Bug 17491

Summary: shotwell WebKit2 port and TLS certificate validation
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: jani.valimaa, sysadmin-bugs, tarazed25
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/671739/
Whiteboard: advisory MGA5-64-OK MGA5-32-OK
Source RPM: shotwell-0.22.0-3.mga6.src.rpm CVE:
Status comment:

Description David Walser 2016-01-13 20:19:27 CET 
Fedora has issued an advisory today (January 13):
https://lists.fedoraproject.org/pipermail/package-announce/2016-January/175443.html

They updated shotwell to a git snapshot which ported it to WebKit2, which as I mentioned on the dev list:
https://ml.mageia.org/l/arc/dev/2016-01/msg00078.html

is needed since WebKit1 has a bunch of security vulnerabilities that will never be fixed, and it also implements TLS certificate validation, which has been missing.

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2016-03-12 01:13:51 CET 
Jani did this update for Cauldron.  Thanks Jani!

We should update this for Mageia 5 if possible.

CC: (none) => jani.valimaa
Version: Cauldron => 5

Comment 2 David Walser 2016-03-12 16:40:46 CET 
Updated package uploaded by Jani.  Thanks!

Advisory:
========================

Updated shotwell package fixes security vulnerabilities:

Shotwell is vulnerable to numerous security vulnerabilities, due to its use
of the old APIs of the Webkit library which are no longer maintained (the
"webkit" package in Mageia).

The shotwell package has been updated to use the current Webkit API, allowing
it to benefit from security fixes in the newer Webkit branch (the "webkit2"
package in Mageia).  Another benefit of switching to the newer Webkit branch
is that it allows shotwell to validate TLS certificates when connecting to
websites.

References:
https://lists.fedoraproject.org/pipermail/package-announce/2016-January/175443.html
========================

Updated packages in core/updates_testing:
========================
shotwell-0.22.1-0.20160310.1.mga5

from shotwell-0.22.1-0.20160310.1.mga5.src.rpm

Assignee: olav => qa-bugs

Comment 3 Len Lawrence 2016-03-13 19:02:54 CET 
mga5  x86_64  Mate

Shotwell already installed so I tinkered with it to get the feel of it.
Updated to shotwell-0.22.1-0.20160310.1 and tried out a few functions:
import from folders, remove redeye, rotate, zoom.  Set images as background did not work but that is not surprising.

At a basic level it certainly works.

CC: (none) => tarazed25

Len Lawrence 2016-03-13 19:03:33 CET

Whiteboard: (none) => MGA5-64-OK

Comment 4 Len Lawrence 2016-03-13 19:15:48 CET 
mga5  i586 virtualbox  Mate

This works fine on 32-bit architecture as well.
Validating the update.  Please push to 5 updates.
Len Lawrence 2016-03-13 19:16:12 CET

Keywords: (none) => validated_update
Whiteboard: MGA5-64-OK => MGA5-64-OK MGA-32-OK
CC: (none) => sysadmin-bugs

Len Lawrence 2016-03-13 19:17:17 CET

Whiteboard: MGA5-64-OK MGA-32-OK => MGA5-64-OK MGA5-32-OK

Comment 5 claire robinson 2016-03-15 19:54:52 CET 
Advisory uploaded.

Whiteboard: MGA5-64-OK MGA5-32-OK => advisory MGA5-64-OK MGA5-32-OK

Comment 6 Mageia Robot 2016-03-16 19:08:08 CET 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0111.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED