Opened 14 months ago

Closed 12 months ago

Last modified 12 months ago

#17801 closed enhancement (fixed)

webkitgtk-2.40.1

Reported by: Bruce Dubbs
Owned by: Douglas R. Reno
Priority: high
Milestone: gnome-44
Component: BOOK
Version: git
Severity: normal
Keywords:
Cc:

Description

New minor version.

Change History (18)

comment:1 by Bruce Dubbs, 14 months ago

WebKitGTK 2.40.0

What's new in WebKitGTK 2.40.0?

  • Enable the async clipboard API to make GitHub work again.
  • Make unmute work again.
  • Apply basic font properties as font variation settings.
  • Fix the remote inspector when using HTTP server.
  • Fix the build with LTO enabled.
  • Fix the build with journald log disabled.
  • Fix the build with media stream disabled.
  • Fix clean build with GTK4.
  • Fix several crashes and rendering issues.
  • Translation updates: Turkish.

================= WebKitGTK 2.39.91 =================

What's new in WebKitGTK 2.39.91?

  • Rename WebKitWebExtension to WebKitWebProcessExtension in GTK4 API.
  • Remove WebKitJavascriptResult in favor of using JSCValue directly in GTK4 API.
  • Add new API to get the request body of WebKitURISchemeRequest.
  • Make it possible to handle WebKitDownload::decide-destination signal asynchronously.
  • Allow WebKitDownload destination to be a path instead of a URI.
  • Make webkit://gpu output exportable as JSON.
  • Improve scrolling performance in accelerated compositing mode.
  • Implement KeyboardEvent.repeat.
  • Fix a crash in MiniBrowser when the favicon is updated.
  • Fix the build in Ubuntu 20.04 and Debian Stable.
  • Fix several crashes and rendering issues.
  • Translation updates: Korean, Polish, Swedish, Korean.

================= WebKitGTK 2.39.90 =================

What's new in WebKitGTK 2.39.90?

  • Add new JavaScript execution APIs.
  • Merge functions of registering and unregistering script message handler in GTK4 API.
  • Mark non-derivable types as final and make instance and class struct declarations private in GTK4 API.
  • Make favicon and snapshot API use GdkTexture instead of cairo surfaces in GTK4 API.
  • Fix scrolling after a history navigation with PSON enabled.
  • Fix criticals from webkitOptionMenuSetEvent when opening any combo box.
  • Fix large memory allocation when uploading content.
  • Always update the active uri of WebKitFrame.
  • Fix several crashes and rendering issues.
  • Translation updates: Ukrainian.

================ WebKitGTK 2.39.7 ================

What's new in WebKitGTK 2.39.7?

  • Fix the webkit.h public header causing applications to fail to build.
  • Fix several crashes and rendering issues.

================ WebKitGTK 2.39.6 ================

What's new in WebKitGTK 2.39.6?

  • Add support for speech synthesis using Flite.
  • Bring back WebKitConsoleMessage API implementation.
  • Fix async scroll event propagation for GTK4.
  • Add network session API when building with GTK4.
  • Make most public types final when building with GTK4.
  • Remove WebKitPrintCustomWidget when building with GTK4.
  • Remove most of the webkit_web_view_new_with_*() constructors when building with GTK4.
  • Remove webkit_web_context_get/set_process_model when building with GTK4.
  • Do not allow the sandbox to mount the entire home directory.
  • Fix several crashes and rendering issues.

================ WebKitGTK 2.39.5 ================

What's new in WebKitGTK 2.39.5?

  • Enable WebGL2 by default again that was disabled by mistake.
  • Fix the build with WebGL disabled.
  • Fix the webkit.h public header causing applications to fail to build.

================ WebKitGTK 2.39.4 ================

What's new in WebKitGTK 2.39.4?

  • Fix WebGL when sandbox is enabled.
  • Fix loading of media documents.
  • Add new API disable web security.
  • Disable support for HLS in media backend by default.
  • Fix several crashes and rendering issues.
  • Translation updates: Swedish.

================ WebKitGTK 2.39.3 ================

What's new in WebKitGTK 2.39.3?

  • Add new API to query the permission state of web features.
  • Deprecate all web extension DOM APIs (WebKitDOMDocument, WebKitDOMElement, WebKitDOMNode).
  • Add webkit_web_hit_test_result_get_js_node() to get the JSCValue for the node.
  • Add WebKitWebFormManager and deprecate WebKitWebPage form related signals.
  • Don't perform position queries on video sink when the player is for audio only.
  • Fix gibberish text when loading alternate data.
  • Fix several crashes and rendering issues.

================ WebKitGTK 2.39.2 ================

What's new in WebKitGTK 2.39.2?

  • Add API to support asynchronously returning values from user script messages.
  • Deprecate WebKitConsoleMessage API.
  • Deprecate event parameter of WebKitWebView::context-menu and WebKitWebView::show-option-menu signals in favor of a getter in WebKitContextMenu and WebKitOptionMenu.
  • Do not emit context-menu signals for media settings popup menu.
  • Use async scrolling also for keyboard scrolling.
  • Add support for client side certificates on WebSocket connections.
  • Fix first party for cookies set on every media request.
  • Fix a crash on authentication dialog with GTK4.
  • Fix web process leak when webkit_download_set_destination is called with empty destination.
  • Fix several warnings when building for ARMv7 (32-bits).
  • Fix several crashes and rendering issues.

================ WebKitGTK 2.39.1 ================

What's new in WebKitGTK 2.39.1?

  • Use ANGLE for WebGL implementation and enable WebGL2.
  • Remove internal nested wayland compositor making libwpe mandatory when building with wayland enabled.
  • Prefer EGL over X11, instead of GLX, where available.
  • Add support for background-repeat: space.
  • Add API to check if a response policy decision is for the main resource.
  • Fix rendering of checkbox and radio buttons in black backgrounds.
  • Make checkbox, radio and inner spin button scale along by page zoom.
  • Add support for get computed label and get computed role WebDriver commands.
  • Fix several crashes and rendering issues.

comment:2 by Bruce Dubbs, 14 months ago

Needs a very small aux package: https://dotat.at/prog/unifdef/unifdef-2.12.tar.gz

make
install -m 0755 unifdef       /usr/bin/
install -m 0755 unifdefall.sh /usr/bin/unifdefall
install -m 0644 unifdef.1     /usr/share/man/man1/

For a test build I also had to add -DAVIF=OFF. I don't know if that package is needed or not.

A test build at -j24 took 1098.1 seconds/18 minutes -- 10.5 SBU. I saw peak memory usage of 46G but at least the system temperature stayed down at about 59C. Load values did get to 24 and stayed there a while.

md5sum : ece1da414dcc455ad08c6b5673a125e4  /usr/src/webkit/webkitgtk-2.40.0.tar.xz
39104 /usr/src/webkit/webkitgtk-2.40.0.tar.xz SIZE (38.187 MB)
1013152 kilobytes BUILD SIZE (989.406 MB)
SBU=10.458

comment:3 by Xi Ruoyao, 14 months ago

AVIF (AV1 image format) is a new image format which is not widely used yet.

I'd like to add libavif and libaom for AV1 images and videos later into BLFS (as AV1 is a patent-free competitor of H.265 and it may be used more widely in the future), but it would be a low priority.

in reply to: 2, comment:4 by Xi Ruoyao, 14 months ago

Replying to Bruce Dubbs:

Needs a very small aux package: https://dotat.at/prog/unifdef/unifdef-2.12.tar.gz

make
install -m 0755 unifdef       /usr/bin/
install -m 0755 unifdefall.sh /usr/bin/unifdefall
install -m 0644 unifdef.1     /usr/share/man/man1/

The three install commands can be just make prefix=/usr install.

in reply to: 2, comment:5 by Xi Ruoyao, 14 months ago

Replying to Bruce Dubbs:

For a test build I also had to add -DAVIF=OFF. I don't know if that package is needed or not.

Should be -DUSE_AVIF=OFF.

comment:6 by Bruce Dubbs, 14 months ago

I'll note that libavif is listed as an external dependency now.

comment:7 by Douglas R. Reno, 14 months ago

Milestone: 11.4 → gnome-44

comment:8 by Douglas R. Reno, 13 months ago

I've been waiting on this until a new release comes out with a relatively urgent CVE fix in it (an actively exploited zero-day fixed by Apple on Friday). Red Hat became aware of it yesterday from what I saw on their website, and they assigned a bug directly to the maintainer of the WebKitGTK+ stable branch, so I suspect that we'll see that fix very soon.

Once that's available, I will begin working on this and the rest of the gnome stack.

... as I was typing this, more commits are appearing in the stable branch. Soon? :) https://github.com/WebKit/WebKit/commits/webkitglib/2.40

comment:9 by Douglas R. Reno, 13 months ago

I would like to see libavif/libaom added at some point, since we can also use it to decode AVIF images in gdk-pixbuf, and it looks like kimageformats as well. It's definitely going to get a lot more common.

comment:10 by Douglas R. Reno, 13 months ago

I love how I said "Soon?" in a previous comment.

Apple released the patch to the WebKit repository yesterday. It can be found at https://github.com/WebKit/WebKit/commit/c9880de4a28b9a64a5e1d0513dc245d61a2e6ddb , and matches the correct WebKit Bug Number (which is still inaccessible without a user account that is part of the WebKit Security Team).

At this point, proceeding with this update combined with the patch is probably the smartest approach because of how critical it is and the fact that the CVE will now have been public for two weeks.

For future reference, you can find the WebKit 2.40 branch at https://github.com/WebKit/WebKit/tree/webkitglib/2.40

Seeing as we need to add a couple of packages though, and I need to do some updates in Milestone 11.4 and to my system, this might take the rest of the day... and we might have a new version by then. :)

comment:11 by Douglas R. Reno, 13 months ago

Priority: normal → high

In the meantime though, I'm promoting this to High priority because:

comment:12 by Douglas R. Reno, 13 months ago

Owner: changed from blfs-book to Douglas R. Reno
Status: new → assigned

comment:13 by Douglas R. Reno, 12 months ago

Summary: webkitgtk-2.40.0 → webkitgtk-2.40.1

Now 2.40.1

comment:14 by Douglas R. Reno, 12 months ago

What’s new in the WebKitGTK 2.40.1 release?

  • The Bubblewrap sandbox no longer requires setting an application identifier via GApplication to operate correctly. Using GApplication is still recommended, but optional.
  • Adjust the scrolling speed for mouse wheels to make it feel more natural.
  • Allow pasting content using the Asynchronous Clipboard API when the origin is the same as the clipboard contents.
  • Improvements to the GStreamer multimedia playback, in particular around MSE, WebRTC, and seeking.
  • Make all supported image types appear in the Accept HTTP header.
  • Fix text caret blinking when blinking is disabled in the GTK settings.
  • Fix default database quota size definition.
  • Fix application of all caps tags listed in the font-feature-settings CSS property.
  • Fix the build with journald support enabled when using elogind instead of the systemd libraries.
  • Fix the build when libgcrypt provides a libgcrypt-config script instead of a pkg-config module file.
  • Fix font height calculations for the font-size-adjust CSS property.
  • Fix the build when ccache is used in certain setups.
  • Fix the build for RISC-V 64-bit targets.
  • Fix the build with GCC 13.
  • Fix several crashes and rendering issues.

comment:15 by Douglas R. Reno, 12 months ago

WebKit's security advisory is likely to come next, but I've verified that the required commit is present in the new tarball.

comment:16 by Douglas R. Reno, 12 months ago

Resolution: fixed
Status: assigned → closed

Fixed at ab376e94b9a9e9403315743500150103b080330c

Security Advisory to come later, need to hop off for the day.

comment:17 by Douglas R. Reno, 12 months ago

The WebKit Security Advisory has become officially available.

WebKitGTK and WPE WebKit Security Advisory WSA-2023-0003

    Date Reported: April 21, 2023
    Advisory ID: WSA-2023-0003
    CVE identifiers: CVE-2023-25358, CVE-2022-0108, CVE-2022-32885, CVE-2023-27932, CVE-2023-27954, CVE-2023-28205.

Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.

    CVE-2023-25358
        Versions affected: WebKitGTK and WPE WebKit before 2.36.8.
        Credit to Chijin Zhou of ShuiMuYuLin Ltd and Tsinghua wingtecher lab.
        A use-after-free vulnerability exists in WebCore::RenderLayer. This issue allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site. This is the same issue as CVE-2023-25360, CVE-2023-25361, CVE-2023-25362 and CVE-2023-25363.

    CVE-2022-0108
        Versions affected: WebKitGTK and WPE WebKit before 2.38.6 and 2.40 branch before 2.40.1.
        Credit to Luan Herrera (@lbherrera_).
        Impact: An HTML document may be able to render iframes with sensitive user information.
        Description: This issue was addressed with improved iframe sandbox enforcement.

    CVE-2022-32885
        Versions affected: WebKitGTK and WPE WebKit before 2.38.6 and 2.40 branch before 2.40.1.
        Credit to P1umer(@p1umer) and Q1IQ(@q1iqF).
        Impact: Processing maliciously crafted web content may lead to arbitrary code execution.
        Description: A memory corruption issue was addressed with improved validation.

    CVE-2023-27932
        Versions affected: WebKitGTK and WPE WebKit before 2.38.6 and 2.40 branch before 2.40.1.
        Credit to an anonymous researcher.
        Impact: Processing maliciously crafted web content may bypass Same Origin Policy.
        Description: This issue was addressed with improved state management.

    CVE-2023-27954
        Versions affected: WebKitGTK and WPE WebKit before 2.38.6 and 2.40 branch before 2.40.1.
        Credit to an anonymous researcher.
        Impact: A website may be able to track sensitive user information.
        Description: The issue was addressed by removing origin information.

    CVE-2023-28205
        Versions affected: WebKitGTK and WPE WebKit before 2.38.6 and 2.40 branch before 2.40.1.
        Credit to Clément Lecigne of Google’s Threat Analysis Group and Donncha Ó Cearbhaill of Amnesty International’s Security Lab.
        Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
        Description: A use after free issue was addressed with improved memory management.

We appear to be impacted by all of these: CVE-2023-25358, CVE-2022-0108, CVE-2022-32885, CVE-2023-27932, CVE-2023-27954, and CVE-2023-28205.

Going to file a security advisory now
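As an added example (not code from the ticket, the BLFS book or the WebKit project), the checker below encodes the "Versions affected" ranges of WSA-2023-0003 as quoted above and reports which of the six CVEs still apply to an installed WebKitGTK version, so a system builder can confirm that an upgrade to 2.40.1 (or 2.38.6) actually closes them. How branches the advisory does not name (such as the 2.39.x development snapshots listed earlier in this ticket) are handled is an assumption: they are treated conservatively as affected when older than the newest fixed release.

```python
"""Check which CVEs from WSA-2023-0003 apply to a given WebKitGTK version."""
import re

# Fixed-in versions per stable branch, transcribed from the advisory's
# "Versions affected" lines: "before 2.36.8" and
# "before 2.38.6 and 2.40 branch before 2.40.1".
WSA_2023_0003 = {
    "CVE-2023-25358": [(2, 36, 8)],
    "CVE-2022-0108":  [(2, 38, 6), (2, 40, 1)],
    "CVE-2022-32885": [(2, 38, 6), (2, 40, 1)],
    "CVE-2023-27932": [(2, 38, 6), (2, 40, 1)],
    "CVE-2023-27954": [(2, 38, 6), (2, 40, 1)],
    "CVE-2023-28205": [(2, 38, 6), (2, 40, 1)],
}

def parse_version(text):
    """'2.40.1' -> (2, 40, 1); rejects anything that is not three integers."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"not a WebKitGTK version: {text!r}")
    return tuple(int(x) for x in m.groups())

def is_affected(version, fixed_in):
    """True if `version` predates the fix for its branch.

    A version on a branch the advisory names is affected only if it is older
    than that branch's fixed release.  A version on any other branch (e.g. a
    2.39.x development snapshot) is an assumption made here: it is treated
    conservatively as affected when older than the newest fixed release,
    while branches newer than the newest fix are reported as clean.
    """
    for fix in fixed_in:
        if version[:2] == fix[:2]:
            return version < fix
    return version < max(fixed_in)

def affected_cves(version_text, advisory=WSA_2023_0003):
    """Return the advisory's CVE ids that apply to the given version string."""
    version = parse_version(version_text)
    return [cve for cve, fixed in advisory.items() if is_affected(version, fixed)]

if __name__ == "__main__":
    for v in ("2.36.7", "2.38.6", "2.39.91", "2.40.0", "2.40.1"):
        print(v, affected_cves(v) or "not affected by WSA-2023-0003")
```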

comment:18 by Douglas R. Reno, 12 months ago

SA-11.3-022 issued, including additional information for users upgrading.
