Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock package webkit2gtk

Upstream WebKitGTK has recently stopped supporting i386 CPUs without
SSE2 extensions, as other browsers (Chromium, Firefox) already did a
few years ago.

There is at least one bug report (#930932, opened two days ago) from a
user that cannot run Zenity on a machine with an Athlon XP CPU because
of this, and some hours ago bug #930935 was filed against webkit2gtk.

WebKit generates SSE2 instructions with its JIT compiler, and the
build scripts also force gcc to pass the -msse2 compilation flags.

This upload disables the JIT compiler and enables the CLoop JavaScript
interpreter, which is slower but works on all CPUs. It also removes
the gcc SSE2 flags. Only the i386 build is affected by these changes.

Debdiff attached.

Note: the changelog includes the list of CVEs from the latest security
advisory, published shortly after the previous release. This is purely
informative and has no effect on the package.

unblock webkit2gtk/2.24.2-2

-- System Information:
Debian Release: 9.9
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-9-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8), LANGUAGE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru webkit2gtk-2.24.2/debian/changelog webkit2gtk-2.24.2/debian/changelog
--- webkit2gtk-2.24.2/debian/changelog  2019-05-17 17:40:52.000000000 +0300
+++ webkit2gtk-2.24.2/debian/changelog  2019-06-24 16:34:09.000000000 +0300
@@ -1,3 +1,26 @@
+webkit2gtk (2.24.2-2) unstable; urgency=high
+
+  * The WebKitGTK security advisory WSA-2019-0003 lists the following
+    security fixes in the latest versions of WebKitGTK+:
+    + CVE-2019-8571, CVE-2019-8583, CVE-2019-8586, CVE-2019-8594,
+      CVE-2019-8609, CVE-2019-8611, CVE-2019-8622 and CVE-2019-8623
+      (fixed in 2.24.0).
+    + CVE-2019-6237, CVE-2019-8584, CVE-2019-8587, CVE-2019-8596,
+      CVE-2019-8597, CVE-2019-8601, CVE-2019-8608, CVE-2019-8610 and
+      CVE-2019-8619 (fixed in 2.24.1).
+    + CVE-2019-8595, CVE-2019-8607 and CVE-2019-8615 (fixed in 2.24.2).
+  * Use the CLoop Javascript interpreter in i386 and stop telling gcc to
+    use SSE2 instructions (Closes: #930935).
+    + debian/rules:
+      - Build with -DENABLE_JIT=OFF -DENABLE_C_LOOP=ON and stop using
+        -msse2 -mfpmath=sse.
+    + debian/patches/dont-detect-sse2.patch:
+      - Don't check for SSE2 support.
+    + debian/NEWS:
+      - Remove item about the requirement to have an SSE2-capable CPU.
+
+ -- Alberto Garcia <be...@igalia.com>  Mon, 24 Jun 2019 16:34:09 +0300
+
 webkit2gtk (2.24.2-1) unstable; urgency=medium
 
   * New upstream release.
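Review bot: urgency=high on the 2.24.2-2 line is not justified anywhere in the entry. The CVEs listed are all marked as fixed in 2.24.0, 2.24.1 or 2.24.2, so the only change this revision makes is the i386 build switch under "(Closes: #930935)". A short clause on that item saying why the upload is urgent would make the urgency field readable on its own, and would keep the CVE list from being taken as the reason for it.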
diff -Nru webkit2gtk-2.24.2/debian/NEWS webkit2gtk-2.24.2/debian/NEWS
--- webkit2gtk-2.24.2/debian/NEWS       2019-05-17 17:40:52.000000000 +0300
+++ webkit2gtk-2.24.2/debian/NEWS       2019-06-24 16:34:09.000000000 +0300
@@ -1,12 +1,3 @@
-webkit2gtk (2.24.1-2) unstable; urgency=high
-
-  Since version 2.24.0, i386 builds of WebKitGTK require an SSE2-capable
-  CPU. This instruction set was first introduced with the Pentium 4 in
-  year 2000. Support for older processors was dropped in WebKitGTK
-  upstream and is unfortunately not expected to come back.
-
- -- Alberto Garcia <be...@igalia.com>  Fri, 10 May 2019 15:40:28 +0300
-
 webkit2gtk (2.20.0-2) unstable; urgency=medium
 
   webkit2gtk 2.20.0 contains a security feature named Gigacage that
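Review bot: deleting the 2.24.1-2 item leaves debian/NEWS with nothing about the new i386 behaviour, although the debian/rules change in this same debdiff builds i386 with -DENABLE_JIT=OFF -DENABLE_C_LOOP=ON. Consider replacing the removed item with a 2.24.2-2 entry stating that i386 builds now run JavaScript in the CLoop interpreter without JIT and are slower as a result, since that affects every i386 user, including those with SSE2-capable CPUs.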
diff -Nru webkit2gtk-2.24.2/debian/patches/dont-detect-sse2.patch 
webkit2gtk-2.24.2/debian/patches/dont-detect-sse2.patch
--- webkit2gtk-2.24.2/debian/patches/dont-detect-sse2.patch     1970-01-01 
02:00:00.000000000 +0200
+++ webkit2gtk-2.24.2/debian/patches/dont-detect-sse2.patch     2019-06-24 
16:34:09.000000000 +0300
@@ -0,0 +1,24 @@
+From: Alberto Garcia <be...@igalia.com>
+Subject: Don't check for SSE2 support on i386
+Bug-Debian: https://bugs.debian.org/930935
+Forwarded: no
+Index: webkitgtk/Source/cmake/WebKitCompilerFlags.cmake
+===================================================================
+--- webkitgtk.orig/Source/cmake/WebKitCompilerFlags.cmake
++++ webkitgtk/Source/cmake/WebKitCompilerFlags.cmake
+@@ -144,15 +144,6 @@ if (COMPILER_IS_GCC_OR_CLANG)
+     if (CMAKE_COMPILER_IS_GNUCXX)
+         WEBKIT_PREPEND_GLOBAL_COMPILER_FLAGS(-Wno-expansion-to-defined)
+     endif ()
+-
+-    # Force SSE2 fp on x86 builds.
+-    if (WTF_CPU_X86 AND NOT CMAKE_CROSSCOMPILING)
+-        WEBKIT_PREPEND_GLOBAL_COMPILER_FLAGS(-msse2 -mfpmath=sse)
+-        include(DetectSSE2)
+-        if (NOT SSE2_SUPPORT_FOUND)
+-            message(FATAL_ERROR "SSE2 support is required to compile WebKit")
+-        endif ()
+-    endif ()
+ endif ()
+ 
+ if (COMPILER_IS_GCC_OR_CLANG AND NOT MSVC)
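Review bot: the patch header undersells what the hunk removes. The Subject says "Don't check for SSE2 support on i386", but the deleted block also drops WEBKIT_PREPEND_GLOBAL_COMPILER_FLAGS(-msse2 -mfpmath=sse), and its condition is WTF_CPU_X86 AND NOT CMAKE_CROSSCOMPILING rather than anything Debian-specific. Please mention the flag removal in the description, and add a reason next to "Forwarded: no" so it is clear whether this is meant to stay a Debian-only patch.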
diff -Nru webkit2gtk-2.24.2/debian/patches/series 
webkit2gtk-2.24.2/debian/patches/series
--- webkit2gtk-2.24.2/debian/patches/series     2019-05-17 17:40:52.000000000 
+0300
+++ webkit2gtk-2.24.2/debian/patches/series     2019-06-24 16:34:09.000000000 
+0300
@@ -7,3 +7,4 @@
 detect-woff.patch
 user-agent-branding.patch
 prefer-pthread.patch
+dont-detect-sse2.patch
diff -Nru webkit2gtk-2.24.2/debian/rules webkit2gtk-2.24.2/debian/rules
--- webkit2gtk-2.24.2/debian/rules      2019-05-17 17:40:52.000000000 +0300
+++ webkit2gtk-2.24.2/debian/rules      2019-06-24 16:34:09.000000000 +0300
@@ -23,9 +23,10 @@
        CFLAGS := $(CFLAGS:-g=-g1)
 endif
 
-# The 32-bit x86 build requires SSE2
+# Use the CLoop Javascript interpreter and disable the JIT. This is
+# slow but it is the most compatible solution for old (non-SSE2) CPUs.
 ifneq (,$(filter $(DEB_HOST_ARCH),i386))
-       CFLAGS += -msse2 -mfpmath=sse
+       EXTRA_CMAKE_ARGUMENTS += -DENABLE_JIT=OFF -DENABLE_C_LOOP=ON
 endif
 
 # See https://gcc.gnu.org/bugzilla/show_bug.cgi?id=81426
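Review bot: the new comment above the ifneq block does not record that dropping "CFLAGS += -msse2 -mfpmath=sse" only takes effect together with debian/patches/dont-detect-sse2.patch, because the cmake code that patch removes would otherwise prepend the same flags. A one-line cross-reference to the patch in this comment would stop someone from dropping the patch later and silently reintroducing the SSE2 requirement. It is also worth stating in the comment that the JIT is disabled for all i386 builds, not only for machines without SSE2.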
