Opened 8 days ago

Closed 34 hours ago

#21246 closed enhancement (fixed)

webkitgtk-2.48.0

Reported by: Bruce Dubbs
Owned by: Douglas R. Reno
Priority: high
Milestone: 12.4
Component: BOOK
Version: git
Severity: normal
Keywords:
Cc:

Description

New minor version.

How many CVEs ???

Change History (6)

comment:1 by Douglas R. Reno, 8 days ago

Owner: changed from blfs-book to Douglas R. Reno
Status: new → assigned

comment:2 by Xi Ruoyao, 8 days ago

-D ENABLE_SPEECH_SYNTHESIS=OFF is needed to avoid an external dependency.


comment:3 by Xi Ruoyao, 8 days ago

FTBFS: https://bugs.webkit.org/show_bug.cgi?id=289849

I manually edited the code to move the needed definitions out of #ifndef GST_DISABLE_GST_DEBUG to continue the build.

comment:4 by Douglas R. Reno, 3 days ago

Priority: normal → high

The answer to the question of how many CVEs is... 3! The advisory was just released this morning.

------------------------------------------------------------------------
WebKitGTK and WPE WebKit Security Advisory                 WSA-2025-0002
------------------------------------------------------------------------

Date reported           : March 20, 2025
Advisory ID             : WSA-2025-0002
WebKitGTK Advisory URL  : https://webkitgtk.org/security/WSA-2025-0002.html
WPE WebKit Advisory URL : https://wpewebkit.org/security/WSA-2025-0002.html
CVE identifiers         : CVE-2024-44192, CVE-2024-54467,
                          CVE-2025-24201.

Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.

CVE-2024-44192
    Versions affected: WebKitGTK and WPE WebKit before 2.48.0.
    Credit to Tashita Software Security.
    Impact: Processing maliciously crafted web content may lead to an
    unexpected process crash. Description: The issue was addressed with
    improved checks.
    WebKit Bugzilla: 268770

CVE-2024-54467
    Versions affected: WebKitGTK and WPE WebKit before 2.48.0.
    Credit to Narendra Bhati, Manager of Cyber Security At Suma Soft Pvt. Ltd,
    Pune (India).
    Impact: A malicious website may exfiltrate data cross-origin.
    Description: A cookie management issue was addressed with improved
    state management.
    WebKit Bugzilla: 287874

CVE-2025-24201
    Versions affected: WebKitGTK before 2.48.0 and WPE WebKit before
    2.46.7.
    Credit to Apple.
    Impact: Maliciously crafted web content may be able to break out of
    Web Content sandbox. This is a supplementary fix for an attack that
    was blocked in iOS 17.2. (Apple is aware of a report that this issue
    may have been exploited in an extremely sophisticated attack against
    specific targeted individuals on versions of iOS before iOS 17.2.).
    Description: An out-of-bounds write issue was addressed with
    improved checks to prevent unauthorized actions.
    WebKit Bugzilla: 285858

It looks like our impacts are unexpected process crashes, data exfiltration, and sandbox escape (which was exploited in the wild).

Severities from NVD:

  • CVE-2024-44192: 5.5 Medium
  • CVE-2024-54467: 6.5 Medium
  • CVE-2025-24201: 8.8 High
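
A version check built from the "Versions affected" lines of the advisory quoted in comment:4, added here as an example; it is not part of the ticket or the BLFS book. The function names and the list of pkg-config module names are assumptions.

```shell
#!/bin/sh
# Added example: map a WebKitGTK / WPE WebKit version to the CVEs of
# WSA-2025-0002 that are still unfixed in it. Thresholds are taken literally
# from the advisory text: 2.48.0 for both ports, except CVE-2025-24201,
# which WPE WebKit already fixes in 2.46.7.

# version_lt A B: succeeds when version A sorts strictly before version B.
# Relies on `sort -V` (GNU coreutils or busybox).
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# wsa_2025_0002_open PORT VERSION: print the unfixed CVEs, space separated.
# PORT is "gtk" or "wpe"; an empty line means the version is not affected.
wsa_2025_0002_open() {
    port=$1 ver=$2 open=""
    case $port in
        gtk) sandbox_fix=2.48.0 ;;
        wpe) sandbox_fix=2.46.7 ;;
        *)   echo "unknown port: $port" >&2; return 2 ;;
    esac
    if version_lt "$ver" 2.48.0; then
        open="CVE-2024-44192 CVE-2024-54467"
    fi
    if version_lt "$ver" "$sandbox_fix"; then
        open="${open:+$open }CVE-2025-24201"
    fi
    printf '%s\n' "$open"
}

# scan_host: report on every WebKit port pkg-config can see on this machine.
# The module names below are assumed to cover the installed API versions.
scan_host() {
    for mod in webkitgtk-6.0 webkit2gtk-4.1 webkit2gtk-4.0 \
               wpe-webkit-2.0 wpe-webkit-1.1; do
        ver=$(pkg-config --modversion "$mod" 2>/dev/null) || continue
        case $mod in wpe-*) port=wpe ;; *) port=gtk ;; esac
        open=$(wsa_2025_0002_open "$port" "$ver")
        printf '%s %s: %s\n' "$mod" "$ver" "${open:-not affected}"
    done
}

if [ "${1:-}" = "--scan" ]; then scan_host; fi
```

Run it with `--scan` on a host to list each installed port and the advisory CVEs that still apply to it.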

comment:5 by Douglas R. Reno, 3 days ago

Release notes:

================
WebKitGTK 2.48.0
================

What's new in WebKitGTK 2.48.0?

  - Fix YouTube playing by using a different user agent quirk.
  - Avoid adding redundant tracks to MediaPlayer.
  - Propagate the font's computed locale to HarfBuzz.
  - Fix build on non-Linux platforms.
  - Fix several crashes and rendering issues.
  - Translation updates: Polish.

=================
WebKitGTK 2.47.90
=================

What's new in WebKitGTK 2.47.90?

  - Ensure WebKitCookieManager APIs keep cookie cache up to date.
  - Use two GPU rendering threads if the system has more than 4 cores.
  - Fix web view contents not rendered in some cases.
  - Fix invalid DPI-aware font size conversion.
  - Reduce memory copies when rendering DMABufs video frames.
  - Translation updates: Brazilian Portuguese.

================
WebKitGTK 2.47.4
================

What's new in WebKitGTK 2.47.4?

  - Add support for the Cookie Store API.
  - Add documentation about how to use the remote web inspector.
  - Enable WebDriver BiDi as an experimental feature.
  - Fix a crash when enabling Skia CPU rendering.
  - Fix several crashes and rendering issues.

================
WebKitGTK 2.47.3
================

What's new in WebKitGTK 2.47.3?

  - Added new function for creating Promise objects to JavaScriptCore GLib API.
  - Speed up of reading large messages of remote inspector protocol.
  - Add metadata (title and creation/modification date) to the PDF document generated for printing.
  - Pause rendering when suspended state is present in current toplevel window.
  - Bring back support for OpenType-SVG fonts using Skia SVG module.
  - Improve performance of preserve-3D intersection rendering.
  - Fix several crashes and rendering issues.
  - Translation updates: Slovenian

================
WebKitGTK 2.47.2
================

What's new in WebKitGTK 2.47.2?

  - Move tiles rendering to a secondary thread when using the GPU.
  - Use the damage information when collected to improve composition in WebKit.
  - Improve performance of canvas putImageData by avoiding buffer copies.
  - Fix preserve-3D intersection rendering.
  - Fix video dimensions since GStreamer 1.24.9.
  - Fix opening links with window.open() when noopener is present.
  - Fix several crashes and rendering issues.
  - Translation updates: Indonesian.

================
WebKitGTK 2.47.1
================

What's new in WebKitGTK 2.47.1?

  - Flatten layers to a plane when preserve-3d style is set.
  - Build GPU process by default, but keeping WebGL in the web process by default for now.
  - Use DMA-BUF buffers for WebGL when available.
  - Fix DuckDuckGo links by adding a user agent quirk.
  - Make GStreamer GL sink handle DMA-BUF memory to replace the DMA-BUF sink.
  - Fix several crashes and rendering issues.

comment:6 by Douglas R. Reno, 34 hours ago

Resolution: fixed
Status: assigned → closed

Fixed at 0ec5067aa2990fe346919742d7a8436d26c8c579

Security Advisory to come most likely tomorrow as I need to do additional testing for BLFS 12.3.
