Bug 31986 - webkit2 security issues fixed upstream (WSA-2023-0004)
Summary: webkit2 security issues fixed upstream (WSA-2023-0004)
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All / OS: Linux
Priority: Normal / Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:

Reported: 2023-06-01 17:59 CEST by David Walser
Modified: 2023-06-15 09:28 CEST

See Also:
Source RPM: webkit2-2.38.6-1.mga8.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2023-06-01 17:59:52 CEST
Upstream has issued an advisory on May 30:
https://webkitgtk.org/security/WSA-2023-0004.html

The issues are fixed upstream in 2.40.2:
https://webkitgtk.org/2023/05/29/webkitgtk2.40.2-released.html
David Walser 2023-06-01 18:00:06 CEST

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 2.40.2

Comment 1 Nicolas Salguero 2023-06-02 09:00:46 CEST
Hi,

Version 2.40.2 is already in Cauldron.

Best regards,

Version: Cauldron => 8
Source RPM: webkit2-2.40.1-1.mga9.src.rpm => webkit2-2.38.6-1.mga8.src.rpm
Whiteboard: MGA8TOO => (none)

Comment 2 Nicolas Salguero 2023-06-02 11:25:56 CEST
The build fails because it needs unifdef, which is only in Cauldron.
Comment 3 Nicolas Salguero 2023-06-06 15:14:47 CEST
I added the needed BR into Mga8 (unifdef, libwpe, wpebackend-fdo and libavif) and disabled other dependencies, but the build still failed on sandbox because glib2 is too old, I think:
../Source/WTF/wtf/glib/Sandbox.cpp:60:48: error: 'g_spawn_check_wait_status' was not declared in this scope; did you mean 'g_spawn_check_exit_status'?
Comment 4 Nicolas Salguero 2023-06-08 14:58:23 CEST
Suggested advisory:
========================

The updated packages fix security vulnerabilities and other issues.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28204
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32373
https://webkitgtk.org/security/WSA-2023-0004.html
https://webkitgtk.org/2023/05/29/webkitgtk2.40.2-released.html
========================

Updated packages in core/updates_testing:
========================
unifdef-2.12-1.mga8

lib(64)wpe1-1.14.1-1.mga8
lib(64)wpe-devel-1.14.1-1.mga8

lib(64)wpebackend-fdo1-1.14.2-1.mga8
lib(64)wpebackend-fdo-devel-1.14.2-1.mga8

avif-pixbuf-loader-0.11.1-1.mga8
lib(64)avif15-0.11.1-1.mga8
lib(64)avif-devel-0.11.1-1.mga8
libavif-tools-0.11.1-1.mga8

lib(64)javascriptcoregtk4.0_18-2.40.2-1.mga8
lib(64)javascriptcore-gir4.0-2.40.2-1.mga8
lib(64)webkit2gtk4.0_37-2.40.2-1.mga8
lib(64)webkit2gtk-gir4.0-2.40.2-1.mga8
lib(64)webkit2-devel-2.40.2-1.mga8
webkit2-2.40.2-1.mga8
webkit2-jsc-2.40.2-1.mga8

from SRPMS:
unifdef-2.12-1.mga8.src.rpm
libwpe-1.14.1-1.mga8.src.rpm
wpebackend-fdo-1.14.2-1.mga8.src.rpm
libavif-0.11.1-1.mga8.src.rpm
webkit2-2.40.2-1.mga8.src.rpm

Status: NEW => ASSIGNED
Status comment: Fixed upstream in 2.40.2 => (none)
CC: (none) => nicolas.salguero
Assignee: nicolas.salguero => qa-bugs
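
A check a tester validating this update might run, added here as an example; it is not part of the bug report, of the advisory, or of Mageia's QA tooling. It takes an `rpm -qa` listing and reports whether every webkit2 binary package is at or above the fixed version 2.40.2-1.mga8 named in the advisory. A constructed sample listing is embedded so it runs offline; the package-name pattern, the arch suffixes it strips, and the `--live` / `--demo` flags are assumptions, and the version comparison relies on GNU `sort -V`.

```shell
#!/bin/sh
# Added example (not from the bug report): verify that installed webkit2
# packages are at or above the version carrying the WSA-2023-0004 fixes.
# FIXED_VERSION comes from the advisory in comment 4; the package-name
# pattern, arch suffixes and sample listing below are assumptions.

FIXED_VERSION="2.40.2-1.mga8"

# Constructed sample of `rpm -qa` output (one package per line). On a real
# Mageia 8 host run the script with --live to read the actual rpm database.
SAMPLE_RPM_QA='lib64webkit2gtk4.0_37-2.38.6-1.mga8.x86_64
lib64javascriptcoregtk4.0_18-2.40.2-1.mga8.x86_64
webkit2-jsc-2.40.2-1.mga8.x86_64
zenity-3.32.0-2.mga8.x86_64'

# version_ge A B: succeed if A >= B under GNU version ordering (sort -V),
# which places 2.40.10 after 2.40.2 where a plain string compare would not.
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# extract_evr NAME-VERSION-RELEASE[.ARCH]: print VERSION-RELEASE.
# Only known arch suffixes are stripped, so a release such as 1.mga8 survives.
extract_evr() {
    case $1 in
        *.x86_64|*.i586|*.i686|*.noarch) nvr=${1%.*} ;;
        *) nvr=$1 ;;
    esac
    rel=${nvr##*-}          # e.g. 1.mga8
    stem=${nvr%-*}          # name-version
    ver=${stem##*-}         # e.g. 2.38.6
    printf '%s-%s\n' "$ver" "$rel"
}

# check_webkit_packages LISTING: print OK/OUTDATED for each webkit2 package
# in LISTING and succeed only if none is below FIXED_VERSION.
check_webkit_packages() {
    failures=0
    for pkg in $(printf '%s\n' "$1" \
        | grep -E '^(lib(64)?(webkit2gtk|javascriptcoregtk)4\.0_[0-9]+|lib(64)?webkit2-devel|webkit2(-jsc)?)-[0-9]'); do
        evr=$(extract_evr "$pkg")
        if version_ge "$evr" "$FIXED_VERSION"; then
            printf 'OK       %s\n' "$pkg"
        else
            printf 'OUTDATED %s (have %s, need >= %s)\n' "$pkg" "$evr" "$FIXED_VERSION"
            failures=$((failures + 1))
        fi
    done
    [ "$failures" -eq 0 ]
}

# --live checks the real system; --demo runs against the constructed sample.
if [ "${1:-}" = "--live" ]; then
    check_webkit_packages "$(rpm -qa)"
elif [ "${1:-}" = "--demo" ]; then
    check_webkit_packages "$SAMPLE_RPM_QA"
fi
```

Against the constructed sample the check reports lib64webkit2gtk4.0_37 as OUTDATED (2.38.6-1.mga8 is the Mageia 8 version before this update) and exits non-zero, which is the signal a tester would want before marking an update OK; once every webkit2 package is at 2.40.2-1.mga8 it exits zero.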

Comment 5 Thomas Andrews 2023-06-12 00:50:55 CEST
On Foolishness, my Dell Inspiron 5100, P4, Radeon RV200 graphics, 32-bit Xfce.

No installation issues.

Because this update included packages that had previously been exclusive to Mageia 9, I had hopes that it would clear up Bug 30332. But alas, it is not to be. This update has actually caused MCC to go back to the behavior that the blank window pane is completely unresponsive.

Zenity and Atril both work normally. Since this update is not supposed to address the issue of Bug 30332, and everything else seems to be OK, I would say it should not be held back because of that issue.

CC: (none) => andrewsfarm

Comment 6 Thomas Andrews 2023-06-12 14:23:36 CEST
HP Pavilion 15, mga8-64 Plasma system.

No installation issues. Tried MCC, zenity, Atril, five-or-more, and four-in-a-row, all without issues.
Comment 7 Thomas Andrews 2023-06-12 23:38:57 CEST
Same hardware as comment 6, but with the kernel updated to 5.15.116-1. No issues noted. Giving this an OK, and validating. Not giving it a 32-bit OK because of comment 5, but not holding it back, either.

Advisory in comment 4

CC: (none) => sysadmin-bugs
Whiteboard: (none) => MGA8-64-OK
Keywords: (none) => validated_update

Dave Hodgins 2023-06-15 00:33:54 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 8 Mageia Robot 2023-06-15 09:28:36 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0197.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

