Opened 2 years ago

Closed 2 years ago

#12448 closed enhancement (fixed)

webkitgtk-2.24.4

Reported by: Bruce Dubbs
Owned by: Douglas R. Reno
Priority: high
Milestone: 9.0
Component: BOOK
Version: SVN
Severity: normal
Keywords:
Cc:

Description

New point version.

Change History (7)

comment:1 by Douglas R. Reno, 2 years ago

I'd like to consider backporting this to 9.0. Here are the release notes:

    Updated the user agent string to make happy certain websites which would claim that the browser being used was unsupported.
    Improve loading of multimedia streams to avoid memory exhaustion due to excessive caching.
    Fix display of documents with MIME type application/xml in the Web Inspector, when loaded using XmlHttpRequest.
    Fix a hang while scrolling certain websites which include HLS video content (Twitter, for example).
    Fix rounding artifacts in volume levels for media playback.
    Fix several crashes and rendering issues.
    Fix the build with video track support disabled.
    Fix the build with OpenGL support disabled.
    Fix build issue which would cause media controls to disappear when Python 3.x was used during the build process.

The Python3 fix, rounding artifacts, and hang fixes are extremely important.

comment:2 by Xi Ruoyao, 2 years ago

Why is there always a new webkitgtk release just after I built it? :(

I'll try and see if this release can fix the issue playing videos on Bilibili.

comment:3 by Douglas R. Reno, 2 years ago

Heads up, this has several security fixes in it. Fixes include patches for CVE IDs CVE-2019-8644, CVE-2019-8649, CVE-2019-8658, CVE-2019-8669, CVE-2019-8678, CVE-2019-8680, CVE-2019-8683, CVE-2019-8684, and CVE-2019-8688. All of these have between a 6.1 and 6.3 CVSSv3 Score as well.

CVE-2019-8644
    Versions affected: WebKitGTK before 2.24.4 and WPE WebKit before
    2.24.3.
    Credit to G. Geshev working with Trend Micro's Zero Day Initiative.
    Processing maliciously crafted web content may lead to arbitrary
    code execution. Multiple memory corruption issues were addressed
    with improved memory handling.

CVE-2019-8649
    Versions affected: WebKitGTK before 2.24.4 and WPE WebKit before
    2.24.3.
    Credit to Sergei Glazunov of Google Project Zero.
    Processing maliciously crafted web content may lead to universal
    cross site scripting. A logic issue existed in the handling of
    synchronous page loads. This issue was addressed with improved state
    management.

CVE-2019-8658
    Versions affected: WebKitGTK before 2.24.4 and WPE WebKit before
    2.24.3.
    Credit to akayn working with Trend Micro's Zero Day Initiative.
    Processing maliciously crafted web content may lead to universal
    cross site scripting. A logic issue was addressed with improved
    state management.

CVE-2019-8669
    Versions affected: WebKitGTK before 2.24.4 and WPE WebKit before
    2.24.3.
    Credit to akayn working with Trend Micro's Zero Day Initiative.
    Processing maliciously crafted web content may lead to arbitrary
    code execution. Multiple memory corruption issues were addressed
    with improved memory handling.

CVE-2019-8678
    Versions affected: WebKitGTK before 2.24.4 and WPE WebKit before
    2.24.3.
    Credit to an anonymous researcher, Anthony Lai (@darkfloyd1014) of
    Knownsec, Ken Wong (@wwkenwong) of VXRL, Jeonghoon Shin (@singi21a)
    of Theori, Johnny Yu (@straight_blast) of VX Browser Exploitation
    Group, Chris Chan (@dr4g0nfl4me) of VX Browser Exploitation Group,
    Phil Mok (@shadyhamsters) of VX Browser Exploitation Group, Alan Ho
    (@alan_h0) of Knownsec, Byron Wai of VX Browser Exploitation.
    Processing maliciously crafted web content may lead to arbitrary
    code execution. Multiple memory corruption issues were addressed
    with improved memory handling.

CVE-2019-8680
    Versions affected: WebKitGTK before 2.24.4 and WPE WebKit before
    2.24.3.
    Credit to Jihui Lu of Tencent KeenLab.
    Processing maliciously crafted web content may lead to arbitrary
    code execution. Multiple memory corruption issues were addressed
    with improved memory handling.

CVE-2019-8683
    Versions affected: WebKitGTK before 2.24.4 and WPE WebKit before
    2.24.3.
    Credit to lokihardt of Google Project Zero.
    Processing maliciously crafted web content may lead to arbitrary
    code execution. Multiple memory corruption issues were addressed
    with improved memory handling.

CVE-2019-8684
    Versions affected: WebKitGTK before 2.24.4 and WPE WebKit before
    2.24.3.
    Credit to lokihardt of Google Project Zero.
    Processing maliciously crafted web content may lead to arbitrary
    code execution. Multiple memory corruption issues were addressed
    with improved memory handling.

CVE-2019-8688
    Versions affected: WebKitGTK before 2.24.4 and WPE WebKit before
    2.24.3.
    Credit to Insu Yun of SSLab at Georgia Tech.
    Processing maliciously crafted web content may lead to arbitrary
    code execution. Multiple memory corruption issues were addressed
    with improved memory handling.

comment:4 by Douglas R. Reno, 2 years ago

Priority: normal → high

comment:5 by Douglas R. Reno, 2 years ago

Owner: changed from blfs-book to Douglas R. Reno
Status: new → assigned

comment:6 by Douglas R. Reno, 2 years ago

Milestone: 9.1 → 9.0

Push back to version 9.0.

comment:7 by Douglas R. Reno, 2 years ago

Resolution: fixed
Status: assigned → closed

Fixed at r22076
