Bug 17491 - shotwell WebKit2 port and TLS certificate validation
Summary: shotwell WebKit2 port and TLS certificate validation
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/671739/
Whiteboard: advisory MGA5-64-OK MGA5-32-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2016-01-13 20:19 CET by David Walser
Modified: 2016-03-16 19:08 CET

See Also:
Source RPM: shotwell-0.22.0-3.mga6.src.rpm
CVE:
Status comment:


Description David Walser 2016-01-13 20:19:27 CET
Fedora has issued an advisory today (January 13):
https://lists.fedoraproject.org/pipermail/package-announce/2016-January/175443.html

They updated shotwell to a git snapshot which ported it to WebKit2, which as I mentioned on the dev list:
https://ml.mageia.org/l/arc/dev/2016-01/msg00078.html

is needed since WebKit1 has a bunch of security vulnerabilities that will never be fixed, and it also implements TLS certificate validation, which has been missing.

Comment 1 David Walser 2016-03-12 01:13:51 CET
Jani did this update for Cauldron.  Thanks Jani!

We should update this for Mageia 5 if possible.

CC: (none) => jani.valimaa
Version: Cauldron => 5

Comment 2 David Walser 2016-03-12 16:40:46 CET
Updated package uploaded by Jani.  Thanks!

Advisory:
========================

Updated shotwell package fixes security vulnerabilities:

Shotwell is vulnerable to numerous security vulnerabilities, due to its use
of the old APIs of the Webkit library which are no longer maintained (the
"webkit" package in Mageia).

The shotwell package has been updated to use the current Webkit API, allowing
it to benefit from security fixes in the newer Webkit branch (the "webkit2"
package in Mageia).  Another benefit of switching to the newer Webkit branch
is that it allows shotwell to validate TLS certificates when connecting to
websites.

References:
https://lists.fedoraproject.org/pipermail/package-announce/2016-January/175443.html
========================

Updated packages in core/updates_testing:
========================
shotwell-0.22.1-0.20160310.1.mga5

from shotwell-0.22.1-0.20160310.1.mga5.src.rpm

Assignee: olav => qa-bugs

Comment 3 Len Lawrence 2016-03-13 19:02:54 CET
mga5  x86_64  Mate

Shotwell already installed so I tinkered with it to get the feel of it.
Updated to shotwell-0.22.1-0.20160310.1 and tried out a few functions:
import from folders, remove redeye, rotate, zoom.  Set images as background did not work but that is not surprising.

At a basic level it certainly works.

CC: (none) => tarazed25

Len Lawrence 2016-03-13 19:03:33 CET

Whiteboard: (none) => MGA5-64-OK

Comment 4 Len Lawrence 2016-03-13 19:15:48 CET
mga5  i586 virtualbox  Mate

This works fine on 32-bit architecture as well.
Validating the update.  Please push to 5 updates.

Len Lawrence 2016-03-13 19:16:12 CET

Keywords: (none) => validated_update
Whiteboard: MGA5-64-OK => MGA5-64-OK MGA-32-OK
CC: (none) => sysadmin-bugs

Len Lawrence 2016-03-13 19:17:17 CET

Whiteboard: MGA5-64-OK MGA-32-OK => MGA5-64-OK MGA5-32-OK

Comment 5 claire robinson 2016-03-15 19:54:52 CET
Advisory uploaded.

Whiteboard: MGA5-64-OK MGA5-32-OK => advisory MGA5-64-OK MGA5-32-OK

Comment 6 Mageia Robot 2016-03-16 19:08:08 CET
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0111.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
