Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 699156 (CVE-2019-8625, CVE-2019-8674, CVE-2019-8707, CVE-2019-8710, CVE-2019-8719, CVE-2019-8720, CVE-2019-8726, CVE-2019-8733, CVE-2019-8735, CVE-2019-8743, CVE-2019-8763, CVE-2019-8764, CVE-2019-8765, CVE-2019-8766, CVE-2019-8768, CVE-2019-8769, CVE-2019-8771, CVE-2019-8782, CVE-2019-8783, CVE-2019-8808, CVE-2019-8811, CVE-2019-8812, CVE-2019-8813, CVE-2019-8814, CVE-2019-8815, CVE-2019-8816, CVE-2019-8819, CVE-2019-8820, CVE-2019-8821, CVE-2019-8822, CVE-2019-8823, WSA-2019-0005, WSA-2019-0006) - <net-libs/webkit-gtk-2.26.2: multiple vulnerabilities (WSA-2019-{0005,0006})
Summary: <net-libs/webkit-gtk-2.26.2: multiple vulnerabilities (WSA-2019-{0005,0006})
Status: IN_PROGRESS
Alias: CVE-2019-8625, CVE-2019-8674, CVE-2019-8707, CVE-2019-8710, CVE-2019-8719, CVE-2019-8720, CVE-2019-8726, CVE-2019-8733, CVE-2019-8735, CVE-2019-8743, CVE-2019-8763, CVE-2019-8764, CVE-2019-8765, CVE-2019-8766, CVE-2019-8768, CVE-2019-8769, CVE-2019-8771, CVE-2019-8782, CVE-2019-8783, CVE-2019-8808, CVE-2019-8811, CVE-2019-8812, CVE-2019-8813, CVE-2019-8814, CVE-2019-8815, CVE-2019-8816, CVE-2019-8819, CVE-2019-8820, CVE-2019-8821, CVE-2019-8822, CVE-2019-8823, WSA-2019-0005, WSA-2019-0006
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal with 1 vote (vote)
Assignee: Gentoo Security
URL: https://webkitgtk.org/security/WSA-20...
Whiteboard: A2 [stable cve]
Keywords: STABLEREQ
: 698438 (view as bug list)
Depends on: 704182 704438
Blocks: 705264
  Show dependency tree
 
Reported: 2019-11-02 13:12 UTC by Haelwenn Monnier
Modified: 2020-02-06 10:01 UTC (History)
7 users (show)

See Also:
Package list:
gui-libs/libwpe-1.4.0.1 gui-libs/wpebackend-fdo-1.4.0 sys-apps/xdg-dbus-proxy-0.1.2 net-libs/webkit-gtk-2.26.2
Runtime testing required: ---
stable-bot: sanity-check-


Attachments
webkit-gtk-2.26.2 with Evolution and Geary compatibility patch (0001-net-libs-webkit-gtk-bump-to-2.26.2-with-evolution-pa.patch,17.07 KB, patch)
2019-12-23 14:33 UTC, Jason Lethbridge
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Haelwenn Monnier 2019-11-02 13:12:41 UTC
Listed in the title are the security vulnerabilities which affect webkit-gtk before 2.26.0 as the current version in the tree is 2.24.4 and they are unpatched.

Reproducible: Always
Comment 1 Haelwenn Monnier 2019-11-10 08:22:21 UTC
https://webkitgtk.org/security/WSA-2019-0006.html adds: CVE-2019-8710, CVE-2019-8743, CVE-2019-8764, CVE-2019-8766, CVE-2019-8782, CVE-2019-8783, CVE-2019-8808, CVE-2019-8811, CVE-2019-8812, CVE-2019-8813, CVE-2019-8814, CVE-2019-8815, CVE-2019-8816, CVE-2019-8819, CVE-2019-8820, CVE-2019-8820.
Comment 2 Mart Raudsepp gentoo-dev 2019-11-17 19:34:26 UTC
The problems the bump would cause as explained in https://mail.gnome.org/archives/distributor-list/2019-October/msg00000.html need to be addressed first
Comment 3 Mart Raudsepp gentoo-dev 2019-11-17 22:08:54 UTC
*** Bug 698438 has been marked as a duplicate of this bug. ***
Comment 4 Haelwenn Monnier 2019-11-18 04:50:11 UTC
Well what about at least getting it under a mask explaining the issue so that there is at least a possibility for users to have a secure version (without using an overlay, like I do)?
Comment 5 Alex Xu (Hello71) 2019-12-21 04:32:24 UTC
pretty sad that this is still sitting here. even friggin debian upgraded stable to 2.26.2 on Tue, 12 Nov 2019. it's been more than 5 weeks since then and absolutely no progress here, no patched package, no package with blockers, no masked package, no bug dependency changes. if there is need to have revdeps patched for whatever reason, then fine, get that done. it's unbefitting to sit around and wait for them to be exploited.
Comment 6 Jason Lethbridge 2019-12-23 14:33:38 UTC
Created attachment 600536 [details, diff]
webkit-gtk-2.26.2 with Evolution and Geary compatibility patch

Here's my solution to the bug. I've been using it in a local overlay from quite some time now.

Adds webkit-gtk-2.26.2 with a 'evo' useflag. When it's enabled, the patch Gnome put out to maintain compatibility with older versions of Evolution and Geary will be applied (https://mail.gnome.org/archives/distributor-list/2019-October/txtjJmNLXFcOQ.txt). The Evolution or Geary ebuilds will force this useflag on but if you have no interest in either mail client then you can disable the useflag and the patch wont be applied.

First time I've attempted a patch against the main Gentoo repository so I apologize in advance if I haven't followed proper procedure.

Tested on a amd64 machine

Signed-off-by: Jason Lethbridge <lethbridgejason@gmail.com>
Comment 7 Larry the Git Cow gentoo-dev 2019-12-29 14:45:06 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0a846e963e87ae6a37a037c447326831d003ad9b

commit 0a846e963e87ae6a37a037c447326831d003ad9b
Author:     Mart Raudsepp <leio@gentoo.org>
AuthorDate: 2019-12-29 13:50:40 +0000
Commit:     Mart Raudsepp <leio@gentoo.org>
CommitDate: 2019-12-29 14:39:13 +0000

    mail-client/evolution: make compatible with webkit-gtk-2.26
    
    Bug: https://bugs.gentoo.org/699156
    Package-Manager: Portage-2.3.79, Repoman-2.3.12
    Signed-off-by: Mart Raudsepp <leio@gentoo.org>

 mail-client/evolution/evolution-3.32.5-r1.ebuild   | 155 +++++++++++++++++++++
 .../files/3.32.5-webkitgtk-2.26-compat.patch       |  26 ++++
 2 files changed, 181 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=24be9040864532714aeeb3b5b35d73e7aa03db33

commit 24be9040864532714aeeb3b5b35d73e7aa03db33
Author:     Mart Raudsepp <leio@gentoo.org>
AuthorDate: 2019-12-29 12:24:02 +0000
Commit:     Mart Raudsepp <leio@gentoo.org>
CommitDate: 2019-12-29 14:34:44 +0000

    net-libs/webkit-gtk: security bump to 2.26.2
    
    * Add unconditional sandboxing support, if available for the arch.
    * Switch IUSE=gles2 to IUSE=gles2-only, as it is an alternative to
      USE=opengl, not a co-existing one.
    * USE=wayland now requires wpebackend-fdo and co for
      accelerated compositing under wayland, if opengl is enabled.
    * Re-enable IUSE=+jumbo-build for unified source builds - it was
      unconditionally enabled before, but with 2.26 disabling it
      finally seems to work. Disabling it seems to result in a 2MB
      larger library and over twice the compile time, but it may be
      crucial to low RAM systems to be able to even build webkit-gtk
      at all.
    * gtk2 plugin process is now dropped upstream - no more
      adobe-flash support.
    * geoclue is a runtime-only depend now (dbus interface).
    * GCC/clang checks updated to the best of my understanding.
    * Added ruby:2.7 support for the build-time depend on it.
    
    Bug: https://bugs.gentoo.org/699156
    Package-Manager: Portage-2.3.79, Repoman-2.3.12
    Signed-off-by: Mart Raudsepp <leio@gentoo.org>

 net-libs/webkit-gtk/Manifest                 |   1 +
 net-libs/webkit-gtk/metadata.xml             |   2 +
 net-libs/webkit-gtk/webkit-gtk-2.26.2.ebuild | 301 +++++++++++++++++++++++++++
 profiles/base/package.use.force              |   1 +
 4 files changed, 305 insertions(+)
Comment 8 Mart Raudsepp gentoo-dev 2019-12-29 14:58:40 UTC
The stable target is 2.26.2, it may fix various other security bugs than originally reported here for 2.26.0.
Basically WSA-2019-0006 is out by now as well: https://webkitgtk.org/security/WSA-2019-0006.html
That includes security bugs that are fixed by 2.26.1 and 2.26.2
Comment 9 Agostino Sarubbo gentoo-dev 2019-12-30 15:19:22 UTC
amd64 stable
Comment 10 Thomas Deutschmann gentoo-dev Security 2020-01-10 01:47:29 UTC
x86 stable
Comment 11 Haelwenn Monnier 2020-01-24 02:21:44 UTC
https://webkitgtk.org/security/WSA-2020-0001.html Came out ~today, I guess it should be filed in another ticket?
Comment 12 Stabilization helper bot gentoo-dev 2020-02-06 10:01:28 UTC
An automated check of this bug failed - the following atom is unknown:

net-libs/webkit-gtk-2.26.2

Please verify the atom list.