Re: Bug#1057755: Qt WebEngine Security Support In Stable
On Wed, Dec 13, 2023 at 08:49:55PM -0700, Soren Stoutner wrote:

> Currently there is no real security support for Qt WebEngine in
> stable, which is an oversight that might surprise many Debian users.
> The purpose of this discussion is to figure out the best way to
> change that.

Hello,

I would like to offer my (outsider) perspective as the Debian WebKitGTK / WPE WebKit maintainer.

I'm not too familiar with the Qt, KDE or Chromium release cycles, but having that in mind I think that although I welcome the efforts to provide security support to the Qt WebEngine I also share Adrian's concerns that this is probably not going to be an easy task.

For reference, in the case of WebKitGTK, and as it was correctly pointed out, Debian didn't provide security support for a long time. We started talking about it ages ago but it took years of work before it finally happened. Off the top of my head:

- The project created a policy to support Debian and Ubuntu LTS by not bumping the dependencies:

  https://docs.webkit.org/Ports/WebKitGTK%20and%20WPE%20WebKit/DependenciesPolicy.html

  We had the explicit goal to support those distros, I was part of those conversations. This was coordinated with Apple so they e.g. would not start using too recent C++ features that would require us to use a new compiler.

  In practice WebKitGTK would continue working for a while after the officially supported period (we were still providing security updates for buster during H1 2023).

- Strong API / ABI stability. Although we don't have LTS releases any stable WebKitGTK build works with any app linked against an earlier version. If some of the basic dependencies have a major API / ABI break (soup2 -> soup3, gtk3 -> gtk4) we keep supporting the old versions for as long as it's feasible. We currently have three different sets of binary packages from the same sources so older apps can still use the latest WebKitGTK packages.

- WebKitGTK and WPE publish security advisories, thanks also to the good relationship that we have with Apple, which allows us to have up-to-date information about the CVEs that affect us.

- Before having official security support in Debian we were providing stable updates via backports starting from jessie. It wasn't until buster (3-4 years later) that WebKitGTK got officially supported, thanks also to the good track record of security updates that Ubuntu had due to the great work of Jeremy Bicha.

- And even with all that in our favor, keeping WebKitGTK up-to-date and properly supported is not a trivial amount of work, and we could also not avoid having the occasional regression, sometimes our fault (#1035469) and sometimes due to problems in other packages (#1054150).

If you still want to give it a go maybe try updating the Qt WebEngine via backports first, although if that requires that the Qt / KDE maintainers stick to a specific LTS branch then you need to coordinate that with them first.

One last thing: when you say "When the LTS in stable is no longer supported, security patches can be backported from the current LTS to the one in stable" I think you might be underestimating the complexity of doing that. Web engines are extremely active projects (WebKit has some 50 commits per day, and if I'm reading GitHub's numbers correctly Chromium has 10 times more). Identifying and backporting the security fixes (of which Chromium has a lot) is not a joke.

And I think that's all from my side, I hope this was useful.

Regards,

Berto
Bug#1034872: unblock: wpewebkit/2.38.6-1
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package wpewebkit

[ Reason ]

Fix five CVEs, one of them reported to have been actively exploited.

[ Impact ]

wpewebkit, like all other major browser engines, is affected by a constant stream of security bugs so it's not recommended to browse the web using an outdated version of the package. For this reason the security team has been providing wpewebkit updates using the upstream stable releases since Debian bullseye.

2.38.6 is the next stable point release after 2.38.5 (already in bookworm). It contains fixes for several bugs including 5 CVEs:

CVE-2022-0108
  Impact: An HTML document may be able to render iframes with sensitive user information.

CVE-2022-32885
  Impact: Processing maliciously crafted web content may lead to arbitrary code execution.

CVE-2023-27932
  Impact: Processing maliciously crafted web content may bypass Same Origin Policy.

CVE-2023-27954
  Impact: A website may be able to track sensitive user information.

CVE-2023-28205
  Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

[ Tests ]

Tested manually using the cog web browser.

[ Risks ]

WPE WebKit evolves very fast and its stable releases contain other fixes apart from the security ones. Because of this the chance of regressions is higher than with other packages. That said, upstream has had a good track record of publishing updates with no major issues.

In addition to that, WPE WebKit is also a niche browser engine with few reverse dependencies so the impact of any possible regression is very low and the risk is therefore much more controlled.

[ Checklist ]

  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]

This new version also works in bullseye and the corresponding security update is also being prepared.

Note that I only include the debian/ part of the debdiff since the changes to the source itself are larger due to the nature of the release.

unblock wpewebkit/2.38.6-1

diff -Nru wpewebkit-2.38.5/debian/changelog wpewebkit-2.38.6/debian/changelog --- wpewebkit-2.38.5/debian/changelog 2023-02-15 22:52:14.0 +0100 +++ wpewebkit-2.38.6/debian/changelog 2023-04-25 09:17:43.0 +0200 @@ -1,3 +1,13 @@ +wpewebkit (2.38.6-1) unstable; urgency=high + + * New upstream release. + * The WPE WebKit security advisory WSA-2023-0003 lists the following +security fixes in the latest versions of WPE WebKit: +- CVE-2022-0108, CVE-2022-32885, CVE-2023-27932, CVE-2023-27954, + CVE-2023-28205 (fixed in 2.38.6 and 2.40.1). + + -- Alberto Garcia Tue, 25 Apr 2023 09:17:43 +0200 + wpewebkit (2.38.5-1) unstable; urgency=high * New upstream release.
Bug#1034870: unblock: webkit2gtk/2.40.1-1
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package webkit2gtk

[ Reason ]

Fix five CVEs, one of them reported to have been actively exploited.

[ Impact ]

webkit2gtk, like all other major browser engines, is affected by a constant stream of security bugs so it's not recommended to browse the web using an outdated version of the package. For this reason the security team has been providing webkit2gtk updates using the upstream stable releases since Debian buster.

2.40.1 is the first stable point release after 2.40.0 (already in bookworm). It contains fixes for several bugs including 5 CVEs:

CVE-2022-0108
  Impact: An HTML document may be able to render iframes with sensitive user information.

CVE-2022-32885
  Impact: Processing maliciously crafted web content may lead to arbitrary code execution.

CVE-2023-27932
  Impact: Processing maliciously crafted web content may bypass Same Origin Policy.

CVE-2023-27954
  Impact: A website may be able to track sensitive user information.

CVE-2023-28205
  Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

This new version also works in bullseye and the corresponding security update is also being prepared.

[ Tests ]

Tested manually using the Epiphany web browser for several days.

[ Risks ]

WebKitGTK evolves very fast and its stable releases contain other fixes apart from the security ones. Because of this the chance of regressions is higher than with other packages. That said, upstream has had a good track record of publishing updates with no major issues.

[ Checklist ]

  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

Note that I only include the debian/ part of the debdiff since the changes to the source itself are larger due to the nature of the release.

unblock webkit2gtk/2.40.1-1 diff -Nru webkit2gtk-2.40.0/debian/changelog webkit2gtk-2.40.1/debian/changelog --- webkit2gtk-2.40.0/debian/changelog 2023-03-21 18:11:48.0 +0100 +++ webkit2gtk-2.40.1/debian/changelog 2023-04-20 14:29:23.0 +0200 @@ -1,3 +1,15 @@ +webkit2gtk (2.40.1-1) unstable; urgency=high + + * New upstream release. + * debian/rules: +- Build with -DUSE_GBM=OFF in the Hurd (Closes: #1033999). + * Drop fix-script-message-received-marshaller.patch and +fix-gst-crash.patch. Refresh all other patches. + * debian/copyright: +- Update copyright information of all files. + + -- Alberto Garcia Thu, 20 Apr 2023 14:29:23 +0200 + webkit2gtk (2.40.0-3) unstable; urgency=medium * debian/{rules,control.in}: diff -Nru webkit2gtk-2.40.0/debian/copyright webkit2gtk-2.40.1/debian/copyright --- webkit2gtk-2.40.0/debian/copyright 2023-03-21 18:11:48.0 +0100 +++ webkit2gtk-2.40.1/debian/copyright 2023-04-20 14:29:23.0 +0200 @@ -1923,8 +1923,6 @@ Source/WebCore/rendering/RenderTextInlines.h Source/WebCore/rendering/RenderTheme.cpp Source/WebCore/rendering/RenderTheme.h - Source/WebCore/rendering/RenderThemeGtk.cpp - Source/WebCore/rendering/RenderThemeGtk.h Source/WebCore/rendering/RenderThemeMac.h Source/WebCore/rendering/RenderThemeWin.cpp Source/WebCore/rendering/RenderThemeWin.h diff -Nru webkit2gtk-2.40.0/debian/patches/fix-ftbfs-m68k.patch webkit2gtk-2.40.1/debian/patches/fix-ftbfs-m68k.patch --- webkit2gtk-2.40.0/debian/patches/fix-ftbfs-m68k.patch 2023-03-21 18:11:48.0 +0100 +++ webkit2gtk-2.40.1/debian/patches/fix-ftbfs-m68k.patch 2023-04-20 14:29:23.0 +0200 
@@ -158,7 +158,7 @@ namespace JSC { template -@@ -5497,3 +5502,6 @@ void printInternal(PrintStream& out, JSC +@@ -5499,3 +5504,6 @@ void printInternal(PrintStream& out, JSC } // namespace WTF diff -Nru webkit2gtk-2.40.0/debian/patches/fix-gst-crash.patch webkit2gtk-2.40.1/debian/patches/fix-gst-crash.patch --- webkit2gtk-2.40.0/debian/patches/fix-gst-crash.patch2023-03-21 18:11:48.0 +0100 +++ webkit2gtk-2.40.1/debian/patches/fix-gst-crash.patch1970-01-01 01:00:00.0 +0100 @@ -1,65 +0,0 @@ -From: Philippe Normand -Subject: Fix crash in webkit_media_stream_src_class_init() -Bug: https://bugs.webkit.org/show_bug.cgi?id=254025 -Origin: https://github.com/WebKit/WebKit/commit/358ce3a4bd7353c8edaa5720c949301f31c9a5e9 -Index: webkitgtk/Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp -=== webkitgtk.orig/Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp -+++ webkitgtk/Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp -@@ -2647,6 +2647,9 @@ MediaPlayer::SupportsType MediaP
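Review bot: the debian/changelog hunk for 2.40.1-1 does not name any of the five CVEs that the unblock request gives as its reason (CVE-2022-0108, CVE-2022-32885, CVE-2023-27932, CVE-2023-27954, CVE-2023-28205), although the wpewebkit 2.38.6-1 entry quoted earlier on this page lists them as fixed in 2.38.6 and 2.40.1. Suggest adding the same CVE list to this entry so that the urgency=high upload can be traced to the security fixes from the changelog alone. The entry also drops fix-script-message-received-marshaller.patch and fix-gst-crash.patch without giving a reason; one short remark saying why they are no longer needed would document that.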
Bug#1033568: unblock: gnome-calendar/43.1-2
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package gnome-calendar

[ Reason ]

If the user tries to add a new calendar manually, the version of gnome-calendar currently in testing crashes while the user is typing the URI. This happens while the URI is incomplete because it is not validated before proceeding.

[ Impact ]

The application crashes suddenly and must be restarted with no clue about why the crash happened.

[ Tests ]

Tested manually, the bug is very easy to reproduce, simply typing 'https://' on the URL entry is enough. The new package also provides a test case.

[ Risks ]

Very low, this is the upstream patch for this bug and is very straightforward.

[ Checklist ]

  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock gnome-calendar/43.1-2

diff -Nru gnome-calendar-43.1/debian/changelog gnome-calendar-43.1/debian/changelog --- gnome-calendar-43.1/debian/changelog2022-10-18 16:09:27.0 +0200 +++ gnome-calendar-43.1/debian/changelog2023-03-20 18:25:22.0 +0100 @@ -1,3 +1,14 @@ +gnome-calendar (43.1-2) unstable; urgency=high + + [ Alberto Garcia ] + * debian/patches/validate-uri.patch: +- Fix crash when adding an url manually (Closes: #1033239) + + [ Jeremy Bicha ] + * Branch for bookworm + + -- Alberto Garcia Mon, 20 Mar 2023 18:25:22 +0100 + gnome-calendar (43.1-1) unstable; urgency=high * New upstream release (LP: #1993308) diff -Nru gnome-calendar-43.1/debian/control gnome-calendar-43.1/debian/control --- gnome-calendar-43.1/debian/control 2022-10-18 16:09:27.0 +0200 +++ gnome-calendar-43.1/debian/control 2023-03-20 18:25:22.0 +0100 @@ -6,7 +6,7 @@ Section: gnome Priority: optional Maintainer: Debian GNOME Maintainers -Uploaders: Iain Lane , Jeremy Bicha , Laurent Bigonville +Uploaders: Jeremy Bicha Build-Depends: appstream-util, debhelper-compat (= 13), dh-sequence-gnome, 
@@ -29,8 +29,8 @@ xvfb , Standards-Version: 4.6.0 Rules-Requires-Root: no -Vcs-Browser: https://salsa.debian.org/gnome-team/gnome-calendar -Vcs-Git: https://salsa.debian.org/gnome-team/gnome-calendar.git +Vcs-Browser: https://salsa.debian.org/gnome-team/gnome-calendar/tree/debian/bookworm +Vcs-Git: https://salsa.debian.org/gnome-team/gnome-calendar.git -b debian/bookworm Homepage: https://wiki.gnome.org/Apps/Calendar Package: gnome-calendar diff -Nru gnome-calendar-43.1/debian/control.in gnome-calendar-43.1/debian/control.in --- gnome-calendar-43.1/debian/control.in 2022-10-18 16:09:27.0 +0200 +++ gnome-calendar-43.1/debian/control.in 2023-03-20 18:25:22.0 +0100 @@ -25,8 +25,8 @@ xvfb , Standards-Version: 4.6.0 Rules-Requires-Root: no -Vcs-Browser: https://salsa.debian.org/gnome-team/gnome-calendar -Vcs-Git: https://salsa.debian.org/gnome-team/gnome-calendar.git +Vcs-Browser: https://salsa.debian.org/gnome-team/gnome-calendar/tree/debian/bookworm +Vcs-Git: https://salsa.debian.org/gnome-team/gnome-calendar.git -b debian/bookworm Homepage: https://wiki.gnome.org/Apps/Calendar Package: gnome-calendar diff -Nru gnome-calendar-43.1/debian/gbp.conf gnome-calendar-43.1/debian/gbp.conf --- gnome-calendar-43.1/debian/gbp.conf 2022-10-18 16:09:27.0 +0200 +++ gnome-calendar-43.1/debian/gbp.conf 2023-03-20 18:25:22.0 +0100 @@ -1,6 +1,6 @@ [DEFAULT] pristine-tar = True -debian-branch = debian/master +debian-branch = debian/bookworm upstream-branch = upstream/latest [buildpackage] diff -Nru gnome-calendar-43.1/debian/patches/series gnome-calendar-43.1/debian/patches/series --- gnome-calendar-43.1/debian/patches/series 2022-10-18 16:09:27.0 +0200 +++ gnome-calendar-43.1/debian/patches/series 2023-03-20 18:25:22.0 +0100 
@@ -0,0 +1 @@ +validate-uri.patch diff -Nru gnome-calendar-43.1/debian/patches/validate-uri.patch gnome-calendar-43.1/debian/patches/validate-uri.patch --- gnome-calendar-43.1/debian/patches/validate-uri.patch 1970-01-01 01:00:00.0 +0100 +++ gnome-calendar-43.1/debian/patches/validate-uri.patch 2023-03-20 18:25:22.0 +0100 @@ -0,0 +1,121 @@ +From: Georges Basile Stavracas Neto +Subject: Test URI before discovery +Bug: https://gitlab.gnome.org/GNOME/gnome-calendar/-/issues/794 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033239 +Origin: https://gitlab.gnome.org/GNOME/gnome-calendar/-/commit/0322bcf54cf1fc37ff74b87fd36e282dc1cf7863 +Index: gnome-calendar-43.1/src/utils/gcal-source-discoverer.c +=== +--- gnome-calendar-43.1.orig/src/utils/gcal-source-discoverer.c gnome-calendar-43.1/src/utils/gcal-source-discoverer.c +@@ -183,6 +183,26 @@ is_authentication_error (gint code) + return FALSE
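Review bot: the debian/control hunk removes Iain Lane and Laurent Bigonville from Uploaders, but the 43.1-2 changelog entry only mentions validate-uri.patch and "Branch for bookworm", so this change is undocumented even though the checklist states that all changes are in d/changelog. Suggest adding a changelog line for the Uploaders update, or leaving that change out of an upload made during the freeze so the debdiff stays limited to the crash fix and the branch switch.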
Bug#1029206: [pre-approval] unblock: webkit2gtk 2.40.0-2
On Wed, Mar 08, 2023 at 09:36:23PM +, Alberto Garcia wrote:

> Upstream has just confirmed that the new WebKit API for GTK4 is
> final[1] so this is effectively a release candidate for WebKitGTK
> 2.40.0, to be released in ~10 days.

2.40.0-2 has been in unstable for a while, I had to upload 2.40.0-3 because of a missing dependency in arm that was causing an autopkgtest to fail, all tests run fine now (mipsel is still missing but it worked fine in 2.40.0-2 with no changes affecting mipsel since then).

This is tagged as 'moreinfo', is there anything else that I can provide?

Berto

diff -Nru webkit2gtk-2.40.0/debian/changelog webkit2gtk-2.40.0/debian/changelog --- webkit2gtk-2.40.0/debian/changelog 2023-03-18 11:41:32.0 +0100 +++ webkit2gtk-2.40.0/debian/changelog 2023-03-21 18:11:48.0 +0100 @@ -1,3 +1,10 @@ +webkit2gtk (2.40.0-3) unstable; urgency=medium + + * debian/{rules,control.in}: +- Add dependency on libgles2 on arm (Closes: #1033230). + + -- Alberto Garcia Tue, 21 Mar 2023 18:11:48 +0100 + webkit2gtk (2.40.0-2) unstable; urgency=medium * debian/patches/fix-script-message-received-marshaller.patch: diff -Nru webkit2gtk-2.40.0/debian/control webkit2gtk-2.40.0/debian/control --- webkit2gtk-2.40.0/debian/control 2023-03-18 11:41:32.0 +0100 +++ webkit2gtk-2.40.0/debian/control 2023-03-21 18:11:48.0 +0100 @@ -180,6 +180,7 @@ gstreamer1.0-plugins-good, ${bwrap:Depends}, ${shlibs:Depends}, + ${gles:Depends}, ${misc:Depends} Recommends: gstreamer1.0-gl, libgl1-mesa-dri, @@ -311,6 +312,7 @@ gstreamer1.0-plugins-good, ${bwrap:Depends}, ${shlibs:Depends}, + ${gles:Depends}, ${misc:Depends} Recommends: gstreamer1.0-gl, libgl1-mesa-dri, 
@@ -442,6 +444,7 @@ gstreamer1.0-plugins-good, ${bwrap:Depends}, ${shlibs:Depends}, + ${gles:Depends}, ${misc:Depends} Recommends: gstreamer1.0-gl, libgl1-mesa-dri, diff -Nru webkit2gtk-2.40.0/debian/control-common.in webkit2gtk-2.40.0/debian/control-common.in --- webkit2gtk-2.40.0/debian/control-common.in 2023-03-18 11:41:32.0 +0100 +++ webkit2gtk-2.40.0/debian/control-common.in 2023-03-21 18:11:48.0 +0100 @@ -61,6 +61,7 @@ gstreamer1.0-plugins-good, ${bwrap:Depends}, ${shlibs:Depends}, + ${gles:Depends}, ${misc:Depends} Recommends: gstreamer1.0-gl, libgl1-mesa-dri, diff -Nru webkit2gtk-2.40.0/debian/rules webkit2gtk-2.40.0/debian/rules --- webkit2gtk-2.40.0/debian/rules 2023-03-18 11:41:32.0 +0100 +++ webkit2gtk-2.40.0/debian/rules 2023-03-21 18:11:48.0 +0100 @@ -148,6 +148,11 @@ DH_GENCONTROL_ARGS += -Vgst:Recommends="gstreamer1.0-libav, gstreamer1.0-plugins-bad" endif +# This is loaded at runtime using libepoxy so add an explicit dependency (#1033230) +ifneq (,$(filter $(DEB_HOST_ARCH),arm64 armel armhf)) + DH_GENCONTROL_ARGS += -Vgles:Depends="libgles2" +endif + CXXFLAGS=$(CFLAGS) # Disable commands and binary packages of the builds that we don't want
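Review bot: in the debian/rules hunk, gles:Depends is only defined when DEB_HOST_ARCH is arm64, armel or armhf, while ${gles:Depends} is now referenced unconditionally in the Depends fields of debian/control and debian/control-common.in, so on every other architecture the substitution variable is left undefined and dpkg-gencontrol will warn about it. Suggest adding an else branch that passes -Vgles:Depends="" so the empty value is explicit. The changelog entry also names debian/control.in, whereas the hunks shown modify debian/control and debian/control-common.in; the file list in the entry should match.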
Bug#1033315: unblock: evolution-data-server/3.46.4-2
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
Control: block -1 by 1029206

Please unblock package evolution-data-server. Note that this has to happen together with #1029206: either both packages migrate or none will.

[ Reason ]

The new upstream stable branch of WebKitGTK has replaced the 5.0 version of the API (for GTK4 users) with version 6.0. The older API was experimental but it was nevertheless used by a few packages, which need to switch to the new API.

In Debian this affects three packages: evolution-data-server, gnome-builder (#1033290) and gnome-initial-setup (#1033249).

[ Impact ]

Future security updates of WebKitGTK won't provide the 5.0 API so it won't be possible to provide them if these packages don't switch to the 6.0 API.

[ Tests ]

Tested manually with a test case provided by the upstream developer of evolution-data-server.

[ Risks ]

From this package's point of view the risks are small because we're only doing the switch to the new WebKit API, which already happened upstream.

I don't think this functionality is even used in practice by any current desktop app, since both evolution and gnome-online-accounts have their own gtk3-based oauth2 wizards.

[ Checklist ]

  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock evolution-data-server/3.46.4-2

diff -Nru evolution-data-server-3.46.4/debian/changelog evolution-data-server-3.46.4/debian/changelog --- evolution-data-server-3.46.4/debian/changelog 2023-02-10 13:07:22.0 +0100 +++ evolution-data-server-3.46.4/debian/changelog 2023-03-16 01:41:30.0 +0100 
@@ -1,3 +1,10 @@ +evolution-data-server (3.46.4-2) unstable; urgency=medium + + * Cherry-pick build fixes for latest webkitgtk + * Build against webkitgtk 6.0 instead of 5.0 + + -- Jeremy Bicha Wed, 15 Mar 2023 20:41:30 -0400 + evolution-data-server (3.46.4-1) unstable; urgency=medium * New upstream release diff -Nru evolution-data-server-3.46.4/debian/control evolution-data-server-3.46.4/debian/control --- evolution-data-server-3.46.4/debian/control 2023-02-10 13:07:22.0 +0100 +++ evolution-data-server-3.46.4/debian/control 2023-03-16 01:41:30.0 +0100 @@ -35,7 +35,7 @@ libsoup-3.0-dev (>= 3.1.1), libsqlite3-dev (>= 3.7.17), libwebkit2gtk-4.1-dev [!ia64 !kfreebsd-any], - libwebkit2gtk-5.0-dev [!ia64 !kfreebsd-any], + libwebkitgtk-6.0-dev [!ia64 !kfreebsd-any], libxml2-dev (>= 2.0.0), gtk-doc-tools (>= 1.14), gperf, diff -Nru evolution-data-server-3.46.4/debian/control.in evolution-data-server-3.46.4/debian/control.in --- evolution-data-server-3.46.4/debian/control.in 2023-02-10 13:07:22.0 +0100 +++ evolution-data-server-3.46.4/debian/control.in 2023-03-16 01:41:30.0 +0100 @@ -31,7 +31,7 @@ libsoup-3.0-dev (>= 3.1.1), libsqlite3-dev (>= 3.7.17), libwebkit2gtk-4.1-dev [!ia64 !kfreebsd-any], - libwebkit2gtk-5.0-dev [!ia64 !kfreebsd-any], + libwebkitgtk-6.0-dev [!ia64 !kfreebsd-any], libxml2-dev (>= 2.0.0), gtk-doc-tools (>= 1.14), gperf, diff -Nru evolution-data-server-3.46.4/debian/patches/M-107-Use-webkitgtk-6.0-API-version.patch evolution-data-server-3.46.4/debian/patches/M-107-Use-webkitgtk-6.0-API-version.patch --- evolution-data-server-3.46.4/debian/patches/M-107-Use-webkitgtk-6.0-API-version.patch 1970-01-01 01:00:00.0 +0100 +++ evolution-data-server-3.46.4/debian/patches/M-107-Use-webkitgtk-6.0-API-version.patch 2023-03-16 01:41:30.0 +0100 
@@ -0,0 +1,26 @@ +From: Michael Catanzaro +Date: Tue, 15 Nov 2022 08:58:38 + +Subject: M!107 - Use webkitgtk-6.0 API version + +In WebKitGTK 2.39.1, the GTK 4 API version has been renamed from webkit2gtk-5.0 to webkitgtk-6.0. + +Closes https://gitlab.gnome.org/GNOME/evolution-data-server/-/merge_requests/107 + +(cherry picked from commit cdb16f26f63f5093479a43cab32012845bcf33ed) +--- + CMakeLists.txt | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/CMakeLists.txt b/CMakeLists.txt +index 0eaa9b2..b99beb6 100644 +--- a/CMakeLists.txt b/CMakeLists.txt +@@ -424,7 +424,7 @@ if(ENABLE_GTK4) + + if(ENABLE_OAUTH2_WEBKITGTK4) + pkg_check_modules_for_option(ENABLE_OAUTH2_WEBKITGTK4 "WebKitGTK gtk4 for built-in OAuth2 authentications" OAUTH2_WEBKITGTK4 +- webkit2gtk-5.0>=${webkit2gtk4_minimum_version} ++ webkitgtk-6.0>=${webkit2gtk4_minimum_version} + ) + endif(ENABLE_OAUTH2_WEBKITGTK4) + endif(ENABLE_GTK4) diff -Nru evolution-data-server-3.46.4/debian/patches/M-108-Try-harder-to-support-webkitgtk-6.0.patch
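Review bot: the debian/changelog hunk says only "Cherry-pick build fixes for latest webkitgtk" and does not name the patch files that the debdiff adds (M-107-Use-webkitgtk-6.0-API-version.patch and M-108-Try-harder-to-support-webkitgtk-6.0.patch); listing them in the entry would let a reader match the changelog to the debdiff. In the CMakeLists.txt hunk of M-107 the module is renamed to webkitgtk-6.0 but the constraint still uses ${webkit2gtk4_minimum_version}; since the commit message dates the rename to WebKitGTK 2.39.1, it is worth confirming that this minimum is not lower than the first version that ships the new module name.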
Bug#1029206: [pre-approval] unblock: webkit2gtk 2.40.0-2
I have a slightly related question for the release team, and apologies in advance if I'm hijacking this thread.

WPE WebKit, the other major port of WebKit in Debian is also introducing a new API in 2.40.0, although in this case the old API will still be available (but deprecated) for a time.

Unlike WebKitGTK, WPE WebKit only has two reverse dependencies: cog (a mini browser developed by the same upstream team) and a GStreamer plugin (gstreamer1.0-wpe, part of the -plugins-bad set).

None of these packages plays a prominent role in the distribution so I think a transition could be handled with very low risk.

However I also realize that we're quite late in the freeze period, so I would like to ask: is it a good idea that I try to handle a transition for WPE WebKit? I will understand if the answer is negative.

Thanks!

Berto
Bug#1029206: [pre-approval] unblock: webkit2gtk 2.40.0-2
Upstream has just confirmed that the new WebKit API for GTK4 is final[1] so this is effectively a release candidate for WebKitGTK 2.40.0, to be released in ~10 days.

I just uploaded the packages, the GTK4 ones are in the NEW queue.

Jeremy, you can start testing the reverse dependencies whenever you want.

Berto

[1] https://discourse.gnome.org/t/webkitgtk-for-gtk-4-is-now-api-stable/14378
Bug#1029206: [pre-approval] unblock: webkit2gtk 2.40.0-2
On Mon, Mar 06, 2023 at 12:29:05PM +, Alberto Garcia wrote:

> > It's been a while. Any progress? It's getting late in the freeze
> > already.
> upstream confirmed that there are some last-minute changes to
> the API so the final soname will happen with the official 2.40.0
> release, which is planned on the weekend of the 18th of March:

Update: 2.39.91 has just been published, and upstream told me that no more API changes are expected before 2.40.0, so I'll enable the gtk4 packages and upload them to experimental now.

Berto
Bug#1029206: [pre-approval] unblock: webkit2gtk 2.40.0-2
On Sat, Mar 04, 2023 at 05:24:04PM +0100, Paul Gevers wrote:

> > All build scripts are ready and the new GTK4 packages can
> > already be enabled by simply flipping the value of a variable in
> > debian/rules. We are just waiting to know the final SONAME.
>
> It's been a while. Any progress? It's getting late in the freeze
> already.

Hi,

upstream confirmed that there are some last-minute changes to the API so the final soname will happen with the official 2.40.0 release, which is planned on the weekend of the 18th of March:

https://wiki.gnome.org/FortyFour

Berto
Bug#1029206: [pre-approval] unblock: webkit2gtk 2.40.0-2
On Sat, Mar 04, 2023 at 05:24:04PM +0100, Paul Gevers wrote:

> > All build scripts are ready and the new GTK4 packages can
> > already be enabled by simply flipping the value of a variable in
> > debian/rules. We are just waiting to know the final SONAME.
>
> It's been a while. Any progress? It's getting late in the freeze
> already.

I just contacted upstream to ask about this, I'll give you an answer asap.

Berto
Bug#1031405: unblock: webkit2gtk/2.38.5-1
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock the package webkit2gtk

The webkit2gtk and wpewebkit packages are updated regularly with security fixes (every month or two).

The last one (2.38.5-1, same version for both packages) is special because it contains a fix for a zero-day CVE that is known by Apple to have been actively exploited:

https://support.apple.com/en-us/HT213635
https://security-tracker.debian.org/tracker/CVE-2023-23529

Both packages have already been uploaded to bullseye-security and I'm planning to publish the DSA soon, but the transition from sid to bookworm will take 10 days.

It would be great if it was possible to speed up this process.

Please tell me if you need a separate unblock request for wpewebkit.

unblock webkit2gtk/2.38.5-1
Bug#1029206: [pre-approval] unblock: webkit2gtk 2.40.0-2
On Sat, Jan 21, 2023 at 05:43:11PM +0100, Sebastian Ramacher wrote:

> > [ Other Info ]
> > webkit2gtk generally follows the GNOME release schedule. [5] A beta
> > (2.39.90) is expected in February. A release candidate (2.39.91)
> > around March 6, and the first stable release (2.40.0) around March 20.
> > We intend to do a test build in experimental first. I think it makes
> > the most sense to wait for the 2.40.0 release and not push a prerelease
> > to Unstable/Testing.
> >
> > Ubuntu 23.04 will also switch to the 2.40 series by February or early
> > March. Ubuntu 22.10 will need to do this transition as stable release
> > updates.
> >
> > I don't have a ben file since the final soname isn't known yet.
>
> As soon as the new SONAME is known, an upload to experimental would
> be appreciated to go through NEW. Please let us know once it's
> available in experimental and the test builds have been performed.

Yes, that's the plan. All build scripts are ready and the new GTK4 packages can already be enabled by simply flipping the value of a variable in debian/rules. We are just waiting to know the final SONAME.

Berto
Bug#1006752: bullseye-pu: package epiphany-browser/3.38.2-1+deb11u2
On Fri, Mar 04, 2022 at 11:43:41AM +0100, Alberto Garcia wrote:

> [ Reason ]
> There is an open bug in GLib[1] that is crashing the Epiphany web
> browser (debian bug #1005810).
>
> While the GLib bug itself hasn't been solved yet this has been worked
> around in Epiphany:
>
> https://gitlab.gnome.org/GNOME/epiphany/-/commit/ff8ecbf673cd25f8ed34d4ccb29cc5d3d13cd683

Hello,

I see that the next bullseye point release (11.3) is scheduled for March 26:

https://lists.debian.org/debian-release/2022/03/msg00264.html

I wonder if we're still on time to include this fix, or if there's anything that I can do to help.

Regards,

Berto
Bug#1006752: bullseye-pu: package epiphany-browser/3.38.2-1+deb11u2
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu

[ Reason ]

There is an open bug in GLib[1] that is crashing the Epiphany web browser (debian bug #1005810).

While the GLib bug itself hasn't been solved yet this has been worked around in Epiphany:

https://gitlab.gnome.org/GNOME/epiphany/-/commit/ff8ecbf673cd25f8ed34d4ccb29cc5d3d13cd683

[ Impact ]

Renders the package unusable for some users.

[ Tests ]

Tests passed, no new checks.

[ Risks ]

Low, trivial patch already in all versions of Epiphany starting from 41.0 (including the ones currently in testing and unstable).

[ Checklist ]

  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

Berto

[1] https://gitlab.gnome.org/GNOME/glib/-/issues/1346

diff -Nru epiphany-browser-3.38.2/debian/changelog epiphany-browser-3.38.2/debian/changelog --- epiphany-browser-3.38.2/debian/changelog2022-01-12 18:33:21.0 +0100 +++ epiphany-browser-3.38.2/debian/changelog2022-03-04 11:17:26.0 +0100 @@ -1,3 +1,11 @@ +epiphany-browser (3.38.2-1+deb11u2) bullseye; urgency=medium + + * d/p/glib-bug-workaround.patch: +- Cherry pick upstream patch ff8ecbf6. This works around a bug in GLib + and fixes a UI process crash (Closes: #1005810). + + -- Alberto Garcia Fri, 04 Mar 2022 11:17:26 +0100 + epiphany-browser (3.38.2-1+deb11u1) bullseye-security; urgency=medium * d/p/encode-untrusted-data.patch: diff -Nru epiphany-browser-3.38.2/debian/patches/glib-bug-workaround.patch epiphany-browser-3.38.2/debian/patches/glib-bug-workaround.patch --- epiphany-browser-3.38.2/debian/patches/glib-bug-workaround.patch 1970-01-01 01:00:00.0 +0100 +++ epiphany-browser-3.38.2/debian/patches/glib-bug-workaround.patch 2022-03-04 11:16:58.0 +0100 
@@ -0,0 +1,30 @@ +From: Michael Catanzaro +Subject: remove user data from task to workaround glib bug +Origin: https://gitlab.gnome.org/GNOME/epiphany/-/commit/ff8ecbf673cd25f8ed34d4ccb29cc5d3d13cd683 +Bug-Debian: https://bugs.debian.org/1005810 +Index: epiphany-browser-3.38.2/src/ephy-session.c +=== +--- epiphany-browser-3.38.2.orig/src/ephy-session.c epiphany-browser-3.38.2/src/ephy-session.c +@@ -844,6 +844,12 @@ save_session_in_thread_finished_cb (GObj + gpointer user_data) + { + g_application_release (G_APPLICATION (ephy_shell_get_default ())); ++ ++ /* FIXME: this is a workaround for https://gitlab.gnome.org/GNOME/glib/-/issues/1346. ++ * After this GLib issue is fixed, we should instead pass save_data_free() as the ++ * GDestroyNotify parameter to g_task_set_task_data(). ++ */ ++ save_data_free (g_task_get_task_data (G_TASK (res))); + } + + static gboolean +@@ -1026,7 +1032,7 @@ ephy_session_save_idle_cb (EphySession * + session->save_cancellable = g_cancellable_new (); + task = g_task_new (session, session->save_cancellable, + save_session_in_thread_finished_cb, NULL); +- g_task_set_task_data (task, data, (GDestroyNotify)save_data_free); ++ g_task_set_task_data (task, data, NULL); + g_task_run_in_thread (task, save_session_sync); + g_object_unref (task); + diff -Nru epiphany-browser-3.38.2/debian/patches/series epiphany-browser-3.38.2/debian/patches/series --- epiphany-browser-3.38.2/debian/patches/series 2022-01-12 18:33:21.0 +0100 +++ epiphany-browser-3.38.2/debian/patches/series 2022-03-04 11:16:58.0 +0100 @@ -3,3 +3,4 @@ dont-make-compulsory.patch build-Allow-libportal-support-to-be-disabled.patch encode-untrusted-data.patch +glib-bug-workaround.patch
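Review bot: in the ephy_session_save_idle_cb hunk the GDestroyNotify passed to g_task_set_task_data() becomes NULL, so the save data is now released only when save_session_in_thread_finished_cb runs, and the task keeps a pointer to freed memory from that call until it is finalized. Suggest extending the FIXME to state that nothing may read the task data after the callback and that the data is not freed if the callback is never dispatched, so that whoever reverts the workaround once the GLib issue is fixed knows both constraints.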
Bug#991555: unblock: wpewebkit/2.32.3-1
Control: tags -1 -moreinfo
Control: retitle -1 unblock: wpewebkit/2.32.3-2

On Mon, Aug 02, 2021 at 04:53:09PM +0200, Alberto Garcia wrote:

> I think I can simply rebuild wpewebkit to force disabling that
> extension and then it should work with the wpebackend-fdo package in
> testing. I'll try to do it tonight.

I uploaded 2.32.3-2 that can be installed in bullseye with the current version of wpebackend-fdo.

Berto
Bug#991555: unblock: wpewebkit/2.32.3-1
On Sun, Aug 01, 2021 at 07:59:58PM +0200, Paul Gevers wrote:

> > Please unblock package wpewebkit
>
> wpewebkit is blocked behind wpebackend-fdo which was NACK'ed already
> due to build system changes. Can the upload be done in such a way
> that that dependency doesn't show up? Can wpebackend-fdo be reverted
> to unblock wpewebkit?

I think that this is because wpewebkit uses (when available) an extension that is available in the most recent wpebackend-fdo but not in the one in testing.

I think I can simply rebuild wpewebkit to force disabling that extension and then it should work with the wpebackend-fdo package in testing. I'll try to do it tonight.

Berto
Bug#991555: unblock: wpewebkit/2.32.3-1
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package wpewebkit Starting from bullseye we are providing security updates to wpewebkit, in the same way that we are already doing it for webkit2gtk. wpewebkit 2.32.3 is the most recent stable point release and contains fixes for 13 security bugs. See #991554 for more details because the list of bugs is the same one, as both wpewebkit and webkit2gtk share most of the code and the same comments apply. The only difference is that there won't be a security update for buster because wpewebkit is not covered by security support in that distribution. unblock wpewebkit/2.32.3-1 diff -Nru wpewebkit-2.32.1/debian/changelog wpewebkit-2.32.3/debian/changelog --- wpewebkit-2.32.1/debian/changelog 2021-05-08 16:53:58.0 +0200 +++ wpewebkit-2.32.3/debian/changelog 2021-07-25 00:45:03.0 +0200 
@@ -1,3 +1,28 @@ +wpewebkit (2.32.3-1) unstable; urgency=high + + * New upstream release. + * The WPE WebKit security advisory WSA-2021-0004 lists the following +security fixes in the latest versions of WPE WebKit: ++ CVE-2021-30666, CVE-2021-30761 (fixed in 2.26.0). ++ CVE-2021-30762 (fixed in 2.28.0). ++ CVE-2021-1817, CVE-2021-1820, CVE-2021-1825, CVE-2021-1826, + CVE-2021-30661 (fixed in 2.30.0). ++ CVE-2021-21806 (fixed in 2.30.6). ++ CVE-2021-30682 (fixed in 2.32.0). ++ CVE-2021-30758 (fixed in 2.32.2). ++ CVE-2021-21775, CVE-2021-21779, CVE-2021-30663, CVE-2021-30665, + CVE-2021-30689, CVE-2021-30720, CVE-2021-30734, CVE-2021-30744, + CVE-2021-30749, CVE-2021-30795, CVE-2021-30797, CVE-2021-30799 + (fixed in 2.32.3). + + -- Alberto Garcia Sun, 25 Jul 2021 00:45:03 +0200 + +wpewebkit (2.32.2-1) unstable; urgency=medium + + * New upstream release. + + -- Alberto Garcia Mon, 12 Jul 2021 22:06:41 +0200 + wpewebkit (2.32.1-1) unstable; urgency=medium * New upstream release. diff -Nru wpewebkit-2.32.1/debian/patches/fix-ftbfs-m68k.patch wpewebkit-2.32.3/debian/patches/fix-ftbfs-m68k.patch --- wpewebkit-2.32.1/debian/patches/fix-ftbfs-m68k.patch2021-05-08 16:53:58.0 +0200 +++ wpewebkit-2.32.3/debian/patches/fix-ftbfs-m68k.patch2021-07-25 00:45:03.0 +0200 @@ -196,3 +196,19 @@ bool CSSValue::isImplicitInitialValue() const { +Index: webkitgtk/Source/WebCore/rendering/InlineFlowBox.cpp +=== +--- webkitgtk.orig/Source/WebCore/rendering/InlineFlowBox.cpp webkitgtk/Source/WebCore/rendering/InlineFlowBox.cpp +@@ -53,7 +53,11 @@ struct SameSizeAsInlineFlowBox : public + void* pointers[5]; + }; + ++#if defined(__m68k__) ++COMPILE_ASSERT(sizeof(InlineFlowBox) >= sizeof(SameSizeAsInlineFlowBox), InlineFlowBox_should_stay_small); ++#else + COMPILE_ASSERT(sizeof(InlineFlowBox) == sizeof(SameSizeAsInlineFlowBox), InlineFlowBox_should_stay_small); ++#endif + + #if !ASSERT_WITH_SECURITY_IMPLICATION_DISABLED +
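Review bot: the debdiff changes debian/patches/fix-ftbfs-m68k.patch (a new InlineFlowBox.cpp section), but neither the 2.32.2-1 nor the 2.32.3-1 changelog entry for wpewebkit mentions it; they list only the new upstream release and, for 2.32.3-1, the advisory's CVE list. Add an item such as "debian/patches/fix-ftbfs-m68k.patch: Update patch." so that the change is documented in d/changelog.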
Bug#991554: unblock: webkit2gtk/2.32.3-1
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package webkit2gtk Starting from buster webkit2gtk has been receiving security updates, with a dozen DSAs published so far, at a pace of once every month or two. These updates follow the upstream stable releases. webkit2gtk 2.32.3 is the most recent stable point release. It was published on the 23rd of July, and contains fixes for 13 security bugs: CVE-2021-21775, CVE-2021-21779, CVE-2021-30663, CVE-2021-30665, CVE-2021-30689, CVE-2021-30720, CVE-2021-30734, CVE-2021-30744, CVE-2021-30749, CVE-2021-30758, CVE-2021-30795, CVE-2021-30797 and CVE-2021-30799 See the upstream security advisory for more details: https://webkitgtk.org/security/WSA-2021-0004.html (note that it includes bugs that were fixed in earlier WebKitGTK releases) The debian part of the debdiff (attached) contains no changes other than an update for a m68k-specific patch that fixes the build in that architecture. After this is unblocked I'll prepare a security update for buster. unblock webkit2gtk/2.32.3-1 diff -Nru webkit2gtk-2.32.1/debian/changelog webkit2gtk-2.32.3/debian/changelog --- webkit2gtk-2.32.1/debian/changelog 2021-06-07 10:39:51.0 +0200 +++ webkit2gtk-2.32.3/debian/changelog 2021-07-25 00:25:47.0 +0200 
@@ -1,3 +1,30 @@ +webkit2gtk (2.32.3-1) unstable; urgency=high + + * New upstream release. + * The WebKitGTK security advisory WSA-2021-0004 lists the following +security fixes in the latest versions of WebKitGTK: ++ CVE-2021-30666, CVE-2021-30761 (fixed in 2.26.0). ++ CVE-2021-30762 (fixed in 2.28.0). ++ CVE-2021-1817, CVE-2021-1820, CVE-2021-1825, CVE-2021-1826, + CVE-2021-30661 (fixed in 2.30.0). ++ CVE-2021-21806 (fixed in 2.30.6). ++ CVE-2021-30682 (fixed in 2.32.0). ++ CVE-2021-30758 (fixed in 2.32.2). ++ CVE-2021-21775, CVE-2021-21779, CVE-2021-30663, CVE-2021-30665, + CVE-2021-30689, CVE-2021-30720, CVE-2021-30734, CVE-2021-30744, + CVE-2021-30749, CVE-2021-30795, CVE-2021-30797, CVE-2021-30799 + (fixed in 2.32.3). + + -- Alberto Garcia Sun, 25 Jul 2021 00:25:47 +0200 + +webkit2gtk (2.32.2-1) unstable; urgency=medium + + * New upstream release. + * debian/patches/fix-ftbfs-m68k.patch: ++ Update patch. + + -- Alberto Garcia Fri, 09 Jul 2021 13:41:26 +0200 + webkit2gtk (2.32.1-2) unstable; urgency=high * debian/control: diff -Nru webkit2gtk-2.32.1/debian/patches/fix-ftbfs-m68k.patch webkit2gtk-2.32.3/debian/patches/fix-ftbfs-m68k.patch --- webkit2gtk-2.32.1/debian/patches/fix-ftbfs-m68k.patch 2021-06-07 10:39:51.0 +0200 +++ webkit2gtk-2.32.3/debian/patches/fix-ftbfs-m68k.patch 2021-07-25 00:25:47.0 +0200 @@ -196,3 +196,19 @@ bool CSSValue::isImplicitInitialValue() const { +Index: webkitgtk/Source/WebCore/rendering/InlineFlowBox.cpp +=== +--- webkitgtk.orig/Source/WebCore/rendering/InlineFlowBox.cpp webkitgtk/Source/WebCore/rendering/InlineFlowBox.cpp +@@ -53,7 +53,11 @@ struct SameSizeAsInlineFlowBox : public + void* pointers[5]; + }; + ++#if defined(__m68k__) ++COMPILE_ASSERT(sizeof(InlineFlowBox) >= sizeof(SameSizeAsInlineFlowBox), InlineFlowBox_should_stay_small); ++#else + COMPILE_ASSERT(sizeof(InlineFlowBox) == sizeof(SameSizeAsInlineFlowBox), InlineFlowBox_should_stay_small); ++#endif + + #if !ASSERT_WITH_SECURITY_IMPLICATION_DISABLED +
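Review bot: in the InlineFlowBox.cpp section added to fix-ftbfs-m68k.patch, the m68k branch relaxes the size check from == to >=, so on that architecture the assertion named InlineFlowBox_should_stay_small no longer fails if InlineFlowBox grows. The patch gives no reason why the sizes differ on m68k; a short comment above the #if defined(__m68k__) line, plus a note on whether the change was forwarded upstream, would help whoever refreshes the patch next.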
Bug#990754: unblock: wpewebkit/2.32.1-1
On Thu, Jul 15, 2021 at 09:32:42PM +0200, Sebastian Ramacher wrote:

> > We synced up with this before; wpewebkit is closely related to
> > webkit and Alberto will keep both updated in stable.
>
> Is this also the plan for cog, wpebackend-fdo and libwpe?

I don't think those _require_ stable updates. If there is a situation in which a new wpewebkit requires a newer wpebackend-fdo or libwpe then we would need to handle that on a case-by-case basis (as far as I'm aware that only happened once in the history of the WPE WebKit project).

Then again all those packages are part of the same project and developed by the same team upstream, so keeping them up-to-date is probably not a bad idea, but that we can handle in point releases if we think it's a good idea.

For bullseye and since we just unblocked wpewebkit it would be nice to start with the most recent versions of the other three packages, but I realize we're very close to the release date so I'm not going to insist very strongly :-)

Berto
Bug#990945: unblock: cog/0.10.0-2
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package cog I filed a separate bug report (#990754) requesting to unblock wpewebkit so it is up-to-date in order to provide security releases for bullseye. To that end and for the same reasons I would also like to request the unblocking of cog, a simple, single-window web browser that uses wpewebkit. Cog is the main user of WPE WebKit in Debian and is developed by the same upstream team. The reason why I think that it is interesting to have the latest version in bullseye is its low risk (it has no reverse dependencies) and the fact that it provides two additional platform plugins: DRM (for the Linux Direct Rendering Manager) and headless (a plugin that does not produce output and can be used without any graphics hardware). The version currently in testing only supports Wayland output. See #990754 for more details. unblock cog/0.10.0-2 diff --git a/debian/changelog b/debian/changelog index beecb16..c8eaa3d 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,28 @@ +cog (0.10.0-2) unstable; urgency=medium + + * debian/control: +- Build with libwpebackend-fdo-1.0-dev 1.10.0. This enables SHM buffer + exports. + + -- Alberto Garcia Wed, 16 Jun 2021 15:31:16 +0200 + +cog (0.10.0-1) experimental; urgency=medium + + * New upstream release. + * debian/control: +- Add build dependencies on libdrm-dev, libgbm-dev and libinput-dev. + * debian/install: +- Install all platform plugins (this version builds two new ones: drm + and headless). + * debian/cog.lintian-overrides: +- Override sharedobject-in-library-directory-missing-soname in all + plugins +- Override library-not-linked-against-libc in the headless plugin + (this is a false positive, this plugin does not use libc symbols) + * Drop use-fdo-backend.patch. + + -- Alberto Garcia Tue, 18 May 2021 23:25:25 +0200 + cog (0.8.1-1) unstable; urgency=medium * New upstream release. 
diff --git a/debian/cog.lintian-overrides b/debian/cog.lintian-overrides index 0023111..b7be197 100644 --- a/debian/cog.lintian-overrides +++ b/debian/cog.lintian-overrides @@ -1,2 +1,3 @@ -cog: sharedobject-in-library-directory-missing-soname usr/lib/*/libcogplatform-fdo.so +cog: library-not-linked-against-libc usr/lib/*/libcogplatform-headless.so +cog: sharedobject-in-library-directory-missing-soname usr/lib/*/libcogplatform-*.so cog: package-name-doesnt-match-sonames libcogcore1 diff --git a/debian/control b/debian/control index c29a56f..91b5b38 100644 --- a/debian/control +++ b/debian/control @@ -5,8 +5,11 @@ Maintainer: Alberto Garcia Build-Depends: debhelper-compat (= 12), cmake, libcairo-dev, + libdrm-dev, + libgbm-dev, + libinput-dev, libwayland-dev, - libwpebackend-fdo-1.0-dev, + libwpebackend-fdo-1.0-dev (>= 1.10.0), libwpewebkit-1.0-dev, wayland-protocols Standards-Version: 4.5.1 diff --git a/debian/install b/debian/install index dec1194..bd32724 100644 --- a/debian/install +++ b/debian/install @@ -1,4 +1,4 @@ usr/bin/* usr/lib/*/*.so.* -usr/lib/*/libcogplatform-fdo.so +usr/lib/*/libcogplatform-*.so usr/share/man diff --git a/debian/patches/series b/debian/patches/series deleted file mode 100644 index 2368f97..000 --- a/debian/patches/series +++ /dev/null @@ -1 +0,0 @@ -use-fdo-backend.patch diff --git a/debian/patches/use-fdo-backend.patch b/debian/patches/use-fdo-backend.patch deleted file mode 100644 index 5e138fb..000 --- a/debian/patches/use-fdo-backend.patch +++ /dev/null 
@@ -1,22 +0,0 @@ -From: Alberto Garcia -Subject: Default to the fdo backend if none is specified -diff --git a/cog.c b/cog.c -index 6f30bb7..f9d164d 100644 a/cog.c -+++ b/cog.c -@@ -309,11 +309,12 @@ platform_setup (CogShell *shell) - * a given platform. - */ - -+if (!s_options.platform_name) { -+s_options.platform_name = g_strdup("fdo"); -+} -+ - g_debug ("%s: Platform name: %s", __func__, s_options.platform_name); - --if (!s_options.platform_name) --return FALSE; -- - g_autofree char *platform_soname = - g_strdup_printf ("libcogplatform-%s.so", s_options.platform_name); - g_clear_pointer (_options.platform_name, g_free);
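Review bot: the deletion of debian/patches/use-fdo-backend.patch and debian/patches/series is recorded in the changelog only as "Drop use-fdo-backend.patch", with no reason given. The removed patch made cog fall back to the fdo platform when s_options.platform_name was unset, where the unpatched code returned FALSE, so the entry should say whether 0.10.0 now selects a default platform itself or whether users must pass one explicitly.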
Bug#990754: unblock: wpewebkit/2.32.1-1
On Wed, Jul 07, 2021 at 11:53:16AM +0200, Moritz Muehlenhoff wrote:

> > The concern also extends to web rendering engines not explicitly
> > mentioned here, with the exception of webkit2gtk.
>
> Good point wrt the releases notes part. I guess we should simply
> make this "with the exception of webkit2gtk/wpewebkit". Alberto,
> could you file a bug against the release notes?

Done, #990940

Berto
Bug#990810: unblock: libwpe/1.10.0-2
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package libwpe I filed a separate bug report (#990754) requesting to unblock wpewebkit so it is up-to-date in order to provide security releases for bullseye. To that end and for the same reasons I would also like to request the unblocking of libwpe, a library developed by the same team as part of the WPE WebKit project that defines a set of interfaces used by wpewebkit. See #990754 for more details. unblock libwpe/1.10.0-2 -- System Information: Debian Release: 10.10 APT prefers stable APT policy: (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 4.19.0-17-amd64 (SMP w/4 CPU cores) Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8), LANGUAGE=en_US.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled diff -Nru libwpe-1.6.0/debian/changelog libwpe-1.10.0/debian/changelog --- libwpe-1.6.0/debian/changelog 2020-03-12 00:32:32.0 +0100 +++ libwpe-1.10.0/debian/changelog 2021-06-15 19:01:32.0 +0200 @@ -1,3 +1,24 @@ +libwpe (1.10.0-2) unstable; urgency=medium + + * Upload to unstable. + + -- Alberto Garcia Tue, 15 Jun 2021 19:01:32 +0200 + +libwpe (1.10.0-1) experimental; urgency=medium + + * New upstream release. + * debian/copyright: ++ Update copyright years. + * debian/libwpe-1.0-1.symbols: ++ Update symbols + * debian/control: ++ Update Standards-Version to 4.5.1 (no changes). + * debian/watch: ++ Set version to 4 (fixes older-debian-watch-file-standard) ++ Scan stable releases only. + + -- Alberto Garcia Sat, 27 Mar 2021 23:08:25 +0100 + libwpe (1.6.0-1) unstable; urgency=medium * New upstream release. diff -Nru libwpe-1.6.0/debian/control libwpe-1.10.0/debian/control --- libwpe-1.6.0/debian/control 2020-03-12 00:32:32.0 +0100 +++ libwpe-1.10.0/debian/control2021-06-15 19:01:32.0 +0200 
@@ -8,7 +8,7 @@ libegl1-mesa-dev, libxkbcommon-dev, cmake -Standards-Version: 4.5.0 +Standards-Version: 4.5.1 Rules-Requires-Root: no Vcs-Browser: https://salsa.debian.org/webkit-team/libwpe Vcs-Git: https://salsa.debian.org/webkit-team/libwpe.git diff -Nru libwpe-1.6.0/debian/copyright libwpe-1.10.0/debian/copyright --- libwpe-1.6.0/debian/copyright 2020-03-12 00:32:32.0 +0100 +++ libwpe-1.10.0/debian/copyright 2021-06-15 19:01:32.0 +0200 @@ -3,7 +3,7 @@ Source: https://wpewebkit.org/releases/ Files: * -Copyright: © 2018-2020 Igalia, S.L. +Copyright: © 2018-2021 Igalia, S.L. License: BSD-2-clause Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions diff -Nru libwpe-1.6.0/debian/libwpe-1.0-1.symbols libwpe-1.10.0/debian/libwpe-1.0-1.symbols --- libwpe-1.6.0/debian/libwpe-1.0-1.symbols2020-03-12 00:32:32.0 +0100 +++ libwpe-1.10.0/debian/libwpe-1.0-1.symbols 2021-06-15 19:01:32.0 +0200 @@ -1,7 +1,5 @@ libwpe-1.0.so.1 libwpe-1.0-1 #MINVER# * Build-Depends-Package: libwpe-1.0-dev - (optional)_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEE12_M_constructIPKcEEvT_S8_St20forward_iterator_tag@Base 1.3.0 - (optional)_ZNSt8_Rb_treeINSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEESt4pairIKS5_S5_ESt10_Select1stIS8_ESt4lessIS5_ESaIS8_EE8_M_eraseEPSt13_Rb_tree_nodeIS8_E@Base 1.3.0 wpe_backend_get_major_version@Base 1.3.0 wpe_backend_get_micro_version@Base 1.3.0 wpe_backend_get_minor_version@Base 1.3.0 
@@ -38,6 +36,7 @@ wpe_renderer_backend_egl_offscreen_target_get_native_window@Base 1.3.0 wpe_renderer_backend_egl_offscreen_target_initialize@Base 1.3.0 wpe_renderer_backend_egl_target_create@Base 1.3.0 + wpe_renderer_backend_egl_target_deinitialize@Base 1.10.0 wpe_renderer_backend_egl_target_destroy@Base 1.3.0 wpe_renderer_backend_egl_target_dispatch_frame_complete@Base 1.3.0 wpe_renderer_backend_egl_target_frame_rendered@Base 1.3.0 diff -Nru libwpe-1.6.0/debian/watch libwpe-1.10.0/debian/watch --- libwpe-1.6.0/debian/watch 2020-03-12 00:32:32.0 +0100 +++ libwpe-1.10.0/debian/watch 2021-06-15 19:01:32.0 +0200 @@ -1,3 +1,3 @@ -version=3 +version=4 opts=pgpsigurlmangle=s/$/.asc/ \ -https://wpewebkit.org/releases/ libwpe-(.*).tar.xz +https://wpewebkit.org/releases/ libwpe-(\d+\.\d*[02468]\.\d+).tar.xz
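Review bot: in the debian/watch hunk the new version group (\d+\.\d*[02468]\.\d+) escapes its dots, but the suffix is still written .tar.xz, where each dot matches any character. Writing it as \.tar\.xz would keep the pattern consistent. A comment in the file saying that [02468] restricts the scan to even minor versions, which the changelog describes as "Scan stable releases only", would also make the intent clear to the next person editing it.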
Bug#990809: unblock: wpebackend-fdo/1.10.0-2
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package wpebackend-fdo I filed a separate bug report (#990754) requesting to unblock wpewebkit so it is up-to-date in order to provide security releases for bullseye. To that end and for the same reasons I would also like to request the unblocking of wpebackend-fdo, a Wayland backend required by wpewebkit and developed by the same WPE WebKit team. See #990754 for more details. unblock wpebackend-fdo/1.10.0-2 -- System Information: Debian Release: 10.10 APT prefers stable APT policy: (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 4.19.0-17-amd64 (SMP w/4 CPU cores) Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8), LANGUAGE=en_US.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled diff -Nru wpebackend-fdo-1.8.0/debian/changelog wpebackend-fdo-1.10.0/debian/changelog --- wpebackend-fdo-1.8.0/debian/changelog 2020-09-12 23:48:20.0 +0200 +++ wpebackend-fdo-1.10.0/debian/changelog 2021-06-16 11:29:41.0 +0200 
@@ -1,3 +1,59 @@ +wpebackend-fdo (1.10.0-2) unstable; urgency=medium + + * Upload to unstable. + + -- Alberto Garcia Wed, 16 Jun 2021 11:29:41 +0200 + +wpebackend-fdo (1.10.0-1) experimental; urgency=medium + + * New upstream release. + * debian/watch: ++ Fix regular expression to scan stable releases. + * debian/control: ++ Replace build dependency on cmake with meson. ++ Remove build dependency on libegl1-mesa-dev. + * debian/libwpebackend-fdo-1.0-1.symbols: ++ Update symbols. + * debian/copyright: ++ Remove deleted files. + + -- Alberto Garcia Mon, 07 Jun 2021 23:57:03 +0200 + +wpebackend-fdo (1.8.4-1) experimental; urgency=medium + + * New upstream release. + * debian/libwpebackend-fdo-1.0-1.symbols: ++ Update symbols. + + -- Alberto Garcia Wed, 12 May 2021 21:23:59 +0200 + +wpebackend-fdo (1.8.3-1) experimental; urgency=medium + + * New upstream release. + * debian/control: ++ Update Standards-Version to 4.5.1 (no changes). + + -- Alberto Garcia Wed, 31 Mar 2021 01:08:01 +0200 + +wpebackend-fdo (1.8.2-1) unstable; urgency=medium + + * New upstream release. + * debian/copyright: ++ Update copyright years. + + -- Alberto Garcia Thu, 18 Mar 2021 17:05:26 +0100 + +wpebackend-fdo (1.8.1-1) unstable; urgency=medium + + * New upstream release. + * debian/control: ++ Explain how WebKitGTK uses this package. + * debian/watch: ++ Track stable releases only. ++ Set version to 4 (fixes older-debian-watch-file-standard) + + -- Alberto Garcia Wed, 10 Mar 2021 14:59:13 +0100 + wpebackend-fdo (1.8.0-1) unstable; urgency=medium * New upstream release. diff -Nru wpebackend-fdo-1.8.0/debian/control wpebackend-fdo-1.10.0/debian/control --- wpebackend-fdo-1.8.0/debian/control 2020-09-12 23:48:20.0 +0200 +++ wpebackend-fdo-1.10.0/debian/control2021-06-16 11:29:41.0 +0200 
@@ -4,13 +4,12 @@ Maintainer: Debian WebKit Maintainers Uploaders: Alberto Garcia Build-Depends: debhelper-compat (= 12), - cmake, - libegl1-mesa-dev, + meson, libepoxy-dev, libglib2.0-dev, libwayland-dev, libwpe-1.0-dev (>= 1.5.90) -Standards-Version: 4.5.0 +Standards-Version: 4.5.1 Rules-Requires-Root: no Vcs-Browser: https://salsa.debian.org/webkit-team/wpebackend-fdo Vcs-Git: https://salsa.debian.org/webkit-team/wpebackend-fdo.git @@ -33,6 +32,9 @@ FreeDesktop.org technologies (Wayland protocol and the Wayland EGL platform) to enable integration into the WPE WebKit process model. . + In addition to WPE WebKit, wpebackend-fdo is also used by WebKitGTK + to implement hardware-accelerated rendering under Wayland. + . This package contains the development files. Package: libwpebackend-fdo-1.0-1 @@ -48,4 +50,7 @@ FreeDesktop.org technologies (Wayland protocol and the Wayland EGL platform) to enable integration into the WPE WebKit process model. . + In addition to WPE WebKit, wpebackend-fdo is also used by WebKitGTK + to implement hardware-accelerated rendering under Wayland. + . This package contains the shared libraries. diff -Nru wpebackend-fdo-1.8.0/debian/copyright wpebackend-fdo-1.10.0/debian/copyright --- wpebackend-fdo-1.8.0/debian/copyright 2020-09-12 23:48:20.0 +0200 +++ wpebackend-fdo-1.10.0/debian/copyright 2021-06-16 11:29:41.0 +0200 @@ -3,7 +3,7 @@ Source: https://wpewebkit.org/releases/ Files: * -Copyright: © 2017-2020 Igalia, S.L. +Copyright: © 2017-2021 Igalia, S.L. License: BSD-2-clause Files: src/bridge/wpe-bridge.xml @@ -15,12 +15,8 @@ © 2014, 2015 Collabora, Ltd. License: Expat -Files: cmake/FindGLIB.cmake -Copyright: © 2012 Raphael Kubo
Bug#990754: unblock: wpewebkit/2.32.1-1
On Wed, Jul 07, 2021 at 06:40:39PM +0200, Sebastian Ramacher wrote: > > At the moment doing an additional security release for wpewebkit > > is going to be little more than adapting the webkit2gtk advisory. > > ACK, then please send a (filtered) debdiff for wpewebkit to the bug > report so that we can look at unblocking it. Attached. Berto diff -Nru wpewebkit-2.30.6/debian/changelog wpewebkit-2.32.1/debian/changelog --- wpewebkit-2.30.6/debian/changelog 2021-03-19 20:17:01.0 +0100 +++ wpewebkit-2.32.1/debian/changelog 2021-05-08 16:53:58.0 +0200 @@ -1,3 +1,39 @@ +wpewebkit (2.32.1-1) unstable; urgency=medium + + * New upstream release. + * debian/patches/revert-soname-change.patch: ++ Drop this patch, this is now upstream. + * debian/patches/fix-ftbfs-m68k.patch: ++ Update patch. + + -- Alberto Garcia Sat, 08 May 2021 16:53:58 +0200 + +wpewebkit (2.32.0-2) unstable; urgency=medium + + * debian/patches/fix-ftbfs-m68k.patch: ++ Compile BytecodeGenerator.cpp without optimizations on m68k and sh4, + otherwise the build fails due to gcc bugs. + + -- Alberto Garcia Thu, 22 Apr 2021 15:24:36 +0200 + +wpewebkit (2.32.0-1) experimental; urgency=medium + + * New upstream release. + * debian/gbp.conf: ++ Update upstream branch name. + * Use -DFORCE_32BIT on 32-bit builds. ++ This replaces debian/patches/fix-ftbfs-x86.patch. + * Refresh all patches. + * Update copyright information of all files. + * debian/control: ++ Add build dependencies on libglib2.0-doc and libsoup2.4-doc. + * debian/libwpewebkit-1.0-3.symbols: ++ Update symbols. + * debian/patches/revert-soname-change.patch: ++ Revert upstream soname change. + + -- Alberto Garcia Tue, 06 Apr 2021 11:20:35 +0200 + wpewebkit (2.30.6-1) unstable; urgency=high * New upstream release. diff -Nru wpewebkit-2.30.6/debian/control wpewebkit-2.32.1/debian/control --- wpewebkit-2.30.6/debian/control 2021-03-19 20:17:01.0 +0100 +++ wpewebkit-2.32.1/debian/control 2021-05-08 16:53:58.0 +0200 
@@ -35,7 +35,9 @@ ninja-build, ruby:native, wayland-protocols -Build-Depends-Indep: gtk-doc-tools +Build-Depends-Indep: gtk-doc-tools, + libglib2.0-doc, + libsoup2.4-doc Standards-Version: 4.5.1 Rules-Requires-Root: no Vcs-Browser: https://salsa.debian.org/webkit-team/webkit diff -Nru wpewebkit-2.30.6/debian/copyright wpewebkit-2.32.1/debian/copyright --- wpewebkit-2.30.6/debian/copyright 2021-03-19 20:17:01.0 +0100 +++ wpewebkit-2.32.1/debian/copyright 2021-05-08 16:53:58.0 +0200 @@ -8,14 +8,14 @@ 1999-2000 Lars Knoll 2001 Dirk Mueller 2002-2013 Vivek Thampi - 2003-2020 Apple Inc + 2003-2021 Apple Inc 2004-2006 Rob Buis 2004-2008 Nikolas Zimmermann - 2005 Alexey Proskuryakov 2005 Frerich Raabe 2005 Maksim Orlovich - 2005, 2007-2013, 2015, 2017-2020 Google Inc + 2005, 2007-2013, 2015, 2017-2021 Google Inc 2005, 2008-2013 Nokia + 2005-2006 Alexey Proskuryakov 2005-2006 Kimmo Kinnunen 2005-2008 Eric Seidel 2006 Alexander Kellett @@ -46,7 +46,7 @@ 2009-2010 Holger Hans Peter Freyther 2009-2011 Brent Fulgham 2009-2015 University of Szeged - 2009-2020 Igalia S.L. + 2009-2021 Igalia S.L. 2010 Andras Becsi , University of Szeged 2010 Mozilla Corporation 2010 Peter Varga , University of Szeged @@ -70,7 +70,7 @@ 2011 Peter Varga , University of Szeged 2011 ProFUSION embedded systems 2011 Renata Hodovan - 2011, 2015-2017 The Chromium Authors + 2011, 2014-2017 The Chromium Authors 2011-2012, 2014-2015 Ericsson AB 2011-2013 Intel Corporation 2011-2013 Samsung Electronics @@ -111,14 +111,14 @@ 2015, 2018 Andy VanWagoner 2015-2016 Sukolsak Sakshuwong 2015-2017 Canon Inc - 2015-2017 Devin Rousso + 2015-2020 Devin Rousso 2016 Caitlin Potter 2016 Konstantin Tokavev 2016 Yusuke Suzuki 2016-2018 Akamai Technologies Inc 2016-2019 Oleksandr Skachkov - 2016-2020 Metrological Group B.V - 2016-2020 Sony Interactive Entertainment + 2016-2021 Metrological Group B.V + 2016-2021 Sony Interactive Entertainment 2017 Caio Lima 2017 Endless Mobile Inc 2017 Oleksandr Skachkov 
@@ -126,7 +126,8 @@ 2018 Yusuke Suzuki 2018 mce sys Ltd 2019 Carlos Eduardo Ramalho - 2019-2020 Alexey Shvayka + 2019-2021 Alexey Shvayka + 2020 Cloudinary Inc 2020 Darryl Pogue
Bug#990754: unblock: wpewebkit/2.32.1-1
On Wed, Jul 07, 2021 at 11:53:16AM +0200, Moritz Muehlenhoff wrote:

> > What's the security team's take on this? Will browsers other than
> > firefox, chromium and webkit2gtk itself be security supported
> > throughout bullseye's lifetime?
>
> We synced up with this before; wpewebkit is closely related to
> webkit and Alberto will keep both updated in stable.

As I said wpewebkit and webkit2gtk releases are made almost in parallel, the numbering scheme, etc., is almost identical and they have joint security advisories[1].

A longer term upstream goal would be to merge both projects and make the GTK API a layer on top of wpewebkit, but this is not currently on the roadmap.

At the moment doing an additional security release for wpewebkit is going to be little more than adapting the webkit2gtk advisory.

> > The concern also extends to web rendering engines not explicitly
> > mentioned here, with the exception of webkit2gtk.
>
> Good point wrt the releases notes part. I guess we should simply
> make this "with the exception of webkit2gtk/wpewebkit". Alberto,
> could you file a bug against the release notes?

Yes, but thinking about it there is something new in bullseye and I would like to discuss it because it affects webkit2gtk as well.

The WPE WebKit project has a couple of additional libraries called libwpe and wpebackend-fdo. They are used by wpewebkit and, since a couple of years ago, also by webkit2gtk to implement hardware-accelerated rendering under Wayland.

In the case of webkit2gtk this dependency is optional but recommended. The buster builds of webkit2gtk are made with all wpe libraries disabled because those packages were never available in buster in the first place. In bullseye they are enabled so any security update for bullseye would need to have them enabled as well.

Both libwpe and wpebackend-fdo are projects with little activity and generally few and small changes. I don't expect that building the latest version of webkit2gtk or wpewebkit for a security update requires updating any of those libraries, but I think it can theoretically happen.

Is there a way to handle that in Debian?

Berto

[1] https://lists.webkit.org/pipermail/webkit-gtk/2021-March/003689.html
Bug#990754: unblock: wpewebkit/2.32.1-1
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package wpewebkit

webkit2gtk was unblocked last month, testing has the most recent stable version and we will provide security updates during the lifetime of bullseye, as we already did during buster.

wpewebkit is another official port of webkit. It's maintained by the same team, follows a very similar release schedule and numbering system, shares most of the code and almost all CVE fixes apply to both ports.

Because of this it won't take me too much effort to prepare security updates for wpewebkit so the Debian security team is proposing that we also provide them.

If we do this we should unblock the package and put the latest stable version in testing. At the moment the only user of wpewebkit in Debian is cog, which is a simple, single-window web browser, developed and released by the same team. So we should also unblock cog and the two other libraries that are part of the wpewebkit releases: libwpe and wpebackend-fdo (I don't know if you need separate bugs to unblock those).

If we don't do this then it's probably a good idea to mention in the release notes that wpewebkit is not covered by security updates.

unblock wpewebkit/2.32.1-1
Bug#989595: unblock: webkit2gtk/2.32.1-2
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package webkit2gtk webkit2gtk has always used (and recommended) gstreamer1.0-plugins-good for media playback, but since 2.32.x it will crash (assert) if a suitable plugin is not found. gstreamer1.0-plugins-good is one of the most installed packages in Debian and is used by many multimedia apps so the chances of it being missing are low, but they are still there. See #989332 for an example and #989198 (message 29) for more details on the problem. This upload changes gstreamer1.0-plugins-good from a recommendation to a dependency and also recommends plugins-bad (needed for e.g. YouTube videos). Debdiff attached. Regards, Berto unblock webkit2gtk/2.32.1-2 diff -Nru webkit2gtk-2.32.1/debian/changelog webkit2gtk-2.32.1/debian/changelog --- webkit2gtk-2.32.1/debian/changelog 2021-05-10 12:20:44.0 +0200 +++ webkit2gtk-2.32.1/debian/changelog 2021-06-07 10:39:51.0 +0200 @@ -1,3 +1,14 @@ +webkit2gtk (2.32.1-2) unstable; urgency=high + + * debian/control: ++ Update the dependencies on GStreamer plugins (Closes: #989332): + - WebKitGTK really expects at least the -base and -good sets. + - For video playback (e.g YouTube) -bad is also recommended. + - The pulseaudio plugin was merged into the -good package so it will +be always be available now. Move -alsa to Suggests. + + -- Alberto Garcia Mon, 07 Jun 2021 10:39:51 +0200 + webkit2gtk (2.32.1-1) unstable; urgency=medium * New upstream release. diff -Nru webkit2gtk-2.32.1/debian/control webkit2gtk-2.32.1/debian/control --- webkit2gtk-2.32.1/debian/control2021-05-10 12:20:44.0 +0200 +++ webkit2gtk-2.32.1/debian/control2021-06-07 10:39:51.0 +0200 
@@ -138,16 +138,18 @@ Multi-Arch: same Pre-Depends: ${misc:Pre-Depends} Depends: libjavascriptcoregtk-4.0-18 (= ${binary:Version}), + gstreamer1.0-plugins-base, + gstreamer1.0-plugins-good, ${bwrap:Depends}, ${shlibs:Depends}, ${misc:Depends} -Recommends: gstreamer1.0-plugins-good, -gstreamer1.0-pulseaudio | gstreamer1.0-alsa, +Recommends: gstreamer1.0-plugins-bad, gstreamer1.0-gl, libgl1-mesa-dri, ${bwrap:Recommends}, ${gst:Recommends} -Suggests: ${gst:Suggests} +Suggests: ${gst:Suggests}, + gstreamer1.0-alsa Breaks: evolution (<< 3.34.1) Description: Web content engine library for GTK WebKit is a web content engine, derived from KHTML and KJS from KDE, and
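Review bot: the changelog entry added for 2.32.1-2 reads "so it will be always be available now", with a duplicated "be" in the pulseaudio item; reword it to "so it will always be available now" before upload, since the changelog text is what ends up in the archive.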
Bug#989198: unblock: webkit2gtk/2.32.1-1
On Fri, May 28, 2021 at 11:18:00AM +0200, Alberto Garcia wrote: > unblock webkit2gtk/2.32.1-1 This upload introduced a regression (#989332) that should probably be fixed for bullseye. WebKitGTK has always used GStreamer internally but the Debian package only _recommends_ the GStreamer plugins because in theory you can use the web without them (but forget about audio and video). This has changed recently and now WebKit assumes that at least the -base and -good sets of plugins are available, and will abort with an assertion if e.g. there is no audio plugin installed. In practice I think that the vast majority of users won't hit this problem because a) those plugins are recommended and apt installs them by default and b) they are amongst the most common packages on a desktop environment and required by many other programs. But it turns out that some people do browse the web with Epiphany and don't have those plugins installed, so we should probably try to avoid similar situations. I would like to move gstreamer1.0-plugins-good from Recommends to Depends. See the attached patch, in which I also get rid of the gstreamer1.0-pulseaudio recommendation (now part of plugins-good), explicitly depend on plugins-base (which are implicitly installed anyway by plugins-good) and recommend plugins-bad (which is needed for many common video formats). An alternative would be to patch WebKit (downstream or upstream) to remove the assertion, or perhaps to use a dummy plugin ('fakesink') if no other is available. But this change is not necessarily trivial (WebKit uses many plugins in different places) and I'm not sure that upstream would be so happy to support that use case (considering that one can disable several media options at build time). So if you are ok with the change of dependencies I will upload it to unstable and request a new unblock. Regards, Berto diff --git a/debian/changelog b/debian/changelog index 8bc5c0a2183f..7556456f9097 100644 --- a/debian/changelog 
+++ b/debian/changelog @@ -1,3 +1,13 @@ +webkit2gtk (2.32.1-2) unstable; urgency=high + + * debian/control: ++ Update the dependencies on GStreamer plugins (Closes: #989332): + - WebKitGTK really expects at least the -base and -good sets. + - For video playback (e.g YouTube) -bad is also recommended. + - The pulseaudio plugin was merged into the -good package. + + -- Alberto Garcia Fri, 04 Jun 2021 21:10:02 +0200 + webkit2gtk (2.32.1-1) unstable; urgency=medium * New upstream release. diff --git a/debian/control b/debian/control index 7c0b3218f92d..8b1c4197e740 100644 --- a/debian/control +++ b/debian/control @@ -138,11 +138,13 @@ Architecture: any Multi-Arch: same Pre-Depends: ${misc:Pre-Depends} Depends: libjavascriptcoregtk-4.0-18 (= ${binary:Version}), + gstreamer1.0-plugins-base, + gstreamer1.0-plugins-good, ${bwrap:Depends}, ${shlibs:Depends}, ${misc:Depends} -Recommends: gstreamer1.0-plugins-good, -gstreamer1.0-pulseaudio | gstreamer1.0-alsa, +Recommends: gstreamer1.0-plugins-bad, +gstreamer1.0-alsa, gstreamer1.0-gl, libgl1-mesa-dri, ${bwrap:Recommends},
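Review bot: the debian/control hunk replaces the 'gstreamer1.0-pulseaudio | gstreamer1.0-alsa' alternative with a plain 'gstreamer1.0-alsa' recommendation, but the changelog entry only says that the pulseaudio plugin was merged into the -good package and is silent about -alsa. Add a changelog bullet for the -alsa change, or explain why it should stay in Recommends now that -good is a hard dependency.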
Bug#989198: unblock: webkit2gtk/2.32.1-1
Control: tags -1 - moreinfo On Fri, May 28, 2021 at 10:44:27PM +0200, Sebastian Ramacher wrote: > libwebkit2gtk-4.0.so.37 libwebkit2gtk-4.0-37 #MINVER# > * Build-Depends-Package: libwebkit2gtk-4.0-dev > (c++)"WebKit::NetworkProcessMain(int, char**)@Base" 2.27.90 > - (c++)"WebKit::PluginProcessMain(int, char**)@Base" 2.27.90 > (c++)"WebKit::WebProcessMain(int, char**)@Base" 2.27.90 > (c++)"WebKit::WebKitExtensionManager::initialize(WebKit::InjectedBundle*, > API::Object*)@Base" 2.17.5 > (c++)"WebKit::WebKitExtensionManager::singleton()@Base" 2.17.5 > > Is that an internal symbol or why is it safe to remove it without a > SONAME bump? This is actually not part of the library API. The plugin process is (was) a separate binary used to load NPAPI plugins, but those are no longer supported by any major browser: https://salsa.debian.org/webkit-team/webkit/-/commit/73f555da9678842191a904b41ca17d7aee84a8e4 The last important user was Adobe Flash, which reached eol in December 2020. Berto
Bug#989198: unblock: webkit2gtk/2.32.1-1
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package webkit2gtk

Starting from buster webkit2gtk has been receiving security updates, with a dozen DSAs published so far, at a pace of once every month or two. These updates follow the upstream stable releases.

webkit2gtk 2.32.1 was published on the 10th of May and it belongs to the new 2.32.x stable branch (which started on the 26th of March with the 2.32.0 release).

This fixes three security bugs: CVE-2021-1871, CVE-2021-1844 and CVE-2021-1788. You can see the details here:

https://webkitgtk.org/security/WSA-2021-0003.html

According to the CVE description, Apple is aware that the first of those bugs may have been actively exploited.

Since this is a new stable branch (2.30.x -> 2.32.x) I wanted to give it more time than usual before proposing an unblock to detect possible regressions. We found two:

- https://bugs.debian.org/987448

  The titles of articles of RSS feeds have wrong colors due to broken CSS. This is due to upstream changes in WebKitGTK and required changes in Liferea. Liferea is now fixed in testing and works fine with WebKitGTK 2.32.x

  NOTE: theoretically other packages could have similar problems, but we haven't detected any.

- https://bugs.debian.org/987686

  An autopkgtest regression. This is actually not a bug in WebKitGTK, but the new dependency on xdg-desktop-portal-gtk triggers it. I downgraded the dependency to a recommendation and the problem is gone. I also uploaded a patch for balsa.

I am not aware of any other regression. 2.32.0 was uploaded to unstable on the 22nd of April and 2.32.1 on the 10th of May.

I would like to have this version of webkit2gtk unblocked and after that I'll prepare a new security update for buster.

Thanks,

Berto

unblock webkit2gtk/2.32.1-1
Bug#985819: unblock: webkit2gtk/2.30.6-1
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package webkit2gtk Starting from buster webkit2gtk has been receiving security updates, with a dozen DSAs published so far, at a pace of once every month or two. These updates follow the upstream stable releases. webkit2gtk 2.30.6 is a point release that was published on the 18th of March. It contains fixes for seven new security bugs: CVE-2020-27918, CVE-2020-29623, CVE-2021-1765, CVE-2021-1789, CVE-2021-1799, CVE-2021-1801, CVE-2021-1870. You can see the details on the latest upstream security advisory: https://webkitgtk.org/security/WSA-2021-0002.html I would like to have this version of webkit2gtk unblocked and after that I'll prepare a new security update for buster. Thanks, Berto unblock webkit2gtk/2.30.6-1 -- System Information: Debian Release: 10.8 APT prefers stable APT policy: (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 4.19.0-14-amd64 (SMP w/4 CPU cores) Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8), LANGUAGE=en_US.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled
Bug#956805: stretch-pu: package megatools/1.9.98-1+deb9u1
Package: release.debian.org Severity: normal Tags: stretch User: release.debian@packages.debian.org Usertags: pu Hi, megatools can be used (among other things) to download files from the Mega cloud storage service. Files can be downloaded using a link that contains a file handle and an encryption key. The format of these links has changed recently and megatools 1.9.98 doesn't recognize them. This upload includes a simple patch (already committed upstream) to add support for these new links. Debdiff attached. Berto P.S: a similar upload is proposed for buster (#956801). -- System Information: Debian Release: 10.3 APT prefers stable APT policy: (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 4.19.0-8-amd64 (SMP w/4 CPU cores) Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8), LANGUAGE=en_US.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled diff -Nru megatools-1.9.98/debian/changelog megatools-1.9.98/debian/changelog --- megatools-1.9.98/debian/changelog 2016-11-03 15:02:16.0 +0100 +++ megatools-1.9.98/debian/changelog 2020-04-15 14:28:54.0 +0200 @@ -1,3 +1,10 @@ +megatools (1.9.98-1+deb9u1) stretch; urgency=medium + + * debian/patches/support-new-links.patch: +- Add support for the new format of mega.nz links. + + -- Alberto Garcia Wed, 15 Apr 2020 14:28:54 +0200 + megatools (1.9.98-1) unstable; urgency=medium * New upstream release (Closes: #828434, #838651). diff -Nru megatools-1.9.98/debian/patches/series megatools-1.9.98/debian/patches/series --- megatools-1.9.98/debian/patches/series 2016-11-03 15:02:16.0 +0100 +++ megatools-1.9.98/debian/patches/series 2020-04-15 14:28:54.0 +0200 
@@ -1 +1,2 @@ make-verbose.patch +support-new-links.patch diff -Nru megatools-1.9.98/debian/patches/support-new-links.patch megatools-1.9.98/debian/patches/support-new-links.patch --- megatools-1.9.98/debian/patches/support-new-links.patch 1970-01-01 01:00:00.0 +0100 +++ megatools-1.9.98/debian/patches/support-new-links.patch 2020-04-15 14:28:54.0 +0200 
@@ -0,0 +1,49 @@ +From: Alberto Garcia +Subject: Support new format of mega.nz links +Origin: https://megous.com/git/megatools/commit/?id=5d04a6203a231e8a3ea19bd1f203faee88e4b3a9 +Index: megatools/tools/dl.c +=== +--- megatools.orig/tools/dl.c megatools/tools/dl.c +@@ -145,6 +145,7 @@ int main(int ac, char* av[]) + { + gc_error_free GError *local_err = NULL; + gc_regex_unref GRegex *file_regex = NULL, *folder_regex = NULL; ++ gc_regex_unref GRegex *file_regex2 = NULL, *folder_regex2 = NULL;; + gint i; + int status = 0; + +@@ -179,9 +180,15 @@ int main(int ac, char* av[]) + file_regex = g_regex_new("^https?://mega(?:\\.co)?\\.nz/#!([a-z0-9_-]{8})!([a-z0-9_-]{43})$", G_REGEX_CASELESS, 0, NULL); + g_assert(file_regex != NULL); + ++ file_regex2 = g_regex_new("^https?://mega\\.nz/file/([a-z0-9_-]{8})#([a-z0-9_-]{43})$", G_REGEX_CASELESS, 0, NULL); ++ g_assert(file_regex2 != NULL); ++ + folder_regex = g_regex_new("^https?://mega(?:\\.co)?\\.nz/#F!([a-z0-9_-]{8})!([a-z0-9_-]{22})$", G_REGEX_CASELESS, 0, NULL); + g_assert(folder_regex != NULL); + ++ folder_regex2 = g_regex_new("^https?://mega\\.nz/folder/([a-z0-9_-]{8})#([a-z0-9_-]{22})$", G_REGEX_CASELESS, 0, NULL); ++ g_assert(folder_regex2 != NULL); ++ + // create session + + s = tool_start_session(0); +@@ -197,7 +204,7 @@ int main(int ac, char* av[]) + gc_free gchar* handle = NULL; + gc_free gchar* link = tool_convert_filename(av[i], FALSE); + +-if (g_regex_match(file_regex, link, 0, )) ++if (g_regex_match(file_regex, link, 0, ) || g_regex_match(file_regex2, link, 0, )) + { + handle = g_match_info_fetch(m1, 1); + key = g_match_info_fetch(m1, 2); +@@ -219,7 +226,7 @@ int main(int ac, char* av[]) + g_print("%s\n", cur_file); + } + } +-else if (g_regex_match(folder_regex, link, 0, )) ++else if (g_regex_match(folder_regex, link, 0, ) || g_regex_match(folder_regex2, link, 0, )) + { + if (opt_stream) + {
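Review bot: file_regex2 and folder_regex2 accept only 'mega\.nz', while the existing file_regex and folder_regex accept 'mega(?:\.co)?\.nz', so a new-format link on the mega.co.nz host will not be recognised. Either reuse the '(?:\.co)?' group in the two new patterns or state in the patch header that the new link format exists only on mega.nz. The added declaration also ends in a stray double semicolon ('*folder_regex2 = NULL;;').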
Bug#956801: buster-pu: package megatools/1.10.2-1+deb10u1
On Wed, Apr 15, 2020 at 01:57:16PM +0200, Alberto Garcia wrote: > +megatools (1.10.2-1+deb10u1) unstable; urgency=medium There's an error in the patch, it should say 'buster' instead of 'unstable'. Otherwise it should be ok. Sorry for the noise. Berto
Bug#956801: buster-pu: package megatools/1.10.2-1+deb10u1
Package: release.debian.org Severity: normal Tags: buster User: release.debian@packages.debian.org Usertags: pu Hi, megatools can be used (among other things) to download files from the Mega cloud storage service. Files can be downloaded using a link that contains a file handle and an encryption key. The format of these links has changed recently and megatools 1.10.2 doesn't recognize them. This upload includes a simple patch (already committed upstream) to add support for these new links. Debdiff attached. Berto -- System Information: Debian Release: 10.3 APT prefers stable APT policy: (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 4.19.0-8-amd64 (SMP w/4 CPU cores) Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8), LANGUAGE=en_US.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled diff -Nru megatools-1.10.2/debian/changelog megatools-1.10.2/debian/changelog --- megatools-1.10.2/debian/changelog 2018-08-01 09:42:42.0 +0200 +++ megatools-1.10.2/debian/changelog 2020-04-15 13:43:30.0 +0200 @@ -1,3 +1,10 @@ +megatools (1.10.2-1+deb10u1) unstable; urgency=medium + + * debian/patches/support-new-links.patch: +- Add support for the new format of mega.nz links. + + -- Alberto Garcia Wed, 15 Apr 2020 13:43:30 +0200 + megatools (1.10.2-1) unstable; urgency=medium * New upstream release (Closes: #905156). diff -Nru megatools-1.10.2/debian/patches/series megatools-1.10.2/debian/patches/series --- megatools-1.10.2/debian/patches/series 2018-08-01 09:42:42.0 +0200 +++ megatools-1.10.2/debian/patches/series 2020-04-15 13:43:30.0 +0200 
@@ -1 +1,2 @@ make-verbose.patch +support-new-links.patch diff -Nru megatools-1.10.2/debian/patches/support-new-links.patch megatools-1.10.2/debian/patches/support-new-links.patch --- megatools-1.10.2/debian/patches/support-new-links.patch 1970-01-01 01:00:00.0 +0100 +++ megatools-1.10.2/debian/patches/support-new-links.patch 2020-04-15 13:43:30.0 +0200 
@@ -0,0 +1,56 @@ +From: Alberto Garcia +Subject: Support new format of mega.nz links +Origin: https://megous.com/git/megatools/commit/?id=5d04a6203a231e8a3ea19bd1f203faee88e4b3a9 +Index: megatools/tools/dl.c +=== +--- megatools.orig/tools/dl.c megatools/tools/dl.c +@@ -320,6 +320,7 @@ int main(int ac, char *av[]) + { + gc_error_free GError *local_err = NULL; + gc_regex_unref GRegex *file_regex = NULL, *folder_regex = NULL; ++ gc_regex_unref GRegex *file_regex2 = NULL, *folder_regex2 = NULL;; + gint i; + int status = 0; + +@@ -353,11 +354,20 @@ int main(int ac, char *av[]) +0, NULL); + g_assert(file_regex != NULL); + ++ file_regex2 = g_regex_new("^https?://mega\\.nz/file/([a-z0-9_-]{8})#([a-z0-9_-]{43})$", G_REGEX_CASELESS, ++ 0, NULL); ++ g_assert(file_regex2 != NULL); ++ + folder_regex = + g_regex_new("^https?://mega(?:\\.co)?\\.nz/#F!([a-z0-9_-]{8})!([a-z0-9_-]{22})(![a-z0-9_-]{8})?$", + G_REGEX_CASELESS, 0, NULL); + g_assert(folder_regex != NULL); + ++ folder_regex2 = ++ g_regex_new("^https?://mega\\.nz/folder/([a-z0-9_-]{8})#([a-z0-9_-]{22})$", ++ G_REGEX_CASELESS, 0, NULL); ++ g_assert(folder_regex2 != NULL); ++ + // create session + + s = tool_start_session(TOOL_SESSION_OPEN | TOOL_SESSION_AUTH_ONLY | TOOL_SESSION_AUTH_OPTIONAL); +@@ -377,7 +387,8 @@ int main(int ac, char *av[]) + gc_free gchar *specific = NULL; + gc_free gchar *link = tool_convert_filename(av[i], FALSE); + +- if (g_regex_match(file_regex, link, 0, )) { ++ if (g_regex_match(file_regex, link, 0, ) || ++g_regex_match(file_regex2, link, 0, )) { + handle = g_match_info_fetch(m1, 1); + key = g_match_info_fetch(m1, 2); + +@@ -398,7 +409,8 @@ int main(int ac, char *av[]) + if (opt_print_names) + g_print("%s\n", cur_file); + } +- } else if (g_regex_match(folder_regex, link, 0, )) { ++ } else if (g_regex_match(folder_regex, link, 0, ) || ++ g_regex_match(folder_regex2, link, 0, )) { + if (opt_stream) { + g_printerr("ERROR: Can't stream from a directory!\n"); + tool_fini(s);
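Review bot: in this version folder_regex carries an optional third group, '(![a-z0-9_-]{8})?', but the new folder_regex2 stops right after the 22-character key, so a new-format folder link with any trailing component will not match at all. Say in the patch header whether that is intentional, or extend folder_regex2 with the equivalent optional group. As in the stretch patch, the new declaration ends in ';;'.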
Bug#935261: buster-pu: package fuse-emulator/1.5.7+dfsg1-2~deb10u1
On Wed, Aug 21, 2019 at 11:35:38PM +0100, Adam D. Barratt wrote: > Please go ahead. Uploaded, thanks. Berto
Bug#935261: buster-pu: package fuse-emulator/1.5.7+dfsg1-2~deb10u1
Package: release.debian.org Severity: normal Tags: buster User: release.debian@packages.debian.org Usertags: pu Hi, the GTK build of the Fuse ZX Spectrum Emulator has had problems with Wayland for a long time (bug #872994; in short: the display is corrupted). This is a known upstream bug in Fuse, and while some progress has been made it hasn't been fixed yet. After the buster release we are getting more reports from people who are running Wayland and can't use the emulator properly because of this. We fixed this in testing but we would like to do it in buster as well. This upload includes a patch that changes the default order of the GDK backends, so if both X11 and Wayland are available then Fuse will use the former. The Wayland backend will still be used if it's the only one available (or if the user sets the GDK_BACKEND environment variable). The other patch included in this build simply sets the window icon so it appears on the "About..." dialog and the window switcher. Debdiff attached. Best regards, Berto -- System Information: Debian Release: 10.0 APT prefers stable APT policy: (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 4.19.0-5-amd64 (SMP w/4 CPU cores) Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8), LANGUAGE=en_US.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled diff -Nru fuse-emulator-1.5.7+dfsg1/debian/changelog fuse-emulator-1.5.7+dfsg1/debian/changelog --- fuse-emulator-1.5.7+dfsg1/debian/changelog 2018-12-11 12:33:12.0 +0200 +++ fuse-emulator-1.5.7+dfsg1/debian/changelog 2019-08-21 10:46:12.0 +0300 
@@ -1,3 +1,19 @@ +fuse-emulator (1.5.7+dfsg1-2~deb10u1) unstable; urgency=medium + + * Rebuild for buster. + + -- Alberto Garcia Wed, 21 Aug 2019 10:46:12 +0300 + +fuse-emulator (1.5.7+dfsg1-2) unstable; urgency=medium + + * debian/patches/prefer-x11-over-wayland.patch: +- Prefer the X11 GDK backend over the Wayland one, as the latter is + known to have problems (see upstream bug #367) (Closes: #872994). + * debian/patches/show-fuse-icon.patch: +- Show the Fuse icon on the GTK window and About dialog. + + -- Alberto Garcia Fri, 16 Aug 2019 11:49:27 +0300 + fuse-emulator (1.5.7+dfsg1-1) unstable; urgency=medium * New upstream release. diff -Nru fuse-emulator-1.5.7+dfsg1/debian/copyright fuse-emulator-1.5.7+dfsg1/debian/copyright --- fuse-emulator-1.5.7+dfsg1/debian/copyright 2018-12-11 12:33:12.0 +0200 +++ fuse-emulator-1.5.7+dfsg1/debian/copyright 2019-08-21 10:46:12.0 +0300 @@ -28,7 +28,7 @@ License: LGPL-2.1+ Files: debian/* -Copyright: 2010-2013,2015-2018 Alberto Garcia +Copyright: 2010-2013,2015-2019 Alberto Garcia License: GPL-2+ License: GPL-2+ diff -Nru fuse-emulator-1.5.7+dfsg1/debian/patches/prefer-x11-over-wayland.patch fuse-emulator-1.5.7+dfsg1/debian/patches/prefer-x11-over-wayland.patch --- fuse-emulator-1.5.7+dfsg1/debian/patches/prefer-x11-over-wayland.patch 1970-01-01 02:00:00.0 +0200 +++ fuse-emulator-1.5.7+dfsg1/debian/patches/prefer-x11-over-wayland.patch 2019-08-21 10:46:12.0 +0300 
@@ -0,0 +1,20 @@ +From: Alberto Garcia +Subject: Prefer the X11 GDK backend over the Wayland one +Bug: https://sourceforge.net/p/fuse-emulator/bugs/367/ +Bug-Debian: https://bugs.debian.org/872994 +Index: fuse-emulator/ui/gtk/gtkui.c +=== +--- fuse-emulator.orig/ui/gtk/gtkui.c fuse-emulator/ui/gtk/gtkui.c +@@ -153,6 +153,11 @@ ui_init( int *argc, char ***argv ) + GtkAccelGroup *accel_group; + GtkSettings *settings; + ++#if GTK_CHECK_VERSION( 3, 10, 0 ) ++ /* The Wayland output is buggy, see #367 */ ++ gdk_set_allowed_backends( "quartz,win32,mir,x11,*" ); ++#endif ++ + gtk_init(argc,argv); + + #if !GTK_CHECK_VERSION( 3, 0, 0 ) diff -Nru fuse-emulator-1.5.7+dfsg1/debian/patches/series fuse-emulator-1.5.7+dfsg1/debian/patches/series --- fuse-emulator-1.5.7+dfsg1/debian/patches/series 2018-12-11 12:33:12.0 +0200 +++ fuse-emulator-1.5.7+dfsg1/debian/patches/series 2019-08-21 10:46:12.0 +0300 @@ -5,3 +5,5 @@ desktop-file.patch manpage-errors.patch bash-completion.patch +prefer-x11-over-wayland.patch +show-fuse-icon.patch diff -Nru fuse-emulator-1.5.7+dfsg1/debian/patches/show-fuse-icon.patch fuse-emulator-1.5.7+dfsg1/debian/patches/show-fuse-icon.patch --- fuse-emulator-1.5.7+dfsg1/debian/patches/show-fuse-icon.patch 1970-01-01 02:00:00.0 +0200 +++ fuse-emulator-1.5.7+dfsg1/debian/patches/show-fuse-icon.patch 2019-08-21 10:46:12.0 +0300 @@ -0,0 +1,25 @@ +From: Alberto Garcia +Subject: Show the Fuse icon on the GTK window and About dialog +Bug: https://sourceforge.net/p/fuse-emulator/patches/413/ +Index: fuse-emu
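Review bot: the top debian/changelog entry targets 'unstable' although the version is 1.5.7+dfsg1-2~deb10u1 and the entry itself says 'Rebuild for buster'; for a stable proposed update the distribution field should read 'buster'. In prefer-x11-over-wayland.patch the code comment 'see #367' would be clearer as 'see upstream bug #367', matching the Bug: header of the patch.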
Bug#932111: buster-pu: package webkit2gtk/2.24.3-1~deb10u1
On Tue, Aug 20, 2019 at 11:52:30PM +0100, Adam D. Barratt wrote: > Please go ahead. Thanks, I just uploaded the new version (source-only, please correct me if it needed to be a binary upload). Berto
Re: Bug#931052: unblock: webkit2gtk/2.24.2-2
On Thu, Jun 27, 2019 at 03:26:32PM +0300, Adrian Bunk wrote:

> > We like to support non-sse2 on i386, but we are not comfortable
> > fixing webkit2gtk at this stage of the release.
>
> Why is this relatively small change a problem in a package where new
> upstream versions are permitted after the release of stable?

I'll try to explain again with more detail so we all understand the nature of the proposed changes.

- WebKitGTK has several mechanisms to run JavaScript code, in brief: a C-based interpreter (CLoop), an assembler-based interpreter and a JIT compiler.

- CLoop is the slowest but it is portable and runs on all platforms. It's the one selected at build time when the CPU is unsupported or unknown.

- The other two generate CPU-specific code. In an effort to simplify them upstream recently took the decision to stop supporting i386 processors without SSE2 instructions.

- Because of that, WebKitGTK 2.24.1 added a build-time check to detect if the compiler can generate SSE2 instructions. For the Debian case I had to add -msse2 -mfpmath=sse to CFLAGS, as suggested by upstream.

- The consequence of this is that GCC generates SSE2 instructions when appropriate when compiling regular C/C++ code, causing crashes like the one previously reported.

- However, and this is the part that I originally overlooked, only the C-based interpreter is working at the moment in i386. The other two are less actively maintained for i386, and stopped working after some big changes upstream in the last few months.

- So it is possible to remove the compile-time check for SSE2 and build the package without those flags in i386.

What this all means is that the only real difference between webkit2gtk 2.24.2-1 (in buster) and 2.24.2-2 (in sid) is that, for i386, the former is compiled with -msse2 -mfpmath=sse and the latter is not.

So for floating point operations the former uses SSE2 and the latter uses x87. This produces some differences in rounding in some corner cases which could have user-visible consequences.

We don't know when it is going to happen, but once upstream brings back JIT support to i386 again we would have to make the decision to either:

a) keep using CLoop in order to remain compatible with non-SSE2 CPUs (conservative approach, I'd probably support this one).

b) think of a way to support both sets of users so those with more modern processors can benefit from the additional performance of the JIT compiler. This could involve using e.g. /usr/lib/sse2/ for those binaries.

I hope this clarifies the situation.

Berto
Bug#931052: unblock: webkit2gtk/2.24.2-2
On Tue, Jun 25, 2019 at 11:04:59AM +0300, Alberto Garcia wrote: > This upload disables the JIT compiler and enables the CLoop > JavaScript interpreter, which is slower but works on all CPUs. It > also removes the gcc SSE2 flags. Only the i386 build is affected by > these changes. I realized that this is not accurate: in this particular version of webkit2gtk the JIT compiler is already disabled for i386 (work is being done upstream to have it enabled back again), so in practice this line is a no-op because these are already the current values: > + EXTRA_CMAKE_ARGUMENTS += -DENABLE_JIT=OFF -DENABLE_C_LOOP=ON I would still keep that line because it will be necessary as soon as upstream brings back JIT support for x86. This patch still removes -msse2 -mfpmath=sse from CFLAGS, and that's what makes the package work in non-SSE2 CPUs. Berto
Bug#931052: unblock: webkit2gtk/2.24.2-2
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package webkit2gtk Upstream WebKitGTK has recently stopped supporting i386 CPUs without SSE2 extensions, as other browsers (Chromium, Firefox) already did a few years ago. There is at least one bug report (#930932, opened two days ago) from a user that cannot run Zenity on a machine with an Athlon XP CPU because of this, and some hours ago bug #930935 was filed against webkit2gtk. WebKit generates SSE2 instructions with its JIT compiler, and the build scripts also force gcc to pass the -msse2 compilation flags. This upload disables the JIT compiler and enables the CLoop JavaScript interpreter, which is slower but works on all CPUs. It also removes the gcc SSE2 flags. Only the i386 build is affected by these changes. Debdiff attached. Note: the changelog includes the list of CVEs from the latest security advisory, published shortly after the previous release. This is purely informative and has no effects on the package. unblock webkit2gtk/2.24.2-2 -- System Information: Debian Release: 9.9 APT prefers stable APT policy: (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 4.9.0-9-amd64 (SMP w/4 CPU cores) Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8), LANGUAGE=en_US.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) diff -Nru webkit2gtk-2.24.2/debian/changelog webkit2gtk-2.24.2/debian/changelog --- webkit2gtk-2.24.2/debian/changelog 2019-05-17 17:40:52.0 +0300 +++ webkit2gtk-2.24.2/debian/changelog 2019-06-24 16:34:09.0 +0300 
@@ -1,3 +1,26 @@ +webkit2gtk (2.24.2-2) unstable; urgency=high + + * The WebKitGTK security advisory WSA-2019-0003 lists the following +security fixes in the latest versions of WebKitGTK+: ++ CVE-2019-8571, CVE-2019-8583, CVE-2019-8586, CVE-2019-8594, + CVE-2019-8609, CVE-2019-8611, CVE-2019-8622 and CVE-2019-8623 + (fixed in 2.24.0). ++ CVE-2019-6237, CVE-2019-8584, CVE-2019-8587, CVE-2019-8596, + CVE-2019-8597, CVE-2019-8601, CVE-2019-8608, CVE-2019-8610 and + CVE-2019-8619 (fixed in 2.24.1). ++ CVE-2019-8595, CVE-2019-8607 and CVE-2019-8615 (fixed in 2.24.2). + * Use the CLoop Javascript interpreter in i386 and stop telling gcc to +use SSE2 instructions (Closes: #930935). ++ debian/rules: + - Build with -DENABLE_JIT=OFF -DENABLE_C_LOOP=ON and stop using +-msse2 -mfpmath=sse. ++ debian/patches/dont-detect-sse2.patch: + - Don't check for SSE2 support. ++ debian/NEWS: + - Remove item about the requirement to have an SSE2-capable CPU. + + -- Alberto Garcia Mon, 24 Jun 2019 16:34:09 +0300 + webkit2gtk (2.24.2-1) unstable; urgency=medium * New upstream release. diff -Nru webkit2gtk-2.24.2/debian/NEWS webkit2gtk-2.24.2/debian/NEWS --- webkit2gtk-2.24.2/debian/NEWS 2019-05-17 17:40:52.0 +0300 +++ webkit2gtk-2.24.2/debian/NEWS 2019-06-24 16:34:09.0 +0300 
@@ -1,12 +1,3 @@ -webkit2gtk (2.24.1-2) unstable; urgency=high - - Since version 2.24.0, i386 builds of WebKitGTK require an SSE2-capable - CPU. This instruction set was first introduced with the Pentium 4 in - year 2000. Support for older processors was dropped in WebKitGTK - upstream and is unfortunately not expected to come back. - - -- Alberto Garcia Fri, 10 May 2019 15:40:28 +0300 - webkit2gtk (2.20.0-2) unstable; urgency=medium webkit2gtk 2.20.0 contains a security feature named Gigacage that diff -Nru webkit2gtk-2.24.2/debian/patches/dont-detect-sse2.patch webkit2gtk-2.24.2/debian/patches/dont-detect-sse2.patch --- webkit2gtk-2.24.2/debian/patches/dont-detect-sse2.patch 1970-01-01 02:00:00.0 +0200 +++ webkit2gtk-2.24.2/debian/patches/dont-detect-sse2.patch 2019-06-24 16:34:09.0 +0300 @@ -0,0 +1,24 @@ +From: Alberto Garcia +Subject: Don't check for SSE2 support on i386 +Bug-Debian: https://bugs.debian.org/930935 +Forwarded: no +Index: webkitgtk/Source/cmake/WebKitCompilerFlags.cmake +=== +--- webkitgtk.orig/Source/cmake/WebKitCompilerFlags.cmake webkitgtk/Source/cmake/WebKitCompilerFlags.cmake +@@ -144,15 +144,6 @@ if (COMPILER_IS_GCC_OR_CLANG) + if (CMAKE_COMPILER_IS_GNUCXX) + WEBKIT_PREPEND_GLOBAL_COMPILER_FLAGS(-Wno-expansion-to-defined) + endif () +- +-# Force SSE2 fp on x86 builds. +-if (WTF_CPU_X86 AND NOT CMAKE_CROSSCOMPILING) +-WEBKIT_PREPEND_GLOBAL_COMPILER_FLAGS(-msse2 -mfpmath=sse) +-include(DetectSSE2) +-if (NOT SSE2_SUPPORT_FOUND) +-message(FATAL_ERROR "SSE2 support is required to compile WebKit") +-endif () +-endif () + endif () + + if (COMPILER_IS_GCC_OR_CLANG AND NOT MSVC) diff -Nru webkit2gtk-2.24.2/debian/patches/series webkit2gtk-2.24.2/debian/patches/series --- webkit2gtk-2.24.2/debian/patc
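Review bot: dont-detect-sse2.patch deletes the whole 'Force SSE2 fp on x86 builds' block from WebKitCompilerFlags.cmake, including the FATAL_ERROR check, yet its header has only 'Forwarded: no' and no description of why Debian diverges from upstream here. Add a Description field saying that the patch is Debian-specific and belongs with the i386 CLoop build (-DENABLE_JIT=OFF -DENABLE_C_LOOP=ON), so that a later upstream update touching this block is not rebased without re-checking that assumption.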
Bug#929603: unblock: webkit2gtk/2.24.2-1
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package webkit2gtk The new upstream stable release contains (among others) fixes for these three security bugs: CVE-2019-8595, CVE-2019-8607 and CVE-2019-8615. unblock webkit2gtk/2.24.2-1 -- System Information: Debian Release: 9.9 APT prefers stable-debug APT policy: (500, 'stable-debug'), (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 4.9.0-9-amd64 (SMP w/4 CPU cores) Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8), LANGUAGE=en_US.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system)
Bug#926929: unblock: webkit2gtk/2.24.1-1
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package webkit2gtk Upstream published the 2.24 stable branch recently and 2.22 is no longer maintained. We want to offer webkit2gtk security updates in buster and for that we will collaborate with the Debian security team, so we'd like to have the most up-to-date stable release in the distribution. The 2.24 branch contains fixes for the following security bugs: CVE-2019-6251 CVE-2019-8506 CVE-2019-8524 CVE-2019-8535 CVE-2019-8536 CVE-2019-8544 CVE-2019-8551 CVE-2019-8558 CVE-2019-8559 CVE-2019-8563 CVE-2019-11070 See the latest WebKitGTK security advisory for more details: https://webkitgtk.org/security/WSA-2019-0002.html Updating to 2.24.1 also fixes the following Debian bug: https://bugs.debian.org/923476 unblock webkit2gtk/2.24.1-1 -- System Information: Debian Release: 9.8 APT prefers stable-debug APT policy: (500, 'stable-debug'), (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 4.9.0-8-amd64 (SMP w/4 CPU cores) Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8), LANGUAGE=en_US.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system)
Bug#887589: stretch-pu: package grilo-plugins/0.3.3-1
Control: tags -1 - moreinfo

On Mon, Feb 26, 2018 at 08:55:51PM +, Adam D. Barratt wrote:

> > I would like to upload a new grilo-plugins package, which contains
> > a fix for https://bugs.debian.org/887469
>
> The BTS metadata for that bug indicates that it affects the version
> of grilo-plugins in unstable and has not yet been resolved there -
> is that correct?

It's not correct, the version in sid is already patched.

Here's the proposed patch:

https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=887589;filename=grilo-plugins.diff;msg=5

Here's the source code of the version in sid:

https://sources.debian.org/src/grilo-plugins/0.3.5-2/src/lua-factory/sources/grl-radiofrance.lua/#L108

I'll update the metadata of the bug report.

Berto
Bug#887589: stretch-pu: package grilo-plugins/0.3.3-1
Package: release.debian.org Severity: normal Tags: stretch User: release.debian@packages.debian.org Usertags: pu I would like to upload a new grilo-plugins package, which contains a fix for https://bugs.debian.org/887469 The Radio France website has changed and Grilo can no longer detect the available radios correctly. This was fixed upstream more than a year ago already. These are the upstream bug report and the fix: https://bugzilla.gnome.org/show_bug.cgi?id=773310 https://github.com/grilofw/grilo-plugins/commit/4617b91983792f3282757b93134f0b7e8f287d52 I have tested the patch and it works correctly. The reporter of the original bug also confirms that it solves the problem. I haven't uploaded the package yet, I'll do it as soon as I get the confirmation that the changes are fine. Debdiff attached. Thanks! -- System Information: Debian Release: 9.3 APT prefers stable APT policy: (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 4.9.0-5-amd64 (SMP w/4 CPU cores) Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8), LANGUAGE=en_US.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) diff -Nru grilo-plugins-0.3.3/debian/changelog grilo-plugins-0.3.3/debian/changelog --- grilo-plugins-0.3.3/debian/changelog2016-09-12 10:50:22.0 +0300 +++ grilo-plugins-0.3.3/debian/changelog2018-01-17 11:30:37.0 +0200 @@ -1,3 +1,10 @@ +grilo-plugins (0.3.3-1+deb9u1) stretch; urgency=medium + + * debian/patches/radiofrance.patch: +- Fix Radio France source after website changes (Closes: #887469). + + -- Alberto Garcia <be...@igalia.com> Wed, 17 Jan 2018 11:30:37 +0200 + grilo-plugins (0.3.3-1) unstable; urgency=medium * New upstream release. diff -Nru grilo-plugins-0.3.3/debian/patches/radiofrance.patch grilo-plugins-0.3.3/debian/patches/radiofrance.patch --- grilo-plugins-0.3.3/debian/patches/radiofrance.patch1970-01-01 02:00:00.0 +0200 +++ grilo-plugins-0.3.3/debian/patches/radiofrance.patch2018-01-17 11:30:37.0 +0200 
@@ -0,0 +1,24 @@ +From: Bastien Nocera <had...@hadess.net> +Bug: https://bugzilla.gnome.org/show_bug.cgi?id=773310 +Bug-Debian: https://bugs.debian.org/887469 +Subject: Fix radiofrance unset URLs after recent website changes +Origin: https://github.com/grilofw/grilo-plugins/commit/4617b91983792f3282757b93134f0b7e8f287d52 +Index: grilo-plugins/src/lua-factory/sources/grl-radiofrance.lua +=== +--- grilo-plugins.orig/src/lua-factory/sources/grl-radiofrance.lua grilo-plugins/src/lua-factory/sources/grl-radiofrance.lua +@@ -105,9 +105,12 @@ function create_media(id, result) + media.id = 'fip' + end + +- media.url = result:match("liveUrl: '(.-)',") ++ media.url = result:match("urlLive:'(http.-%mp3)") + if not media.url then +-media.url = result:match('"player" href="(http.-%.mp3)') ++media.url = result:match('player" href="(http.-%.mp3)') ++ end ++ if not media.url then ++media.url = result:match('data%-url%-live="(http.-%.mp3)') + end + + media.title = get_title(id) diff -Nru grilo-plugins-0.3.3/debian/patches/series grilo-plugins-0.3.3/debian/patches/series --- grilo-plugins-0.3.3/debian/patches/series 1970-01-01 02:00:00.0 +0200 +++ grilo-plugins-0.3.3/debian/patches/series 2018-01-17 11:30:37.0 +0200 @@ -0,0 +1 @@ +radiofrance.patch
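Review bot: In the first new pattern in create_media, `result:match("urlLive:'(http.-%mp3)")`, the `%` escapes the letter `m` rather than a dot, so unlike the two fallbacks (`http.-%.mp3`) it does not require a literal `.` before `mp3` and the lazy capture can stop at the first `mp3` substring anywhere in the URL. If the intent is the same as in the fallbacks, write `(http.-%.mp3)`. The second pattern also drops the opening quote of `"player"`, which loosens the match to any attribute value ending in `player`; a short comment saying which page markup each of the three patterns targets would make the next website change easier to diagnose.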
Bug#864318: unblock: filetea/0.1.16-4
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package filetea The version of Filetea currently in testing (0.1.16-3) does not work at all because of an API change in one of its dependencies (libjs-jquery). See https://bugs.debian.org/862742 for more details. In addition to that, 0.1.16-4 contains the following changes, all of them trivial: - Replace the build dependency on the libgcrypt11-dev transition package (#864101). - Correct the homepage URL. - Add the missing dependency on lsb-base (fixes a lintian error). - Update Standards-Version to 3.9.8 (no changes to the package). - Add the name of the manpage to the systemd service file. The debdiff comparing both versions is attached. Regards, Berto unblock filetea/0.1.16-4 -- System Information: Debian Release: 9.0 APT prefers testing APT policy: (500, 'testing') Architecture: amd64 (x86_64) Kernel: Linux 4.9.0-3-amd64 (SMP w/4 CPU cores) Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) diff -Nru filetea-0.1.16/debian/changelog filetea-0.1.16/debian/changelog --- filetea-0.1.16/debian/changelog 2014-08-27 16:15:15.0 +0300 +++ filetea-0.1.16/debian/changelog 2017-06-06 12:01:04.0 +0300 
@@ -1,3 +1,20 @@ +filetea (0.1.16-4) unstable; urgency=high + + * debian/control: +- Replace build dependency on libgcrypt11-dev with libgcrypt20-dev + (Closes: #864101). +- Update Homepage URL. +- Update Standards-Version to 3.9.8 (no changes). +- Depend on lsb-base (>= 3.0-6). + * debian/patches/jquery-compat.patch: +- Make Filetea work with libjs-jquery 3.x (Closes: #862742). + * debian/patches/systemd.patch: +- Add missing Documentation key. + * debian/copyright: +- Update copyright years. + + -- Alberto Garcia <be...@igalia.com> Tue, 06 Jun 2017 12:01:04 +0300 + filetea (0.1.16-3) unstable; urgency=medium * Add systemd service file. diff -Nru filetea-0.1.16/debian/control filetea-0.1.16/debian/control --- filetea-0.1.16/debian/control 2014-08-27 16:15:15.0 +0300 +++ filetea-0.1.16/debian/control 2017-06-06 12:01:04.0 +0300 @@ -6,11 +6,11 @@ dh-autoreconf, dh-systemd, uuid-dev, - libgcrypt11-dev, + libgcrypt20-dev, libevd-0.1-dev (>= 0.1.18), libjson-glib-dev (>= 0.10.0) -Standards-Version: 3.9.5 -Homepage: https://gitorious.org/filetea +Standards-Version: 3.9.8 +Homepage: https://github.com/elima/FileTea Package: filetea Architecture: any @@ -18,6 +18,7 @@ adduser, shared-mime-info, libjs-jquery, + lsb-base (>= 3.0-6), ${misc:Depends} Suggests: ssl-cert Description: Web-based file sharing system diff -Nru filetea-0.1.16/debian/copyright filetea-0.1.16/debian/copyright --- filetea-0.1.16/debian/copyright 2014-08-27 16:15:15.0 +0300 +++ filetea-0.1.16/debian/copyright 2017-06-06 12:01:04.0 +0300 
@@ -15,7 +15,7 @@ License: Expat or GPL-2 Files: debian/* -Copyright: 2011-2013 Alberto Garcia <be...@igalia.com> +Copyright: 2011-2013,2017 Alberto Garcia <be...@igalia.com> License: AGPL-3+ License: GPL-2 diff -Nru filetea-0.1.16/debian/patches/jquery-compat.patch filetea-0.1.16/debian/patches/jquery-compat.patch --- filetea-0.1.16/debian/patches/jquery-compat.patch 1970-01-01 02:00:00.0 +0200 +++ filetea-0.1.16/debian/patches/jquery-compat.patch 2017-06-06 12:01:04.0 +0300 @@ -0,0 +1,140 @@ +From: harikrishnakanchi <harikrishnakan...@gmail.com> +Subject: Make Filetea work with jQuery 3 +Bug-Debian: https://bugs.debian.org/862742 +Index: filetea/html/default/transfersView.js +=== +--- filetea.orig/html/default/transfersView.js filetea/html/default/transfersView.js +@@ -73,6 +73,24 @@ Evd.Object.extend (TransfersView.prototy + "aborted", + "aborted" + ]; ++this._cancelDialog = $ ("#transfer-list-confirm-cancel"); ++this._cancelDialog.dialog({ ++modal: true, ++title: "Cancel transfer", ++autoOpen: false, ++buttons: { ++"Yes": function () { ++var id = $ (this).dialog("option", "transferId"); ++self._transfers.cancel ([id]); ++ ++$ (this).dialog ("close"); ++}, ++"No": function () { ++$ (this).dialog ("close"); ++} ++} ++}); ++ + }, + + _
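Review bot: In the "Yes" handler of the new `_cancelDialog` in transfersView.js, `self._transfers.cancel ([id])` relies on a `self` variable and on a `transferId` dialog option, and neither is declared or set in the part of the hunk shown here (inside the handler, `this` is the dialog element, not the view). Please confirm that `self` is bound before the dialog is created and that `transferId` is always set before the dialog is opened, otherwise the handler cancels an undefined id. The header of jquery-compat.patch would also benefit from an Origin or Forwarded field, since it carries only From, Subject and Bug-Debian.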
Bug#787021: jessie-pu: package webkitgtk/2.4.8-2
Control: tag -1 - moreinfo On Sat, Aug 29, 2015 at 03:39:45PM +0200, Julien Cristau wrote: > > The 2.4 branch of webkit is a stable branch and there's no active > > development there. However it's still maintained and there are > > releases with important bugfixes periodically, so I think it's the > > kind of releases that would make sense in a stable distribution. > > > > Should I upload webkitgtk 2.4.9 to wheezy-pu? > > > > For reference here's the changelog of the latest release: > > > Hi Alberto, > > I'd be ok with this in principle, however we normally want to see a > source debdiff from a tested package for a final ack. Here's the debdiff. This is essentially the same as 2.4.9-1 from unstable. Many of the changes from upstream 2.4.8 had already been backported to the 2.4.8 package in stable (see all removed patches in the Debian changelog), so there's not a lot new. I tested it in a jessie system with several browsers that use this library (dwb, xombrero, uzbl) and everything seems to work fine. Berto webkitgtk-diff.bz2 Description: Binary data
Bug#787021: jessie-pu: package webkitgtk/2.4.8-2
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hello,

webkitgtk 2.4.9 was released containing several bug fixes, including the one for CVE-2015-2330.

I contacted the Debian security team in order to make a security release with this fix. However, and since webkitgtk is in the limited-support set of packages it's very unlikely that the fix can be released through a DSA. They suggested to check if the proposed-updates mechanism would be suitable.

The 2.4 branch of webkit is a stable branch and there's no active development there. However it's still maintained and there are releases with important bugfixes periodically, so I think it's the kind of releases that would make sense in a stable distribution.

Should I upload webkitgtk 2.4.9 to wheezy-pu?

For reference here's the changelog of the latest release:

* Check TLS errors as soon as they are set in the SoupMessage to prevent any data from being sent to the server in case of invalid certificate. [CVE-2015-2330]
* Clear the GObject DOM bindings internal cache when frames are destroyed or web view contents are updated.
* Add HighDPI support for non-accelerated compositing contents.
* Fix some transfer annotations used in GObject DOM bindings.
* Use latin1 instead of UTF-8 for HTTP header values.
* Fix synchronous loads when maximum connection limits are reached.
* Fix a crash ScrollView::contentsToWindow() when GtkPluginWidget doesn’t have a parent.
* Fix a memory leak in webkit_web_policy_decision_new.
* Fix g_closure_unref runtime warning.
* Fix a crash due to empty drag image during drag and drop.
* Fix rendering of scrollbars with GTK+ = 3.16.
* Fix the build on mingw32/msys.
* Fix the build with WebKit2 disabled.
* Fix the build with accelerated compositing disabled.
* Fix clang version check in configure.
* Fix the build with recent versions of GLib that have GMutexLocker.
* Fix the build for Linux/MIPS64EL.
Regards, Berto -- System Information: Debian Release: stretch/sid APT prefers testing APT policy: (500, 'testing') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores) Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) -- To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/20150527204947.6420.60200.reportbug@perseus.local
Bug#781386: unblock: webkitgtk/2.4.8-2
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package webkitgtk This package contains two patches: * debian/patches/g-closure-unref.diff: Fixes a case of use-after-free. http://bugs.debian.org/780444 * debian/patches/fix-cloop.patch: Fixes the LLInt part of the JavaScript interpreter that makes webkitgtk unusable on powerpc. This patch has been recommended by the RedHat maintainer. http://bugs.debian.org/771841 unblock webkitgtk/2.4.8-2 -- System Information: Debian Release: 8.0 APT prefers testing APT policy: (500, 'testing') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores) Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) diff -Nru webkitgtk-2.4.8/debian/changelog webkitgtk-2.4.8/debian/changelog --- webkitgtk-2.4.8/debian/changelog 2015-01-17 14:19:53.0 +0200 +++ webkitgtk-2.4.8/debian/changelog 2015-03-26 23:49:46.0 +0200 @@ -1,3 +1,13 @@ +webkitgtk (2.4.8-2) unstable; urgency=medium + + * debian/patches/g-closure-unref.diff: ++ Fix use-after-free warning when loading page into WebView + (Closes: #780444). + * debian/patches/fix-cloop.patch: ++ Fix crash on powerpc (Closes: #771841). + + -- Alberto Garcia be...@igalia.com Thu, 26 Mar 2015 23:49:21 +0200 + webkitgtk (2.4.8-1) unstable; urgency=medium * New upstream release, which includes some of the patches already diff -Nru webkitgtk-2.4.8/debian/patches/fix-cloop.patch webkitgtk-2.4.8/debian/patches/fix-cloop.patch --- webkitgtk-2.4.8/debian/patches/fix-cloop.patch 1970-01-01 02:00:00.0 +0200 +++ webkitgtk-2.4.8/debian/patches/fix-cloop.patch 2015-03-26 23:49:46.0 +0200 
@@ -0,0 +1,240 @@ +From: Tomas Popela tpop...@redhat.com +Subject: Fix crash on powerpc +Bug-Debian: https://bugs.debian.org/771841 +Origin: http://pkgs.fedoraproject.org/cgit/webkitgtk3.git/tree/ +Index: webkitgtk/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm +=== +--- webkitgtk.orig/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm webkitgtk/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm +@@ -2002,7 +2002,7 @@ _llint_op_next_pname: + loadi 20[PC], t2 + loadi PayloadOffset[cfr, t2, 8], t2 + loadp JSPropertyNameIterator::m_jsStrings[t2], t3 +-loadi [t3, t0, 8], t3 ++loadi PayloadOffset[t3, t0, 8], t3 + addi 1, t0 + storei t0, PayloadOffset[cfr, t1, 8] + loadi 4[PC], t1 +Index: webkitgtk/Source/JavaScriptCore/llint/LowLevelInterpreter.asm +=== +--- webkitgtk.orig/Source/JavaScriptCore/llint/LowLevelInterpreter.asm webkitgtk/Source/JavaScriptCore/llint/LowLevelInterpreter.asm +@@ -299,13 +299,13 @@ macro assertNotConstant(index) + end + + macro functionForCallCodeBlockGetter(targetRegister) +-loadp Callee[cfr], targetRegister ++loadp Callee + PayloadOffset[cfr], targetRegister + loadp JSFunction::m_executable[targetRegister], targetRegister + loadp FunctionExecutable::m_codeBlockForCall[targetRegister], targetRegister + end + + macro functionForConstructCodeBlockGetter(targetRegister) +-loadp Callee[cfr], targetRegister ++loadp Callee + PayloadOffset[cfr], targetRegister + loadp JSFunction::m_executable[targetRegister], targetRegister + loadp FunctionExecutable::m_codeBlockForConstruct[targetRegister], targetRegister + end +Index: webkitgtk/Source/JavaScriptCore/interpreter/ProtoCallFrame.h +=== +--- webkitgtk.orig/Source/JavaScriptCore/interpreter/ProtoCallFrame.h webkitgtk/Source/JavaScriptCore/interpreter/ProtoCallFrame.h +@@ -36,7 +36,7 @@ struct ProtoCallFrame { + Register calleeValue; + Register argCountAndCodeOriginValue; + Register thisArg; +-size_t paddedArgCount; ++uint32_t paddedArgCount; + JSValue *args; + + void 
init(CodeBlock*, JSScope*, JSObject*, JSValue, int, JSValue* otherArgs = 0); +@@ -53,7 +53,7 @@ struct ProtoCallFrame { + int argumentCountIncludingThis() const { return argCountAndCodeOriginValue.payload(); } + int argumentCount() const { return argumentCountIncludingThis() - 1; } + void setArgumentCountIncludingThis(int count) { argCountAndCodeOriginValue.payload() = count; } +-void setPaddedArgsCount(size_t argCount) { paddedArgCount = argCount; } ++void setPaddedArgsCount(uint32_t argCount) { paddedArgCount = argCount; } + + void clearCurrentVPC() { argCountAndCodeOriginValue.tag() = 0; } + +Index: webkitgtk/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp +=== +--- webkitgtk.orig/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp
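Review bot: The header of fix-cloop.patch says only "Fix crash on powerpc" and its Origin points at the root of the Fedora webkitgtk3 git tree, so this 240-line change to the LLInt cannot be matched to a specific upstream commit or file. Please pin the Origin to the exact commit and describe why the loads need PayloadOffset (`loadi PayloadOffset[t3, t0, 8], t3` and `loadp Callee + PayloadOffset[cfr], targetRegister`) and why `paddedArgCount` is narrowed from `size_t` to `uint32_t`. The narrowing in `setPaddedArgsCount(uint32_t argCount)` also deserves a check that no caller passes a wider value, since it would now be truncated silently.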
Bug#779903: unblock: webkit2gtk/2.6.2+dfsg1-4
: ++ Recursive crash at WebCore::accessibleNameForNode. + * debian/patches/fix-clearselection-segfault.patch: ++ Fix segfault when calling clearSelection on a detached RenderObject. + * debian/patches/fix-date.patch: ++ String(new Date(Mar 30 2014 01:00:00)) is wrong in CET. + * debian/patches/check-tls-errors.patch: ++ Check TLS errors as soon as they are set in the SoupMessage. + + -- Alberto Garcia be...@igalia.com Fri, 06 Mar 2015 09:33:11 +0200 + webkit2gtk (2.6.2+dfsg1-3) unstable; urgency=medium * debian/patches/no-ssl-record-version.patch: diff -Nru webkit2gtk-2.6.2+dfsg1/debian/libwebkit2gtk-4.0-doc.links webkit2gtk-2.6.2+dfsg1/debian/libwebkit2gtk-4.0-doc.links --- webkit2gtk-2.6.2+dfsg1/debian/libwebkit2gtk-4.0-doc.links 2014-12-07 18:53:35.0 +0200 +++ webkit2gtk-2.6.2+dfsg1/debian/libwebkit2gtk-4.0-doc.links 2015-03-06 09:33:28.0 +0200 @@ -1 +1,2 @@ usr/share/doc/libwebkit2gtk-4.0-doc/html usr/share/gtk-doc/html/webkit2gtk-4.0 +usr/share/doc/libwebkit2gtk-4.0-doc/html/webkit2gtk.devhelp2.gz usr/share/doc/libwebkit2gtk-4.0-doc/html/webkit2gtk-4.0.devhelp2.gz diff -Nru webkit2gtk-2.6.2+dfsg1/debian/patches/check-tls-errors.patch webkit2gtk-2.6.2+dfsg1/debian/patches/check-tls-errors.patch --- webkit2gtk-2.6.2+dfsg1/debian/patches/check-tls-errors.patch 1970-01-01 02:00:00.0 +0200 +++ webkit2gtk-2.6.2+dfsg1/debian/patches/check-tls-errors.patch 2015-03-06 09:33:28.0 +0200 
@@ -0,0 +1,121 @@ +From: Carlos Garcia Campos carlo...@webkit.org +Subject: Check TLS errors as soon as they are set in the SoupMessage +Bug: https://bugs.webkit.org/show_bug.cgi?id=142244 +Origin: http://trac.webkit.org/changeset/181074 +Index: webkitgtk/Source/WebCore/platform/network/soup/ResourceHandleSoup.cpp +=== +--- webkitgtk.orig/Source/WebCore/platform/network/soup/ResourceHandleSoup.cpp webkitgtk/Source/WebCore/platform/network/soup/ResourceHandleSoup.cpp +@@ -331,16 +331,21 @@ static bool handleUnignoredTLSErrors(Res + return true; + } + +-static void gotHeadersCallback(SoupMessage* message, gpointer data) ++static void tlsErrorsChangedCallback(SoupMessage* message, GParamSpec*, gpointer data) + { + ResourceHandle* handle = static_castResourceHandle*(data); + if (!handle || handle-cancelledOrClientless()) + return; + +-if (handleUnignoredTLSErrors(handle, message)) { ++if (handleUnignoredTLSErrors(handle, message)) + handle-cancel(); ++} ++ ++static void gotHeadersCallback(SoupMessage* message, gpointer data) ++{ ++ResourceHandle* handle = static_castResourceHandle*(data); ++if (!handle || handle-cancelledOrClientless()) + return; +-} + + ResourceHandleInternal* d = handle-getInternal(); + +@@ -931,6 +936,7 @@ static bool createSoupMessageForHandleAn + (!request.httpBody() || request.httpBody()-isEmpty())) + soup_message_headers_set_content_length(soupMessage-request_headers, 0); + ++g_signal_connect(d-m_soupMessage.get(), notify::tls-errors, G_CALLBACK(tlsErrorsChangedCallback), handle); + g_signal_connect(d-m_soupMessage.get(), got-headers, G_CALLBACK(gotHeadersCallback), handle); + g_signal_connect(d-m_soupMessage.get(), wrote-body-data, G_CALLBACK(wroteBodyDataCallback), handle); + +Index: webkitgtk/Tools/TestWebKitAPI/Tests/WebKit2Gtk/TestSSL.cpp +=== +--- webkitgtk.orig/Tools/TestWebKitAPI/Tests/WebKit2Gtk/TestSSL.cpp webkitgtk/Tools/TestWebKitAPI/Tests/WebKit2Gtk/TestSSL.cpp +@@ -129,16 +129,21 @@ static void testInsecureContent(Insecure + 
webkit_web_context_set_tls_errors_policy(context, originalPolicy); + } + ++static bool assertIfSSLRequestProcessed = false; ++ + static void testTLSErrorsPolicy(SSLTest* test, gconstpointer) + { + WebKitWebContext* context = webkit_web_view_get_context(test-m_webView); + // TLS errors are treated as transport failures by default. + g_assert(webkit_web_context_get_tls_errors_policy(context) == WEBKIT_TLS_ERRORS_POLICY_FAIL); ++ ++assertIfSSLRequestProcessed = true; + test-loadURI(kHttpsServer-getURIForPath(/).data()); + test-waitUntilLoadFinished(); + g_assert(test-m_loadFailed); + g_assert(test-m_loadEvents.contains(LoadTrackingTest::ProvisionalLoadFailed)); + g_assert(!test-m_loadEvents.contains(LoadTrackingTest::LoadCommitted)); ++assertIfSSLRequestProcessed = false; + + webkit_web_context_set_tls_errors_policy(context, WEBKIT_TLS_ERRORS_POLICY_IGNORE); + g_assert(webkit_web_context_get_tls_errors_policy(context) == WEBKIT_TLS_ERRORS_POLICY_IGNORE); +@@ -158,11 +163,13 @@ static void testTLSErrorsRedirect(SSLTes + WebKitTLSErrorsPolicy originalPolicy = webkit_web_context_get_tls_errors_policy(context); + webkit_web_context_set_tls_errors_policy(context, WEBKIT_TLS_ERRORS_POLICY_FAIL); + ++assertIfSSLRequestProcessed = true
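Review bot: After this change gotHeadersCallback no longer calls handleUnignoredTLSErrors, so rejecting an invalid certificate depends entirely on the new `notify::tls-errors` handler having run and cancelled the handle before any headers arrive. That ordering assumption should be stated in a comment next to the `g_signal_connect` for tlsErrorsChangedCallback, so that a later refactoring does not drop the only remaining check. The changelog entry for check-tls-errors.patch also gives no hint that the change is security relevant, which is worth saying explicitly in an unblock request.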
Bug#777372: wheezy-pu: package frogr/0.7-2
Control: tags -1 - moreinfo

On Sat, Feb 07, 2015 at 07:45:58PM +, Adam D. Barratt wrote:

> > A working version is Frogr 0.10, which is already in jessie. I was considering to backport it, but since the version in wheezy is no longer usable, what would be the recommended way to go here?
>
> The URL mentioned above suggests that the basic changes are as simple as s/http/https/g. Does the version on frogr in wheezy need any changes beyond that to become functional once more?

I just discussed this with upstream and it's actually easy to fix, apart from replacing the API URLs it's also necessary to backport a fix for a crash in gcrypt.

I'm attaching the debdiff, this is my first attempt to upload a package to stable so please tell me if I'm overlooking something (in particular, is the version numbering scheme the right one?).

Thanks,

Berto

diff -Nru frogr-0.7/debian/changelog frogr-0.7/debian/changelog --- frogr-0.7/debian/changelog 2012-05-26 03:50:49.0 +0300 +++ frogr-0.7/debian/changelog 2015-02-08 18:36:45.0 +0200 @@ -1,3 +1,16 @@ +frogr (0.7-2+deb7u1) stable; urgency=medium + + * use-ssl-api.patch: +- Use the SSL endpoints for the Flickr API. The non-SSL API was + disabled on June 2014. + * fix-gcrypt-crash.patch: +- Fix crash in gcrypt. + * debian/control: +- Remove obsolete DM-Upload-Allowed flag. + * Update my e-mail address in debian/*. + + -- Alberto Garcia be...@igalia.com Sun, 08 Feb 2015 18:23:00 +0200 + frogr (0.7-2) unstable; urgency=low * debian/preferences-general.png: this file was missing from the tarball diff -Nru frogr-0.7/debian/control frogr-0.7/debian/control --- frogr-0.7/debian/control 2012-05-26 03:50:49.0 +0300 +++ frogr-0.7/debian/control 2015-02-08 18:36:45.0 +0200 
@@ -1,8 +1,7 @@ Source: frogr Section: graphics Priority: optional -Maintainer: Alberto Garcia agar...@igalia.com -DM-Upload-Allowed: yes +Maintainer: Alberto Garcia be...@igalia.com Build-Depends: intltool, debhelper (= 9), libgtk-3-dev | libgtk2.0-dev (= 2.16), diff -Nru frogr-0.7/debian/copyright frogr-0.7/debian/copyright --- frogr-0.7/debian/copyright 2012-05-26 03:50:49.0 +0300 +++ frogr-0.7/debian/copyright 2015-02-08 18:36:45.0 +0200 @@ -12,7 +12,7 @@ License: LGPL-3 Files: debian/* -Copyright: 2010-2012 Alberto Garcia agar...@igalia.com +Copyright: 2010-2012 Alberto Garcia be...@igalia.com License: GPL-3 License: GPL-3 diff -Nru frogr-0.7/debian/patches/fix-gcrypt-crash.patch frogr-0.7/debian/patches/fix-gcrypt-crash.patch --- frogr-0.7/debian/patches/fix-gcrypt-crash.patch 1970-01-01 02:00:00.0 +0200 +++ frogr-0.7/debian/patches/fix-gcrypt-crash.patch 2015-02-08 18:36:45.0 +0200 
@@ -0,0 +1,47 @@ +From: Mario Sanchez Prada msanc...@gnome.org +Subject: Fix initialization of gcrypt to avoid crashes +Bug: https://bugzilla.gnome.org/show_bug.cgi?id=732475 +Origin: https://git.gnome.org/browse/frogr/commit/?id=d7f4e944aa691244e57a8fcc8f4f0e5f91da8686 +Index: frogr/src/flicksoup/fsp-session.c +=== +--- frogr.orig/src/flicksoup/fsp-session.c frogr/src/flicksoup/fsp-session.c +@@ -26,6 +26,7 @@ + #include fsp-session.h + + #include config.h ++#include errno.h + #include gcrypt.h + + #ifdef HAVE_LIBSOUP_GNOME +@@ -34,9 +35,13 @@ + #include libsoup/soup.h + #endif + ++#include pthread.h + #include stdarg.h + #include string.h + ++/* We need this macro defined to properly initialize gcrypt */ ++GCRY_THREAD_OPTION_PTHREAD_IMPL; ++ + #define FLICKR_API_BASE_URL https://api.flickr.com/services/rest; + #define FLICKR_API_UPLOAD_URL https://up.flickr.com/services/upload; + #define FLICKR_REQUEST_TOKEN_OAUTH_URL https://www.flickr.com/services/oauth/request_token; +@@ -486,6 +491,16 @@ fsp_session_init + self-priv-using_gnome_proxy = FALSE; + self-priv-proxy_uri = NULL; + ++ /* Apparently, we need to initialize gcrypt not to get a crash: ++ http://lists.gnupg.org/pipermail/gcrypt-devel/2003-August/000458.html */ ++ if (!gcry_control (GCRYCTL_ANY_INITIALIZATION_P)) ++{ ++ gcry_control (GCRYCTL_SET_THREAD_CBS, gcry_threads_pthread); ++ gcry_check_version (NULL); ++ gcry_control (GCRYCTL_INIT_SECMEM, 32768); ++ gcry_control (GCRYCTL_INITIALIZATION_FINISHED); ++} ++ + self-priv-soup_session = soup_session_async_new (); + } + diff -Nru frogr-0.7/debian/patches/series frogr-0.7/debian/patches/series --- frogr-0.7/debian/patches/series 1970-01-01 02:00:00.0 +0200 +++ frogr-0.7/debian/patches/series 2015-02-08 18:36:45.0 +0200 
@@ -0,0 +1,2 @@ +use-ssl-api.patch +fix-gcrypt-crash.patch diff -Nru frogr-0.7/debian/patches/use-ssl-api.patch frogr-0.7/debian/patches/use-ssl-api.patch --- frogr-0.7/debian/patches/use-ssl-api.patch 1970-01-01 02:00:00.0 +0200 +++ frogr-0.7/debian/patches/use-ssl-api.patch 2015-02-08 18:36:45.0 +0200 @@ -0,0 +1,35
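Review bot: In the block that fix-gcrypt-crash.patch adds to fsp_session_init, the results of every `gcry_control` call and of `gcry_check_version (NULL)` are discarded, and passing NULL means no minimum version is verified, so a failed initialization would go unnoticed and the crash could come back without any diagnostic. Consider passing the required version string and logging a warning when one of the calls fails. Since this is a stable update, the changelog entry "Fix crash in gcrypt" would also be easier to review with the upstream bug number from the patch header next to it.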
Bug#777372: wheezy-pu: package frogr/0.7-2
Package: release.debian.org Severity: normal Tags: wheezy User: release.debian@packages.debian.org Usertags: pu The current version of Frogr in Debian wheezy no longer works due to an API change in Flickr. http://code.flickr.net/2014/04/30/flickr-api-going-ssl-only-on-june-27th-2014/ A working version is Frogr 0.10, which is already in jessie. I was considering to backport it, but since the version in wheezy is no longer usable, what would be the recommended way to go here? Can I upload 0.10 to wheezy-pu? Should I upload it to backports instead? In that case, should I request the removal of 0.7 from wheezy? Thanks, Berto -- System Information: Debian Release: 8.0 APT prefers testing APT policy: (500, 'testing') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores) Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) -- Archive: https://lists.debian.org/20150207184655.28923.99123.reportbug@perseus.local
Bug#775752: unblock: frogr/0.10-2
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package frogr It contains a fix for this bug: https://bugzilla.gnome.org/show_bug.cgi?id=732475 This initializes the gcrypt library, otherwise frogr may experience random crashes in some scenarios. This patch is already available in the latest stable version of Frogr, and upstream strongly recommends backporting it to this release. unblock frogr/0.10-2 -- System Information: Debian Release: 8.0 APT prefers testing APT policy: (500, 'testing') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores) Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) diff -Nru frogr-0.10/debian/changelog frogr-0.10/debian/changelog --- frogr-0.10/debian/changelog 2014-06-17 10:47:52.0 +0300 +++ frogr-0.10/debian/changelog 2015-01-19 15:50:01.0 +0200 @@ -1,3 +1,10 @@ +frogr (0.10-2) unstable; urgency=medium + + * fix-gcrypt-crash.patch: +- Fix crash in gcrypt. + + -- Alberto Garcia be...@igalia.com Mon, 19 Jan 2015 15:45:16 +0200 + frogr (0.10-1) unstable; urgency=medium * New upstream release. diff -Nru frogr-0.10/debian/patches/fix-gcrypt-crash.patch frogr-0.10/debian/patches/fix-gcrypt-crash.patch --- frogr-0.10/debian/patches/fix-gcrypt-crash.patch 1970-01-01 02:00:00.0 +0200 +++ frogr-0.10/debian/patches/fix-gcrypt-crash.patch 2015-01-19 15:50:01.0 +0200 
@@ -0,0 +1,42 @@ +From: Mario Sanchez Prada msanc...@gnome.org +Subject: Fix initialization of gcrypt to avoid crashes +Bug: https://bugzilla.gnome.org/show_bug.cgi?id=732475 +Origin: https://git.gnome.org/browse/frogr/commit/?id=d7f4e944aa691244e57a8fcc8f4f0e5f91da8686 +Index: frogr/src/flicksoup/fsp-session.c +=== +--- frogr.orig/src/flicksoup/fsp-session.c frogr/src/flicksoup/fsp-session.c +@@ -26,11 +26,16 @@ + #include fsp-session.h + + #include config.h ++#include errno.h + #include gcrypt.h + #include libsoup/soup.h ++#include pthread.h + #include stdarg.h + #include string.h + ++/* We need this macro defined to properly initialize gcrypt */ ++GCRY_THREAD_OPTION_PTHREAD_IMPL; ++ + #define FLICKR_API_BASE_URL https://api.flickr.com/services/rest; + #define FLICKR_API_UPLOAD_URL https://up.flickr.com/services/upload; + #define FLICKR_REQUEST_TOKEN_OAUTH_URL https://www.flickr.com/services/oauth/request_token; +@@ -492,6 +497,16 @@ fsp_session_init + self-priv-using_default_proxy = TRUE; + self-priv-proxy_uri = NULL; + ++ /* Apparently, we need to initialize gcrypt not to get a crash: ++ http://lists.gnupg.org/pipermail/gcrypt-devel/2003-August/000458.html */ ++ if (!gcry_control (GCRYCTL_ANY_INITIALIZATION_P)) ++{ ++ gcry_control (GCRYCTL_SET_THREAD_CBS, gcry_threads_pthread); ++ gcry_check_version (NULL); ++ gcry_control (GCRYCTL_INIT_SECMEM, 32768); ++ gcry_control (GCRYCTL_INITIALIZATION_FINISHED); ++} ++ + #ifdef SOUP_VERSION_2_42 + /* soup_session_async_new() deprecated in lisoup 2.42 */ + self-priv-soup_session = soup_session_new (); diff -Nru frogr-0.10/debian/patches/series frogr-0.10/debian/patches/series --- frogr-0.10/debian/patches/series 1970-01-01 02:00:00.0 +0200 +++ frogr-0.10/debian/patches/series 2015-01-19 15:50:01.0 +0200 @@ -0,0 +1 @@ +fix-gcrypt-crash.patch
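Review bot: The changelog line "Fix crash in gcrypt" reads as if the defect were in libgcrypt, while the patch Subject says "Fix initialization of gcrypt to avoid crashes" and the change is entirely in frogr's own fsp_session_init. Please reword the entry to match the Subject and cite the upstream bug (https://bugzilla.gnome.org/show_bug.cgi?id=732475) so that the unblock can be traced from the changelog alone. The library-wide initialization is also placed in an instance init function and guarded only by `GCRYCTL_ANY_INITIALIZATION_P`; a comment on whether sessions can be created from more than one thread would help the reader judge that guard.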
Bug#772559: unblock: webkitgtk/2.4.7-3
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package webkitgtk

This release contains several fixes cherry picked from the upstream stable branches. All of them solve either crashes or other important bugs:

* debian/patches/ppc64-align.patch:
  This fixes a crash on ppc64 that happens because the address passed to mprotect() is not aligned to the page size.
  http://bugs.debian.org/762670
  https://bugs.webkit.org/show_bug.cgi?id=130237
  https://bugzilla.redhat.com/show_bug.cgi?id=1074093

* debian/patches/no-ssl-record-version.patch:
  This fixes a problem where, following the POODLE vulnerability, many web sites incorrectly ban SSL 3.0 record packet versions used to advertise TLS 1.2. This fix makes WebKitGTK+ use the latest TLS version record instead of using the default SSL 3.0.
  https://bugs.webkit.org/show_bug.cgi?id=138794

* debian/patches/nullptr-accessibilitymenulistoption.patch:
* debian/patches/nullptr-applystylecommand.patch:
* debian/patches/nullptr-frameprogresstracker.patch:
* debian/patches/render-text-control.patch:
  These other four patches fix several NULL pointer crashes in different parts of the code. Here are the upstream bug reports:
  https://bugs.webkit.org/show_bug.cgi?id=138727
  https://bugs.webkit.org/show_bug.cgi?id=137961
  https://bugs.webkit.org/show_bug.cgi?id=138061
  https://bugs.webkit.org/show_bug.cgi?id=138035

* debian/patches/protect-document.patch:
  This fixes a crash that happens while applying XSLTransform. This is marked upstream as a security fix so the details are private.

* debian/patches/ax-focus-events.patch:
  Two related accessibility fixes, preventing crashes for both users and non users of assistive technology.
https://bugs.webkit.org/show_bug.cgi?id=137866 https://bugs.webkit.org/show_bug.cgi?id=137867 unblock webkitgtk/2.4.7-3 -- System Information: Debian Release: 8.0 APT prefers testing APT policy: (500, 'testing') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores) Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) diff -Nru webkitgtk-2.4.7/debian/changelog webkitgtk-2.4.7/debian/changelog --- webkitgtk-2.4.7/debian/changelog 2014-11-11 10:44:21.0 + +++ webkitgtk-2.4.7/debian/changelog 2014-12-08 12:26:31.0 + 
@@ -1,3 +1,25 @@ +webkitgtk (2.4.7-3) unstable; urgency=medium + + * debian/patches/ppc64-align.patch: ++ Fix crash in ppc64el (Closes: #762670). + * debian/patches/no-ssl-record-version.patch: ++ Don't use a SSL3.0 record version in client hello. + * debian/patches/protect-document.patch: ++ Protect Document in ProcessingInstruction::setXSLStyleSheet(). This + is a security fix, see https://codereview.chromium.org/579133004. + * debian/patches/nullptr-accessibilitymenulistoption.patch: ++ Check for NULL pointers in AccessibilityMenuListOption. + * debian/patches/nullptr-applystylecommand.patch: ++ Check for NULL pointer in ApplyStyleCommand. + * debian/patches/nullptr-frameprogresstracker.patch: ++ Check for NULL pointer in FrameProgressTracker. + * debian/patches/render-text-control.patch: ++ Check for NULL pointer in SearchInputType. + * debian/patches/ax-focus-events.patch: ++ Fix accessible focus events in non-focused combo boxes. + + -- Alberto Garcia be...@igalia.com Mon, 08 Dec 2014 13:26:23 +0100 + webkitgtk (2.4.7-2) unstable; urgency=medium * debian/patches/touch-event.patch: diff -Nru webkitgtk-2.4.7/debian/patches/ax-focus-events.patch webkitgtk-2.4.7/debian/patches/ax-focus-events.patch --- webkitgtk-2.4.7/debian/patches/ax-focus-events.patch 1970-01-01 00:00:00.0 + +++ webkitgtk-2.4.7/debian/patches/ax-focus-events.patch 2014-12-08 12:26:31.0 + 
@@ -0,0 +1,78 @@ +From: Joanmarie Diggs jdi...@igalia.com +Subject: Fix accessible focus events in non-focused combo boxes +Origin: http://trac.webkit.org/changeset/176177, http://trac.webkit.org/changeset/176178 +Index: webkitgtk/Source/WebCore/accessibility/atk/AXObjectCacheAtk.cpp +=== +--- webkitgtk.orig/Source/WebCore/accessibility/atk/AXObjectCacheAtk.cpp webkitgtk/Source/WebCore/accessibility/atk/AXObjectCacheAtk.cpp +@@ -170,8 +170,12 @@ static void notifyChildrenSelectionChang + if (axItem) { + bool isSelected = item-isSelected(); + atk_object_notify_state_change(axItem, ATK_STATE_SELECTED, isSelected); +-g_signal_emit_by_name(axItem, focus-event, isSelected); +-atk_object_notify_state_change(axItem, ATK_STATE_FOCUSED, isSelected); ++// When the selection changes in a collapsed widget such as a combo box ++// whose child menu is not showing, that collapsed widget retains focus. ++if (!object
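Review bot: The changelog entry for protect-document.patch calls it a security fix but identifies it only through a Chromium code review link (https://codereview.chromium.org/579133004), with no WebKit changeset, bug number or CVE id. Please add whatever identifier exists so that the fix can be tracked, and give no-ssl-record-version.patch a bug reference as well, since its entry has none. In ax-focus-events.patch the Origin field lists two changesets merged into one patch; keeping them as two patches would make a later partial revert easier.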
Bug#772491: unblock: webkit2gtk/2.6.2+dfsg1-3
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package webkit2gtk

This release contains several fixes cherry picked from the upstream stable branches. All of them solve either crashes or other important bugs:

* debian/patches/no-ssl-record-version.patch:

  This fixes a problem where, following the POODLE vulnerability, many web sites incorrectly ban SSL 3.0 record packet versions used to advertise TLS 1.2. This fix makes WebKitGTK+ use the latest TLS version record instead of using the default SSL 3.0.

  https://bugs.webkit.org/show_bug.cgi?id=138794

* debian/patches/nullptr-accessibilitymenulistoption.patch:
* debian/patches/nullptr-applystylecommand.patch:
* debian/patches/nullptr-frameprogresstracker.patch:
* debian/patches/render-text-control.patch:

  These other four patches fix several NULL pointer crashes in different parts of the code. Here are the upstream bug reports:

  https://bugs.webkit.org/show_bug.cgi?id=138727
  https://bugs.webkit.org/show_bug.cgi?id=137961
  https://bugs.webkit.org/show_bug.cgi?id=138061
  https://bugs.webkit.org/show_bug.cgi?id=138035

* debian/patches/twitter-inserted-text.patch:

  A bug in a string cache makes WebKitGTK+ sometimes write spurious text in some input fields, notably in Etherpad and the Twitter message box.

  https://bugs.webkit.org/show_bug.cgi?id=139076

* debian/patches/protect-document.patch:

  This fixes a crash that happens while applying XSLTransform. This is marked upstream as a security fix so the details are private.

* debian/patches/at-spi2.patch:

  This fixes a regression. It disables the new AtkObject API that is still not supported by AT-SPI2.

  https://bugs.webkit.org/show_bug.cgi?id=138776

* debian/patches/ax-focus-events.patch:

  Two related accessibility fixes, preventing crashes for both users and non-users of assistive technology.

  https://bugs.webkit.org/show_bug.cgi?id=137866
  https://bugs.webkit.org/show_bug.cgi?id=137867

unblock webkit2gtk/2.6.2+dfsg1-3

-- System Information:
Debian Release: 8.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

diff -Nru webkit2gtk-2.6.2+dfsg1/debian/changelog webkit2gtk-2.6.2+dfsg1/debian/changelog --- webkit2gtk-2.6.2+dfsg1/debian/changelog 2014-11-10 09:45:07.0 + +++ webkit2gtk-2.6.2+dfsg1/debian/changelog 2014-12-07 16:53:35.0 + 
@@ -1,3 +1,27 @@ +webkit2gtk (2.6.2+dfsg1-3) unstable; urgency=medium + + * debian/patches/no-ssl-record-version.patch: + + Don't use a SSL3.0 record version in client hello. + * debian/patches/nullptr-accessibilitymenulistoption.patch: + + Check for NULL pointers in AccessibilityMenuListOption. + * debian/patches/nullptr-applystylecommand.patch: + + Check for NULL pointer in ApplyStyleCommand. + * debian/patches/nullptr-frameprogresstracker.patch: + + Check for NULL pointer in FrameProgressTracker. + * debian/patches/render-text-control.patch: + + Check for NULL pointer in SearchInputType. + * debian/patches/twitter-inserted-text.patch: + + Fix inserted text when typing in the Twitter message box. + * debian/patches/protect-document.patch: + + Protect Document in ProcessingInstruction::setXSLStyleSheet(). This + is a security fix, see https://codereview.chromium.org/579133004. + * debian/patches/at-spi2.patch: + + Accessible values are no longer accessible via AT-SPI2. + * debian/patches/ax-focus-events.patch: + + Fix accessible focus events in non-focused combo boxes. + + -- Alberto Garcia be...@igalia.com Sun, 07 Dec 2014 17:53:25 +0100 + webkit2gtk (2.6.2+dfsg1-2) unstable; urgency=medium * debian/patches/fix-mips64-build.patch: diff -Nru webkit2gtk-2.6.2+dfsg1/debian/patches/at-spi2.patch webkit2gtk-2.6.2+dfsg1/debian/patches/at-spi2.patch --- webkit2gtk-2.6.2+dfsg1/debian/patches/at-spi2.patch 1970-01-01 00:00:00.0 + +++ webkit2gtk-2.6.2+dfsg1/debian/patches/at-spi2.patch 2014-12-07 16:53:35.0 + 
@@ -0,0 +1,39 @@ +From: Joanmarie Diggs jdi...@igalia.com +Subject: Accessible values are no longer accessible via AT-SPI2 +Origin: http://trac.webkit.org/changeset/176193 +Index: webkitgtk/Source/WebCore/accessibility/atk/WebKitAccessibleInterfaceValue.cpp +=== +--- webkitgtk.orig/Source/WebCore/accessibility/atk/WebKitAccessibleInterfaceValue.cpp webkitgtk/Source/WebCore/accessibility/atk/WebKitAccessibleInterfaceValue.cpp +@@ -114,7 +114,7 @@ static AtkRange* webkitAccessibleGetRang + gchar* valueDescription = g_strdup_printf(%s, coreObject-valueDescription().utf8().data()); + return atk_range_new(minValue, maxValue, valueDescription); + } +-#else ++#endif + static
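Review bot: in the debian/changelog hunk, the at-spi2.patch entry "Accessible values are no longer accessible via AT-SPI2" states the symptom rather than the change, so it reads as if this upload introduces the breakage. Reword it as the fix, for example along the lines of the unblock request, which says the patch fixes a regression by disabling the new AtkObject API that AT-SPI2 does not support yet.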
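Review bot: in at-spi2.patch, the hunk at line 114 of WebKitAccessibleInterfaceValue.cpp turns "#else" into "#endif", which closes the conditional early and makes the code that follows compile unconditionally; the "#endif" that used to close this block has to be removed in the same patch, or the file is left with an unmatched directive. The diff is cut off right after this point on the page, so that removal is not visible here and should be checked against the full patch. A one-line description in the patch header saying that both code paths are now built on purpose would also help, since the Subject only names the symptom.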
Bug#769876: unblock: ocrfeeder/0.7.11-6
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package ocrfeeder

This package contains the fix for http://bugs.debian.org/767627

In order to fix desktop-mime-but-no-exec-code, ocrfeeder 0.7.11-4 replaced the Exec=ocrfeeder line in the .desktop file with Exec=ocrfeeder -i %f. This way, OCRFeeder was able to open a file from e.g. Nautilus.

However this change doesn't allow opening OCRFeeder from the applications menu, since ocrfeeder -i (with no extra arguments) is not a valid way to launch the program.

This upload reverts the change.

unblock ocrfeeder/0.7.11-6

-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

diff -Nru ocrfeeder-0.7.11/debian/changelog ocrfeeder-0.7.11/debian/changelog --- ocrfeeder-0.7.11/debian/changelog 2014-10-19 13:09:35.0 +0300 +++ ocrfeeder-0.7.11/debian/changelog 2014-11-02 23:14:39.0 +0200 @@ -1,3 +1,14 @@ +ocrfeeder (0.7.11-6) unstable; urgency=medium + + * desktop-exec-code.patch: +- Remove, this prevents OCRFeeder from being launched from the menu + (Closes: #767627). + * desktop-no-mime-types.patch: +- Remove the MimeType keyword from the desktop file since the command + listed in Exec cannot open an image. This needs a separate file. + + -- Alberto Garcia be...@igalia.com Sun, 02 Nov 2014 23:05:57 +0200 + ocrfeeder (0.7.11-5) unstable; urgency=medium * debian/control: diff -Nru ocrfeeder-0.7.11/debian/patches/desktop-exec-code.patch ocrfeeder-0.7.11/debian/patches/desktop-exec-code.patch --- ocrfeeder-0.7.11/debian/patches/desktop-exec-code.patch 2014-10-19 13:09:35.0 +0300 +++ ocrfeeder-0.7.11/debian/patches/desktop-exec-code.patch 1970-01-01 02:00:00.0 +0200 
@@ -1,15 +0,0 @@ -From: Alberto Garcia be...@igalia.com -Subject: Add code to the Exec key in order to open a file -Index: ocrfeeder/resources/ocrfeeder.desktop.in -=== ocrfeeder.orig/resources/ocrfeeder.desktop.in -+++ ocrfeeder/resources/ocrfeeder.desktop.in -@@ -4,7 +4,7 @@ Type=Application - _Name=OCRFeeder - _Comment=The complete OCR suite. - TryExec=ocrfeeder --Exec=ocrfeeder -+Exec=ocrfeeder -i %f - Icon=/usr/share/ocrfeeder/icons/ocrfeeder.svg - MimeType=image/bmp;image/gif;image/jpeg;image/jpg;image/pjpeg;image/png;image/tiff; - Categories=Application;Office; diff -Nru ocrfeeder-0.7.11/debian/patches/desktop-no-mime-types.patch ocrfeeder-0.7.11/debian/patches/desktop-no-mime-types.patch --- ocrfeeder-0.7.11/debian/patches/desktop-no-mime-types.patch 1970-01-01 02:00:00.0 +0200 +++ ocrfeeder-0.7.11/debian/patches/desktop-no-mime-types.patch 2014-11-02 23:14:39.0 +0200 @@ -0,0 +1,12 @@ +From: Alberto Garcia be...@igalia.com +Subject: Add code to the Exec key in order to open a file +Index: ocrfeeder/resources/ocrfeeder.desktop.in +=== +--- ocrfeeder.orig/resources/ocrfeeder.desktop.in ocrfeeder/resources/ocrfeeder.desktop.in +@@ -6,5 +6,4 @@ _Comment=The complete OCR suite. + TryExec=ocrfeeder + Exec=ocrfeeder + Icon=/usr/share/ocrfeeder/icons/ocrfeeder.svg +-MimeType=image/bmp;image/gif;image/jpeg;image/jpg;image/pjpeg;image/png;image/tiff; + Categories=Application;Office; diff -Nru ocrfeeder-0.7.11/debian/patches/series ocrfeeder-0.7.11/debian/patches/series --- ocrfeeder-0.7.11/debian/patches/series 2014-10-19 13:09:35.0 +0300 +++ ocrfeeder-0.7.11/debian/patches/series 2014-11-02 23:14:39.0 +0200 @@ -3,4 +3,4 @@ gtkspell.patch automake-warnings.patch gdk-threads.patch -desktop-exec-code.patch +desktop-no-mime-types.patch
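Review bot: the header of the new desktop-no-mime-types.patch still reads "Subject: Add code to the Exec key in order to open a file", which is the subject of the desktop-exec-code.patch being removed, while its only hunk deletes the MimeType line. Change the subject to describe the removal, and consider recording in the header, as the changelog does, that opening files needs a separate desktop file, so the dropped MIME association is not mistaken for an oversight.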
Bug#769404: unblock: grilo-plugins/0.2.13-2
On Sun, Nov 16, 2014 at 03:48:04PM +, Jonathan Wiltshire wrote:

> Given the changes are small, seem to match the freeze policy, and can
> anyway be reverted later if needed: if I were you, I would skip the
> pre-approval procedure, upload to sid and then ping this bug to avoid
> more round-trips.

I updated the changelog message as suggested and uploaded the package, here's the debdiff.

Thanks,

Berto

diff -Nru grilo-plugins-0.2.13/debian/changelog grilo-plugins-0.2.13/debian/changelog --- grilo-plugins-0.2.13/debian/changelog 2014-08-27 14:48:24.0 +0300 +++ grilo-plugins-0.2.13/debian/changelog 2014-11-16 17:58:56.0 +0200 @@ -1,3 +1,15 @@ +grilo-plugins (0.2.13-2) unstable; urgency=medium + + * debian/control: +- Add build dependency on librest-dev, needed by the Pocket + plugin. This has been working so far because librest-dev is also + a dependency of libgoa-1.0-dev, but we should not rely on that. +- Make grilo-plugins recommend dleyna-server (Closes: #765986). + * fix-dleyna-crash.patch: +- Fix crash due to variable redefinition (Closes: #769357). + + -- Alberto Garcia be...@igalia.com Sun, 16 Nov 2014 17:58:49 +0200 + grilo-plugins (0.2.13-1) unstable; urgency=medium * New upstream release (Closes: #750038). diff -Nru grilo-plugins-0.2.13/debian/control grilo-plugins-0.2.13/debian/control --- grilo-plugins-0.2.13/debian/control 2014-08-27 14:48:24.0 +0300 +++ grilo-plugins-0.2.13/debian/control 2014-11-16 17:58:56.0 +0200 @@ -10,6 +10,7 @@ yelp-tools, python-dbusmock, libarchive-dev, + librest-dev (= 0.7.90), libglib2.0-dev (= 2.36), libgrilo-0.2-dev (= 0.2.11), libxml2-dev, 
@@ -36,6 +37,7 @@ Pre-Depends: ${misc:Pre-Depends} Depends: ${shlibs:Depends}, ${misc:Depends} +Recommends: dleyna-server Description: Framework for discovering and browsing media - Plugins Grilo is a framework focused on making media discovery and browsing easy for application developers. diff -Nru grilo-plugins-0.2.13/debian/patches/fix-dleyna-crash.patch grilo-plugins-0.2.13/debian/patches/fix-dleyna-crash.patch --- grilo-plugins-0.2.13/debian/patches/fix-dleyna-crash.patch 1970-01-01 02:00:00.0 +0200 +++ grilo-plugins-0.2.13/debian/patches/fix-dleyna-crash.patch 2014-11-16 17:58:56.0 +0200 @@ -0,0 +1,16 @@ +From: Juan A. Suarez Romero jasua...@igalia.com +Subject: Remove variable redefinition +Bug: https://bugzilla.gnome.org/show_bug.cgi?id=740052 +Bug-Debian: https://bugs.debian.org/769357 +Index: grilo-plugins/src/dleyna/grl-dleyna-utils.c +=== +--- grilo-plugins.orig/src/dleyna/grl-dleyna-utils.c grilo-plugins/src/dleyna/grl-dleyna-utils.c +@@ -213,7 +213,6 @@ is_our_user_ipv6 (struct sockaddr_in6 *a + + status = g_io_channel_read_line (file, line, NULL, NULL, NULL); + while (status == G_IO_STATUS_NORMAL) { +-char *line; + int j, k, l; + /* 4*8 for IP, 4 for port, 1 for :, 1 for NUL */ + char buffer[4*8 + 4 + 1 + 1]; diff -Nru grilo-plugins-0.2.13/debian/patches/series grilo-plugins-0.2.13/debian/patches/series --- grilo-plugins-0.2.13/debian/patches/series 1970-01-01 02:00:00.0 +0200 +++ grilo-plugins-0.2.13/debian/patches/series 2014-11-16 17:58:56.0 +0200 @@ -0,0 +1 @@ +fix-dleyna-crash.patch
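Review bot: fix-dleyna-crash.patch removes the inner "char *line;" at the top of the while loop in is_our_user_ipv6(), but its header says only "Remove variable redefinition" and does not explain the failure. The inner declaration shadowed the "line" handed to g_io_channel_read_line() just above the loop, so the loop body worked on an uninitialized pointer; one sentence saying that in the header would put the memory-safety nature of the bug on record for whoever reads the patch later. Building with -Wshadow would flag this class of mistake.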
Bug#769404: unblock: grilo-plugins/0.2.13-2
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package grilo-plugins

I'm about to upload the new package, which contains the following fixes:

http://bugs.debian.org/769357

There is a variable redefinition in the code that parses IPv6 addresses that makes the plugin crash (in short: the code iterates over an uninitialized array). This renders programs like totem unusable.

http://bugs.debian.org/765986

The dLeyna plugin uses the dleyna-server DBUS API, but the grilo-plugins package does not define any relationship to dleyna-server. This change adds a Recommends: dleyna-server field.

In addition to that, I added a build dependency on librest-dev. This is a hard requirement for one of the plugins and the dependency is explicitly checked in the configure script. If it's working at the moment it's because it's coincidentally being pulled by other build dependencies. I don't have any bug for this, so if this change is not appropriate I'll revert it.

I haven't uploaded the package yet, I'll do it as soon as I get the confirmation that the changes are fine.

Thanks!

unblock grilo-plugins/0.2.13-2

-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

diff -Nru grilo-plugins-0.2.13/debian/changelog grilo-plugins-0.2.13/debian/changelog --- grilo-plugins-0.2.13/debian/changelog 2014-08-27 14:48:24.0 +0300 +++ grilo-plugins-0.2.13/debian/changelog 2014-11-13 14:11:23.0 +0200 
@@ -1,3 +1,13 @@ +grilo-plugins (0.2.13-2) unstable; urgency=medium + + * debian/control: +- Add build dependency on librest-dev. +- Make grilo-plugins recommend dleyna-server (Closes: #765986). + * fix-dleyna-crash.patch: +- Fix crash due to variable redefinition (Closes: #769357). + + -- Alberto Garcia be...@igalia.com Thu, 13 Nov 2014 14:11:07 +0200 + grilo-plugins (0.2.13-1) unstable; urgency=medium * New upstream release (Closes: #750038). diff -Nru grilo-plugins-0.2.13/debian/control grilo-plugins-0.2.13/debian/control --- grilo-plugins-0.2.13/debian/control 2014-08-27 14:48:24.0 +0300 +++ grilo-plugins-0.2.13/debian/control 2014-11-13 14:11:23.0 +0200 @@ -10,6 +10,7 @@ yelp-tools, python-dbusmock, libarchive-dev, + librest-dev (= 0.7.90), libglib2.0-dev (= 2.36), libgrilo-0.2-dev (= 0.2.11), libxml2-dev, @@ -36,6 +37,7 @@ Pre-Depends: ${misc:Pre-Depends} Depends: ${shlibs:Depends}, ${misc:Depends} +Recommends: dleyna-server Description: Framework for discovering and browsing media - Plugins Grilo is a framework focused on making media discovery and browsing easy for application developers. diff -Nru grilo-plugins-0.2.13/debian/patches/fix-dleyna-crash.patch grilo-plugins-0.2.13/debian/patches/fix-dleyna-crash.patch --- grilo-plugins-0.2.13/debian/patches/fix-dleyna-crash.patch 1970-01-01 02:00:00.0 +0200 +++ grilo-plugins-0.2.13/debian/patches/fix-dleyna-crash.patch 2014-11-13 14:11:23.0 +0200 
@@ -0,0 +1,16 @@ +From: Juan A. Suarez Romero jasua...@igalia.com +Subject: Remove variable redefinition +Bug: https://bugzilla.gnome.org/show_bug.cgi?id=740052 +Bug-Debian: https://bugs.debian.org/769357 +Index: grilo-plugins/src/dleyna/grl-dleyna-utils.c +=== +--- grilo-plugins.orig/src/dleyna/grl-dleyna-utils.c grilo-plugins/src/dleyna/grl-dleyna-utils.c +@@ -213,7 +213,6 @@ is_our_user_ipv6 (struct sockaddr_in6 *a + + status = g_io_channel_read_line (file, line, NULL, NULL, NULL); + while (status == G_IO_STATUS_NORMAL) { +-char *line; + int j, k, l; + /* 4*8 for IP, 4 for port, 1 for :, 1 for NUL */ + char buffer[4*8 + 4 + 1 + 1]; diff -Nru grilo-plugins-0.2.13/debian/patches/series grilo-plugins-0.2.13/debian/patches/series --- grilo-plugins-0.2.13/debian/patches/series 1970-01-01 02:00:00.0 +0200 +++ grilo-plugins-0.2.13/debian/patches/series 2014-11-13 14:11:23.0 +0200 @@ -0,0 +1 @@ +fix-dleyna-crash.patch
Bug#769092: unblock: webkit2gtk/2.6.2+dfsg1-2
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package webkit2gtk

This package contains fixes for two bugs:

http://bugs.debian.org/768341

The Flash plugin (and possibly others) can cause a stack buffer overflow. Although the GCC stack protector can detect it, it renders the plugin completely unusable. The fix is trivial and has already been applied upstream.

http://bugs.debian.org/767598

This fixes a FTBFS on mips64el. It simply adds support for this platform by adding the __mips64 pre-processor macro to a list of supported machines. It has no effect on other architectures.

unblock webkit2gtk/2.6.2+dfsg1-2

-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

diff -Nru webkit2gtk-2.6.2+dfsg1/debian/changelog webkit2gtk-2.6.2+dfsg1/debian/changelog --- webkit2gtk-2.6.2+dfsg1/debian/changelog 2014-10-23 09:18:28.0 + +++ webkit2gtk-2.6.2+dfsg1/debian/changelog 2014-11-10 09:45:07.0 + @@ -1,3 +1,12 @@ +webkit2gtk (2.6.2+dfsg1-2) unstable; urgency=medium + + * debian/patches/fix-mips64-build.patch: ++ Fix mips64el build (Closes: #767598). + * debian/patches/flash-crash.patch: ++ Fix crash in the Flash player (Closes: #768341). + + -- Alberto Garcia be...@igalia.com Mon, 10 Nov 2014 11:44:56 +0200 + webkit2gtk (2.6.2+dfsg1-1) unstable; urgency=medium * New upstream release. diff -Nru webkit2gtk-2.6.2+dfsg1/debian/patches/fix-mips64-build.patch webkit2gtk-2.6.2+dfsg1/debian/patches/fix-mips64-build.patch --- webkit2gtk-2.6.2+dfsg1/debian/patches/fix-mips64-build.patch 1970-01-01 00:00:00.0 + +++ webkit2gtk-2.6.2+dfsg1/debian/patches/fix-mips64-build.patch 2014-11-10 09:45:07.0 + 
@@ -0,0 +1,55 @@ +From: YunQiang Su wzss...@gmail.com +Subject: Fix build in MIPS64EL +Bug-Debian: http://bugs.debian.org/767598 +Bug: https://bugs.webkit.org/show_bug.cgi?id=124370 +Index: webkitgtk/Source/WTF/wtf/Platform.h +=== +--- webkitgtk.orig/Source/WTF/wtf/Platform.h webkitgtk/Source/WTF/wtf/Platform.h +@@ -80,16 +80,20 @@ + #endif + #endif + +-/* CPU(MIPS) - MIPS 32-bit */ +-/* Note: Only O32 ABI is tested, so we enable it for O32 ABI for now. */ +-#if (defined(mips) || defined(__mips__) || defined(MIPS) || defined(_MIPS_)) \ +- defined(_ABIO32) ++/* CPU(MIPS) - MIPS 32-bit and 64-bit */ ++#if (defined(mips) || defined(__mips__) || defined(MIPS) || defined(_MIPS_) \ ++|| defined(__mips64)) ++#if defined(__mips64) ++#define WTF_CPU_MIPS64 1 ++#define WTF_MIPS_ARCH __mips64 ++#else + #define WTF_CPU_MIPS 1 ++#define WTF_MIPS_ARCH __mips ++#endif + #if defined(__MIPSEB__) + #define WTF_CPU_BIG_ENDIAN 1 + #endif + #define WTF_MIPS_PIC (defined __PIC__) +-#define WTF_MIPS_ARCH __mips + #define WTF_MIPS_ISA(v) (defined WTF_MIPS_ARCH WTF_MIPS_ARCH == v) + #define WTF_MIPS_ISA_AT_LEAST(v) (defined WTF_MIPS_ARCH WTF_MIPS_ARCH = v) + #define WTF_MIPS_ARCH_REV __mips_isa_rev +@@ -662,6 +666,7 @@ + || CPU(ARM64) \ + || CPU(SPARC64) \ + || CPU(S390X) \ ++|| CPU(MIPS64) \ + || CPU(PPC64) \ + || CPU(PPC64LE) + #define WTF_USE_JSVALUE64 1 +Index: webkitgtk/Source/WTF/wtf/dtoa/utils.h +=== +--- webkitgtk.orig/Source/WTF/wtf/dtoa/utils.h webkitgtk/Source/WTF/wtf/dtoa/utils.h +@@ -49,7 +49,7 @@ + defined(__ARMEL__) || \ + defined(_MIPS_ARCH_MIPS32R2) + #define DOUBLE_CONVERSION_CORRECT_DOUBLE_OPERATIONS 1 +-#elif CPU(MIPS) || CPU(PPC) || CPU(PPC64) || CPU(PPC64LE) || OS(WINCE) || CPU(SH4) || CPU(S390) || CPU(S390X) || CPU(IA64) || CPU(SPARC) || CPU(ALPHA) || CPU(ARM64) || CPU(HPPA) ++#elif CPU(MIPS) || CPU(MIPS64) || CPU(PPC) || CPU(PPC64) || CPU(PPC64LE) || OS(WINCE) || CPU(SH4) || CPU(S390) || CPU(S390X) || CPU(IA64) || CPU(SPARC) || CPU(ALPHA) || CPU(ARM64) || CPU(HPPA) 
+ #define DOUBLE_CONVERSION_CORRECT_DOUBLE_OPERATIONS 1 + #elif defined(_M_IX86) || defined(__i386__) + #if defined(_WIN32) diff -Nru webkit2gtk-2.6.2+dfsg1/debian/patches/flash-crash.patch webkit2gtk-2.6.2+dfsg1/debian/patches/flash-crash.patch --- webkit2gtk-2.6.2+dfsg1/debian/patches/flash-crash.patch 1970-01-01 00:00:00.0 + +++ webkit2gtk-2.6.2+dfsg1/debian/patches/flash-crash.patch 2014-11-10 09:45:07.0 + @@ -0,0 +1,19 @@ +From: Alberto Garcia be...@igalia.com +Subject: Fix crash in the Flash plugin +Bug: https://bugs.webkit.org/show_bug.cgi?id=137849 +Bug-Debian: http://bugs.debian.org/768341 +Index: webkitgtk/Source/WebKit2/WebProcess/Plugins/Netscape/x11/NetscapePluginX11.cpp +=== +--- webkitgtk.orig
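Review bot: in fix-mips64-build.patch, the first hunk on Source/WTF/wtf/Platform.h removes the "defined(_ABIO32)" test together with the comment "Only O32 ABI is tested", so the rewritten condition now matches every MIPS target rather than O32 plus 64-bit. That is more than adding __mips64 to a list, which is how the unblock request describes the change; either keep the O32 restriction on the 32-bit branch or state in the patch header that the other 32-bit ABIs are enabled on purpose. In the same hunk WTF_MIPS_ARCH becomes __mips64 on the 64-bit branch while WTF_MIPS_ISA(v) still compares it with an ISA level, so it is worth confirming that __mips64 carries a usable value there.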
Bug#769136: unblock: webkitgtk/2.4.7-2
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package webkitgtk

This package contains fixes for two bugs:

http://bugs.debian.org/768929

The Flash plugin (and possibly others) can cause a stack buffer overflow. Although the GCC stack protector can detect it, it renders the plugin completely unusable. The fix is trivial and has already been applied upstream.

http://bugs.debian.org/761492

The WebKit event dispatcher code tries to access the elements of an event list without checking first if it's null. This can be reproduced with certain websites and crashes the web process. The patch is very simple and is a backport from the 2.6 stable series.

unblock webkitgtk/2.4.7-2

-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

diff -Nru webkitgtk-2.4.7/debian/changelog webkitgtk-2.4.7/debian/changelog --- webkitgtk-2.4.7/debian/changelog 2014-10-23 09:10:22.0 + +++ webkitgtk-2.4.7/debian/changelog 2014-11-11 10:44:21.0 + @@ -1,3 +1,12 @@ +webkitgtk (2.4.7-2) unstable; urgency=medium + + * debian/patches/touch-event.patch: ++ Fix crash in EventPath::updateTouchLists() (Closes: #761492). + * debian/patches/flash-crash.patch: ++ Fix crash in the Flash player (Closes: #768929). + + -- Alberto Garcia be...@igalia.com Tue, 11 Nov 2014 12:43:45 +0200 + webkitgtk (2.4.7-1) unstable; urgency=medium * New upstream release. diff -Nru webkitgtk-2.4.7/debian/patches/flash-crash.patch webkitgtk-2.4.7/debian/patches/flash-crash.patch --- webkitgtk-2.4.7/debian/patches/flash-crash.patch 1970-01-01 00:00:00.0 + +++ webkitgtk-2.4.7/debian/patches/flash-crash.patch 2014-11-11 10:44:21.0 + 
@@ -0,0 +1,19 @@ +From: Alberto Garcia be...@igalia.com +Subject: Fix crash in the Flash plugin +Bug: https://bugs.webkit.org/show_bug.cgi?id=137849 +Bug-Debian: http://bugs.debian.org/768929 +Index: webkitgtk/Source/WebKit2/WebProcess/Plugins/Netscape/x11/NetscapePluginX11.cpp +=== +--- webkitgtk.orig/Source/WebKit2/WebProcess/Plugins/Netscape/x11/NetscapePluginX11.cpp webkitgtk/Source/WebKit2/WebProcess/Plugins/Netscape/x11/NetscapePluginX11.cpp +@@ -201,7 +201,9 @@ void NetscapePlugin::platformPreInitiali + bool NetscapePlugin::platformPostInitialize() + { + uint64_t windowID = 0; +-bool needsXEmbed = false; ++// NPPVpluginNeedsXEmbed is a boolean value, but at least the ++// Flash player plugin is using an 'int' instead. ++int needsXEmbed = 0; + if (m_isWindowed) { + NPP_GetValue(NPPVpluginNeedsXEmbed, needsXEmbed); + if (needsXEmbed) { diff -Nru webkitgtk-2.4.7/debian/patches/series webkitgtk-2.4.7/debian/patches/series --- webkitgtk-2.4.7/debian/patches/series 2014-10-23 09:10:22.0 + +++ webkitgtk-2.4.7/debian/patches/series 2014-11-11 10:44:21.0 + @@ -11,3 +11,5 @@ x32_support.patch fix-arm64-build.patch fix-mips64-build.patch +touch-event.patch +flash-crash.patch diff -Nru webkitgtk-2.4.7/debian/patches/touch-event.patch webkitgtk-2.4.7/debian/patches/touch-event.patch --- webkitgtk-2.4.7/debian/patches/touch-event.patch 1970-01-01 00:00:00.0 + +++ webkitgtk-2.4.7/debian/patches/touch-event.patch 2014-11-11 10:44:21.0 + 
@@ -0,0 +1,51 @@ +From: Miyoung Shin myid.s...@samsung.com +Subject: Fix crash during dispatching touchEvent created by JS +Bug-Debian: https://bugs.debian.org/761492 +Bug: https://bugs.webkit.org/show_bug.cgi?id=138211 +Index: webkitgtk/Source/WebCore/dom/EventDispatcher.cpp +=== +--- webkitgtk.orig/Source/WebCore/dom/EventDispatcher.cpp webkitgtk/Source/WebCore/dom/EventDispatcher.cpp +@@ -91,7 +91,7 @@ public: + EventContext contextAt(size_t i) { return *m_path[i]; } + + #if ENABLE(TOUCH_EVENTS) +-void updateTouchLists(const TouchEvent); ++bool updateTouchLists(const TouchEvent); + #endif + void setRelatedTarget(EventTarget); + +@@ -312,8 +312,10 @@ bool EventDispatcher::dispatchEvent(Node + if (EventTarget* relatedTarget = event-relatedTarget()) + eventPath.setRelatedTarget(*relatedTarget); + #if ENABLE(TOUCH_EVENTS) !PLATFORM(IOS) +-if (event-isTouchEvent()) +-eventPath.updateTouchLists(*toTouchEvent(event.get())); ++if (event-isTouchEvent()) { ++if (!eventPath.updateTouchLists(*toTouchEvent(event.get( ++return true; ++} + #endif + + ChildNodesLazySnapshot::takeChildNodesLazySnapshot(); +@@ -432,8 +434,11 @@ static void addRelatedNodeResolversForTo + touchTargetResolvers.append
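Review bot: in flash-crash.patch, the Subject and the changelog entry call this a crash, while the unblock request describes a stack buffer overflow that the stack protector catches; name the overflow in the patch header so the memory-safety nature of the fix is on record. In the hunk on platformPostInitialize(), the new comment should also say that the "= 0" initializer has to stay, because a plugin that stores only a bool-sized value leaves the remaining bytes of the int untouched.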
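Review bot: in touch-event.patch, the dispatchEvent() hunk returns true when updateTouchLists() fails, so the caller sees true for a touch event that was never delivered. Confirm that true is the intended value for this bail-out and add a comment at the early return naming the condition that updateTouchLists() rejects; the part of the patch that adds the check itself is cut off on this page, so it could not be reviewed here.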
Bug#761283: nmu: grilo-plugins_0.2.13-1
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: binnmu

Hi,

the 'Pocket' plugin in grilo-plugins requires a version of librest that was not available in kfreebsd when the package was built.

The latest librest is finally available so grilo-plugins can now be rebuilt. I just tested it myself and it builds fine.

nmu grilo-plugins_0.2.13-1 . kfreebsd-amd64 kfreebsd-i386 . -m Rebuild against the latest librest in order to build the 'Pocket' plugin

Thanks,

Berto

-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.14-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Bug#702826: nmu: binutils-z80_2.22-3
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: binnmu

Hi,

binutils recently added a fix for #688951 (CVE-2012-3509) which also affects binutils-z80.

The following binNMU will cause the fix to be applied to binutils-z80:

nmu binutils-z80_2.22-3 . ALL . -m Rebuild against new binutils to pick up fix for #688951. Closes: #702407.

Thanks,

Berto

-- System Information:
Debian Release: 7.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=pt_PT, LC_CTYPE=pt_PT (charmap=UTF-8) (ignored: LC_ALL set to pt_PT.UTF-8)
Shell: /bin/sh linked to /bin/dash
Bug#685880: Bug#670405: ekiga: During start up segfault in `libopal.so.3.10.4`
On Thu, Sep 13, 2012 at 04:07:55PM +0200, Paul Menzel wrote:

> Berto, it would be awesome if you could test Ekiga from experimental
> [3][4] and report back if it fixes the issues for you.

I've just tried ekiga 3.9.90-1 and it seems to work now.

These are the new packages that I installed:

ekiga 3.9.90-1
libopal3.10.7 3.10.7~dfsg-3
libpt2.10.7 2.10.7~dfsg-1
libboost-signals1.49.0 1.49.0-3.1

I made a few test calls and it looks fine, it was unusable before this.

Thanks!

Berto