205683 – www/webkit-gtk2 - Multiple vulnerabilities

Bug 205683 - www/webkit-gtk2 - Multiple vulnerabilities

Summary: www/webkit-gtk2 - Multiple vulnerabilities

Status:	Closed FIXED

Alias:	None

Product:	Ports & Packages
Classification:	Unclassified
Component:	Individual Port(s) (show other bugs)
Version:	Latest
Hardware:	Any Any

Importance:	--- Affects Only Me
Assignee:	Koop Mast

URL:
Keywords:

Depends on:
Blocks:

Reported:	2015-12-29 03:10 UTC by Sevan Janiyan
Modified:	2016-02-04 11:15 UTC (History)
CC List:	3 users (show)

See Also:

Flags:	bugzilla: maintainer-feedback? (gnome)

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sevan Janiyan 2015-12-29 03:10:29 UTC

http://webkitgtk.org/security/WSA-2015-0002.html

Comment 1 Mark Felder freebsd_committer

2016-01-08 18:51:37 UTC

adding ports-secteam to CC

Comment 2 Koop Mast freebsd_committer

2016-01-31 22:36:47 UTC

I took a look at the massive list, and only are patches of two or three CVE's. The rest are all about apple iOS/xOS with no patches.

The question I have for the port-secteam are:
1) I can't really patch these... but if they are apple CVE's should we care?
2) So should I list them in the vuxml?

Comment 3 Mark Felder freebsd_committer

2016-02-03 16:29:53 UTC

we should only add entries to vuxml that actually affect FreeBSD

Comment 4 commit-hook freebsd_committer

2016-02-04 11:04:36 UTC

A commit references this bug:

Author: kwm
Date: Thu Feb  4 11:03:34 UTC 2016
New revision: 408023
URL: https://svnweb.freebsd.org/changeset/ports/408023

Log:
  Document webkit CVE-2014-1748.

  If people look at the announcement, CVE-2014-3192 is already fixed. This
  CVE was against chromium, and the same code in 2.4.9 is in webkit trunk
  so I assume it already fixed.

  CVE-2013-6663 is for webkit < 2.4.0, and the rest of the CVE's are for
  apple products without any attached patches.

  PR:		205683
  Obtained from:	http://webkitgtk.org/security/WSA-2015-0002.html

Changes:
  head/security/vuxml/vuln.xml

Comment 5 commit-hook freebsd_committer

2016-02-04 11:10:38 UTC

A commit references this bug:

Author: kwm
Date: Thu Feb  4 11:09:49 UTC 2016
New revision: 408024
URL: https://svnweb.freebsd.org/changeset/ports/408024

Log:
  Fix CVE-2014-1748.

  PR:		205683
  Security:	1091d2d1-cb2e-11e5-b14b-bcaec565249c

Changes:
  head/www/webkit-gtk2/Makefile
  head/www/webkit-gtk2/files/patch-CVE-2014-1748
  head/www/webkit-gtk3/Makefile
  head/www/webkit-gtk3/files/patch-CVE-2014-1748

Comment 6 Koop Mast freebsd_committer

2016-02-04 11:15:08 UTC

Fix, thanks for the headup!