32202 – webkit2 security issues fixed upstream (WSA-2023-000[6-9], WSA-2023-001[012]), WSA-2024-000[12]

Bug 32202 - webkit2 security issues fixed upstream (WSA-2023-000[6-9], WSA-2023-001[012]), WSA-2024-000[12]

Summary: webkit2 security issues fixed upstream (WSA-2023-000[6-9], WSA-2023-001[012])...

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	9
Hardware:	All Linux

Priority:	Normal Severity: critical
Target Milestone:	---
Assignee:	QA Team
QA Contact:	Sec team

URL:
Whiteboard:	MGA9-64-OK MGA9-32-OK
Keywords:	advisory, validated_update

Depends on:
Blocks:

Reported:	2023-08-29 11:06 CEST by Nicolas Salguero
Modified:	2024-04-26 08:48 CEST (History)
CC List:	7 users (show)

See Also:
Source RPM:	webkit2-2.40.3-1.mga9.src.rpm
CVE:	CVE-2023-37450, CVE-2023-38133, CVE-2023-38572, CVE-2023-38592, CVE-2023-38594, CVE-2023-38595, CVE-2023-38597, CVE-2023-38599, CVE-2023-38600, CVE-2023-38611, CVE-2023-40397, CVE-2023-39928, CVE-2023-39434, CVE-2023-40451, CVE-2023-41074, CVE-2023-41993, CVE-2023-42916
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Nicolas Salguero 2023-08-29 11:06:50 CEST

Upstream has issued two advisories.
The first one on July 21:
https://webkitgtk.org/security/WSA-2023-0006.html
The second one on August 02:
https://webkitgtk.org/security/WSA-2023-0007.html

See also:
https://webkitgtk.org/2023/07/21/webkitgtk2.40.4-released.html
https://webkitgtk.org/2023/08/01/webkitgtk2.40.5-released.html

Nicolas Salguero 2023-08-29 11:08:13 CEST

CC: (none) => nicolas.salguero
Assignee: bugsquad => nicolas.salguero
Whiteboard: (none) => MGA9TOO, MGA8TOO
Source RPM: (none) => webkit2-2.40.3-1.mga8.src.rpm

Comment 1 Nicolas Salguero 2023-09-15 16:13:14 CEST

Upstream has issued another advisory on September 11:
https://webkitgtk.org/security/WSA-2023-0008.html

Moreover, WebKitGTK 2.42.0 was released on September 15:
https://webkitgtk.org/2023/09/15/webkitgtk2.42.0-released.html

Summary: webkit2 security issues fixed upstream (WSA-2023-0006 and WSA-2023-0007) => webkit2 security issues fixed upstream (WSA-2023-0006, WSA-2023-0007 and WSA-2023-0008)

Comment 2 Nicolas Salguero 2023-09-29 15:29:19 CEST

Upstream has issued another advisory on September 28:
https://webkitgtk.org/security/WSA-2023-0009.html

See also:
https://webkitgtk.org/2023/09/27/webkitgtk2.42.1-released.html

Summary: webkit2 security issues fixed upstream (WSA-2023-0006, WSA-2023-0007 and WSA-2023-0008) => webkit2 security issues fixed upstream (WSA-2023-0006, WSA-2023-0007, WSA-2023-0008 and WSA-2023-0009)

Nicolas Salguero 2023-10-12 13:57:39 CEST

Assignee: nicolas.salguero => pkg-bugs

Nicolas Salguero 2023-10-17 08:52:22 CEST

Severity: normal => critical

Nicolas Salguero 2023-10-19 10:27:56 CEST

Whiteboard: MGA9TOO, MGA8TOO => MGA8TOO
Version: Cauldron => 9
Source RPM: webkit2-2.40.3-1.mga8.src.rpm => webkit2-2.40.3-1.mga9.src.rpm

Comment 3 Nicolas Salguero 2023-10-19 14:05:28 CEST

Suggested advisory:
========================

The updated packages fix security vulnerabilities and other issues.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-37450
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32393
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38133
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38572
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38592
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38594
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38595
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38597
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38599
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38600
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38611
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28198
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32370
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40397
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39928
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-35074
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39434
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40451
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-41074
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-41993
https://webkitgtk.org/security/WSA-2023-0006.html
https://webkitgtk.org/security/WSA-2023-0007.html
https://webkitgtk.org/security/WSA-2023-0008.html
https://webkitgtk.org/security/WSA-2023-0009.html
https://webkitgtk.org/2023/07/21/webkitgtk2.40.4-released.html
https://webkitgtk.org/2023/08/01/webkitgtk2.40.5-released.html
https://webkitgtk.org/2023/09/15/webkitgtk2.42.0-released.html
https://webkitgtk.org/2023/09/27/webkitgtk2.42.1-released.html
========================

Updated packages in 8/core/updates_testing:
========================
lib(64)javascriptcore-gir4.0-2.42.1-1.mga8
lib(64)javascriptcoregtk4.0_18-2.42.1-1.mga8
lib(64)webkit2-devel-2.42.1-1.mga8
lib(64)webkit2gtk-gir4.0-2.42.1-1.mga8
lib(64)webkit2gtk4.0_37-2.42.1-1.mga8
webkit2-2.42.1-1.mga8
webkit2-jsc-2.42.1-1.mga8

from SRPM:
webkit2-2.42.1-1.mga8.src.rpm

Comment 4 Nicolas Salguero 2023-10-19 14:19:13 CEST

For Mageia 9, since nobody cares about fixing the BS timeout, despite my 4 requests by mail and IRC, building webkit2 is not more possible because the build is killed for aarch64.

It is a little annoying for a distribution that is supposed to be supported until March 31st, 2025.

Comment 5 Morgan Leijström 2023-10-19 17:37:55 CEST

@Sysadmins
Please fix timeout.
High priority.

CC: (none) => fri, sysadmin-bugs

Comment 6 Nicolas Salguero 2023-11-14 14:53:27 CET

WebKitGTK 2.42.2 was released on November 10:
https://webkitgtk.org/2023/11/10/webkitgtk2.42.2-released.html

Comment 7 Nicolas Salguero 2023-11-15 10:27:24 CET

Updated packages in 8/core/updates_testing:
========================
lib(64)javascriptcore-gir4.0-2.42.2-1.mga8
lib(64)javascriptcoregtk4.0_18-2.42.2-1.mga8
lib(64)webkit2-devel-2.42.2-1.mga8
lib(64)webkit2gtk-gir4.0-2.42.2-1.mga8
lib(64)webkit2gtk4.0_37-2.42.2-1.mga8
webkit2-2.42.2-1.mga8
webkit2-jsc-2.42.2-1.mga8

from SRPM:
webkit2-2.42.2-1.mga8.src.rpm

Comment 8 Morgan Leijström 2023-11-15 10:58:59 CET

Setting to QA for testing mga8 packages.
I assume mga9 packages are coming.

Assignee: pkg-bugs => qa-bugs

Comment 9 Nicolas Salguero 2023-11-15 15:50:47 CET

webkit2  is missing for Mageia 9 so I do not send the packages to QA for the moment.

Assignee: qa-bugs => pkg-bugs

Comment 10 Nicolas Salguero 2023-11-21 10:21:42 CET

Upstream has issued another advisory on November 15:
https://webkitgtk.org/security/WSA-2023-0010.html

Summary: webkit2 security issues fixed upstream (WSA-2023-0006, WSA-2023-0007, WSA-2023-0008 and WSA-2023-0009) => webkit2 security issues fixed upstream (WSA-2023-0006, WSA-2023-0007, WSA-2023-0008, WSA-2023-0009 and WSA-2023-0010)

Comment 11 Nicolas Salguero 2023-12-05 17:40:11 CET

Upstream has issued another advisory on December 5:
https://webkitgtk.org/security/WSA-2023-0011.html

Summary: webkit2 security issues fixed upstream (WSA-2023-0006, WSA-2023-0007, WSA-2023-0008, WSA-2023-0009 and WSA-2023-0010) => webkit2 security issues fixed upstream (WSA-2023-000[6-9], WSA-2023-001[01])

Comment 12 Nicolas Salguero 2023-12-19 16:00:27 CET

Upstream has issued another advisory on December 18:
https://webkitgtk.org/security/WSA-2023-0012.html

See also:
https://webkitgtk.org/2023/12/15/webkitgtk2.42.4-released.html

Summary: webkit2 security issues fixed upstream (WSA-2023-000[6-9], WSA-2023-001[01]) => webkit2 security issues fixed upstream (WSA-2023-000[6-9], WSA-2023-001[012])

Comment 13 Nicolas Salguero 2024-02-06 13:37:19 CET

Upstream has issued another advisory on February 05:
https://webkitgtk.org/security/WSA-2024-0001.html

See also:
https://webkitgtk.org/2024/02/05/webkitgtk2.42.5-released.html

Version: 9 => Cauldron
Summary: webkit2 security issues fixed upstream (WSA-2023-000[6-9], WSA-2023-001[012]) => webkit2 security issues fixed upstream (WSA-2023-000[6-9], WSA-2023-001[012]), WSA-2024-0001
Whiteboard: MGA8TOO => MGA9TOO

Comment 14 Nicolas Salguero 2024-03-26 11:04:46 CET

Upstream has issued another advisory on March 26:
https://webkitgtk.org/security/WSA-2024-0002.html

See also:
https://webkitgtk.org/2024/03/16/webkitgtk2.44.0-released.html

Whiteboard: MGA9TOO => (none)
Summary: webkit2 security issues fixed upstream (WSA-2023-000[6-9], WSA-2023-001[012]), WSA-2024-0001 => webkit2 security issues fixed upstream (WSA-2023-000[6-9], WSA-2023-001[012]), WSA-2024-000[12]
Version: Cauldron => 9

katnatek 2024-03-28 21:24:46 CET

CC: (none) => dan

Comment 15 katnatek 2024-03-28 21:25:54 CET

Dan Fandrich  could you help with this? 
Nicolas what is the amount of time you require?

katnatek 2024-03-28 21:33:33 CET

CC: (none) => j.alberto.vc

Comment 16 Dan Fandrich 2024-03-28 23:49:15 CET

What's the issue? Can it not be handled as a simple upgrade?

Comment 17 katnatek 2024-03-29 02:00:43 CET

(In reply to Dan Fandrich from comment #16)
> What's the issue? Can it not be handled as a simple upgrade?

The issue is the build not finish because it reaches the time limit, that is why I question to Nicolas what is the necessary value for the time

Comment 18 Dan Fandrich 2024-03-29 02:42:55 CET

Sure, I can do that.

Comment 19 katnatek 2024-03-29 02:47:49 CET

Nicolas Salguero the ball is in your side now, please provide the information to Dan, and make rpms that fix the vulnerabilities

Thanks to both for their works

Comment 20 Mageia Robot 2024-03-29 02:50:22 CET

commit 9984777b668e604a5201ac3c728bceeea57d0b6e
Author: Dan Fandrich <danf@...>
Date:   Thu Mar 28 18:49:41 2024 -0700

    (buildsystem) Set webkit2 timeout to 57600 (mga#32202)
---
 Commit Link:
   https://gitweb.mageia.org/infrastructure/puppet/commit/?id=9984777b668e604a5201ac3c728bceeea57d0b6e

Comment 21 katnatek 2024-04-01 20:39:28 CEST

 Nicolas Salguero if I understand well the increment in time is now set, please update this package for mageia 9 when you can

Comment 22 Nicolas Salguero 2024-04-02 11:48:51 CEST

Hi,

I tried to build webkit2 (starting Friday evening) but once again it failed for aarch64 with the same message:
"""
Killed! (probably because of the 36000 timeout)
"""

See: http://pkgsubmit.mageia.org/uploads/failure/9/core/updates_testing/20240329185726.ns80.duvel.3673181/botcmd.1711751241.aarch64.ociaa1.log

The only difference between aarch64 and the other arches I see in the SPEC file is those lines:
"""
# JIT is broken on ARM systems with new ARMv8.5 BTI extension at the moment
# Cf. https://bugzilla.redhat.com/show_bug.cgi?id=2130009
# Cf. https://bugs.webkit.org/show_bug.cgi?id=245697
# Disable BTI until this is fixed upstream.
%ifarch aarch64
%global optflags %(echo %{optflags} | sed 's/-mbranch-protection=standard /-mbranch-protection=pac-ret /')
%endif
"""

Maybe a solution could be to replace those lines by:
"""
%ifarch aarch64
   -DENABLE_JIT=OFF \
   -DENABLE_C_LOOP=ON \
   -DENABLE_SAMPLING_PROFILER=OFF \
%endif
"""
in each cmake

The problem with that solution is it will be a major performance degradation (See: https://github.com/leifliddy/asahi-fedora-builder/issues/10).

Best regards,

Nico.

Comment 23 David GEIGER 2024-04-02 12:42:54 CEST

I fixed aarch64 build on cauldron with:
https://svnweb.mageia.org/packages/cauldron/webkit2/current/SPECS/webkit2.spec?r1=2051253&r2=2051252&pathrev=2051253

I'll submit it tonight with the same fix for mga9!

CC: (none) => geiger.david68210

Comment 24 Nicolas Salguero 2024-04-02 15:00:00 CEST

In the SPEC file which caused the build failure, I put:

(https://svnweb.mageia.org/packages/updates/9/webkit2/current/SPECS/webkit2.spec?revision=2053123&view=markup#l36)
"""
%global debug_package %{nil}
"""

and:
https://svnweb.mageia.org/packages/updates/9/webkit2/current/SPECS/webkit2.spec?revision=2053123&view=markup#l382
"""
%global optflags %(echo %{optflags} | sed 's/-g /-g0 /') 
"""

Comment 25 katnatek 2024-04-05 20:06:33 CEST

(In reply to Nicolas Salguero from comment #22)
> Hi,
> 
> I tried to build webkit2 (starting Friday evening) but once again it failed
> for aarch64 with the same message:
> """
> Killed! (probably because of the 36000 timeout)
> """
> 
> See:
> http://pkgsubmit.mageia.org/uploads/failure/9/core/updates_testing/
> 20240329185726.ns80.duvel.3673181/botcmd.1711751241.aarch64.ociaa1.log

I don't understand what happen, the change that Dan F. made in comment#20 must set 57600 as time limit but perhaps is not honored because the build still say  Killed! (probably because of the 36000 timeout)

Comment 26 Dan Fandrich 2024-04-05 20:36:56 CEST

I don't know if the error message takes the new time into account or not, but iurt logged on line 1469 that it's using a 36000 second timeout so at least it matches. The cmake time stamps show the configuration plus two main parts of the build taking 23+22+21=14788+6069 = 20923 seconds before the build was terminated, which is 4 hours less time than 36000 seconds it said, and 10 hours less time than that requested with the config change (which should have been 57600 seconds). I have no idea why the build would be killed so early.

Comment 27 Jani Välimaa 2024-04-08 22:08:49 CEST

As puppet is not installed into aarch64 builder ociaa1 I modified the timeout value by hand to 57600.

[root@ociaa1 ~]# grep webkit2 /etc/iurt/build/*.conf
/etc/iurt/build/8.conf:   'webkit2' => 57600,
/etc/iurt/build/9.conf:   'webkit2' => 57600,
/etc/iurt/build/cauldron.conf:   'webkit2' => 57600,

CC: (none) => jani.valimaa

Comment 28 Nicolas Salguero 2024-04-11 15:41:22 CEST

Version 2.44.1 was released on April 9:
https://webkitgtk.org/2024/04/09/webkitgtk2.44.1-released.html

Comment 29 katnatek 2024-04-12 00:39:16 CEST

(In reply to Nicolas Salguero from comment #28)
> Version 2.44.1 was released on April 9:
> https://webkitgtk.org/2024/04/09/webkitgtk2.44.1-released.html

Comment#27 make me think that is the moment to give it another try

Comment 30 katnatek 2024-04-20 19:55:28 CEST

Nicolas Salguero, can please try again?

Comment 31 Jani Välimaa 2024-04-24 18:51:30 CEST

Version 2.44.1 is now available in mga9 core/updates_testing.

SRPMS:
webkit2-2.44.1-1.mga9

RPMS:
lib(64)javascriptcore-gir4.0-2.44.1-1.mga9
lib(64)javascriptcore-gir4.1-2.44.1-1.mga9
lib(64)javascriptcore-gir6.0-2.44.1-1.mga9
lib(64)javascriptcoregtk4.0_18-2.44.1-1.mga9
lib(64)javascriptcoregtk4.1_0-2.44.1-1.mga9
lib(64)javascriptcoregtk6.0_1-2.44.1-1.mga9
lib(64)webkit2gtk-gir4.0-2.44.1-1.mga9
lib(64)webkit2gtk-gir4.1-2.44.1-1.mga9
lib(64)webkit2gtk4.0-devel-2.44.1-1.mga9
lib(64)webkit2gtk4.0_37-2.44.1-1.mga9
lib(64)webkit2gtk4.1-devel-2.44.1-1.mga9
lib(64)webkit2gtk4.1_0-2.44.1-1.mga9
lib(64)webkitgtk-gir6.0-2.44.1-1.mga9
lib(64)webkitgtk6.0-devel-2.44.1-1.mga9
lib(64)webkitgtk6.0_4-2.44.1-1.mga9
webkit2-driver-2.44.1-1.mga9
webkit2gtk4.0-2.44.1-1.mga9
webkit2gtk4.0-jsc-2.44.1-1.mga9
webkit2gtk4.1-2.44.1-1.mga9
webkit2gtk4.1-jsc-2.44.1-1.mga9
webkitgtk6.0-2.44.1-1.mga9
webkitgtk6.0-jsc-2.44.1-1.mga9

Assignee: pkg-bugs => qa-bugs

Comment 32 Morgan Leijström 2024-04-24 19:44:13 CEST

drakconf aborts with:
 
WARNING **: Failed to load shared library 'libwebkit2gtk-4.1.so.0' referenced by the typelib: /lib64/libwebkit2gtk-4.1.so.0: undefined symbol: _ZN3JSC14JSGlobalObject14deletePropertyEPNS_6JSCellEPS0_NS_12PropertyNameERNS_18DeletePropertySlotE at /usr/lib64/perl5/vendor_perl/Glib/Object/Introspection.pm line 110.

Keywords: (none) => feedback

Comment 33 katnatek 2024-04-24 20:39:49 CEST

(In reply to Morgan Leijström from comment #32)
> drakconf aborts with:
>  
> WARNING **: Failed to load shared library 'libwebkit2gtk-4.1.so.0'
> referenced by the typelib: /lib64/libwebkit2gtk-4.1.so.0: undefined symbol:
> _ZN3JSC14JSGlobalObject14deletePropertyEPNS_6JSCellEPS0_NS_12PropertyNameERNS
> _18DeletePropertySlotE at
> /usr/lib64/perl5/vendor_perl/Glib/Object/Introspection.pm line 110.

I wonder if you miss a package in your test

VM mageia 9 x86_64

LC_ALL=C urpmi --auto --auto-update
medium "QA Testing (64-bit)" is up-to-date
medium "Core Release" is up-to-date
medium "Core Updates" is up-to-date
medium "Nonfree Release" is up-to-date
medium "Nonfree Updates" is up-to-date
medium "Tainted Release" is up-to-date
medium "Tainted Updates" is up-to-date

installing lib64javascriptcore-gir4.1-2.44.1-1.mga9.x86_64.rpm webkit2gtk4.1-2.44.1-1.mga9.x86_64.rpm lib64webkit2gtk-gir4.1-2.44.1-1.mga9.x86_64.rpm lib64webkit2gtk4.1_0-2.44.1-1.mga9.x86_64.rpm webkit2-driver-2.44.1-1.mga9.x86_64.rpm lib64javascriptcoregtk4.1_0-2.44.1-1.mga9.x86_64.rpm from //home/qateam/qa-testing/x86_64
Preparing...                     ###########################################################################################
      1/6: lib64javascriptcoregtk4.1_0
                                 ###########################################################################################
      2/6: lib64javascriptcore-gir4.1
                                 ###########################################################################################
      3/6: webkit2-driver        ###########################################################################################
      4/6: lib64webkit2gtk4.1_0  ###########################################################################################
      5/6: webkit2gtk4.1         ###########################################################################################
      6/6: lib64webkit2gtk-gir4.1
                                 ###########################################################################################
      1/6: removing lib64webkit2gtk-gir4.1-2.40.3-1.mga9.x86_64
                                 ###########################################################################################
      2/6: removing lib64javascriptcore-gir4.1-2.40.3-1.mga9.x86_64
                                 ###########################################################################################
      3/6: removing lib64webkit2gtk4.1_0-2.40.3-1.mga9.x86_64
                                 ###########################################################################################
      4/6: removing webkit2gtk4.1-2.40.3-1.mga9.x86_64
                                 ###########################################################################################
      5/6: removing lib64javascriptcoregtk4.1_0-2.40.3-1.mga9.x86_64
                                 ###########################################################################################
      6/6: removing webkit2-driver-2.40.3-1.mga9.x86_64
                                 ###########################################################################################

drakconf 

Too late to run INIT block at /usr/lib64/perl5/vendor_perl/Glib/Object/Introspection.pm line 257.
Ignore the following Glib::Object::Introspection & Gtk3 warnings
Subroutine Gtk3::main redefined at /usr/share/perl5/vendor_perl/Gtk3.pm line 539.
GLib-GObject-CRITICAL **: g_boxed_type_register_static: assertion 'g_type_from_name (name) == 0' failed at /usr/lib64/perl5/DynaLoader.pm line 223.
GLib-GObject-CRITICAL **: g_boxed_type_register_static: assertion 'g_type_from_name (name) == 0' failed at /usr/lib64/perl5/DynaLoader.pm line 223.
GLib-GObject-CRITICAL **: g_boxed_type_register_static: assertion 'g_type_from_name (name) == 0' failed at /usr/lib64/perl5/DynaLoader.pm line 223.
GLib-GObject-CRITICAL **: g_boxed_type_register_static: assertion 'g_type_from_name (name) == 0' failed at /usr/lib64/perl5/DynaLoader.pm line 223.
libEGL warning: DRI2: failed to authenticate
error: XDG_RUNTIME_DIR is invalid or not set in the environment.
MESA: error: ZINK: failed to choose pdev
libEGL warning: egl: failed to create dri2 screen
error: XDG_RUNTIME_DIR is invalid or not set in the environment.
MESA: error: ZINK: failed to choose pdev
glx: failed to create drisw screen
"cannot run /usr/sbin/isodumper" since it is not installed [Writing ISO] at /usr/libexec/drakconf line 833.
Overriding existing handler for signal 10. Set JSC_SIGNAL_FOR_GC if you want WebKit to use a different signal

drakconf start 
I'll test in real hardware

Comment 34 katnatek 2024-04-24 20:46:36 CEST

RH mageia 8 x86_64

LC_ALL=C urpmi --auto --auto-update 
medium "QA Testing (32-bit)" is up-to-date
medium "QA Testing (64-bit)" is up-to-date
medium "Core Release (distrib1)" is up-to-date
medium "Core Updates (distrib3)" is up-to-date
medium "Nonfree Release (distrib11)" is up-to-date
medium "Nonfree Updates (distrib13)" is up-to-date
medium "Tainted Release (distrib21)" is up-to-date
medium "Tainted Updates (distrib23)" is up-to-date
medium "Core 32bit Release (distrib31)" is up-to-date
medium "Core 32bit Updates (distrib32)" is up-to-date
medium "Nonfree 32bit Release (distrib36)" is up-to-date
medium "Tainted 32bit Release (distrib41)" is up-to-date
medium "Tainted 32bit Updates (distrib42)" is up-to-date


installing webkit2-driver-2.44.1-1.mga9.x86_64.rpm lib64javascriptcore-gir4.1-2.44.1-1.mga9.x86_64.rpm lib64javascriptcoregtk4.1_0-2.44.1-1.mga9.x86_64.rpm lib64webkit2gtk-gir4.1-2.44.1-1.mga9.x86_64.rpm lib64webkit2gtk4.1_0-2.44.1-1.mga9.x86_64.rpm webkit2gtk4.1-2.44.1-1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/6: lib64javascriptcoregtk4.1_0
                                 ##################################################################################################
      2/6: lib64javascriptcore-gir4.1
                                 ##################################################################################################
      3/6: webkit2-driver        ##################################################################################################
      4/6: lib64webkit2gtk4.1_0  ##################################################################################################
      5/6: webkit2gtk4.1         ##################################################################################################
      6/6: lib64webkit2gtk-gir4.1
                                 ##################################################################################################
      1/6: removing lib64webkit2gtk-gir4.1-2.40.3-1.mga9.x86_64
                                 ##################################################################################################
      2/6: removing lib64javascriptcore-gir4.1-2.40.3-1.mga9.x86_64
                                 ##################################################################################################
      3/6: removing lib64webkit2gtk4.1_0-2.40.3-1.mga9.x86_64
                                 ##################################################################################################
      4/6: removing webkit2gtk4.1-2.40.3-1.mga9.x86_64
                                 ##################################################################################################
      5/6: removing lib64javascriptcoregtk4.1_0-2.40.3-1.mga9.x86_64
                                 ##################################################################################################
      6/6: removing webkit2-driver-2.40.3-1.mga9.x86_64
                                 ##################################################################################################

drakconf
Too late to run INIT block at /usr/lib64/perl5/vendor_perl/Glib/Object/Introspection.pm line 257.
Ignore the following Glib::Object::Introspection & Gtk3 warnings
Subroutine Gtk3::main redefined at /usr/share/perl5/vendor_perl/Gtk3.pm line 539.
GLib-GObject-CRITICAL **: g_boxed_type_register_static: assertion 'g_type_from_name (name) == 0' failed at /usr/lib64/perl5/DynaLoader.pm line 223.
GLib-GObject-CRITICAL **: g_boxed_type_register_static: assertion 'g_type_from_name (name) == 0' failed at /usr/lib64/perl5/DynaLoader.pm line 223.
GLib-GObject-CRITICAL **: g_boxed_type_register_static: assertion 'g_type_from_name (name) == 0' failed at /usr/lib64/perl5/DynaLoader.pm line 223.
GLib-GObject-CRITICAL **: g_boxed_type_register_static: assertion 'g_type_from_name (name) == 0' failed at /usr/lib64/perl5/DynaLoader.pm line 223.
"cannot run /usr/sbin/isodumper" since it is not installed [Writing ISO] at /usr/libexec/drakconf line 833.
Overriding existing handler for signal 10. Set JSC_SIGNAL_FOR_GC if you want WebKit to use a different signal

No problem with drakconf

Comment 35 katnatek 2024-04-24 21:00:53 CEST

RH mageia 9 x86_64

gnome-boxes is included in the list of

urpmq --whatrequires lib64webkit2gtk4.1_0

So I close the VM, close the application

Start gnome-boxes from console 
Start the VM

Look like all what works before is still working

Comment 36 katnatek 2024-04-24 21:12:18 CEST

(In reply to katnatek from comment #34)
> RH mageia 8 x86_64
Today I get a trauma or something with the 8 :P is mageia 9 as can see in the packages

Comment 37 Morgan Leijström 2024-04-24 21:36:54 CEST

Thanks. Correct: I had forgot the lib64javascriptcore packages!

Now it launches.

On this system the icons go hiding more than with previous version, but the workaround suggested by Martin works.

Bug 32185 Comment 25

katnatek 2024-04-24 22:11:19 CEST

CVE: (none) => CVE-2023-37450, CVE-2023-38133, CVE-2023-38572, CVE-2023-38592, CVE-2023-38594, CVE-2023-38595, CVE-2023-38597, CVE-2023-38599, CVE-2023-38600, CVE-2023-38611, CVE-2023-40397, CVE-2023-39928, CVE-2023-39434, CVE-2023-40451, CVE-2023-41074, CVE-2023-41993, CVE-2023-42916

Comment 38 katnatek 2024-04-24 22:12:42 CEST

Still more CVEs, but that is the limit of the field, the rest will be added in the advisory

katnatek 2024-04-24 22:43:58 CEST

Keywords: feedback => advisory

katnatek 2024-04-25 03:02:45 CEST

CC: j.alberto.vc => (none)

katnatek 2024-04-25 19:02:37 CEST

CC: (none) => andrewsfarm

Comment 39 katnatek 2024-04-25 19:03:28 CEST

Looks OK

Whiteboard: (none) => MGA9-64-OK

Comment 40 Morgan Leijström 2024-04-25 19:26:15 CEST

If it degrades the appearance of MCC on many systems like it do on mine, Comment 37, I think we ought to fix the drakconf issue Bug 32185 ASAP.

webkit being a security update, it should not wait for it though.

Comment 41 katnatek 2024-04-25 19:43:28 CEST

(In reply to Morgan Leijström from comment #40)
> If it degrades the appearance of MCC on many systems like it do on mine,
> Comment 37, I think we ought to fix the drakconf issue Bug 32185 ASAP.
> 
> webkit being a security update, it should not wait for it though.

I never see that bug, but is a bad thing for the affected users

Comment 42 Thomas Andrews 2024-04-25 20:34:17 CEST

I saw it with Foolishness in Mageia 8, but haven't with Mageia 9. I wanted to do a test with Foolishness before validating, just to be sure, but have not had the chance yet. Not a bad idea to test this one with i586, anyway.

Comment 43 katnatek 2024-04-25 20:36:40 CEST

(In reply to Thomas Andrews from comment #42)
> I saw it with Foolishness in Mageia 8, but haven't with Mageia 9. I wanted
> to do a test with Foolishness before validating, just to be sure, but have
> not had the chance yet. Not a bad idea to test this one with i586, anyway.

After the meeting, I'll do

Comment 44 katnatek 2024-04-25 22:32:52 CEST

RH mageia 9 i586

LC_ALL=C urpmi --auto --auto-update 
medium "QA Testing (32-bit)" is up-to-date
medium "Core Release (distrib1)" is up-to-date
medium "Core Updates (distrib3)" is up-to-date
medium "Nonfree Release (distrib11)" is up-to-date
medium "Nonfree Updates (distrib13)" is up-to-date
medium "Tainted Release (distrib21)" is up-to-date
medium "Tainted Updates (distrib23)" is up-to-date


installing libjavascriptcoregtk4.0_18-2.44.1-1.mga9.i586.rpm libjavascriptcore-gir4.1-2.44.1-1.mga9.i586.rpm libjavascriptcoregtk4.1_0-2.44.1-1.mga9.i586.rpm libjavascriptcore-gir4.0-2.44.1-1.mga9.i586.rpm libwebkit2gtk4.0_37-2.44.1-1.mga9.i586.rpm webkit2gtk4.1-2.44.1-1.mga9.i586.rpm libwebkit2gtk4.1_0-2.44.1-1.mga9.i586.rpm libwebkit2gtk-gir4.0-2.44.1-1.mga9.i586.rpm webkit2gtk4.0-2.44.1-1.mga9.i586.rpm libwebkit2gtk-gir4.1-2.44.1-1.mga9.i586.rpm webkit2-driver-2.44.1-1.mga9.i586.rpm from //home/katnatek/qa-testing/i586
Preparing...                     ################################################################
     1/11: libjavascriptcoregtk4.1_0
                                 ################################################################
     2/11: libjavascriptcoregtk4.0_18
                                 ################################################################
     3/11: webkit2-driver        ################################################################
     4/11: libjavascriptcore-gir4.0
                                 ################################################################
     5/11: libjavascriptcore-gir4.1
                                 ################################################################
     6/11: webkit2gtk4.1         ################################################################
     7/11: libwebkit2gtk4.1_0    ################################################################
     8/11: libwebkit2gtk4.0_37   ################################################################
     9/11: webkit2gtk4.0         ################################################################
    10/11: libwebkit2gtk-gir4.0  ################################################################
    11/11: libwebkit2gtk-gir4.1  ################################################################
     1/11: removing libwebkit2gtk-gir4.1-2.40.3-1.mga9.i586
                                 ################################################################
     2/11: removing libwebkit2gtk-gir4.0-2.40.3-1.mga9.i586
                                 ################################################################
     3/11: removing webkit2gtk4.1-2.40.3-1.mga9.i586
                                 ################################################################
     4/11: removing libwebkit2gtk4.0_37-2.40.3-1.mga9.i586
                                 ################################################################
     5/11: removing webkit2gtk4.0-2.40.3-1.mga9.i586
                                 ################################################################
     6/11: removing libjavascriptcore-gir4.0-2.40.3-1.mga9.i586
                                 ################################################################
     7/11: removing libjavascriptcore-gir4.1-2.40.3-1.mga9.i586
                                 ################################################################
     8/11: removing libwebkit2gtk4.1_0-2.40.3-1.mga9.i586
                                 ################################################################
     9/11: removing libjavascriptcoregtk4.1_0-2.40.3-1.mga9.i586
                                 ################################################################
    10/11: removing libjavascriptcoregtk4.0_18-2.40.3-1.mga9.i586
                                 ################################################################
    11/11: removing webkit2-driver-2.40.3-1.mga9.i586
                                 ################################################################

poedit is in the list of urpmq --whatrequires-recursive libwebkit2gtk4.1_0

strace poedit show the library is open and the application starts without issues

openat(AT_FDCWD, "/lib/libwebkit2gtk-4.1.so.0", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = 3

mcc starts without issues from root terminal and from the launcher in the panel

OK for me

Comment 45 Thomas Andrews 2024-04-26 01:25:50 CEST

Also tested on Foolishness, my Dell Inspiron 5100, P4, MGA9-32-Xfce. No issues with anything, including MCC. Giving this a 32-bit OK and validating.

Keywords: (none) => validated_update
Whiteboard: MGA9-64-OK => MGA9-64-OK MGA9-32-OK

Comment 46 Mageia Robot 2024-04-26 08:48:07 CEST

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0148.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Note You need to log in before you can comment on or make changes to this bug.