Re: [webkit-gtk] Fix CVE-2023-32435 for webkitgtk 2.38.6

2023-09-07 Thread Michael Catanzaro
On Thu, Sep 7 2023 at 11:29:58 AM +0800, 不会弹吉他的KK wrote:
> For the Yocto project which I am working on, packages (recipes) can NOT be
> updated with a major version upgrade on Yocto released products/branches. So
> we still have to fix such kinds of CVEs. But for the master branch, webkitgtk
> will be upgraded as soon as it is released.


I'm going to recommend a different approach: don't fix any CVEs and 
instead prominently document that the version of WebKitGTK distributed 
by Yocto does not receive security updates. It's really better to avoid 
misplaced expectations; when you backport security fixes, people assume 
incorrectly that the package is receiving comprehensive security 
backports and is safe to use, but that's just not true. i.e. your 
security updates actually harm security because they mess up users' 
expectations. It's better to just be clear about it. We have this same 
problem in RHEL and are slowly moving towards doing no updates there as 
well.


I would recommend removing WebKitGTK and its dependencies from Yocto 
altogether if they have rules that prohibit you from releasing proper 
security updates just because the version number is higher. Anyway, 
good luck.


Michael


___
webkit-gtk mailing list
webkit-gtk@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-gtk


Re: [webkit-gtk] Fix CVE-2023-32435 for webkitgtk 2.38.6

2023-09-06 Thread 不会弹吉他的KK
On Wed, Sep 6, 2023 at 9:46 PM Michael Catanzaro wrote:

> On Wed, Sep 6 2023 at 04:23:17 PM +0800, 不会弹吉他的KK wrote:
> > My question is
> > 1. Is webkitgtk 2.38.6 vulnerable to CVE-2023-32435?
>
> No clue, sorry.
>
> > 2. If YES, how should the patches to the 2 new files be dealt with? If we
> > just ignore them and only patch the file
> > Source/JavaScriptCore/wasm/WasmSectionParser.cpp, could
> > CVE-2023-32435 be fixed for 2.38.6, please?
>
> Patching just that one file is what I would do if tasked with
> backporting this fix.

OK.

> That said, keep in mind that only 10-20% of our
> security vulnerabilities receive CVEs, so just patching CVEs is not
> sufficient to provide a secure version of WebKitGTK. The 2.38 branch is
> no longer secure and you should try upgrading to 2.42. (I would skip
> 2.40 at this point, since that branch will end next week when 2.42.0 is
> released.)
>
For the Yocto project which I am working on, packages (recipes) can NOT be
updated with a major version upgrade on Yocto released products/branches. So we
still have to fix such kinds of CVEs. But for the master branch, webkitgtk will
be upgraded as soon as it is released.

Thanks a lot.
Kai

>
> Michael
>
>
>


Re: [webkit-gtk] Fix CVE-2023-32435 for webkitgtk 2.38.6

2023-09-06 Thread Michael Catanzaro
On Wed, Sep 6 2023 at 04:23:17 PM +0800, 不会弹吉他的KK wrote:

> My question is
> 1. Is webkitgtk 2.38.6 vulnerable to CVE-2023-32435?


No clue, sorry.

> 2. If YES, how should the patches to the 2 new files be dealt with? If we
> just ignore them and only patch the file
> Source/JavaScriptCore/wasm/WasmSectionParser.cpp, could
> CVE-2023-32435 be fixed for 2.38.6, please?


Patching just that one file is what I would do if tasked with 
backporting this fix. That said, keep in mind that only 10-20% of our 
security vulnerabilities receive CVEs, so just patching CVEs is not 
sufficient to provide a secure version of WebKitGTK. The 2.38 branch is 
no longer secure and you should try upgrading to 2.42. (I would skip 
2.40 at this point, since that branch will end next week when 2.42.0 is 
released.)


Michael




[webkit-gtk] Fix CVE-2023-32435 for webkitgtk 2.38.6

2023-09-06 Thread 不会弹吉他的KK
Hi All,
CVE-2023-32435 has been fixed in webkitgtk 2.40.0. According to
https://bugs.webkit.org/show_bug.cgi?id=251890, the commit is at
https://github.com/WebKit/WebKit/commit/50c7aaec2f53ab3b960f1b299aad5009df6f1967 .
It patches 3 files, but 2 of them are created/added in 2.40.0 and do NOT
exist in 2.38.6:
* Source/JavaScriptCore/wasm/WasmAirIRGenerator64.cpp
* Source/JavaScriptCore/wasm/WasmAirIRGeneratorBase.h

My question is
1. Is webkitgtk 2.38.6 vulnerable to CVE-2023-32435?
2. If YES, how should the patches to the 2 new files be dealt with? If we just
ignore them and only patch the file Source/JavaScriptCore/wasm/WasmSectionParser.cpp,
could CVE-2023-32435 be fixed for 2.38.6, please?

Regards,
Kai