Upstream has issued an advisory today (January 21): https://webkitgtk.org/security/WSA-2022-0001.html The issues are fixed upstream in 2.34.4: https://webkitgtk.org/2022/01/21/webkitgtk2.34.4-released.html Mageia 8 is also affected.
CVE-2021-30934, CVE-2021-30936, CVE-2021-30951, CVE-2021-30952, CVE-2021-30953, CVE-2021-30954, CVE-2021-30984 are the CVEs fixed in this update, plus a not-yet-assigned CVE-2022-XXXXX identifier to come later. Updates submitted to the build system. Package list will be: webkit2-2.34.4-1.mga8 webkit2-jsc-2.34.4-1.mga8 libwebkit2gtk-gir4.0-2.34.4-1.mga8 libjavascriptcore-gir4.0-2.34.4-1.mga8 libjavascriptcoregtk4.0_18-2.34.4-1.mga8 libwebkit2gtk4.0_37-2.34.4-1.mga8 libwebkit2-devel-2.34.4-1.mga8 from SRPM: webkit2-2.34.4-1.mga8.src.rpm Cauldron is giving a build error: + /usr/bin/cmake --build build -j6 --verbose ninja: error: '/unstable/pointer-constraints/pointer-constraints-unstable-v1.xml', needed by 'WebKit2Gtk/DerivedSources/pointer-constraints-unstable-v1-protocol.c', missing and no known rule to make it http://pkgsubmit.mageia.org/uploads/failure/cauldron/core/release/20220121182201.luigiwalser.duvel.3961065/log/webkit2-2.34.4-1.mga9/build.x86_64.0.20220121182207.log
Status comment: (none) => Build failure in CauldronCC: (none) => nicolas.salgueroWhiteboard: (none) => MGA8TOO
Best to assign (rather than CC) this to NicolasS, the principle packager for this SRPM.
CC: nicolas.salguero => (none)Assignee: bugsquad => nicolas.salguero
(In reply to David Walser from comment #1) > Cauldron is giving a build error: > + /usr/bin/cmake --build build -j6 --verbose > ninja: error: > '/unstable/pointer-constraints/pointer-constraints-unstable-v1.xml', needed > by 'WebKit2Gtk/DerivedSources/pointer-constraints-unstable-v1-protocol.c', > missing and no known rule to make it > > http://pkgsubmit.mageia.org/uploads/failure/cauldron/core/release/ > 20220121182201.luigiwalser.duvel.3961065/log/webkit2-2.34.4-1.mga9/build. > x86_64.0.20220121182207.log According to this link: https://www.freshports.org/www/webkit2-gtk3 we need to add wayland-protocols as BR.
Thanks, looks like that's working. Package list and CVEs in Comment 1, references in Comment 0.
Status comment: Build failure in Cauldron => (none)Version: Cauldron => 8Assignee: nicolas.salguero => qa-bugsWhiteboard: MGA8TOO => (none)
The following 6 packages are going to be installed: - lib64javascriptcore-gir4.0-2.34.4-1.mga8.x86_64 - lib64javascriptcoregtk4.0_18-2.34.4-1.mga8.x86_64 - lib64webkit2gtk-gir4.0-2.34.4-1.mga8.x86_64 - lib64webkit2gtk4.0_37-2.34.4-1.mga8.x86_64 - webkit2-2.34.4-1.mga8.x86_64 - webkit2-jsc-2.34.4-1.mga8.x86_64 No installation issues. Lots of previous updates for webkit2. Invoking Herman's usual test, the zenity calendar: $ zenity --calendar Selected a date, and this appeared in the terminal: 01/31/2022 On a whim I decided to try another test from bug 21894, using atril: $ $ strace atril 2>&1 | grep webkit openat(AT_FDCWD, "/lib64/libwebkit2gtk-4.0.so.37", O_RDONLY|O_CLOEXEC) = 3 lstat("/home/tom/.local/share/webkitgtk/databases/indexeddb/v0", {st_mode=S_IFLNK|0777, st_size=52, ...}) = 0 stat("/home/tom/.local/share/webkitgtk/databases/indexeddb/v0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 Atril opened a small window, with no document. Loaded a blank IRS Form 1040, filled in a couple of lines, and closed without saving it. No more references to webkit2, but everything worked as it should. Giving this an OK, and validating.
CC: (none) => andrewsfarm, sysadmin-bugsKeywords: (none) => validated_updateWhiteboard: (none) => MGA8-64-OK
Keywords: (none) => advisoryCC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0034.html
Status: NEW => RESOLVEDResolution: (none) => FIXED
Ubuntu has issued an advisory for this on January 27: https://ubuntu.com/security/notices/USN-5255-1
(In reply to David Walser from comment #1) > CVE-2021-30934, CVE-2021-30936, CVE-2021-30951, CVE-2021-30952, > CVE-2021-30953, CVE-2021-30954, CVE-2021-30984 are the CVEs fixed in this > update, plus a not-yet-assigned CVE-2022-XXXXX identifier to come later. CVE-2022-22594 has been assigned for that last issue: https://www.openwall.com/lists/oss-security/2022/01/31/6