Bug 208192

Summary: www/webkit-gtk3: multiple vulnerabilities
Product: Ports & Packages Reporter: Sevan Janiyan <venture37>
Component: Individual Port(s) Assignee: freebsd-gnome (Nobody) <gnome>
Status: Closed Overcome By Events
Severity: Affects Only Me CC: gnome, joneum, lantw44, madpilot, pkubaj, ports-secteam, rkoberman, rm, vishwin, w.schwarzenfeld
Priority: --- Flags: rakuco: maintainer-feedback? (gnome)
Version: Latest   
Hardware: Any   
OS: Any   

Description Sevan Janiyan 2016-03-22 00:31:01 UTC
applies to the other www/webkit*-gtk* packages
http://webkitgtk.org/security/WSA-2016-0002.html
Comment 1 Raphael Kubo da Costa freebsd_committer freebsd_triage 2016-03-22 16:21:44 UTC
Over to maintainer.
Comment 2 commit-hook freebsd_committer freebsd_triage 2016-05-05 16:08:24 UTC
A commit references this bug:

Author: rm
Date: Thu May  5 16:08:09 UTC 2016
New revision: 414649
URL: https://svnweb.freebsd.org/changeset/ports/414649

Log:
  www/webkit-gtk[23]: update to 2.4.11

  - update to 2.4.11
  - fix build with Ruby 2.2 default version (ruby symlink doesn't exist anymore)
  - replace CPPFLAGS and LDFLAGS by USES= localbase
  - fix couple of whitespace bugs

  PR:		208961
  PR:     208192
  Submitted by:	olivierd
  Reviewed by:	kwm
  With hat:	gnome
  MFH:		2016Q2 (along with r414478)

  - fix build of webkit-gtk2 on ARM platforms

  PR:     208569
  Reported by:    otacilio.neto@bsd.com.br
  Submitted by:   mikael.urankar@gmail.com

  - fix build of webkit-gtk[23] when GNU binutils is installed

  PR:     195500
  PR:     196333
  Submitted by:   Christoph Moench-Tegeder <cmt@burggraben.net>

Changes:
  head/www/webkit-gtk2/Makefile
  head/www/webkit-gtk2/distinfo
  head/www/webkit-gtk2/files/patch-Source_WTF_wtf_Platform.h
  head/www/webkit-gtk2/pkg-plist
  head/www/webkit-gtk3/Makefile
  head/www/webkit-gtk3/distinfo
  head/www/webkit-gtk3/pkg-plist
Comment 3 Ruslan Makhmatkhanov freebsd_committer freebsd_triage 2016-05-05 16:21:24 UTC
Please note that 2.4.11 doesn't resolve the CVEs mentioned in the OP's link, as far as I understand.

We also have updated webkit2-gtk3 port in gnome development repository: https://github.com/freebsd/freebsd-ports-gnome/tree/gnome-3.20/www/webkit2-gtk3
It works just fine in -head and 10.x, but there _may be_ some problems in FreeBSD 9.3 with this version, that should be checked out before going to main ports tree.
Comment 4 commit-hook freebsd_committer freebsd_triage 2016-05-05 16:43:37 UTC
A commit references this bug:

Author: rm
Date: Thu May  5 16:42:57 UTC 2016
New revision: 414650
URL: https://svnweb.freebsd.org/changeset/ports/414650

Log:
  MFH: r414478 r414649

  www/webkit-gtk[23]: update to 2.4.10

  Merged from freebsd-ports-gnome development repo.

  Reviewed by:	kwm
  With hat:       gnome

  www/webkit-gtk[23]: update to 2.4.11

  - update to 2.4.11
  - fix build with Ruby 2.2 default version (ruby symlink doesn't exist anymore)
  - replace CPPFLAGS and LDFLAGS by USES= localbase
  - fix couple of whitespace bugs

  PR:		208961
  PR:     208192
  Submitted by:	olivierd
  Reviewed by:	kwm
  With hat:	gnome

  - fix build of webkit-gtk2 on ARM platforms

  PR:     208569
  Reported by:    otacilio.neto@bsd.com.br
  Submitted by:   mikael.urankar@gmail.com

  - fix build of webkit-gtk[23] when GNU binutils is installed

  PR:     195500
  PR:     196333
  Submitted by:   Christoph Moench-Tegeder <cmt@burggraben.net>

  Approved by:	ports-secteam (feld)

Changes:
_U  branches/2016Q2/
  branches/2016Q2/www/webkit-gtk2/Makefile
  branches/2016Q2/www/webkit-gtk2/distinfo
  branches/2016Q2/www/webkit-gtk2/files/patch-CVE-2014-1748
  branches/2016Q2/www/webkit-gtk2/files/patch-Source_WTF_wtf_Platform.h
  branches/2016Q2/www/webkit-gtk2/pkg-plist
  branches/2016Q2/www/webkit-gtk3/Makefile
  branches/2016Q2/www/webkit-gtk3/distinfo
  branches/2016Q2/www/webkit-gtk3/files/patch-CVE-2014-1748
  branches/2016Q2/www/webkit-gtk3/pkg-plist
Comment 5 Walter Schwarzenfeld freebsd_triage 2018-01-13 03:40:52 UTC
I think this is solved, or overcome by events.
Comment 6 Ting-Wei Lan 2018-01-13 07:58:05 UTC
WebKitGTK+ 2.4.x no longer receives security updates, so all applications depending on the www/webkit-gtk2 and www/webkit-gtk3 ports are vulnerable unless they switch to the latest version provided by www/webkit2-gtk3.

However, www/webkit2-gtk3 in FreeBSD ports is also out of date. The latest release is 2.18.5, but ports still use 2.16.6.
Comment 7 Walter Schwarzenfeld freebsd_triage 2018-01-13 08:09:57 UTC
Okay, thank you!
Comment 8 Jochen Neumeister freebsd_committer freebsd_triage 2019-02-15 18:15:41 UTC
what is the current status?
Does ports-secteam have to be active here?
Comment 9 commit-hook freebsd_committer freebsd_triage 2019-02-24 20:13:33 UTC
A commit references this bug:

Author: kwm
Date: Sun Feb 24 20:13:11 UTC 2019
New revision: 493807
URL: https://svnweb.freebsd.org/changeset/ports/493807

Log:
  Start deorbit burn for old webkit-gtk ports.

  PR:		208192

Changes:
  head/www/webkit-gtk2/Makefile
  head/www/webkit-gtk3/Makefile
Comment 10 rkoberman 2019-02-25 01:49:01 UTC
(In reply to commit-hook from comment #9)
Doesn't this mean that graphics/gimp and audio/audacity? I think this might cause a bit of upset.
Comment 11 Piotr Kubaj freebsd_committer freebsd_triage 2019-02-25 05:15:13 UTC
(In reply to rkoberman from comment #10)
I can't say for Audacity, but I have Gimp installed.

ppkubaj@KGPE-D16:$~$ doas pkg delete webkit-gtk2
Updating database digests format: 100%
Checking integrity... done (0 conflicting)
Deinstallation has been requested for the following 3 packages (of 0 packages in the universe):

Installed packages to be REMOVED:
        webkit-gtk2-2.4.11_19
        wx30-gtk2-3.0.4_5
        0ad-0.0.23b

Number of packages to be removed: 3

The operation will free 2 GiB.

Proceed with deinstalling packages? [y/N]: ^C

So Gimp won't be removed from ports, yay. Still, the loss of 0ad is also something I don't like.
Comment 12 rkoberman 2019-02-25 06:26:57 UTC
(In reply to Piotr Kubaj from comment #11)

I see that it is only needed for the HELPBROWSER option, though, so I guess you don't have it selected. It is not default, but I'd hate to have to learn gimp without it.

Audacity requires wx30-gtk2 which, in turn, requires webkit-gtk2. No options on that one.
Comment 13 Ruslan Makhmatkhanov freebsd_committer freebsd_triage 2019-02-25 09:29:49 UTC
For a long time I had these two in my poudriere configuration:

x11-toolkits_wxgtk30_UNSET=WEBKIT
graphics_gimp-app_UNSET=HELPBROWSER

I also used to play 0ad for a long time and absence of webkit-powered wxgtk doesn't affect 0ad in any way (I only played with local AI, no network games).
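The blast radius discussed in comments 10 through 13 (what `pkg delete webkit-gtk2` drags along, and why unsetting WEBKIT on wxgtk30 and HELPBROWSER on gimp-app shrinks it to the library itself) can be computed from the dependency graph rather than by running `pkg delete` and hitting Ctrl-C. The script below is an added example, not code from this bug or from the FreeBSD ports tree. On a real host the edge list comes from `pkg query '%n %dn'`, which prints one "<package> <dependency>" line per edge; here a small constructed graph using the package names from the thread is embedded so it runs offline (the exact edges, and the `gimp-app -> webkit-gtk2` edge in particular, are assumptions modelling the HELPBROWSER option being on).

```python
"""Transitive reverse-dependency walk over pkg(8)-style dependency edges.

Added example for this bug report; not part of the ports tree.
Real input: `pkg query '%n %dn'` (one "<package> <dependency>" per line).
"""
from collections import defaultdict

# Constructed sample in `pkg query '%n %dn'` format. Versions omitted.
# The gimp-app -> webkit-gtk2 edge assumes HELPBROWSER is enabled.
SAMPLE_EDGES = """\
wx30-gtk2 webkit-gtk2
wx30-gtk2 gtk2
0ad wx30-gtk2
audacity wx30-gtk2
gimp-app webkit-gtk2
gimp-app gtk2
"""


def parse_edges(text):
    """Return {package: set(direct dependencies)} from '%n %dn' lines."""
    deps = defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        pkg, dep = line.split()
        deps[pkg].add(dep)
    return deps


def reverse_index(deps):
    """Invert the graph: {dependency: set(packages that need it)}."""
    rdeps = defaultdict(set)
    for pkg, ds in deps.items():
        for d in ds:
            rdeps[d].add(pkg)
    return rdeps


def removal_set(deps, target):
    """Everything `pkg delete target` would remove: the target plus every
    package that directly or transitively depends on it."""
    rdeps = reverse_index(deps)
    seen = {target}
    stack = [target]
    while stack:
        cur = stack.pop()
        for p in rdeps.get(cur, ()):
            if p not in seen:
                seen.add(p)
                stack.append(p)
    return seen


def without_options(deps, dropped):
    """Copy of the graph with the given (package, dependency) edges removed,
    modelling a rebuild with the option that pulled in that dependency
    switched off (e.g. wxgtk30 with WEBKIT unset)."""
    out = {p: set(ds) for p, ds in deps.items()}
    for pkg, dep in dropped:
        out.get(pkg, set()).discard(dep)
    return out


if __name__ == "__main__":
    graph = parse_edges(SAMPLE_EDGES)
    print("removed with webkit-gtk2 as built:",
          sorted(removal_set(graph, "webkit-gtk2")))
    # The two UNSET lines from comment 13, expressed as dropped edges.
    trimmed = without_options(graph, [("wx30-gtk2", "webkit-gtk2"),
                                      ("gimp-app", "webkit-gtk2")])
    print("removed after WEBKIT/HELPBROWSER unset:",
          sorted(removal_set(trimmed, "webkit-gtk2")))
```

Feeding it real data is `pkg query '%n %dn' > edges.txt` and `parse_edges(open("edges.txt").read())`; the same walk answers the inverse question for any other unmaintained library by changing the target name.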
Comment 14 Guido Falsi freebsd_committer freebsd_triage 2019-02-25 11:43:07 UTC
(In reply to Piotr Kubaj from comment #11)
> (In reply to rkoberman from comment #10)
> I can't say for Audacity, but I have Gimp installed.
> 
> ppkubaj@KGPE-D16:$~$ doas pkg delete webkit-gtk2
> Updating database digests format: 100%
> Checking integrity... done (0 conflicting)
> Deinstallation has been requested for the following 3 packages (of 0
> packages in the universe):
> 
> Installed packages to be REMOVED:
>         webkit-gtk2-2.4.11_19
>         wx30-gtk2-3.0.4_5
>         0ad-0.0.23b
> 
> Number of packages to be removed: 3
> 
> The operation will free 2 GiB.
> 
> Proceed with deinstalling packages? [y/N]: ^C
> 
> So Gimp won't be removed from ports, yay. Still, the loss of 0ad is also
> something I don't like.

(0ad maintainer here)

0ad depends on wx30, that's why it is being removed.

I will check if it can work fine with wxgtk31, which is gtk3 based and links to newer webkit.

I also have other ports to fix regarding to this and they are all heavy on dependencies. The poudriere machines I have access to are all busy testing various things, so I will need a little time to test all the fixes properly.
Comment 15 Guido Falsi freebsd_committer freebsd_triage 2019-02-25 11:55:20 UTC
(In reply to Guido Falsi from comment #14)

> (0ad maintainer here)
> 
> 0ad depends on wx30, that's why it is being removed.
> 
> I will check if it can work fine with wxgtk31, which is gtk3 based and links
> to newer webkit.

Looking at the Makefiles, I notice that while we do have x11-toolkits/wxgtk31, we don't have support for it (from bsd.wx.mk):

_WX_VERS_ALL=           2.8 3.0
_WX_VERS_UC_ALL=        2.8 3.0

aren't we missing a 3.1 option there?

Should it be there? could it be added or there is some reason I'm not aware of?
Comment 16 Charlie Li freebsd_committer freebsd_triage 2019-02-25 12:33:49 UTC
wxWidgets 3.1 is a development branch. 3.0 is still the stable. Audacity (and probably others) do not work with 3.1 due to ABI breakage.

The WEBKIT option should probably be toggled off by default.
Comment 17 Guido Falsi freebsd_committer freebsd_triage 2019-02-25 14:02:52 UTC
(In reply to Charlie Li from comment #16)
> wxWidgets 3.1 is a development branch. 3.0 is still the stable. Audacity
> (and probably others) do not work with 3.1 due to ABI breakage.
> 
> The WEBKIT option should probably be toggled off by default.

I see.

Anyway it looks like r493853 addresses this and fixes 0ad and other wxgtk dependent ports for the issue at hand.
Comment 18 Tobias Kortkamp freebsd_committer freebsd_triage 2019-07-05 09:53:20 UTC
Port was removed in ports r496768.