Bug 30866

Summary: webkit2 security issues fixed upstream (WSA-2022-0009)
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, davidwhodgins, guillaume.royer, nicolas.salguero, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: webkit2-2.36.7-1.mga8.src.rpm CVE:
Status comment:

Description David Walser 2022-09-19 18:56:03 CEST 
Upstream has issued an advisory today (September 19):
https://webkitgtk.org/security/WSA-2022-0009.html

The issues are fixed upstream in 2.36.8:
https://webkitgtk.org/2022/09/16/webkitgtk2.36.8-released.html
Comment 1 Nicolas Salguero 2022-09-20 13:19:01 CEST 
Suggested advisory:
========================

The updated packages fix a security vulnerability and other issues.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32886
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32891
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32912
https://webkitgtk.org/security/WSA-2022-0009.html
https://webkitgtk.org/2022/09/16/webkitgtk2.36.8-released.html
========================

Updated packages in core/updates_testing:
========================
lib(64)javascriptcoregtk4.0_18-2.36.8-1.mga8
lib(64)javascriptcore-gir4.0-2.36.8-1.mga8
lib(64)webkit2gtk4.0_37-2.36.8-1.mga8
lib(64)webkit2gtk-gir4.0-2.36.8-1.mga8
lib(64)webkit2-devel-2.36.8-1.mga8
webkit2-2.36.8-1.mga8
webkit2-jsc-2.36.8-1.mga8.x86_64.rpm

from SRPM:
webkit2-2.36.8-1.mga8.src.rpm

Assignee: nicolas.salguero => qa-bugs
Status: NEW => ASSIGNED
CC: (none) => nicolas.salguero

Comment 2 Dave Hodgins 2022-09-20 17:41:58 CEST 
For CVE-2022-32912, WSA-2022-0009 states "This issue only affects MacOS builds (Linux builds are not affected).".

CC: (none) => davidwhodgins

Comment 3 Thomas Andrews 2022-09-21 02:29:09 CEST 
(i586 users, use "webkit2-jsc-2.36.8-1.mga8" in Qarepo.)

Checked in Foolishness, my 32-bit Dell Inspiron 5100, P4, Radeon RV200 graphics, 32-bit Xfce system. No installation issues.

This update does not affect Bug 30332 on this hardware. MCC (drakconf) still comes up with a blank, unresponsive area.

CC: (none) => andrewsfarm

Comment 4 Guillaume Royer 2022-09-22 09:50:06 CEST 
MGA8 64 XFCE with Nvidia graphic card 520M.

Updated with QA repo.

No installation issues.
MCC (drakconf) still comes up with a blank, unresponsive area here too.

CC: (none) => guillaume.royer

Comment 5 Thomas Andrews 2022-09-24 05:05:31 CEST 
Tested in a mga8-64 Plasma guest in VirtualBox. No installation issues.

No change in behavior of MCC. If 3D acceleration is enabled, MCC works as designed. If it is disabled, the first time it comes up with a blank screen, but if you click on it the text appears and is responsive.

Using my test from Bug 30777, "zenity --calendar" works, as do the games  four-in-a-row and five-in-line. 

So, other than the problem of Bug 30332, this update appears to be working as designed.
Comment 6 Thomas Andrews 2022-09-25 14:28:32 CEST 
Since this is a security update, and no new regressions have surfaced, and remembering that we have approved several webkit2 security updates since Bug 30332 was reported, I'm somewhat reluctantly going to give this one an OK, too.

Validating. Advisory in Comment 1.

Whiteboard: (none) => MGA8-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Dave Hodgins 2022-09-26 01:18:38 CEST

Keywords: (none) => advisory

Comment 7 Mageia Robot 2022-09-26 08:23:44 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0346.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED