Bug 259362 - www/webkit2-gtk3: update to 2.34.1
Summary: www/webkit2-gtk3: update to 2.34.1
Status: Closed Not Accepted
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: freebsd-gnome (Nobody)
URL: https://webkitgtk.org/2021/10/21/webk...
Keywords: patch, security
Depends on:
Blocks:
 
Reported: 2021-10-22 18:00 UTC by Evgeniy Khramtsov
Modified: 2021-11-12 20:32 UTC

See Also:
evgeniy: maintainer-feedback-
evgeniy: merge-quarterly?


Attachments
v1 ("git am") (3.15 KB, patch)
2021-10-22 18:00 UTC, Evgeniy Khramtsov
evgeniy: maintainer-approval? (gnome)
VuXML entry ("git am") (1.50 KB, patch)
2021-10-31 17:34 UTC, Evgeniy Khramtsov
evgeniy: maintainer-approval? (gnome)

Description Evgeniy Khramtsov 2021-10-22 18:00:03 UTC
Created attachment 228950
v1 ("git am")

libwpe, wpebackend-fdo, webkit2-gtk3 updates were tested with all three patches
applied together. Tested via 12.2/amd64 jail with passed /dev for x11-wm/cage
DRM backend.

Note: I am waiting for inverted options build to pass. Requesting approval
because there is no way to request it after posting PR, AFAIK.
Comment 1 Evgeniy Khramtsov 2021-10-22 18:51:17 UTC
(In reply to Evgeniy Khramtsov from comment #0)

Build with inverted OPTIONS passed.

"Changes" field for www/libwpe and www/wpebackend-fdo can be replaced with links from Bugzilla URL field, because when updating from 1.10.1 -> 1.12.0 upstream announcement is incomplete (lacks changes from older versions that ports skipped).

On an unrelated note, I plan to create upstream PRs about libc++ build issues (ports 895bc805a and ports f73bc57ac) this week.

Another note, upstream is known to publish a release [1] first, then a security advisory [2] days after:

1: https://webkitgtk.org/2021/09/17/webkitgtk2.32.4-released.html
2: https://webkitgtk.org/security/WSA-2021-0005.html
Dates "17 SEPTEMBER 2021" and "20 SEPTEMBER 2021" available in the news section:
https://webkitgtk.org/news.html
Comment 2 Evgeniy Khramtsov 2021-10-22 18:52:03 UTC
(In reply to Evgeniy Khramtsov from comment #1)

> f73bc57ac

Likely not, I can't edit comments on Bugzilla.
Comment 3 Evgeniy Khramtsov 2021-10-23 17:52:33 UTC
https://cgit.freebsd.org/ports/commit/?id=cfd3cae26ce21f6

nc@, maybe at least reference the PR?
Comment 4 Neel Chauhan freebsd_committer 2021-10-23 18:23:24 UTC
Sorry.

I committed without even knowing of your PR (all my work). Extremely sorry again.
Comment 5 Evgeniy Khramtsov 2021-10-27 02:38:32 UTC
WebKit <2.34.1 is vulnerable: https://webkitgtk.org/security/WSA-2021-0006.html

Merge-quarterly was requested 4 days before the disclosure but 2.34.1 didn't land into 2021Q4. VuXML entry is needed now, but I don't have time until weekend, so it would be nice if someone else fills it.
Comment 6 Evgeniy Khramtsov 2021-10-31 17:34:37 UTC
Created attachment 229177
VuXML entry ("git am")
Comment 7 Evgeniy Khramtsov 2021-11-01 16:26:53 UTC
(In reply to Evgeniy Khramtsov from comment #6)

Ping! Don't leave quarterly users using vulnerable WebKit without knowing!
Comment 8 Evgeniy Khramtsov 2021-11-12 20:32:45 UTC
(In reply to Evgeniy Khramtsov from comment #7)

I decided I don't care.