Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock package webkit2gtk

[ Reason ]

Fix five CVEs, one of them reported to have been actively exploited.

[ Impact ]

webkit2gtk, like all other major browser engines, is affected by a constant stream of security bugs so it's not recommended to browse the web using an outdated version of the package. For this reason the security team has been providing webkit2gtk updates using the upstream stable releases since Debian buster.

2.40.1 is the first stable point release after 2.40.0 (already in bookworm). It contains fixes for several bugs including 5 CVEs:

CVE-2022-0108
   Impact: An HTML document may be able to render iframes with sensitive user information.

CVE-2022-32885
   Impact: Processing maliciously crafted web content may lead to arbitrary code execution.

CVE-2023-27932
   Impact: Processing maliciously crafted web content may bypass Same Origin Policy.

CVE-2023-27954
   Impact: A website may be able to track sensitive user information.

CVE-2023-28205
   Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

This new version also works in bullseye and the corresponding security update is also being prepared.

[ Tests ]

Tested manually using the Epiphany web browser for several days.

[ Risks ]

WebKitGTK evolves very fast and its stable releases contain other fixes apart from the security ones. Because of this the chance of regressions is higher than with other packages. That said, upstream has had a good track record of publishing updates with no major issues.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

Note that I only include the debian/ part of the debdiff since the changes to the source itself are larger due to the nature of the release.

unblock webkit2gtk/2.40.1-1

diff -Nru webkit2gtk-2.40.0/debian/changelog webkit2gtk-2.40.1/debian/changelog --- webkit2gtk-2.40.0/debian/changelog 2023-03-21 18:11:48.000000000 +0100 +++ webkit2gtk-2.40.1/debian/changelog 2023-04-20 14:29:23.000000000 +0200 @@ -1,3 +1,15 @@ +webkit2gtk (2.40.1-1) unstable; urgency=high + + * New upstream release. + * debian/rules: + - Build with -DUSE_GBM=OFF in the Hurd (Closes: #1033999). + * Drop fix-script-message-received-marshaller.patch and + fix-gst-crash.patch. Refresh all other patches. + * debian/copyright: + - Update copyright information of all files. + + -- Alberto Garcia <be...@igalia.com> Thu, 20 Apr 2023 14:29:23 +0200 + webkit2gtk (2.40.0-3) unstable; urgency=medium * debian/{rules,control.in}: diff -Nru webkit2gtk-2.40.0/debian/copyright webkit2gtk-2.40.1/debian/copyright --- webkit2gtk-2.40.0/debian/copyright 2023-03-21 18:11:48.000000000 +0100 +++ webkit2gtk-2.40.1/debian/copyright 2023-04-20 14:29:23.000000000 +0200 @@ -1923,8 +1923,6 @@ Source/WebCore/rendering/RenderTextInlines.h Source/WebCore/rendering/RenderTheme.cpp Source/WebCore/rendering/RenderTheme.h - Source/WebCore/rendering/RenderThemeGtk.cpp - Source/WebCore/rendering/RenderThemeGtk.h Source/WebCore/rendering/RenderThemeMac.h Source/WebCore/rendering/RenderThemeWin.cpp Source/WebCore/rendering/RenderThemeWin.h diff -Nru webkit2gtk-2.40.0/debian/patches/fix-ftbfs-m68k.patch webkit2gtk-2.40.1/debian/patches/fix-ftbfs-m68k.patch --- webkit2gtk-2.40.0/debian/patches/fix-ftbfs-m68k.patch 2023-03-21 18:11:48.000000000 +0100 +++ webkit2gtk-2.40.1/debian/patches/fix-ftbfs-m68k.patch 2023-04-20 14:29:23.000000000 +0200 
@@ -158,7 +158,7 @@ namespace JSC { template<typename CallOp, typename = std::true_type> -@@ -5497,3 +5502,6 @@ void printInternal(PrintStream& out, JSC +@@ -5499,3 +5504,6 @@ void printInternal(PrintStream& out, JSC } // namespace WTF diff -Nru webkit2gtk-2.40.0/debian/patches/fix-gst-crash.patch webkit2gtk-2.40.1/debian/patches/fix-gst-crash.patch --- webkit2gtk-2.40.0/debian/patches/fix-gst-crash.patch 2023-03-21 18:11:48.000000000 +0100 +++ webkit2gtk-2.40.1/debian/patches/fix-gst-crash.patch 1970-01-01 01:00:00.000000000 +0100 
@@ -1,65 +0,0 @@ -From: Philippe Normand <ph...@igalia.com> -Subject: Fix crash in webkit_media_stream_src_class_init() -Bug: https://bugs.webkit.org/show_bug.cgi?id=254025 -Origin: https://github.com/WebKit/WebKit/commit/358ce3a4bd7353c8edaa5720c949301f31c9a5e9 -Index: webkitgtk/Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp -=================================================================== ---- webkitgtk.orig/Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp -+++ webkitgtk/Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp -@@ -2647,6 +2647,9 @@ MediaPlayer::SupportsType MediaPlayerPri - #endif - } - -+ if (!ensureGStreamerInitialized()) -+ return result; -+ - GST_DEBUG("Checking mime-type \"%s\"", parameters.type.raw().utf8().data()); - if (parameters.type.isEmpty()) - return result; -Index: webkitgtk/Source/WebCore/platform/graphics/gstreamer/mse/MediaPlayerPrivateGStreamerMSE.cpp -=================================================================== ---- webkitgtk.orig/Source/WebCore/platform/graphics/gstreamer/mse/MediaPlayerPrivateGStreamerMSE.cpp -+++ webkitgtk/Source/WebCore/platform/graphics/gstreamer/mse/MediaPlayerPrivateGStreamerMSE.cpp -@@ -439,22 +439,13 @@ void MediaPlayerPrivateGStreamerMSE::get - - MediaPlayer::SupportsType MediaPlayerPrivateGStreamerMSE::supportsType(const MediaEngineSupportParameters& parameters) - { -- static std::optional<VideoDecodingLimits> videoDecodingLimits; --#ifdef VIDEO_DECODING_LIMIT -- static std::once_flag onceFlag; -- std::call_once(onceFlag, [] { -- videoDecodingLimits = videoDecoderLimitsDefaults(); -- if (!videoDecodingLimits) { -- GST_WARNING("Parsing VIDEO_DECODING_LIMIT failed"); -- ASSERT_NOT_REACHED(); -- } -- }); --#endif -- - MediaPlayer::SupportsType result = MediaPlayer::SupportsType::IsNotSupported; - if (!parameters.isMediaSource) - return result; - -+ if (!ensureGStreamerInitialized()) -+ return result; -+ - auto 
containerType = parameters.type.containerType(); - - // YouTube TV provides empty types for some videos and we want to be selected as best media engine for them. -@@ -476,6 +467,16 @@ MediaPlayer::SupportsType MediaPlayerPri - if (!ok) - height = 0; - -+ static std::optional<VideoDecodingLimits> videoDecodingLimits; -+#ifdef VIDEO_DECODING_LIMIT -+ static std::once_flag onceFlag; -+ std::call_once(onceFlag, [] { -+ videoDecodingLimits = videoDecoderLimitsDefaults(); -+ if (!videoDecodingLimits) -+ GST_WARNING("Parsing VIDEO_DECODING_LIMIT failed"); -+ }); -+#endif -+ - if (videoDecodingLimits && (width > videoDecodingLimits->mediaMaxWidth || height > videoDecodingLimits->mediaMaxHeight)) - return result; - diff -Nru webkit2gtk-2.40.0/debian/patches/fix-script-message-received-marshaller.patch webkit2gtk-2.40.1/debian/patches/fix-script-message-received-marshaller.patch --- webkit2gtk-2.40.0/debian/patches/fix-script-message-received-marshaller.patch 2023-03-21 18:11:48.000000000 +0100 +++ webkit2gtk-2.40.1/debian/patches/fix-script-message-received-marshaller.patch 1970-01-01 01:00:00.000000000 +0100 
@@ -1,20 +0,0 @@ -From: Michael Catanzaro <mcatanz...@redhat.com> -Subject: Fix WebKitUserContentManager::script-message-received marshaller -Bug: https://bugs.webkit.org/show_bug.cgi?id=254089 -Origin: https://github.com/WebKit/WebKit/commit/fa61ab3f24678c03f96ca6c4a51a8c7e21439f83 -Index: webkitgtk/Source/WebKit/UIProcess/API/glib/WebKitUserContentManager.cpp -=================================================================== ---- webkitgtk.orig/Source/WebKit/UIProcess/API/glib/WebKitUserContentManager.cpp -+++ webkitgtk/Source/WebKit/UIProcess/API/glib/WebKitUserContentManager.cpp -@@ -106,7 +106,11 @@ static void webkit_user_content_manager_ - G_TYPE_FROM_CLASS(gObjectClass), - static_cast<GSignalFlags>(G_SIGNAL_RUN_LAST | G_SIGNAL_DETAILED), - 0, nullptr, nullptr, -+#if ENABLE(2022_GLIB_API) -+ g_cclosure_marshal_VOID__OBJECT, -+#else - g_cclosure_marshal_VOID__BOXED, -+#endif - G_TYPE_NONE, 1, - #if ENABLE(2022_GLIB_API) - JSC_TYPE_VALUE); diff -Nru webkit2gtk-2.40.0/debian/patches/series webkit2gtk-2.40.1/debian/patches/series --- webkit2gtk-2.40.0/debian/patches/series 2023-03-21 18:11:48.000000000 +0100 +++ webkit2gtk-2.40.1/debian/patches/series 2023-04-20 14:29:23.000000000 +0200 @@ -5,5 +5,3 @@ dont-detect-sse2.patch reduce-memory-overheads.patch fix-ftbfs-hurd.patch -fix-script-message-received-marshaller.patch -fix-gst-crash.patch diff -Nru webkit2gtk-2.40.0/debian/rules webkit2gtk-2.40.1/debian/rules --- webkit2gtk-2.40.0/debian/rules 2023-03-21 18:11:48.000000000 +0100 +++ webkit2gtk-2.40.1/debian/rules 2023-04-20 14:29:23.000000000 +0200 @@ -55,6 +55,11 @@ EXTRA_CMAKE_ARGUMENTS += -DENABLE_WEBGL=OFF endif +# libgbm-dev is not available in the Hurd (#1033999) +ifneq (,$(filter $(DEB_HOST_ARCH),hurd-i386)) + EXTRA_CMAKE_ARGUMENTS += -DUSE_GBM=OFF +endif + # Systemd/elogind and libmanette are Linux-only ifneq ($(DEB_HOST_ARCH_OS),linux) EXTRA_CMAKE_ARGUMENTS += -DENABLE_JOURNALD_LOG=OFF -DENABLE_GAMEPAD=OFF
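
Review bot: In the debian/changelog hunk, the new 2.40.1-1 entry is uploaded with urgency=high, but the only item that could justify it is "* New upstream release."; none of the five CVE ids named in the unblock request (CVE-2022-0108, CVE-2022-32885, CVE-2023-27932, CVE-2023-27954, CVE-2023-28205) appear in it. Listing them under the "New upstream release" item would let anyone reading the changelog alone see why the upload is urgent and which security fixes it carries.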
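
Review bot: The debian/patches/series hunk removes fix-script-message-received-marshaller.patch and fix-gst-crash.patch, and the changelog records this only as "Drop ... Refresh all other patches." with no reason given. Both deleted patches carry an Origin: header pointing at an upstream WebKit commit, so if they are dropped because 2.40.1 already contains those commits, the changelog item should say so; the debdiff covers debian/ only, so a reader cannot confirm from the diff that the ensureGStreamerInitialized() checks and the marshaller change are still present in the new source.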
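
Review bot: In the debian/rules hunk, the new condition "ifneq (,$(filter $(DEB_HOST_ARCH),hurd-i386))" matches a single architecture name, while its own comment says libgbm-dev is unavailable "in the Hurd" and the block directly below it tests $(DEB_HOST_ARCH_OS). If the limitation belongs to the OS rather than to that one port, testing $(DEB_HOST_ARCH_OS) against hurd would be consistent with the neighbouring block and would keep -DUSE_GBM=OFF applied on any other Hurd architecture without a further edit.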