Bug 208192 - www/webkit-gtk3: multiple vulnerabilities
Summary: www/webkit-gtk3: multiple vulnerabilities
Status: Closed Overcome By Events
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Only Me
Assignee: freebsd-gnome mailing list
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-03-22 00:31 UTC by Sevan Janiyan
Modified: 2019-07-05 09:53 UTC (History)
10 users (show)

See Also:
rakuco: maintainer-feedback? (gnome)


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sevan Janiyan 2016-03-22 00:31:01 UTC
applies to the other www/webkit*-gtk* packages
http://webkitgtk.org/security/WSA-2016-0002.html
Comment 1 Raphael Kubo da Costa freebsd_committer 2016-03-22 16:21:44 UTC
Over to maintainer.
Comment 2 commit-hook freebsd_committer 2016-05-05 16:08:24 UTC
A commit references this bug:

Author: rm
Date: Thu May  5 16:08:09 UTC 2016
New revision: 414649
URL: https://svnweb.freebsd.org/changeset/ports/414649

Log:
  www/webkit-gtk[23]: update to 2.4.11

  - update to 2.4.11
  - fix build with Ruby 2.2 default version (ruby symlink doesn't exist anymore)
  - replace CPPFLAGS and LDFLAGS by USES= localbase
  - fix couple of whitespace bugs

  PR:		208961
  PR:     208192
  Submitted by:	olivierd
  Reviewed by:	kwm
  With hat:	gnome
  MFH:		2016Q2 (along with r414478)

  - fix build of webkit-gtk2 on ARM platforms

  PR:     208569
  Reported by:    otacilio.neto@bsd.com.br
  Submitted by:   mikael.urankar@gmail.com

  - fix build of webkit-gtk[23] when GNU binutils is installed

  PR:     195500
  PR:     196333
  Submitted by:   Christoph Moench-Tegeder <cmt@burggraben.net>

Changes:
  head/www/webkit-gtk2/Makefile
  head/www/webkit-gtk2/distinfo
  head/www/webkit-gtk2/files/patch-Source_WTF_wtf_Platform.h
  head/www/webkit-gtk2/pkg-plist
  head/www/webkit-gtk3/Makefile
  head/www/webkit-gtk3/distinfo
  head/www/webkit-gtk3/pkg-plist
Comment 3 Ruslan Makhmatkhanov freebsd_committer 2016-05-05 16:21:24 UTC
Please note, that 2.4.11 doesn't resolve the CVE's, that mentioned on OP's link as far I understand. 

We also have updated webkit2-gtk3 port in gnome development repository: https://github.com/freebsd/freebsd-ports-gnome/tree/gnome-3.20/www/webkit2-gtk3
It works just fine in -head and 10.x, but there _may be_ some problems in FreeBSD 9.3 with this version, that should be checked out before going to main ports tree.
Comment 4 commit-hook freebsd_committer 2016-05-05 16:43:37 UTC
A commit references this bug:

Author: rm
Date: Thu May  5 16:42:57 UTC 2016
New revision: 414650
URL: https://svnweb.freebsd.org/changeset/ports/414650

Log:
  MFH: r414478 r414649

  www/webkit-gtk[23]: update to 2.4.10

  Merged from freebsd-ports-gnome development repo.

  Reviewed by:	kwm
  With hat:       gnome

  www/webkit-gtk[23]: update to 2.4.11

  - update to 2.4.11
  - fix build with Ruby 2.2 default version (ruby symlink doesn't exist anymore)
  - replace CPPFLAGS and LDFLAGS by USES= localbase
  - fix couple of whitespace bugs

  PR:		208961
  PR:     208192
  Submitted by:	olivierd
  Reviewed by:	kwm
  With hat:	gnome

  - fix build of webkit-gtk2 on ARM platforms

  PR:     208569
  Reported by:    otacilio.neto@bsd.com.br
  Submitted by:   mikael.urankar@gmail.com

  - fix build of webkit-gtk[23] when GNU binutils is installed

  PR:     195500
  PR:     196333
  Submitted by:   Christoph Moench-Tegeder <cmt@burggraben.net>

  Approved by:	ports-secteam (feld)

Changes:
_U  branches/2016Q2/
  branches/2016Q2/www/webkit-gtk2/Makefile
  branches/2016Q2/www/webkit-gtk2/distinfo
  branches/2016Q2/www/webkit-gtk2/files/patch-CVE-2014-1748
  branches/2016Q2/www/webkit-gtk2/files/patch-Source_WTF_wtf_Platform.h
  branches/2016Q2/www/webkit-gtk2/pkg-plist
  branches/2016Q2/www/webkit-gtk3/Makefile
  branches/2016Q2/www/webkit-gtk3/distinfo
  branches/2016Q2/www/webkit-gtk3/files/patch-CVE-2014-1748
  branches/2016Q2/www/webkit-gtk3/pkg-plist
Comment 5 Walter Schwarzenfeld freebsd_triage 2018-01-13 03:40:52 UTC
I think this is solved, or overcome by events.
Comment 6 Ting-Wei Lan 2018-01-13 07:58:05 UTC
WebKitGTK+ 2.4.x no longer receives security updates, so all applications depending on www/webkit-gtk2) and www/webkit-gtk3 ports are vulnerable unless they switch to the latest version provided by www/webkit2-gtk3.

However, www/webkit2-gtk3 in FreeBSD ports is also out of date. The latest release is 2.18.5, but ports still use 2.16.6.
Comment 7 Walter Schwarzenfeld freebsd_triage 2018-01-13 08:09:57 UTC
Okay, thank you!
Comment 8 Jochen Neumeister freebsd_committer 2019-02-15 18:15:41 UTC
what is the current status?
Does ports-secteam have to be active here?
Comment 9 commit-hook freebsd_committer 2019-02-24 20:13:33 UTC
A commit references this bug:

Author: kwm
Date: Sun Feb 24 20:13:11 UTC 2019
New revision: 493807
URL: https://svnweb.freebsd.org/changeset/ports/493807

Log:
  Start deorbit burn for old webkit-gtk ports.

  PR:		208192

Changes:
  head/www/webkit-gtk2/Makefile
  head/www/webkit-gtk3/Makefile
Comment 10 rkoberman 2019-02-25 01:49:01 UTC
(In reply to commit-hook from comment #9)
Doesn't this mean that graphics/gimp and audio/audacity? I think this might cause a bit of upset.
Comment 11 Piotr Kubaj freebsd_committer 2019-02-25 05:15:13 UTC
(In reply to rkoberman from comment #10)
I can't say for Audacity, but I have Gimp installed.

ppkubaj@KGPE-D16:$~$ doas pkg delete webkit-gtk2
Updating database digests format: 100%
Checking integrity... done (0 conflicting)
Deinstallation has been requested for the following 3 packages (of 0 packages in the universe):

Installed packages to be REMOVED:
        webkit-gtk2-2.4.11_19
        wx30-gtk2-3.0.4_5
        0ad-0.0.23b

Number of packages to be removed: 3

The operation will free 2 GiB.

Proceed with deinstalling packages? [y/N]: ^C

So Gimp won't be removed from ports, yay. Still, the loss of 0ad is also something I don't like.
Comment 12 rkoberman 2019-02-25 06:26:57 UTC
(In reply to Piotr Kubaj from comment #11)

I see that it is only needed for the HELPBROWSER option, though, so I guess you don't have it selected. It is not default, but I'd hate to have to learn gimp without it.

Audacity requires wx30-gtk2 which,in turn, requires webkit-gtk2. No options on that one.
Comment 13 Ruslan Makhmatkhanov freebsd_committer 2019-02-25 09:29:49 UTC
For a long time I had these two in my poudriere configuration:

x11-toolkits_wxgtk30_UNSET=WEBKIT
graphics_gimp-app_UNSET=HELPBROWSER

I also used to play 0ad for a long time and absence of webkit-powered wxgtk doesn't affect 0ad in any way (I only played with local AI, no network games).
Comment 14 Guido Falsi freebsd_committer 2019-02-25 11:43:07 UTC
(In reply to Piotr Kubaj from comment #11)
> (In reply to rkoberman from comment #10)
> I can't say for Audacity, but I have Gimp installed.
> 
> ppkubaj@KGPE-D16:$~$ doas pkg delete webkit-gtk2
> Updating database digests format: 100%
> Checking integrity... done (0 conflicting)
> Deinstallation has been requested for the following 3 packages (of 0
> packages in the universe):
> 
> Installed packages to be REMOVED:
>         webkit-gtk2-2.4.11_19
>         wx30-gtk2-3.0.4_5
>         0ad-0.0.23b
> 
> Number of packages to be removed: 3
> 
> The operation will free 2 GiB.
> 
> Proceed with deinstalling packages? [y/N]: ^C
> 
> So Gimp won't be removed from ports, yay. Still, the loss of 0ad is also
> something I don't like.

(0ad maintainer here)

0ad depends on wx30, that's why it is being removed.

I will check if it can work fine with wxgtk31, which is gtk3 based and links to newer webkit.

I also have other ports to fix regarding to this and they are all heavy on dependencies. The poudriere machines I have access to are all busy testing various things, so I will need a little time to test all the fixes properly.
Comment 15 Guido Falsi freebsd_committer 2019-02-25 11:55:20 UTC
(In reply to Guido Falsi from comment #14)

> (0ad maintainer here)
> 
> 0ad depends on wx30, that's why it is being removed.
> 
> I will check if it can work fine with wxgtk31, which is gtk3 based and links
> to newer webkit.

Looking at the Makefiles, I notice while we do have a x11-toolkits/wxgtk31 we don't have support for it(from bsd.wx.mk):

_WX_VERS_ALL=           2.8 3.0
_WX_VERS_UC_ALL=        2.8 3.0

aren't we missing a 3.1 option there?

Should it be there? could it be added or there is some reason I'm not aware of?
Comment 16 Charlie Li 2019-02-25 12:33:49 UTC
wxWidgets 3.1 is a development branch. 3.0 is still the stable. Audacity (and probably others) do not work with 3.1 due to ABI breakage.

The WEBKIT option should probably be toggled off by default.
Comment 17 Guido Falsi freebsd_committer 2019-02-25 14:02:52 UTC
(In reply to Charlie Li from comment #16)
> wxWidgets 3.1 is a development branch. 3.0 is still the stable. Audacity
> (and probably others) do not work with 3.1 due to ABI breakage.
> 
> The WEBKIT option should probably be toggled off by default.

I see.

Anyway it looks like r493853 addresses this and fixes 0ad and other wxgtk dependent ports for the issue at hand.
Comment 18 Tobias Kortkamp freebsd_committer 2019-07-05 09:53:20 UTC
Port was removed in ports r496768.