Opened 4 months ago

Closed 4 months ago

#14837 closed enhancement (fixed)

webkitgtk-2.32.0

Reported by: Douglas R. Reno Owned by: Douglas R. Reno
Priority: elevated Milestone: 10.2
Component: BOOK Version: SVN
Severity: normal Keywords:
Cc:

Description

New minor version

I'm splitting this out of #14798 and doing it today because an urgent security issue has been unveiled.

Change History (5)

comment:1 by Douglas R. Reno, 4 months ago

WebKitGTK and WPE WebKit Security Advisory WSA-2021-0003

    Date Reported: March 29, 2021

    Advisory ID: WSA-2021-0003

    CVE identifiers: CVE-2021-1788, CVE-2021-1844, CVE-2021-1871.

Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.

    CVE-2021-1788
        Versions affected: WebKitGTK before 2.32.0 and WPE WebKit before 2.32.0.
        Credit to Francisco Alonso (@revskills).
        Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: A use after free issue was addressed with improved memory management.

    CVE-2021-1844
        Versions affected: WebKitGTK before 2.32.0 and WPE WebKit before 2.32.0.
        Credit to Clément Lecigne of Google’s Threat Analysis Group, Alison Huffman of Microsoft Browser Vulnerability Research.
        Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: A memory corruption issue was addressed with improved validation.

    CVE-2021-1871
        Versions affected: WebKitGTK before 2.32.0 and WPE WebKit before 2.32.0.
        Credit to an anonymous researcher.
        Impact: A remote attacker may be able to cause arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited. 
Description: A logic issue was addressed with improved restrictions.

We recommend updating to the latest stable versions of WebKitGTK and WPE WebKit. It is the best way to ensure that you are running safe versions of WebKit. Please check our websites for information about the latest stable releases.

"Apple is aware of a report that this issue may have been actively exploited."

comment:2 by Douglas R. Reno, 4 months ago

Owner: changed from blfs-book to Douglas R. Reno
Status: newassigned

comment:3 by Douglas R. Reno, 4 months ago

WebKitGTK 2.32.0 released!

This is the first stable release in the 2.32 series.
Highlights of the WebKitGTK 2.32.0 release

    NPAPI plugins support have been removed.
    System font scaling factor is correctly applied now.
    New permission request API for MediaKeySystem access.
    New API to remove individual scripts/stylesheets using WebKitUserContentManager.
    Web inspector now shows detailed information about main loop frames.
    The minimum required GStreamer version is now 1.14.
    The GStreamer runtime is now initialized only when required.
    Improved platform support for WebAudio (WebAudio->MediaStream, Worklet, Multi-channel).
    Support for hardware-accelerated video rendering on i.MX8 platforms (using the NXP driver).

comment:4 by Douglas R. Reno, 4 months ago

A couple of changes here:

  • New optional dependencies: libmanette, gtk4
  • When we have gtk4 added into the book (ideally tomorrow), I'll rebuild WebKitGTK+ with support for it.
  • CMake needs -DENABLE_GAMEPAD=OFF to bypass the check for libmanette. I don't think we necessarily need gamepad support for WebKitGTK+, but we'll see if it causes issues with epiphany or anything like that over the next couple of days.

comment:5 by Douglas R. Reno, 4 months ago

Resolution: fixed
Status: assignedclosed

Fixed at r24420

Note: See TracTickets for help on using tickets.