https://webkitgtk.org/security/WSA-2019-0006.html adds: CVE-2019-8710, CVE-2019-8743, CVE-2019-8764, CVE-2019-8766, CVE-2019-8782, CVE-2019-8783, CVE-2019-8808, CVE-2019-8811, CVE-2019-8812, CVE-2019-8813, CVE-2019-8814, CVE-2019-8815, CVE-2019-8816, CVE-2019-8819, CVE-2019-8820, CVE-2019-8820.

Comment 2 Mart Raudsepp 2019-11-17 19:34:26 UTC

The problems the bump would cause as explained in https://mail.gnome.org/archives/distributor-list/2019-October/msg00000.html need to be addressed first

Comment 3 Mart Raudsepp 2019-11-17 22:08:54 UTC

*** Bug 698438 has been marked as a duplicate of this bug. ***

Well what about at least getting it under a mask explaining the issue so that there is at least a possibility for users to have a secure version (without using an overlay, like I do)?

pretty sad that this is still sitting here. even friggin debian upgraded stable to 2.26.2 on Tue, 12 Nov 2019. it's been more than 5 weeks since then and absolutely no progress here, no patched package, no package with blockers, no masked package, no bug dependency changes. if there is need to have revdeps patched for whatever reason, then fine, get that done. it's unbefitting to sit around and wait for them to be exploited.

Created attachment 600536 [details, diff]
webkit-gtk-2.26.2 with Evolution and Geary compatibility patch

Here's my solution to the bug. I've been using it in a local overlay from quite some time now.

Adds webkit-gtk-2.26.2 with a 'evo' useflag. When it's enabled, the patch Gnome put out to maintain compatibility with older versions of Evolution and Geary will be applied (https://mail.gnome.org/archives/distributor-list/2019-October/txtjJmNLXFcOQ.txt). The Evolution or Geary ebuilds will force this useflag on but if you have no interest in either mail client then you can disable the useflag and the patch wont be applied.

First time I've attempted a patch against the main Gentoo repository so I apologize in advance if I haven't followed proper procedure.

Tested on a amd64 machine

Signed-off-by: Jason Lethbridge <lethbridgejason@gmail.com>

Comment 7 Larry the Git Cow 2019-12-29 14:45:06 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0a846e963e87ae6a37a037c447326831d003ad9b

commit 0a846e963e87ae6a37a037c447326831d003ad9b
Author:     Mart Raudsepp <leio@gentoo.org>
AuthorDate: 2019-12-29 13:50:40 +0000
Commit:     Mart Raudsepp <leio@gentoo.org>
CommitDate: 2019-12-29 14:39:13 +0000

    mail-client/evolution: make compatible with webkit-gtk-2.26
    
    Bug: https://bugs.gentoo.org/699156
    Package-Manager: Portage-2.3.79, Repoman-2.3.12
    Signed-off-by: Mart Raudsepp <leio@gentoo.org>

 mail-client/evolution/evolution-3.32.5-r1.ebuild   | 155 +++++++++++++++++++++
 .../files/3.32.5-webkitgtk-2.26-compat.patch       |  26 ++++
 2 files changed, 181 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=24be9040864532714aeeb3b5b35d73e7aa03db33

commit 24be9040864532714aeeb3b5b35d73e7aa03db33
Author:     Mart Raudsepp <leio@gentoo.org>
AuthorDate: 2019-12-29 12:24:02 +0000
Commit:     Mart Raudsepp <leio@gentoo.org>
CommitDate: 2019-12-29 14:34:44 +0000

    net-libs/webkit-gtk: security bump to 2.26.2
    
    * Add unconditional sandboxing support, if available for the arch.
    * Switch IUSE=gles2 to IUSE=gles2-only, as it is an alternative to
      USE=opengl, not a co-existing one.
    * USE=wayland now requires wpebackend-fdo and co for
      accelerated compositing under wayland, if opengl is enabled.
    * Re-enable IUSE=+jumbo-build for unified source builds - it was
      unconditionally enabled before, but with 2.26 disabling it
      finally seems to work. Disabling it seems to result in a 2MB
      larger library and over twice the compile time, but it may be
      crucial to low RAM systems to be able to even build webkit-gtk
      at all.
    * gtk2 plugin process is now dropped upstream - no more
      adobe-flash support.
    * geoclue is a runtime-only depend now (dbus interface).
    * GCC/clang checks updated to the best of my understanding.
    * Added ruby:2.7 support for the build-time depend on it.
    
    Bug: https://bugs.gentoo.org/699156
    Package-Manager: Portage-2.3.79, Repoman-2.3.12
    Signed-off-by: Mart Raudsepp <leio@gentoo.org>

 net-libs/webkit-gtk/Manifest                 |   1 +
 net-libs/webkit-gtk/metadata.xml             |   2 +
 net-libs/webkit-gtk/webkit-gtk-2.26.2.ebuild | 301 +++++++++++++++++++++++++++
 profiles/base/package.use.force              |   1 +
 4 files changed, 305 insertions(+)

Comment 8 Mart Raudsepp 2019-12-29 14:58:40 UTC

The stable target is 2.26.2, it may fix various other security bugs than originally reported here for 2.26.0.
Basically WSA-2019-0006 is out by now as well: https://webkitgtk.org/security/WSA-2019-0006.html
That includes security bugs that are fixed by 2.26.1 and 2.26.2

Comment 9 Agostino Sarubbo 2019-12-30 15:19:22 UTC

amd64 stable

Comment 10 Thomas Deutschmann (RETIRED) 2020-01-10 01:47:29 UTC

x86 stable

https://webkitgtk.org/security/WSA-2020-0001.html Came out ~today, I guess it should be filed in another ticket?

Comment 12 Stabilization helper bot 2020-02-06 10:01:28 UTC

An automated check of this bug failed - the following atom is unknown:

net-libs/webkit-gtk-2.26.2

Please verify the atom list.

Comment 13 Mart Raudsepp 2020-03-12 20:09:41 UTC

2.26.4 stable on arm64

Comment 14 Mart Raudsepp 2020-03-12 20:10:27 UTC

cleanup can't be done due to pending keywording bug 704182

Comment 15 Thomas Deutschmann (RETIRED) 2020-03-15 04:36:49 UTC

Added to an existing GLSA.

Comment 16 GLSAMaker/CVETool Bot 2020-03-15 04:44:35 UTC

This issue was resolved and addressed in
 GLSA 202003-22 at https://security.gentoo.org/glsa/202003-22
by GLSA coordinator Thomas Deutschmann (whissi).

Comment 17 Sam James 2020-05-07 00:58:53 UTC

Reopening because cleanup was not completed.

Comment 18 NATTkA bot 2020-05-07 01:00:44 UTC

Unable to check for sanity:

> no match for package: net-libs/webkit-gtk-2.26.2

Comment 19 Larry the Git Cow 2020-07-19 06:00:14 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5006f73937044695f6a1317de58ef80d12b19b7a

commit 5006f73937044695f6a1317de58ef80d12b19b7a
Author:     Mart Raudsepp <leio@gentoo.org>
AuthorDate: 2020-07-19 05:58:49 +0000
Commit:     Mart Raudsepp <leio@gentoo.org>
CommitDate: 2020-07-19 05:59:37 +0000

    net-libs/webkit-gtk: remove old
    
    Bug: https://bugs.gentoo.org/699156
    Bug: https://bugs.gentoo.org/712260
    Bug: https://bugs.gentoo.org/732104
    Package-Manager: Portage-2.3.84, Repoman-2.3.20
    Signed-off-by: Mart Raudsepp <leio@gentoo.org>

 net-libs/webkit-gtk/Manifest                       |   3 -
 .../files/2.26.2-fix-arm-non-unified-build.patch   |  27 --
 net-libs/webkit-gtk/files/2.26.3-fix-gtk-doc.patch |  27 --
 .../webkit-gtk/files/2.28.2-fix-ppc64-JSC.patch    |  59 -----
 .../files/2.28.2-fix-yelp-desktopless-build.patch  |  53 ----
 .../files/2.28.2-use-gst-audiointerleave.patch     |  55 ----
 .../files/webkit-gtk-2.24.4-icu-65.patch           |  53 ----
 net-libs/webkit-gtk/metadata.xml                   |   4 -
 net-libs/webkit-gtk/webkit-gtk-2.24.4.ebuild       | 283 --------------------
 net-libs/webkit-gtk/webkit-gtk-2.26.4-r1.ebuild    | 286 --------------------
 net-libs/webkit-gtk/webkit-gtk-2.28.2.ebuild       | 293 ---------------------
 11 files changed, 1143 deletions(-)

Comment 20 Sam James 2020-07-19 11:26:19 UTC

All done, thanks. Closing.