Bug 205683 - www/webkit-gtk2 - Multiple vulnerabilities
Summary: www/webkit-gtk2 - Multiple vulnerabilities
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Only Me
Assignee: Koop Mast
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-12-29 03:10 UTC by Sevan Janiyan
Modified: 2016-02-04 11:15 UTC (History)
3 users (show)

See Also:
bugzilla: maintainer-feedback? (gnome)


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sevan Janiyan 2015-12-29 03:10:29 UTC
http://webkitgtk.org/security/WSA-2015-0002.html
Comment 1 Mark Felder freebsd_committer 2016-01-08 18:51:37 UTC
adding ports-secteam to CC
Comment 2 Koop Mast freebsd_committer 2016-01-31 22:36:47 UTC
I took a look at the massive list, and only are patches of two or three CVE's. The rest are all about apple iOS/xOS with no patches.

The question I have for the port-secteam are:
1) I can't really patch these... but if they are apple CVE's should we care?
2) So should I list them in the vuxml?
Comment 3 Mark Felder freebsd_committer 2016-02-03 16:29:53 UTC
we should only add entries to vuxml that actually affect FreeBSD
Comment 4 commit-hook freebsd_committer 2016-02-04 11:04:36 UTC
A commit references this bug:

Author: kwm
Date: Thu Feb  4 11:03:34 UTC 2016
New revision: 408023
URL: https://svnweb.freebsd.org/changeset/ports/408023

Log:
  Document webkit CVE-2014-1748.

  If people look at the announcement, CVE-2014-3192 is already fixed. This
  CVE was against chromium, and the same code in 2.4.9 is in webkit trunk
  so I assume it already fixed.

  CVE-2013-6663 is for webkit < 2.4.0, and the rest of the CVE's are for
  apple products without any attached patches.

  PR:		205683
  Obtained from:	http://webkitgtk.org/security/WSA-2015-0002.html

Changes:
  head/security/vuxml/vuln.xml
Comment 5 commit-hook freebsd_committer 2016-02-04 11:10:38 UTC
A commit references this bug:

Author: kwm
Date: Thu Feb  4 11:09:49 UTC 2016
New revision: 408024
URL: https://svnweb.freebsd.org/changeset/ports/408024

Log:
  Fix CVE-2014-1748.

  PR:		205683
  Security:	1091d2d1-cb2e-11e5-b14b-bcaec565249c

Changes:
  head/www/webkit-gtk2/Makefile
  head/www/webkit-gtk2/files/patch-CVE-2014-1748
  head/www/webkit-gtk3/Makefile
  head/www/webkit-gtk3/files/patch-CVE-2014-1748
Comment 6 Koop Mast freebsd_committer 2016-02-04 11:15:08 UTC
Fix, thanks for the headup!