Opened 6 months ago
Closed 6 months ago
#20409 closed enhancement (fixed)
webkitgtk-2.46.1
Reported by: | Douglas R. Reno | Owned by: | Douglas R. Reno |
---|---|---|---|
Priority: | high | Milestone: | 12.3 |
Component: | BOOK | Version: | git |
Severity: | normal | Keywords: | |
Cc: |
Description
New minor version
2.45.1
What’s new in the WebKitGTK 2.45.1 release? Use skia instead of cairo for rendering. Sync WebGL content with fences when available. Implement printing using the Print portal. Disable the gst-libav aac decoder. Fix text scaling. Consider keycode when activating application accelerators. Support AXActiveElement and AXSelectedChildren for comboboxes, lists and listboxes. Avoid notifying an empty cursor rectangle to input methods. Fix several crashes and rendering issues.
2.45.2
What’s new in the WebKitGTK 2.45.2 release? Use cairo on big-endian for now, since skia doesn’t support it. Fix a crash in GIF image decoder. Revert the text scaling fix, since it caused several issues in some sites. Add new API to load settings from a config file. Fix several crashes and rendering issues.
2.45.3
What’s new in the WebKitGTK 2.45.3 release? Enable offscreen canvas by default. Enable ImageBitmap acceleration. Add support for accelerated offscreen canvas. Do not display WebGL front buffer before it’s initialized. Fix text scaling. Add a new setting to enable or disable the 2D canvas acceleration (enabled by default). Deprecate WebKitWebContext:use-system-appearance-for-scrollbars property. Undeprecate and document webkit_print_operation_print() behavior. Fix several crashes and rendering issues.
2.45.4
What’s new in the WebKitGTK 2.45.4 release? Enable offscreen canvas by default in production builds too. Fix video flickering with DMA-BUF sink. Fix movement delta on mouse events in GTK3. Fix accelerated images disappearing after scrolling. Bubblewrap sandbox no longer kills auxiliary process when UI process terminates. Fix rendering of shadows with several compositing operators. Implement FEDropShadow and FEComponentTransfer filters using Skia. Undeprecate webkit_back_forward_list_item_get_title(). Undeprecate console message API and make it available in 2022 API. Fix several crashes and rendering issues.
2.45.5
What’s new in the WebKitGTK 2.45.5 release? Add support for system tracing with Sysprof. Allow receiving event listener signals from the a11y bus. Fix pointer lock on X11. Fix source links in generated API documentation. Fix drawing shadows in some cases when ImageBitmap is accelerated. Fix the build with MEDIA_STREAM disabled. Fix several crashes and rendering issues.
2.45.6
What’s new in the WebKitGTK 2.45.6 release? Fix web process cache suspend/resume when sandbox is enabled. Use server wait instead of client wait for GL fences when possible. Avoid unnecessary composition when layer didn’t change even if a request animation frame is scheduled. Improve pointer lock on X11. Fix several crashes and rendering issues.
2.45.90
What’s new in the WebKitGTK 2.45.90 release? Add explicit fencing support when available. Use RGBA as the pixel format for texture backed SkSurfaces. Fix build with gstreamer versions < 1.22. Translation updates: Slovenian.
2.45.91
What’s new in the WebKitGTK 2.45.91 release? Add new API to WebKitAutomationSession to be notified when the session is about to be closed. Fix WebGL with accelerated compositing disabled. Fix image filtering not being applied in some cases. Fix the build on 32 bits systems. Fix the build with -DUSE_TEXTURE_MAPPER_DMABUF=OFF. Fix several crashes and rendering issues. Translation updates: Slovenian.
2.45.92
What’s new in the WebKitGTK 2.45.92 release? Add webkit://gpu/stdout to dump the information from webkit://gpu to stdout. Undeprecate injected bundle frame access interfaces. Fix drag and drop. Fix connection to a11y bus under flatpak. Fix the build with Wayland and GBM disabled. Fix the build in non-linux systems. Fix linker relocation errors on Debug/RelWithDebInfo builds. Fix several crashes and rendering issues.
2.46.0
Highlights of the WebKitGTK 2.46.0 release: Use Skia instead of cairo for 2D rendering and enable GPU rendering by default. Enable offscreen canvas by default. Add support for system tracing with Sysprof. Implement printing using the Print portal. Add new API to load settings from a config file. Add a new setting to enable or disable the 2D canvas acceleration (enabled by default). Undeprecate console messages API and make it available in 6.0 API.
Change History (14)
comment:1 by , 6 months ago
Owner: | changed from | to
---|---|
Status: | new → assigned |
comment:2 by , 6 months ago
Priority: | normal → high |
---|
follow-up: 11 comment:3 by , 6 months ago
-D USE_SYSTEM_SYSPROF_CAPTURE=NO
is needed to avoid sysprof.
comment:5 by , 6 months ago
Replying to Xi Ruoyao:
The fix is https://github.com/WebKit/WebKit/pull/33393.
I'd like to take https://github.com/WebKit/WebKit/pull/33765 and https://github.com/WebKit/WebKit/pull/33766 in as well.
comment:6 by , 6 months ago
comment:7 by , 6 months ago
We have three additional security fixes now known for 2.46.0:
CVE-2024-40857
- Versions affected: WebKitGTK and WPE WebKit before 2.46.0.
- Credit to Ron Masas.
- Impact: Processing maliciously crafted web content may lead to universal cross site scripting.
- Description: This issue was addressed through improved state management.
- WebKit Bugzilla: 268724

CVE-2024-40866
- Versions affected: WebKitGTK and WPE WebKit before 2.46.0.
- Credit to Hafiizh and YoKo Kho (@yokoacc) of HakTrak.
- Impact: Visiting a malicious website may lead to address bar spoofing.
- Description: The issue was addressed with improved UI.
- WebKit Bugzilla: 279451

CVE-2024-44187
- Versions affected: WebKitGTK and WPE WebKit before 2.46.0.
- Credit to Narendra Bhati, Manager of Cyber Security at Suma Soft Pvt. Ltd, Pune (India).
- Impact: A malicious website may exfiltrate data cross-origin.
- Description: A cross-origin issue existed with "iframe" elements. This was addressed with improved tracking of security origins.
- WebKit Bugzilla: 279452
comment:8 by , 6 months ago
Summary: | webkitgtk-2.46.0 → webkitgtk-2.46.1 |
---|
Now 2.46.1
What's new in the WebKitGTK 2.46.1 release?
===========================================

- Fix login QR code not shown in WhatsApp web.
- Disable PSON by default again in GTK 3 API versions.
- Disable DMABuf video sink by default to prevent file descriptor leaks.
- Fix the build with GCC 13.
- Fix several crashes and rendering issues.
comment:10 by , 6 months ago
For some reason (deliberately or unintentionally?) the new Skia code calls abort() if no font can be found. Thus, if fontconfig isn't configured properly, a WebKitWebProcess crash will happen.
follow-up: 12 comment:11 by , 6 months ago
Replying to Xi Ruoyao:
-D USE_SYSTEM_SYSPROF_CAPTURE=NO
is needed to avoid sysprof.
Sorry, I made a mistake here. It should be -D USE_SYSPROF_CAPTURE=NO
or an internal copy of sysprof will be built, wasting some CPU cycles.
comment:12 by , 6 months ago
comment:13 by , 6 months ago
comment:14 by , 6 months ago
Resolution: | → fixed |
---|---|
Status: | assigned → closed |
This has the fix for the 0.0.0.0 day vulnerability in it (https://www.oligo.security/blog/0-0-0-0-day-exploiting-localhost-apis-from-the-browser and https://github.com/WebKit/WebKit/commit/e59cd4a4330877f4692ab31caaf5039185e845bf).
This just leaves Firefox and QtWebEngine, as SeaMonkey has a mitigation already.