Bug 34747 - webkit2 still have security vulnerabilities
Summary: webkit2 still have security vulnerabilities
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: High normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2025-11-14 18:21 CET by katnatek
Modified: 2025-11-25 20:41 CET

See Also:
Source RPM: webkit2-2.44.4-1.mga9
CVE: CVE-2024-23271, CVE-2024-27808, CVE-2024-27820, CVE-2024-27833, CVE-2024-40866, CVE-2024-44187, CVE-2024-44185, CVE-2024-44244, CVE-2024-44296, CVE-2024-44308, CVE-2024-44309, CVE-2024-54479, CVE-2024-54502, CVE-2024-54505, CVE-2024-54534, CVE-2024-54543, CVE-2024-27856
Status comment:


Attachments

Description katnatek 2025-11-14 18:21:38 CET
Description of problem:

We couldn't provide the 2.50.1 version in bug#33513
This causes Mageia 9 users to be affected by security vulnerabilities
katnatek 2025-11-14 18:25:25 CET

Assignee: qa-bugs => pkg-bugs

Morgan Leijström 2025-11-14 20:04:39 CET

CC: (none) => fri

Comment 1 katnatek 2025-11-15 03:53:16 CET
I don't want to get my hopes up, but the build time for i586 has now passed the build time of the previous test that failed; if it ends well, I'll test restoring the disable sse2 patch
Comment 2 katnatek 2025-11-15 18:18:19 CET
i586 fails near the end with

extracting debug info from /builddir/build/BUILDROOT/webkit2-2.50.1-1.mga9.i386/usr/bin/WebKitWebDriver
/usr/bin/debugedit: /builddir/build/BUILDROOT/webkit2-2.50.1-1.mga9.i386/usr/bin/WebKitWebDriver: Unknown DWARF DW_FORM_0x25
extracting debug info from /builddir/build/BUILDROOT/webkit2-2.50.1-1.mga9.i386/usr/lib/libjavascriptcoregtk-4.0.so.18.28.6
/usr/bin/debugedit: /builddir/build/BUILDROOT/webkit2-2.50.1-1.mga9.i386/usr/lib/libjavascriptcoregtk-4.0.so.18.28.6: Unknown DWARF DW_FORM_0x25
eu-strip: while writing '/builddir/build/BUILDROOT/webkit2-2.50.1-1.mga9.i386/usr/lib/debug/usr/lib/libjavascriptcoregtk-4.0.so.18.28.6-2.50.1-1.mga9.i386.debug.TUXMOt': invalid section entry size
error: Bad exit status from /var/tmp/rpm-tmp.UOfSir (%install)
    Bad exit status from /var/tmp/rpm-tmp.UOfSir (%install)

Do you have recommendations?
Comment 3 katnatek 2025-11-15 22:51:50 CET
Found something, building again
Comment 4 katnatek 2025-11-17 19:52:05 CET
All the related links

https://webkitgtk.org/2025/10/10/webkitgtk2.50.1-released.html
https://webkitgtk.org/security/WSA-2025-0007.html
https://webkitgtk.org/2025/09/17/webkitgtk2.50.0-released.html
https://webkitgtk.org/security/WSA-2025-0006.html
https://webkitgtk.org/2025/07/31/webkitgtk2.49.4-released.html
https://webkitgtk.org/2025/09/03/webkitgtk2.48.6-released.html
https://webkitgtk.org/2025/08/01/webkitgtk2.48.5-released.html
https://webkitgtk.org/security/WSA-2025-0005.html
https://webkitgtk.org/2025/05/28/webkitgtk2.48.3-released.html
https://webkitgtk.org/2025/05/14/webkitgtk2.48.2-released.html
https://webkitgtk.org/security/WSA-2025-0004.html
https://webkitgtk.org/2025/04/02/webkitgtk2.48.1-released.html
https://webkitgtk.org/security/WSA-2025-0003.html
https://webkitgtk.org/2025/03/14/webkitgtk2.48.0-released.html
https://webkitgtk.org/security/WSA-2025-0002.html
https://webkitgtk.org/2025/02/07/webkitgtk2.46.6-released.html
https://webkitgtk.org/security/WSA-2025-0001.html
https://webkitgtk.org/2024/12/18/webkitgtk2.46.5-released.html
https://webkitgtk.org/security/WSA-2024-0008.html
https://webkitgtk.org/2024/11/27/webkitgtk2.46.4-released.html
https://webkitgtk.org/security/WSA-2024-0007.html
https://webkitgtk.org/2024/10/30/webkitgtk2.46.3-released.html
https://webkitgtk.org/security/WSA-2024-0006.html
https://webkitgtk.org/2024/09/30/webkitgtk2.46.1-released.html
https://webkitgtk.org/2024/09/17/webkitgtk2.46.0-released.html
https://webkitgtk.org/security/WSA-2024-0005.html

I'll send it to our BS because I can't determine whether it fails due to the lack of sse2 or the load in copr
Comment 5 katnatek 2025-11-24 18:46:02 CET
RPMS:
lib(64)javascriptcore-gir4.0-2.50.1-1.2.mga9
lib(64)javascriptcore-gir4.1-2.50.1-1.2.mga9
lib(64)javascriptcore-gir6.0-2.50.1-1.2.mga9
lib(64)javascriptcoregtk4.0_18-2.50.1-1.2.mga9
lib(64)javascriptcoregtk4.1_0-2.50.1-1.2.mga9
lib(64)javascriptcoregtk6.0_1-2.50.1-1.2.mga9
lib(64)webkit2gtk-gir4.0-2.50.1-1.2.mga9
lib(64)webkit2gtk-gir4.1-2.50.1-1.2.mga9
lib(64)webkit2gtk4.0-devel-2.50.1-1.2.mga9
lib(64)webkit2gtk4.0_37-2.50.1-1.2.mga9
lib(64)webkit2gtk4.1-devel-2.50.1-1.2.mga9
lib(64)webkit2gtk4.1_0-2.50.1-1.2.mga9
lib(64)webkitgtk-gir6.0-2.50.1-1.2.mga9
lib(64)webkitgtk6.0-devel-2.50.1-1.2.mga9
lib(64)webkitgtk6.0_4-2.50.1-1.2.mga9
webkit2-driver-2.50.1-1.2.mga9
webkit2gtk4.0-2.50.1-1.2.mga9
webkit2gtk4.0-jsc-2.50.1-1.2.mga9
webkit2gtk4.1-2.50.1-1.2.mga9
webkit2gtk4.1-jsc-2.50.1-1.2.mga9
webkitgtk6.0-2.50.1-1.2.mga9
webkitgtk6.0-jsc-2.50.1-1.2.mga9

SRPM:
webkit2-2.50.1-1.2.mga9

Status: NEW => ASSIGNED
Assignee: pkg-bugs => qa-bugs

katnatek 2025-11-24 19:08:32 CET

CVE: (none) => CVE-2024-23271, CVE-2024-27808, CVE-2024-27820, CVE-2024-27833, CVE-2024-40866, CVE-2024-44187, CVE-2024-44185, CVE-2024-44244, CVE-2024-44296

katnatek 2025-11-24 19:22:58 CET

CVE: CVE-2024-23271, CVE-2024-27808, CVE-2024-27820, CVE-2024-27833, CVE-2024-40866, CVE-2024-44187, CVE-2024-44185, CVE-2024-44244, CVE-2024-44296 => CVE-2024-23271, CVE-2024-27808, CVE-2024-27820, CVE-2024-27833, CVE-2024-40866, CVE-2024-44187, CVE-2024-44185, CVE-2024-44244, CVE-2024-44296, CVE-2024-44308, CVE-2024-44309, CVE-2024-54479, CVE-2024-54502, CVE-2024-54505, CVE-2024-54534, CVE-2024-54543, CVE-2024-27856

katnatek 2025-11-24 20:04:53 CET

Keywords: (none) => advisory

Comment 6 katnatek 2025-11-24 20:24:43 CET
RH x86_64

installing webkit2gtk4.1-2.50.1-1.2.mga9.x86_64.rpm webkit2-driver-2.50.1-1.2.mga9.x86_64.rpm lib64webkit2gtk-gir4.1-2.50.1-1.2.mga9.x86_64.rpm lib64webkit2gtk4.1_0-2.50.1-1.2.mga9.x86_64.rpm lib64javascriptcoregtk4.1_0-2.50.1-1.2.mga9.x86_64.rpm lib64javascriptcore-gir4.1-2.50.1-1.2.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ###################################################################################################
      1/6: lib64javascriptcoregtk4.1_0
                                 ###################################################################################################
      2/6: lib64javascriptcore-gir4.1
                                 ###################################################################################################
      3/6: webkit2-driver        ###################################################################################################
      4/6: lib64webkit2gtk4.1_0  ###################################################################################################
      5/6: webkit2gtk4.1         ###################################################################################################
      6/6: lib64webkit2gtk-gir4.1
                                 ###################################################################################################
      1/6: removing lib64webkit2gtk-gir4.1-2.44.4-1.mga9.x86_64
                                 ###################################################################################################
      2/6: removing lib64javascriptcore-gir4.1-2.44.4-1.mga9.x86_64
                                 ###################################################################################################
      3/6: removing lib64webkit2gtk4.1_0-2.44.4-1.mga9.x86_64
                                 ###################################################################################################
      4/6: removing webkit2gtk4.1-2.44.4-1.mga9.x86_64
                                 ###################################################################################################
      5/6: removing lib64javascriptcoregtk4.1_0-2.44.4-1.mga9.x86_64
                                 ###################################################################################################
      6/6: removing webkit2-driver-2.44.4-1.mga9.x86_64
                                 ###################################################################################################

mcc works from root terminal and from the launcher

strace gnome-boxes
openat(AT_FDCWD, "/usr/lib64/libwebkit2gtk-4.1.so.0", O_RDONLY|O_CLOEXEC) = 3

install evolution

strace evolution
openat(AT_FDCWD, "/usr/lib64/libwebkit2gtk-4.1.so.0", O_RDONLY|O_CLOEXEC) = 3

No deep test as I don't use the application

install epiphany

strace epiphany
openat(AT_FDCWD, "/usr/lib64/libwebkitgtk-6.0.so.4", O_RDONLY|O_CLOEXEC) = 3

Loads mageia.org without issues but no deep test

Looks good to me
Comment 7 katnatek 2025-11-24 21:20:23 CET
RH i586

Updated with other packages

rpm -qa|grep 2.50.1
libjavascriptcoregtk4.1_0-2.50.1-1.2.mga9
libjavascriptcoregtk4.0_18-2.50.1-1.2.mga9
webkit2-driver-2.50.1-1.2.mga9
libjavascriptcore-gir4.0-2.50.1-1.2.mga9
libjavascriptcore-gir4.1-2.50.1-1.2.mga9
webkit2gtk4.0-2.50.1-1.2.mga9
libwebkit2gtk4.0_37-2.50.1-1.2.mga9
webkit2gtk4.1-2.50.1-1.2.mga9
libwebkit2gtk4.1_0-2.50.1-1.2.mga9
libwebkit2gtk-gir4.1-2.50.1-1.2.mga9
libwebkit2gtk-gir4.0-2.50.1-1.2.mga9


strace poedit
openat(AT_FDCWD, "/lib/libwebkit2gtk-4.1.so.0", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = 3

I still have the issues reported with poedit in 32bit but the application works

mcc works
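
The strace check used in comments 6 and 7, as an added example that is not part of the original bug thread: it reduces strace output to the WebKitGTK and JavaScriptCore libraries a program actually opened, skipping the failed search-path probes the dynamic loader also logs. The function names and the sample trace are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug thread): list the WebKitGTK /
# JavaScriptCore shared objects that a traced program really loaded.

# Constructed sample strace output. The first line is a failed probe of a
# library search path; only opens that return a file descriptor count.
sample_trace() {
cat <<'EOF'
openat(AT_FDCWD, "/usr/lib64/glibc-hwcaps/x86-64-v3/libwebkit2gtk-4.1.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib64/libwebkit2gtk-4.1.so.0", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib64/libjavascriptcoregtk-4.1.so.0", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib64/libgtk-3.so.0", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib64/libwebkit2gtk-4.1.so.0", O_RDONLY|O_CLOEXEC) = 3
EOF
}

# Read strace output on stdin and print, once each, every libwebkit2gtk,
# libwebkitgtk or libjavascriptcoregtk path whose openat() succeeded.
webkit_libs_loaded() {
    awk -F'"' '
        /openat\(/ &&
        $2 ~ /\/lib(webkit2?gtk|javascriptcoregtk)-[0-9.]+\.so/ &&
        $3 ~ /= [0-9]+$/ &&
        !seen[$2]++ { print $2 }
    '
}

# Stand-alone run on the constructed sample.
sample_trace | webkit_libs_loaded

# On a test machine (strace writes its trace to stderr), the owning package
# of each loaded library can then be compared with the update under test:
#   strace -f -e trace=openat epiphany 2>&1 | webkit_libs_loaded | xargs -r rpm -qf
```

If `rpm -qf` reports a 2.44.4 package for a library the application loads, the update was not applied to the API version that application uses.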
Comment 8 Herman Viaene 2025-11-25 14:55:43 CET
MGA9-64 server Plasma Wayland on Compaq H000SB.
No installation issues.
Ref bug 33513 for testing.
Jumped around in MCC as test, opened a pdf with atril and used:
$ zenity --calendar
27/11/25

This all looks good. In view of katnatek's tests, give the OK.

Whiteboard: (none) => MGA9-64-OK
CC: (none) => herman.viaene

Comment 9 Thomas Andrews 2025-11-25 19:18:02 CET
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 10 Mageia Robot 2025-11-25 20:41:56 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2025-0313.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

