Control: tags -1 patch pending

On Mon, Jun 24, 2019 at 10:29:56AM +0200, Alberto Garcia wrote:
> 2) Build with SSE2 completely disabled (using WTF_CPU_UNKNOWN, or
>    something else, I'm still discussing this with the team).

Ok, this patch disables SSE2 and forces WebKit to use CLoop, the
C-based JavaScript interpreter (instead of using JIT or the asm-based
interpreter). That's the one used when the CPU is unknown or not
supported.

If no one has anything to say I'll upload it today. This should work
on all i386 CPUs, and we can later discuss if it's worth thinking of a
solution for SSE2-capable machines.

Berto
diff --git a/debian/NEWS b/debian/NEWS
index 8b5be11c238..72ce8c9fdd9 100644
--- a/debian/NEWS
+++ b/debian/NEWS
@@ -1,12 +1,3 @@
-webkit2gtk (2.24.1-2) unstable; urgency=high
-
-  Since version 2.24.0, i386 builds of WebKitGTK require an SSE2-capable
-  CPU. This instruction set was first introduced with the Pentium 4 in
-  year 2000. Support for older processors was dropped in WebKitGTK
-  upstream and is unfortunately not expected to come back.
-
- -- Alberto Garcia <be...@igalia.com>  Fri, 10 May 2019 15:40:28 +0300
-
 webkit2gtk (2.20.0-2) unstable; urgency=medium
 
   webkit2gtk 2.20.0 contains a security feature named Gigacage that
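
Review bot: Deleting the 2.24.1-2 entry from debian/NEWS leaves i386 users with no notice of the new trade-off, even though the debian/rules comment in this same patch says the CLoop build "is slow". NEWS entries are what users see on upgrade, so rather than only dropping the old item, consider adding a 2.24.2-2 entry stating that i386 builds no longer require SSE2 and now run JavaScript with the JIT disabled.
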
diff --git a/debian/changelog b/debian/changelog
index e5224cae539..6ddef67d1b8 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,26 @@
+webkit2gtk (2.24.2-2) unstable; urgency=high
+
+  * The WebKitGTK security advisory WSA-2019-0003 lists the following
+    security fixes in the latest versions of WebKitGTK+:
+    + CVE-2019-8571, CVE-2019-8583, CVE-2019-8586, CVE-2019-8594,
+      CVE-2019-8609, CVE-2019-8611, CVE-2019-8622 and CVE-2019-8623
+      (fixed in 2.24.0).
+    + CVE-2019-6237, CVE-2019-8584, CVE-2019-8587, CVE-2019-8596,
+      CVE-2019-8597, CVE-2019-8601, CVE-2019-8608, CVE-2019-8610 and
+      CVE-2019-8619 (fixed in 2.24.1).
+    + CVE-2019-8595, CVE-2019-8607 and CVE-2019-8615 (fixed in 2.24.2).
+  * Use the CLoop Javascript interpreter in i386 and stop telling gcc to
+    use SSE2 instructions (Closes: #930935).
+    + debian/rules:
+      - Build with -DENABLE_JIT=OFF -DENABLE_C_LOOP=ON and stop using
+        -msse2 -mfpmath=sse.
+    + debian/patches/dont-detect-sse2.patch:
+      - Don't check for SSE2 support.
+    + debian/NEWS:
+      - Remove item about the requirement to have an SSE2-capable CPU.
+
+ -- Alberto Garcia <be...@igalia.com>  Mon, 24 Jun 2019 16:34:09 +0300
+
 webkit2gtk (2.24.2-1) unstable; urgency=medium
 
   * New upstream release.
diff --git a/debian/patches/dont-detect-sse2.patch b/debian/patches/dont-detect-sse2.patch
new file mode 100644
index 00000000000..59b3650f6b6
--- /dev/null
+++ b/debian/patches/dont-detect-sse2.patch
@@ -0,0 +1,24 @@
+From: Alberto Garcia <be...@igalia.com>
+Subject: Don't check for SSE2 support on i386
+Bug-Debian: https://bugs.debian.org/930935
+Forwarded: no
+Index: webkitgtk/Source/cmake/WebKitCompilerFlags.cmake
+===================================================================
+--- webkitgtk.orig/Source/cmake/WebKitCompilerFlags.cmake
++++ webkitgtk/Source/cmake/WebKitCompilerFlags.cmake
+@@ -144,15 +144,6 @@ if (COMPILER_IS_GCC_OR_CLANG)
+     if (CMAKE_COMPILER_IS_GNUCXX)
+         WEBKIT_PREPEND_GLOBAL_COMPILER_FLAGS(-Wno-expansion-to-defined)
+     endif ()
+-
+-    # Force SSE2 fp on x86 builds.
+-    if (WTF_CPU_X86 AND NOT CMAKE_CROSSCOMPILING)
+-        WEBKIT_PREPEND_GLOBAL_COMPILER_FLAGS(-msse2 -mfpmath=sse)
+-        include(DetectSSE2)
+-        if (NOT SSE2_SUPPORT_FOUND)
+-            message(FATAL_ERROR "SSE2 support is required to compile WebKit")
+-        endif ()
+-    endif ()
+ endif ()
+ 
+ if (COMPILER_IS_GCC_OR_CLANG AND NOT MSVC)
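
Review bot: Removing `-msse2 -mfpmath=sse` from the `WTF_CPU_X86` block changes more than the CPU requirement: without `-mfpmath=sse`, gcc uses x87 floating point on i386, and its extended-precision intermediates can give different results for double arithmetic. The patch header carries only a Subject; a short description of why the flags and the `DetectSSE2` check are dropped together, and of the floating-point consequence, would help whoever revisits this. It would also be worth running the JavaScriptCore tests on an i386 build before upload. If the change is meant to stay Debian-only, `Forwarded: not-needed` describes it better than `Forwarded: no`.
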
diff --git a/debian/patches/series b/debian/patches/series
index 1bcc251ee09..12740b1f4e3 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -7,3 +7,4 @@ detect-gstreamer-gl.patch
 detect-woff.patch
 user-agent-branding.patch
 prefer-pthread.patch
+dont-detect-sse2.patch
diff --git a/debian/rules b/debian/rules
index b1e8caeb46f..ae93d5e38f8 100755
--- a/debian/rules
+++ b/debian/rules
@@ -23,9 +23,10 @@ ifeq (,$(filter $(DEB_HOST_ARCH),amd64 ppc64 ppc64el))
 	CFLAGS := $(CFLAGS:-g=-g1)
 endif
 
-# The 32-bit x86 build requires SSE2
+# Use the CLoop Javascript interpreter and disable the JIT. This is
+# slow but it is the most compatible solution for old (non-SSE2) CPUs.
 ifneq (,$(filter $(DEB_HOST_ARCH),i386))
-	CFLAGS += -msse2 -mfpmath=sse
+	EXTRA_CMAKE_ARGUMENTS += -DENABLE_JIT=OFF -DENABLE_C_LOOP=ON
 endif
 
 # See https://gcc.gnu.org/bugzilla/show_bug.cgi?id=81426
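
Review bot: The condition `ifneq (,$(filter $(DEB_HOST_ARCH),i386))` matches only the exact word `i386`, while dont-detect-sse2.patch removes the SSE2 flags and check for every `WTF_CPU_X86` build. Other 32-bit x86 Debian architectures (hurd-i386, for example) would therefore lose `-msse2 -mfpmath=sse` without getting `-DENABLE_JIT=OFF -DENABLE_C_LOOP=ON`. Testing `DEB_HOST_ARCH_CPU` (as provided by dpkg-architecture) against `i386` instead would keep the two changes in step. The new comment could also say that this applies to all i386 machines, including SSE2-capable ones, since the JIT is switched off unconditionally for the architecture.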
