Opened 3 years ago

Closed 2 years ago

Last modified 2 years ago

#17046 closed enhancement (fixed)

webkitgtk-2.38.2

Reported by: Xi Ruoyao Owned by: Douglas R. Reno
Priority: high Milestone: gnome-43
Component: BOOK Version: git
Severity: normal Keywords:
Cc:

Description

New minor version.

Change History (14)

comment:1 by Xi Ruoyao, 3 years ago

  • New media controls UI style.
  • Add new API to set WebView’s Content-Security-Policy for web extensions support.
  • Make it possible to use the remote inspector from other browsers using WEBKIT_INSPECTOR_HTTP_SERVER env var.
  • MediaSession is enabled by default, allowing remote media control using MPRIS.
  • Add support for PDF documents using PDF.js.

comment:2 by Xi Ruoyao, 3 years ago

We need -DENABLE_DOCUMENTATION=OFF to avoid a dependency on gi-docgen (at least for now: we can add gi-docgen later if there are many packages using it).

comment:3 by Douglas R. Reno, 3 years ago

Is there anything else that we need to change regarding CMake switches? I know we were talking in IRC about some SOUP changes

comment:4 by Douglas R. Reno, 2 years ago

Summary: webkitgtk-2.38.0webkitgtk-2.38.1

Now 2.38.1

comment:5 by Douglas R. Reno, 2 years ago

Owner: changed from blfs-book to Douglas R. Reno
Status: newassigned

comment:6 by Xi Ruoyao, 2 years ago

Summary: webkitgtk-2.38.1webkitgtk-2.38.2

Now 2.38.2.

comment:7 by Douglas R. Reno, 2 years ago

Priority: normalhigh

There are five CVEs fixed here - two allow for RCE, one for state disclosure, one for UI disclosure, and one for disclosure of sensitive user information. Highest rated is 8.8/10 High.

comment:8 by Douglas R. Reno, 2 years ago

2.37.1 

What’s new in the WebKitGTK 2.37.1 release?

    Add initial implementation of WebRTC using GstWebRTC if GStreamer 1.20 is available, disabled by default via web view settings.
    Add new API to set WebView’s Content-Security-Policy for web extensions support.
    Add new API to run async JavaScript functions.
    Expose typed arrays in JavaScriptCore GLib API.
    Add support for PDF documents using PDF.js.
    Show font name and font variant settings in the inspector.
    MediaSession is enabled by default, allowing remote media control using MPRIS.
    Modernized media controls UI.
    Add Support Google Dynamic Ad Insertion (DAI).
    Add support for capturing encoded video streams from a webcam.
    Make it possible to use the remote inspector from other browsers using WEBKIT_INSPECTOR_HTTP_SERVER env var.
    Add support for IPv6 in the remote inspector.
    Update form elements style to match libadwaita.
    Fix canvas animations and images with threaded rendering enabled.
    Switch to use gi-docgen for API documentation instead of gtk-doc.
    Remove the ATK a11y implementation that has been replaced by AT-SPI DBus interfaces.
    Fix several crashes and rendering issues.

2.37.90 

What’s new in the WebKitGTK 2.37.90 release?

    Remove libnotify dependency.
    Add support for service worker notifications.
    Add support for loading the notification icon.
    Add support for pac proxy type in WebDriver.
    Fix several crashes and rendering issues.
    Translation updates: Swedish.

2.37.91 

What’s new in the WebKitGTK 2.37.91 release?

    Cache and reuse image-based backing stores to improve memory consumption.
    Fix printing with bubblewrap sandbox enabled
    Deprecate enable-frame-flattening setting because the functionality will be removed for 2.40.
    Fix deadlock when disposing player while handling rotation tag.
    Fix several crashes and rendering issues.
    Translation updates: Polish.

2.38.0 

Highlights of the WebKitGTK 2.38.0 release

    New media controls UI style.
    Add new API to set WebView’s Content-Security-Policy for web extensions support.
    Make it possible to use the remote inspector from other browsers using WEBKIT_INSPECTOR_HTTP_SERVER env var.
    MediaSession is enabled by default, allowing remote media control using MPRIS.
    Add support for PDF documents using PDF.js.

2.38.1 

What’s new in the WebKitGTK 2.38.1 release?

    Make xdg-dbus-proxy work if host session bus address is an abstract socket.
    Use a single xdg-dbus-proxy process when sandbox is enabled.
    Fix high resolution video playback due to unimplemented changeType operation.
    Ensure GSubprocess uses posix_spawn() again and inherit file descriptors.
    Fix player stucking in buffering (paused) state for progressive streaming.
    Do not try to preconnect on link click when link preconnect setting is disabled.
    Fix close status code returned when the client closes a WebSocket in some cases.
    Fix media player duration calculation.
    Fix several crashes and rendering issues.

2.38.2 

What’s new in the WebKitGTK 2.38.2 release?

    Fix scrolling issues in some sites having fixed background.
    Fix prolonged buffering during progressive live playback.
    Fix the build with accessibility disabled.
    Fix several crashes and rendering issues.

comment:9 by Douglas R. Reno, 2 years ago

Details from upstream:

CVE-2022-32888

Versions affected: WebKitGTK and WPE WebKit before 2.38.0.

Impact: Processing maliciously crafted web content may lead to arbitrary code execution.

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2022-32923

Versions affected: WebKitGTK and WPE WebKit before 2.38.0.

Impact: Processing maliciously crafted web content may disclose internal states of the app.

Description: A correctness issue in the JIT was addressed with improved checks.

CVE-2022-42799

Versions affected: WebKitGTK and WPE WebKit before 2.38.2.

Impact: Visiting a malicious website may lead to user interface spoofing.

Description: The issue was addressed with improved UI handling.

CVE-2022-42823

Versions affected: WebKitGTK and WPE WebKit before 2.38.2.

Impact: Processing maliciously crafted web content may lead to arbitrary code execution.

Description: A type confusion issue was addressed with improved memory handling.

CVE-2022-42824

Versions affected: WebKitGTK before 2.38.2.

Impact: Processing maliciously crafted web content may disclose sensitive user information.

Description: A logic issue was addressed with improved state management.

comment:10 by Douglas R. Reno, 2 years ago

  • Add optional dependency on gi-docgen
  • Remove dependency on libnotify
  • Remove dependency on gtk-doc
  • Change libsoup2 dependency to libsoup3
  • Drop -DSOUP2=ON from cmake command
  • Add -DENABLE_DOCUMENTATION=OFF to cmake command
  • Change references to webkitgtk-4.0 to webkitgtk-4.1
  • Remove description for -DUSE_LIBNOTIFY=OFF and -DENABLE_GTKDOC=ON
  • Add description for -DENABLE_DOCUMENTATION=OFF
  • Patch Balsa to use webkitgtk-4.1
  • Apply a sed to Zenity to use webkitgtk-4.1

For the security advisory, I will say to add -DENABLE_DOCUMENTATION=OFF to the cmake command line and use the instructions from the stable book with that version substituted in. This is due to the soup3 version being incompatible with what shipped with BLFS 11.2.

comment:11 by Douglas R. Reno, 2 years ago

Also change the installation instructions for the prerendered documentation to match webkitgtk-4.1

comment:12 by Douglas R. Reno, 2 years ago

More documentation installation changes are required, webkitdomgtk doesn't exist anymore, so we'll change that to jsc-glib-4.1 and webkit2gtk-web-extension-4.1. The 'html' directories also no longer exist in the Documentation/ folders.

comment:13 by Douglas R. Reno, 2 years ago

Resolution: fixed
Status: assignedclosed

Fixed at c7318b48f1ca59e3484a437dbdc346a805a5ae80

Security advisory coming shortly

comment:14 by Douglas R. Reno, 2 years ago

SA-11.2-056 issued

Note: See TracTickets for help on using tickets.