho Ramos gentoo-dev 2017-12-03 14:46:14 UTC
This would also indicate this can work without webkit-gtk:
https://forums.fedoraforum.org/showthread.php?316157-Citrix-Receiver-(ICAClient)-in-Fedora-27
Comment 6 Mart Raudsepp gentoo-dev 2017-12-05 10:45:35 UTC
Yes, it will work fine without webkit-gtk. But probably not the selfservice component.
That fedora thread still can't possibly be right about webkit-gtk:4 being useful for it.
Maybe just please remove the dependency, if the main functionality then still works, and deal with any fallout (from unusable selfservice component if so, or anything else) by pointing reporters to complain to the binary package upstream.
Comment 7 Pacho Ramos gentoo-dev 2018-02-13 13:42:18 UTC
This was fixed one month ago and old versions removed.