Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock package webkit2gtk

[ Reason ]
Fix five CVEs, one of them reported to have been actively exploited.

[ Impact ]
webkit2gtk, like all other major browser engines, is affected by a
constant stream of security bugs so it's not recommended to browse the
web using an outdated version of the package. For this reason the
security team has been providing webkit2gtk updates using the upstream
stable releases since Debian buster.

2.40.1 is the first stable point release after 2.40.0 (already in
bookworm). It contains fixes for several bugs including 5 CVEs:

  CVE-2022-0108

    Impact: An HTML document may be able to render iframes with
    sensitive user information.

  CVE-2022-32885

    Impact: Processing maliciously crafted web content may lead to
    arbitrary code execution.

  CVE-2023-27932

    Impact: Processing maliciously crafted web content may bypass Same
    Origin Policy.

  CVE-2023-27954

    Impact: A website may be able to track sensitive user information.

  CVE-2023-28205

    Impact: Processing maliciously crafted web content may lead to
    arbitrary code execution. Apple is aware of a report that this
    issue may have been actively exploited.

This new version also works in bullseye and the corresponding
security update is also being prepared.

[ Tests ]
Tested manually using the Epiphany web browser for several days.

[ Risks ]
WebKitGTK evolves very fast and its stable releases contain other
fixes apart from the security ones. Because of this the chance of
regressions is higher than with other packages. That said, upstream
has had a good track record of publishing updates with no major
issues.

[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing

Note that I only include the debian/ part of the debdiff since the
changes to the source itself are larger due to the nature of the
release.

unblock webkit2gtk/2.40.1-1
diff -Nru webkit2gtk-2.40.0/debian/changelog webkit2gtk-2.40.1/debian/changelog
--- webkit2gtk-2.40.0/debian/changelog  2023-03-21 18:11:48.000000000 +0100
+++ webkit2gtk-2.40.1/debian/changelog  2023-04-20 14:29:23.000000000 +0200
@@ -1,3 +1,15 @@
+webkit2gtk (2.40.1-1) unstable; urgency=high
+
+  * New upstream release.
+  * debian/rules:
+    - Build with -DUSE_GBM=OFF in the Hurd (Closes: #1033999).
+  * Drop fix-script-message-received-marshaller.patch and
+    fix-gst-crash.patch. Refresh all other patches.
+  * debian/copyright:
+    - Update copyright information of all files.
+
+ -- Alberto Garcia <be...@igalia.com>  Thu, 20 Apr 2023 14:29:23 +0200
+
 webkit2gtk (2.40.0-3) unstable; urgency=medium
 
   * debian/{rules,control.in}:
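
Review bot: the 2.40.1-1 entry sets urgency=high, but its only description of the upstream change is "New upstream release". The five CVE ids that justify the urgency appear in the unblock request and not in the entry. Suggest listing them under the "New upstream release" item so the changelog itself records which security fixes this upload carries.
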
diff -Nru webkit2gtk-2.40.0/debian/copyright webkit2gtk-2.40.1/debian/copyright
--- webkit2gtk-2.40.0/debian/copyright  2023-03-21 18:11:48.000000000 +0100
+++ webkit2gtk-2.40.1/debian/copyright  2023-04-20 14:29:23.000000000 +0200
@@ -1923,8 +1923,6 @@
        Source/WebCore/rendering/RenderTextInlines.h
        Source/WebCore/rendering/RenderTheme.cpp
        Source/WebCore/rendering/RenderTheme.h
-       Source/WebCore/rendering/RenderThemeGtk.cpp
-       Source/WebCore/rendering/RenderThemeGtk.h
        Source/WebCore/rendering/RenderThemeMac.h
        Source/WebCore/rendering/RenderThemeWin.cpp
        Source/WebCore/rendering/RenderThemeWin.h
diff -Nru webkit2gtk-2.40.0/debian/patches/fix-ftbfs-m68k.patch 
webkit2gtk-2.40.1/debian/patches/fix-ftbfs-m68k.patch
--- webkit2gtk-2.40.0/debian/patches/fix-ftbfs-m68k.patch       2023-03-21 
18:11:48.000000000 +0100
+++ webkit2gtk-2.40.1/debian/patches/fix-ftbfs-m68k.patch       2023-04-20 
14:29:23.000000000 +0200
@@ -158,7 +158,7 @@
  namespace JSC {
  
  template<typename CallOp, typename = std::true_type>
-@@ -5497,3 +5502,6 @@ void printInternal(PrintStream& out, JSC
+@@ -5499,3 +5504,6 @@ void printInternal(PrintStream& out, JSC
  
  } // namespace WTF
  
diff -Nru webkit2gtk-2.40.0/debian/patches/fix-gst-crash.patch 
webkit2gtk-2.40.1/debian/patches/fix-gst-crash.patch
--- webkit2gtk-2.40.0/debian/patches/fix-gst-crash.patch        2023-03-21 
18:11:48.000000000 +0100
+++ webkit2gtk-2.40.1/debian/patches/fix-gst-crash.patch        1970-01-01 
01:00:00.000000000 +0100
@@ -1,65 +0,0 @@
-From: Philippe Normand <ph...@igalia.com>
-Subject: Fix crash in webkit_media_stream_src_class_init()
-Bug: https://bugs.webkit.org/show_bug.cgi?id=254025
-Origin: 
https://github.com/WebKit/WebKit/commit/358ce3a4bd7353c8edaa5720c949301f31c9a5e9
-Index: 
webkitgtk/Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp
-===================================================================
---- 
webkitgtk.orig/Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp
-+++ 
webkitgtk/Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp
-@@ -2647,6 +2647,9 @@ MediaPlayer::SupportsType MediaPlayerPri
- #endif
-     }
- 
-+    if (!ensureGStreamerInitialized())
-+        return result;
-+
-     GST_DEBUG("Checking mime-type \"%s\"", 
parameters.type.raw().utf8().data());
-     if (parameters.type.isEmpty())
-         return result;
-Index: 
webkitgtk/Source/WebCore/platform/graphics/gstreamer/mse/MediaPlayerPrivateGStreamerMSE.cpp
-===================================================================
---- 
webkitgtk.orig/Source/WebCore/platform/graphics/gstreamer/mse/MediaPlayerPrivateGStreamerMSE.cpp
-+++ 
webkitgtk/Source/WebCore/platform/graphics/gstreamer/mse/MediaPlayerPrivateGStreamerMSE.cpp
-@@ -439,22 +439,13 @@ void MediaPlayerPrivateGStreamerMSE::get
- 
- MediaPlayer::SupportsType MediaPlayerPrivateGStreamerMSE::supportsType(const 
MediaEngineSupportParameters& parameters)
- {
--    static std::optional<VideoDecodingLimits> videoDecodingLimits;
--#ifdef VIDEO_DECODING_LIMIT
--    static std::once_flag onceFlag;
--    std::call_once(onceFlag, [] {
--        videoDecodingLimits = videoDecoderLimitsDefaults();
--        if (!videoDecodingLimits) {
--            GST_WARNING("Parsing VIDEO_DECODING_LIMIT failed");
--            ASSERT_NOT_REACHED();
--        }
--    });
--#endif
--
-     MediaPlayer::SupportsType result = 
MediaPlayer::SupportsType::IsNotSupported;
-     if (!parameters.isMediaSource)
-         return result;
- 
-+    if (!ensureGStreamerInitialized())
-+        return result;
-+
-     auto containerType = parameters.type.containerType();
- 
-     // YouTube TV provides empty types for some videos and we want to be 
selected as best media engine for them.
-@@ -476,6 +467,16 @@ MediaPlayer::SupportsType MediaPlayerPri
-     if (!ok)
-         height = 0;
- 
-+    static std::optional<VideoDecodingLimits> videoDecodingLimits;
-+#ifdef VIDEO_DECODING_LIMIT
-+    static std::once_flag onceFlag;
-+    std::call_once(onceFlag, [] {
-+        videoDecodingLimits = videoDecoderLimitsDefaults();
-+        if (!videoDecodingLimits)
-+            GST_WARNING("Parsing VIDEO_DECODING_LIMIT failed");
-+    });
-+#endif
-+
-     if (videoDecodingLimits && (width > videoDecodingLimits->mediaMaxWidth || 
height > videoDecodingLimits->mediaMaxHeight))
-         return result;
- 
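
Review bot: deleting fix-gst-crash.patch removes both ensureGStreamerInitialized() guards in supportsType() (MediaPlayerPrivateGStreamer.cpp and MediaPlayerPrivateGStreamerMSE.cpp) and the relocation of the VIDEO_DECODING_LIMIT block. Because the debdiff covers only debian/, nothing visible here shows that the 2.40.1 source contains the Origin commit 358ce3a4bd7353c8edaa5720c949301f31c9a5e9. Suggest confirming that before the unblock and saying so in the changelog.
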
diff -Nru 
webkit2gtk-2.40.0/debian/patches/fix-script-message-received-marshaller.patch 
webkit2gtk-2.40.1/debian/patches/fix-script-message-received-marshaller.patch
--- 
webkit2gtk-2.40.0/debian/patches/fix-script-message-received-marshaller.patch   
    2023-03-21 18:11:48.000000000 +0100
+++ 
webkit2gtk-2.40.1/debian/patches/fix-script-message-received-marshaller.patch   
    1970-01-01 01:00:00.000000000 +0100
@@ -1,20 +0,0 @@
-From: Michael Catanzaro <mcatanz...@redhat.com>
-Subject: Fix WebKitUserContentManager::script-message-received marshaller
-Bug: https://bugs.webkit.org/show_bug.cgi?id=254089
-Origin: 
https://github.com/WebKit/WebKit/commit/fa61ab3f24678c03f96ca6c4a51a8c7e21439f83
-Index: webkitgtk/Source/WebKit/UIProcess/API/glib/WebKitUserContentManager.cpp
-===================================================================
---- 
webkitgtk.orig/Source/WebKit/UIProcess/API/glib/WebKitUserContentManager.cpp
-+++ webkitgtk/Source/WebKit/UIProcess/API/glib/WebKitUserContentManager.cpp
-@@ -106,7 +106,11 @@ static void webkit_user_content_manager_
-             G_TYPE_FROM_CLASS(gObjectClass),
-             static_cast<GSignalFlags>(G_SIGNAL_RUN_LAST | G_SIGNAL_DETAILED),
-             0, nullptr, nullptr,
-+#if ENABLE(2022_GLIB_API)
-+            g_cclosure_marshal_VOID__OBJECT,
-+#else
-             g_cclosure_marshal_VOID__BOXED,
-+#endif
-             G_TYPE_NONE, 1,
- #if ENABLE(2022_GLIB_API)
-             JSC_TYPE_VALUE);
diff -Nru webkit2gtk-2.40.0/debian/patches/series 
webkit2gtk-2.40.1/debian/patches/series
--- webkit2gtk-2.40.0/debian/patches/series     2023-03-21 18:11:48.000000000 
+0100
+++ webkit2gtk-2.40.1/debian/patches/series     2023-04-20 14:29:23.000000000 
+0200
@@ -5,5 +5,3 @@
 dont-detect-sse2.patch
 reduce-memory-overheads.patch
 fix-ftbfs-hurd.patch
-fix-script-message-received-marshaller.patch
-fix-gst-crash.patch
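
Review bot: both entries removed from the end of series correspond to patches whose headers carry an upstream Origin commit, yet the changelog line only says "Drop" without a reason. Suggest wording it as dropped because applied upstream in 2.40.1, so a reader of d/changelog can tell these fixes were not lost.
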
diff -Nru webkit2gtk-2.40.0/debian/rules webkit2gtk-2.40.1/debian/rules
--- webkit2gtk-2.40.0/debian/rules      2023-03-21 18:11:48.000000000 +0100
+++ webkit2gtk-2.40.1/debian/rules      2023-04-20 14:29:23.000000000 +0200
@@ -55,6 +55,11 @@
        EXTRA_CMAKE_ARGUMENTS += -DENABLE_WEBGL=OFF
 endif
 
+# libgbm-dev is not available in the Hurd (#1033999)
+ifneq (,$(filter $(DEB_HOST_ARCH),hurd-i386))
+       EXTRA_CMAKE_ARGUMENTS += -DUSE_GBM=OFF
+endif
+
 # Systemd/elogind and libmanette are Linux-only
 ifneq ($(DEB_HOST_ARCH_OS),linux)
        EXTRA_CMAKE_ARGUMENTS += -DENABLE_JOURNALD_LOG=OFF -DENABLE_GAMEPAD=OFF
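
Review bot: the new conditional `ifneq (,$(filter $(DEB_HOST_ARCH),hurd-i386))` matches only the hurd-i386 architecture, while its comment says libgbm-dev is unavailable "in the Hurd" generally. The block directly below tests DEB_HOST_ARCH_OS instead. Suggest `ifeq ($(DEB_HOST_ARCH_OS),hurd)` so that any other Hurd architecture also gets -DUSE_GBM=OFF, or narrowing the comment if only hurd-i386 is meant.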
