| Summary: | webkit2 security issues fixed upstream (WSA-2022-0001) | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | andrewsfarm, davidwhodgins, sysadmin-bugs |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA8-64-OK | | |
| Source RPM: | webkit2-2.34.3-1.mga8.src.rpm | CVE: | |
| Status comment: | | | |
|
Description
David Walser
2022-01-21 19:22:13 CET
CVE-2021-30934, CVE-2021-30936, CVE-2021-30951, CVE-2021-30952, CVE-2021-30953, CVE-2021-30954, CVE-2021-30984 are the CVEs fixed in this update, plus a not-yet-assigned CVE-2022-XXXXX identifier to come later.

Updates submitted to the build system.

Package list will be:
webkit2-2.34.4-1.mga8
webkit2-jsc-2.34.4-1.mga8
libwebkit2gtk-gir4.0-2.34.4-1.mga8
libjavascriptcore-gir4.0-2.34.4-1.mga8
libjavascriptcoregtk4.0_18-2.34.4-1.mga8
libwebkit2gtk4.0_37-2.34.4-1.mga8
libwebkit2-devel-2.34.4-1.mga8

from SRPM:
webkit2-2.34.4-1.mga8.src.rpm

Cauldron is giving a build error:

```
+ /usr/bin/cmake --build build -j6 --verbose
ninja: error: '/unstable/pointer-constraints/pointer-constraints-unstable-v1.xml', needed by 'WebKit2Gtk/DerivedSources/pointer-constraints-unstable-v1-protocol.c', missing and no known rule to make it
```

http://pkgsubmit.mageia.org/uploads/failure/cauldron/core/release/20220121182201.luigiwalser.duvel.3961065/log/webkit2-2.34.4-1.mga9/build.x86_64.0.20220121182207.log

Status comment: (none) => Build failure in Cauldron

Best to assign (rather than CC) this to NicolasS, the principal packager for this SRPM.

CC: nicolas.salguero => (none)

(In reply to David Walser from comment #1)
> Cauldron is giving a build error:
> + /usr/bin/cmake --build build -j6 --verbose
> ninja: error:
> '/unstable/pointer-constraints/pointer-constraints-unstable-v1.xml', needed
> by 'WebKit2Gtk/DerivedSources/pointer-constraints-unstable-v1-protocol.c',
> missing and no known rule to make it
>
> http://pkgsubmit.mageia.org/uploads/failure/cauldron/core/release/
> 20220121182201.luigiwalser.duvel.3961065/log/webkit2-2.34.4-1.mga9/build.
> x86_64.0.20220121182207.log

According to this link:
https://www.freshports.org/www/webkit2-gtk3
we need to add wayland-protocols as BR.

Thanks, looks like that's working.

Package list and CVEs in Comment 1, references in Comment 0.

Status comment: Build failure in Cauldron => (none)

The following 6 packages are going to be installed:

- lib64javascriptcore-gir4.0-2.34.4-1.mga8.x86_64
- lib64javascriptcoregtk4.0_18-2.34.4-1.mga8.x86_64
- lib64webkit2gtk-gir4.0-2.34.4-1.mga8.x86_64
- lib64webkit2gtk4.0_37-2.34.4-1.mga8.x86_64
- webkit2-2.34.4-1.mga8.x86_64
- webkit2-jsc-2.34.4-1.mga8.x86_64

No installation issues.

Lots of previous updates for webkit2. Invoking Herman's usual test, the zenity calendar:

```
$ zenity --calendar
```

Selected a date, and this appeared in the terminal:

```
01/31/2022
```

On a whim I decided to try another test from bug 21894, using atril:

```
$ strace atril 2>&1 | grep webkit
openat(AT_FDCWD, "/lib64/libwebkit2gtk-4.0.so.37", O_RDONLY|O_CLOEXEC) = 3
lstat("/home/tom/.local/share/webkitgtk/databases/indexeddb/v0", {st_mode=S_IFLNK|0777, st_size=52, ...}) = 0
stat("/home/tom/.local/share/webkitgtk/databases/indexeddb/v0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
```

Atril opened a small window, with no document. Loaded a blank IRS Form 1040, filled in a couple of lines, and closed without saving it. No more references to webkit2, but everything worked as it should.

Giving this an OK, and validating.

CC: (none) => andrewsfarm, sysadmin-bugs
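The QA comment above confirms with strace that atril loads libwebkit2gtk-4.0.so.37 from the updated package. Two further checks a tester usually wants after a shared-library security update are (a) that every webkit2/javascriptcore package on the box is at or above the fixed version, 2.34.4, and (b) that no long-running process still has the replaced (unlinked) library mapped, since such a process keeps executing the vulnerable code until it is restarted. The script below is an added example written for this page, not code from the bug report or from Mageia's QA tooling; the helper names (`version_ge`, `nevra_version`, `outdated_webkit_packages`, `stale_webkit_mappings`) are chosen here, and the `rpm -qa`-style package list and `/proc/PID/maps`-style lines are constructed sample data (the minor soname components such as `.37.56.3` are made up for the sample). On a real system you would feed it `rpm -qa` and `cat /proc/*/maps` instead of the samples.

```shell
#!/bin/sh
# Added example (not from the Mageia bug report): post-update QA checks for a
# shared-library security update such as webkit2 2.34.4-1.mga8.

FIXED_WEBKIT_VERSION="2.34.4"   # version carrying the WSA-2022-0001 fixes

# version_ge A B: exit 0 when dotted version A >= B, compared component-wise
# as integers, so 2.34.10 ranks above 2.34.4 (a plain string compare would not).
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, A, "."); nb = split(b, B, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      x = (i <= na) ? A[i] + 0 : 0
      y = (i <= nb) ? B[i] + 0 : 0
      if (x > y) exit 0
      if (x < y) exit 1
    }
    exit 0
  }'
}

# nevra_version NAME-VERSION-RELEASE.ARCH: print the VERSION field.
# e.g. lib64webkit2gtk4.0_37-2.34.4-1.mga8.x86_64 -> 2.34.4
nevra_version() {
  nvr=${1%.*}        # drop .ARCH
  nv=${nvr%-*}       # drop -RELEASE
  printf '%s\n' "${nv##*-}"
}

# outdated_webkit_packages: read `rpm -qa`-style NEVRA lines on stdin and
# print every webkit2/javascriptcore package still below the fixed version.
outdated_webkit_packages() {
  while IFS= read -r pkg; do
    case $pkg in
      *webkit2*|*javascriptcore*) ;;
      *) continue ;;
    esac
    ver=$(nevra_version "$pkg")
    version_ge "$ver" "$FIXED_WEBKIT_VERSION" || printf '%s\n' "$pkg"
  done
}

# stale_webkit_mappings: read /proc/PID/maps-style lines on stdin and print
# mappings of a webkit/javascriptcore library whose file was replaced on disk.
# The kernel marks an unlinked-but-mapped file "(deleted)"; a process showing
# such a mapping still runs the pre-update code until it is restarted.
stale_webkit_mappings() {
  grep -E '/lib(webkit2gtk|javascriptcoregtk)-[0-9.]+\.so[^ ]* \(deleted\)$'
}

# Constructed sample inputs (not captured from a real system).
SAMPLE_RPMS='lib64webkit2gtk4.0_37-2.34.4-1.mga8.x86_64
lib64javascriptcoregtk4.0_18-2.34.3-1.mga8.x86_64
webkit2-jsc-2.34.4-1.mga8.x86_64
zenity-3.32.0-3.mga8.x86_64'

SAMPLE_MAPS='7f3a1c000000-7f3a1c021000 r--p 00000000 08:02 1179744 /lib64/libwebkit2gtk-4.0.so.37.56.3 (deleted)
7f3a1d000000-7f3a1d120000 r-xp 00000000 08:02 1179901 /lib64/libjavascriptcoregtk-4.0.so.18.21.4
7f3a1e000000-7f3a1e010000 r--p 00000000 08:02 1048600 /lib64/libc.so.6'

# Run with --demo to see both checks over the constructed samples; on a live
# system pipe `rpm -qa` and `cat /proc/*/maps` into the two functions instead.
if [ "${1:-}" = "--demo" ]; then
  echo "packages below $FIXED_WEBKIT_VERSION:"
  printf '%s\n' "$SAMPLE_RPMS" | outdated_webkit_packages
  echo "mappings of a replaced webkit library:"
  printf '%s\n' "$SAMPLE_MAPS" | stale_webkit_mappings
fi
```

In the sample the javascriptcoregtk package is deliberately left at 2.34.3 and one process still maps the old libwebkit2gtk, so the demo flags exactly those two; a clean post-update system prints nothing for either check.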
Dave Hodgins
2022-01-24 23:26:18 CET

Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2022-0034.html

Status: NEW => RESOLVED

Ubuntu has issued an advisory for this on January 27:
https://ubuntu.com/security/notices/USN-5255-1

(In reply to David Walser from comment #1)
> CVE-2021-30934, CVE-2021-30936, CVE-2021-30951, CVE-2021-30952,
> CVE-2021-30953, CVE-2021-30954, CVE-2021-30984 are the CVEs fixed in this
> update, plus a not-yet-assigned CVE-2022-XXXXX identifier to come later.

CVE-2022-22594 has been assigned for that last issue:
https://www.openwall.com/lists/oss-security/2022/01/31/6