#18255 closed enhancement (fixed)
webkitgtk-2.41.6
| Reported by: | Bruce Dubbs | Owned by: | Douglas R. Reno |
|---|---|---|---|
| Priority: | high | Milestone: | 12.0 |
| Component: | BOOK | Version: | git |
| Severity: | blocker | Keywords: | |
| Cc: | | | |
Description
New point version.
Change History (17)
comment:1 by , 3 years ago
| Owner: | changed from to |
|---|---|
| Status: | new → assigned |
comment:2 by , 3 years ago
comment:3 by , 3 years ago
Has anyone verified if 2.40.3 has fixed the flickering issues? If so we might want to move back to stable, although I don't see any crippling bugs in unstable right now
comment:4 by , 3 years ago
I haven't tried 2.40.3, but I can give that a shot prior to updating to 2.41.6
comment:5 by , 3 years ago
Upon further inspection, it does seem to have fixed it for me, at least on an older system. Here is the changelog for 2.40.3:
- Make memory pressure monitor honor memory.memsw.usage_in_bytes if exists.
- Include key modifiers in wheel events.
- Apply cookie blocking policy to WebSocket handshakes.
- Remove accidental dependency on GLib 2.70.
- Fix the build with BUBBLEWRAP_SANDBOX disabled.
- Fix several crashes and rendering issues.
The bubblewrap fix is a bonus, since the build was broken on stable in 2.40.2 without fixing it.
comment:6 by , 3 years ago
What's interesting to me is that there are no commits in there between 2.40.2 and 2.40.3 that should fix that (nothing graphics related at least, and it's not scrollkey related): https://github.com/WebKit/WebKit/commits/webkitglib/2.40
It's good that the bubblewrap sandbox issue has been resolved though :)
follow-up: 8 comment:7 by , 3 years ago
When you test downgrading WebKitGTK, be careful to remove (or move away) the newer version of the shared libraries from /usr/lib, or the dynamic linker may still load the shared libraries with the newer version, not the old one.
See LFS chapter 8.2.
I'll stick with 2.41 on my system to avoid the nasty downgrading issues.
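The downgrade hazard described in comment 7 (the dynamic linker opens the soname symlink, and ldconfig points that symlink at the highest versioned file left in the library directory, so a leftover newer copy silently wins over the downgraded one) can be checked with a short script. The one below is an added example, not part of the ticket or of BLFS: it builds a constructed directory with two hypothetical versioned copies of libwebkit2gtk-4.1.so.0 and reports which file the soname symlink resolves to. The soname and the version numbers used in the demo tree are assumptions; point it at /usr/lib and a real soname to check an actual system.

```shell
#!/bin/sh
# Added example (not from the ticket): detect stale versioned copies of a shared
# library after a downgrade. ldconfig repoints the soname symlink at the highest
# version it finds, so a leftover newer file is the one the dynamic linker loads.

# Print every versioned real file (not symlink) for SONAME in LIBDIR, one per line.
list_lib_versions() {
    libdir=$1; soname=$2
    for f in "$libdir/$soname".*; do
        [ -f "$f" ] && [ ! -L "$f" ] && printf '%s\n' "${f##*/}"
    done
    return 0
}

# Print how many versioned real files exist for SONAME in LIBDIR.
count_lib_versions() {
    list_lib_versions "$1" "$2" | wc -l | tr -d ' '
}

# Print the basename of the file the SONAME symlink resolves to (empty if none).
soname_target() {
    libdir=$1; soname=$2
    [ -L "$libdir/$soname" ] || return 0
    t=$(readlink "$libdir/$soname")
    printf '%s\n' "${t##*/}"
}

# Report the state; exit 0 when exactly one version is installed, 1 when stale
# copies remain beside it.
check_stale_libs() {
    n=$(count_lib_versions "$1" "$2")
    echo "$2: $n versioned copies, symlink -> $(soname_target "$1" "$2")"
    list_lib_versions "$1" "$2" | sed 's/^/  /'
    [ "$n" -le 1 ]
}

# Constructed demo tree (empty files, not real libraries): simulates a downgrade
# that left the newer build's library file and its symlink in place. The soname
# and both version numbers are hypothetical values for this demo.
demo_dir=$(mktemp -d)
touch "$demo_dir/libwebkit2gtk-4.1.so.0.11.1"   # hypothetical older (downgraded-to) version
touch "$demo_dir/libwebkit2gtk-4.1.so.0.12.6"   # hypothetical newer, stale version
ln -s libwebkit2gtk-4.1.so.0.12.6 "$demo_dir/libwebkit2gtk-4.1.so.0"

check_stale_libs "$demo_dir" libwebkit2gtk-4.1.so.0 || echo "stale copy detected: remove it and rerun ldconfig"
```

On a real system the check is `check_stale_libs /usr/lib libwebkit2gtk-4.1.so.0`; a count above one means the older package's install did not clear the previous build, which is exactly the situation LFS chapter 8.2 warns about.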
comment:8 by , 3 years ago
Replying to Xi Ruoyao:
> I'll stick with 2.41 on my system to avoid the nasty downgrading issues.
Yeah, maybe we should stick with 2.41 on dev to avoid downgrade issues and confusion. The 2.42 stable release seems to line up with the BLFS stable package freeze, so we might just want to wait it out on unstable until 2.42.
follow-up: 10 comment:9 by , 3 years ago
| Priority: | normal → high |
|---|---|
| Severity: | normal → blocker |
This needs https://github.com/WebKit/WebKit/commit/4f99c0670d2d91dbc51725a7af6909e186db1b07 to fix CVE-2023-37450, which is classified as urgent by upstream and is being actively exploited.
Promoting to Highest severity. I will let this run overnight.
follow-up: 11 comment:10 by , 3 years ago
Replying to Douglas R. Reno:
> This needs https://github.com/WebKit/WebKit/commit/4f99c0670d2d91dbc51725a7af6909e186db1b07 to fix CVE-2023-37450, which is classified as urgent by upstream and is being actively exploited.
> Promoting to Highest severity. I will let this run overnight.
Note that we've no evidence this is the fix for CVE-2023-37450 yet, but we know it's a security fix and the security issue is very likely CVE-2023-37450.
comment:11 by , 3 years ago
Replying to Xi Ruoyao:
> Replying to Douglas R. Reno:
> > This needs https://github.com/WebKit/WebKit/commit/4f99c0670d2d91dbc51725a7af6909e186db1b07 to fix CVE-2023-37450, which is classified as urgent by upstream and is being actively exploited.
> > Promoting to Highest severity. I will let this run overnight.
> Note that we've no evidence this is the fix for CVE-2023-37450 yet, but we know it's a security fix and the security issue is very likely CVE-2023-37450.
This is a good point, we don't have concrete evidence that it's CVE-2023-37450 just yet. It is worth noting though that on https://support.apple.com/en-us/HT201222, we would be classified as Safari 16.5.2 since WebKit 2.40 tracks Safari 16.5, and CVE-2023-32439 was fixed in WebKitGTK-2.40.x at the same time it was fixed in Safari 16.5.1.
Apple hasn't updated their security updates website just yet with the bug number for CVE-2023-37450 though :(
Red Hat has some good advice that we'll put into the SA. It is to disable WASM with an environment variable as a temporary workaround (https://access.redhat.com/security/cve/CVE-2023-37450), the catch being that some websites which use WASM will break (and some modern JS frameworks make heavy use of it).
For now let's treat it as if CVE-2023-37450 is fixed here, but if anything else comes out let's make sure to bring it up here.
comment:12 by , 3 years ago
I've installed it with https://github.com/WebKit/WebKit/commit/4f99c0670d2d91dbc51725a7af6909e186db1b07.patch. There seem to be no regressions so far.
follow-up: 14 comment:13 by , 3 years ago
WebKit 2.40.4 was released this morning with the following release note:
What's new in the WebKitGTK 2.40.4 release?
===========================================
- Fix a bug in JavaScript reading variable arguments in a call.
Until we have confirmation that the CVE was fixed, what I think we'll do is update anyway and file an SA once we get the confirmation.
comment:14 by , 3 years ago
Replying to Douglas R. Reno:
> WebKit 2.40.4 was released this morning with the following release note:
> What's new in the WebKitGTK 2.40.4 release?
> ===========================================
> - Fix a bug in JavaScript reading variable arguments in a call.
> Until we have confirmation that the CVE was fixed, what I think we'll do is update anyway and file an SA once we get the confirmation.
Hmm, I'm really puzzled. If this is the CVE fix, why don't they mention it here? If not, why is the Bugzilla ticket classified?
comment:15 by , 3 years ago
Confirmed, it does have the CVE fix:
------------------------------------------------------------------------
WebKitGTK and WPE WebKit Security Advisory WSA-2023-0006
------------------------------------------------------------------------
Date reported : July 21, 2023
Advisory ID : WSA-2023-0006
WebKitGTK Advisory URL : https://webkitgtk.org/security/WSA-2023-0006.html
WPE WebKit Advisory URL : https://wpewebkit.org/security/WSA-2023-0006.html
CVE identifiers : CVE-2023-37450, CVE-2023-32393.
Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.
CVE-2023-37450
Versions affected: WebKitGTK and WPE WebKit before 2.40.4.
Credit to an anonymous researcher.
Impact: Processing web content may lead to arbitrary code execution.
Apple is aware of a report that this issue may have been actively exploited.
Description: The issue was addressed with improved checks.
CVE-2023-32393
Versions affected: WebKitGTK and WPE WebKit before 2.40.0.
Credit to Francisco Alonso (@revskills).
Impact: Processing web content may lead to arbitrary code execution.
Description: The issue was addressed with improved memory handling.
We recommend updating to the latest stable versions of WebKitGTK and WPE
WebKit. It is the best way to ensure that you are running safe versions
of WebKit. Please check our websites for information about the latest
stable releases.
Further information about WebKitGTK and WPE WebKit security advisories
can be found at: https://webkitgtk.org/security.html or
https://wpewebkit.org/security/.
The WebKitGTK and WPE WebKit team,
July 21, 2023
webkit-gtk mailing list
webkit-gtk@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-gtk
comment:16 by , 3 years ago
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |
Fixed at 053e0a13afa9f6bab02aa412f0061859f9b259e2
SA-11.3-061 issued.

What’s new in the WebKitGTK 2.41.6 release?