Bug#1034870: marked as done (unblock: webkit2gtk/2.40.1-1)

To: Emilio Pozuelo Monfort <pochu@respighi.debian.org>
Subject: Bug#1034870: marked as done (unblock: webkit2gtk/2.40.1-1)
From: "Debian Bug Tracking System" <owner@bugs.debian.org>
Date: Wed, 26 Apr 2023 10:54:08 +0000
Message-id: <[🔎] handler.1034870.D1034870.16825062452826245.ackdone@bugs.debian.org>
Reply-to: 1034870@bugs.debian.org
References: <E1prcjR-00Dx2X-K6@respighi.debian.org> <[🔎] 168250563465.149156.12339442539964801838.reportbug@zeus.local>

Your message dated Wed, 26 Apr 2023 10:50:41 +0000
with message-id <E1prcjR-00Dx2X-K6@respighi.debian.org>
and subject line unblock webkit2gtk
has caused the Debian Bug report #1034870,
regarding unblock: webkit2gtk/2.40.1-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1034870: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034870
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: unblock: webkit2gtk/2.40.1-1
From: Alberto Garcia <berto@igalia.com>
Date: Wed, 26 Apr 2023 12:40:34 +0200
Message-id: <[🔎] 168250563465.149156.12339442539964801838.reportbug@zeus.local>

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package webkit2gtk

[ Reason ]
Fix five CVEs, one of them reported to have been actively exploited.

[ Impact ]
webkit2gtk, like all other major browser engines, is affected by a
constant stream of security bugs so it's not recommended to browse the
web using an outdated version of the package. For this reason the
security team has been providing webkit2gtk updates using the upstream
stable releases sice Debian buster.

2.40.1 is the first stable point release after 2.40.0 (already in
bookworm). It contains fixes for several bugs including 5 CVEs:

  CVE-2022-0108

    Impact: An HTML document may be able to render iframes with
    sensitive user information.

  CVE-2022-32885

    Impact: Processing maliciously crafted web content may lead to
    arbitrary code execution.

  CVE-2023-27932

    Impact: Processing maliciously crafted web content may bypass Same
    Origin Policy.

  CVE-2023-27954

    Impact: A website may be able to track sensitive user information.

  CVE-2023-28205

    Impact: Processing maliciously crafted web content may lead to
    arbitrary code execution. Apple is aware of a report that this
    issue may have been actively exploited.

This new version also works in bullseye and the the corresponding
security update is also being prepared.

[ Tests ]
Tested manually using the Epiphany web browser for several days.

[ Risks ]
WebKitGTK evolves very fast and its stable releases contain other
fixes apart from the security ones. Because of this the chance of
regressions is higher than with other packages. That said, upstream
has had a good track record of publishing updates with no major
issues.

[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing

Note that I only include the debian/ part of the debdiff since the
changes to the source itself are larger due to the nature of the
release.

unblock webkit2gtk/2.40.1-1

diff -Nru webkit2gtk-2.40.0/debian/changelog webkit2gtk-2.40.1/debian/changelog
--- webkit2gtk-2.40.0/debian/changelog	2023-03-21 18:11:48.000000000 +0100
+++ webkit2gtk-2.40.1/debian/changelog	2023-04-20 14:29:23.000000000 +0200
@@ -1,3 +1,15 @@
+webkit2gtk (2.40.1-1) unstable; urgency=high
+
+  * New upstream release.
+  * debian/rules:
+    - Build with -DUSE_GBM=OFF in the Hurd (Closes: #1033999).
+  * Drop fix-script-message-received-marshaller.patch and
+    fix-gst-crash.patch. Refresh all other patches.
+  * debian/copyright:
+    - Update copyright information of all files.
+
+ -- Alberto Garcia <berto@igalia.com>  Thu, 20 Apr 2023 14:29:23 +0200
+
 webkit2gtk (2.40.0-3) unstable; urgency=medium
 
   * debian/{rules,control.in}:
diff -Nru webkit2gtk-2.40.0/debian/copyright webkit2gtk-2.40.1/debian/copyright
--- webkit2gtk-2.40.0/debian/copyright	2023-03-21 18:11:48.000000000 +0100
+++ webkit2gtk-2.40.1/debian/copyright	2023-04-20 14:29:23.000000000 +0200
@@ -1923,8 +1923,6 @@
        Source/WebCore/rendering/RenderTextInlines.h
        Source/WebCore/rendering/RenderTheme.cpp
        Source/WebCore/rendering/RenderTheme.h
-       Source/WebCore/rendering/RenderThemeGtk.cpp
-       Source/WebCore/rendering/RenderThemeGtk.h
        Source/WebCore/rendering/RenderThemeMac.h
        Source/WebCore/rendering/RenderThemeWin.cpp
        Source/WebCore/rendering/RenderThemeWin.h
diff -Nru webkit2gtk-2.40.0/debian/patches/fix-ftbfs-m68k.patch webkit2gtk-2.40.1/debian/patches/fix-ftbfs-m68k.patch
--- webkit2gtk-2.40.0/debian/patches/fix-ftbfs-m68k.patch	2023-03-21 18:11:48.000000000 +0100
+++ webkit2gtk-2.40.1/debian/patches/fix-ftbfs-m68k.patch	2023-04-20 14:29:23.000000000 +0200
@@ -158,7 +158,7 @@
  namespace JSC {
  
  template<typename CallOp, typename = std::true_type>
-@@ -5497,3 +5502,6 @@ void printInternal(PrintStream& out, JSC
+@@ -5499,3 +5504,6 @@ void printInternal(PrintStream& out, JSC
  
  } // namespace WTF
  
diff -Nru webkit2gtk-2.40.0/debian/patches/fix-gst-crash.patch webkit2gtk-2.40.1/debian/patches/fix-gst-crash.patch
--- webkit2gtk-2.40.0/debian/patches/fix-gst-crash.patch	2023-03-21 18:11:48.000000000 +0100
+++ webkit2gtk-2.40.1/debian/patches/fix-gst-crash.patch	1970-01-01 01:00:00.000000000 +0100
@@ -1,65 +0,0 @@
-From: Philippe Normand <philn@igalia.com>
-Subject: Fix crash in webkit_media_stream_src_class_init()
-Bug: https://bugs.webkit.org/show_bug.cgi?id=254025
-Origin: https://github.com/WebKit/WebKit/commit/358ce3a4bd7353c8edaa5720c949301f31c9a5e9
-Index: webkitgtk/Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp
-===================================================================
---- webkitgtk.orig/Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp
-+++ webkitgtk/Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp
-@@ -2647,6 +2647,9 @@ MediaPlayer::SupportsType MediaPlayerPri
- #endif
-     }
- 
-+    if (!ensureGStreamerInitialized())
-+        return result;
-+
-     GST_DEBUG("Checking mime-type \"%s\"", parameters.type.raw().utf8().data());
-     if (parameters.type.isEmpty())
-         return result;
-Index: webkitgtk/Source/WebCore/platform/graphics/gstreamer/mse/MediaPlayerPrivateGStreamerMSE.cpp
-===================================================================
---- webkitgtk.orig/Source/WebCore/platform/graphics/gstreamer/mse/MediaPlayerPrivateGStreamerMSE.cpp
-+++ webkitgtk/Source/WebCore/platform/graphics/gstreamer/mse/MediaPlayerPrivateGStreamerMSE.cpp
-@@ -439,22 +439,13 @@ void MediaPlayerPrivateGStreamerMSE::get
- 
- MediaPlayer::SupportsType MediaPlayerPrivateGStreamerMSE::supportsType(const MediaEngineSupportParameters& parameters)
- {
--    static std::optional<VideoDecodingLimits> videoDecodingLimits;
--#ifdef VIDEO_DECODING_LIMIT
--    static std::once_flag onceFlag;
--    std::call_once(onceFlag, [] {
--        videoDecodingLimits = videoDecoderLimitsDefaults();
--        if (!videoDecodingLimits) {
--            GST_WARNING("Parsing VIDEO_DECODING_LIMIT failed");
--            ASSERT_NOT_REACHED();
--        }
--    });
--#endif
--
-     MediaPlayer::SupportsType result = MediaPlayer::SupportsType::IsNotSupported;
-     if (!parameters.isMediaSource)
-         return result;
- 
-+    if (!ensureGStreamerInitialized())
-+        return result;
-+
-     auto containerType = parameters.type.containerType();
- 
-     // YouTube TV provides empty types for some videos and we want to be selected as best media engine for them.
-@@ -476,6 +467,16 @@ MediaPlayer::SupportsType MediaPlayerPri
-     if (!ok)
-         height = 0;
- 
-+    static std::optional<VideoDecodingLimits> videoDecodingLimits;
-+#ifdef VIDEO_DECODING_LIMIT
-+    static std::once_flag onceFlag;
-+    std::call_once(onceFlag, [] {
-+        videoDecodingLimits = videoDecoderLimitsDefaults();
-+        if (!videoDecodingLimits)
-+            GST_WARNING("Parsing VIDEO_DECODING_LIMIT failed");
-+    });
-+#endif
-+
-     if (videoDecodingLimits && (width > videoDecodingLimits->mediaMaxWidth || height > videoDecodingLimits->mediaMaxHeight))
-         return result;
- 
diff -Nru webkit2gtk-2.40.0/debian/patches/fix-script-message-received-marshaller.patch webkit2gtk-2.40.1/debian/patches/fix-script-message-received-marshaller.patch
--- webkit2gtk-2.40.0/debian/patches/fix-script-message-received-marshaller.patch	2023-03-21 18:11:48.000000000 +0100
+++ webkit2gtk-2.40.1/debian/patches/fix-script-message-received-marshaller.patch	1970-01-01 01:00:00.000000000 +0100
@@ -1,20 +0,0 @@
-From: Michael Catanzaro <mcatanzaro@redhat.com>
-Subject: Fix WebKitUserContentManager::script-message-received marshaller
-Bug: https://bugs.webkit.org/show_bug.cgi?id=254089
-Origin: https://github.com/WebKit/WebKit/commit/fa61ab3f24678c03f96ca6c4a51a8c7e21439f83
-Index: webkitgtk/Source/WebKit/UIProcess/API/glib/WebKitUserContentManager.cpp
-===================================================================
---- webkitgtk.orig/Source/WebKit/UIProcess/API/glib/WebKitUserContentManager.cpp
-+++ webkitgtk/Source/WebKit/UIProcess/API/glib/WebKitUserContentManager.cpp
-@@ -106,7 +106,11 @@ static void webkit_user_content_manager_
-             G_TYPE_FROM_CLASS(gObjectClass),
-             static_cast<GSignalFlags>(G_SIGNAL_RUN_LAST | G_SIGNAL_DETAILED),
-             0, nullptr, nullptr,
-+#if ENABLE(2022_GLIB_API)
-+            g_cclosure_marshal_VOID__OBJECT,
-+#else
-             g_cclosure_marshal_VOID__BOXED,
-+#endif
-             G_TYPE_NONE, 1,
- #if ENABLE(2022_GLIB_API)
-             JSC_TYPE_VALUE);
diff -Nru webkit2gtk-2.40.0/debian/patches/series webkit2gtk-2.40.1/debian/patches/series
--- webkit2gtk-2.40.0/debian/patches/series	2023-03-21 18:11:48.000000000 +0100
+++ webkit2gtk-2.40.1/debian/patches/series	2023-04-20 14:29:23.000000000 +0200
@@ -5,5 +5,3 @@
 dont-detect-sse2.patch
 reduce-memory-overheads.patch
 fix-ftbfs-hurd.patch
-fix-script-message-received-marshaller.patch
-fix-gst-crash.patch
diff -Nru webkit2gtk-2.40.0/debian/rules webkit2gtk-2.40.1/debian/rules
--- webkit2gtk-2.40.0/debian/rules	2023-03-21 18:11:48.000000000 +0100
+++ webkit2gtk-2.40.1/debian/rules	2023-04-20 14:29:23.000000000 +0200
@@ -55,6 +55,11 @@
 	EXTRA_CMAKE_ARGUMENTS += -DENABLE_WEBGL=OFF
 endif
 
+# libgbm-dev is not available in the Hurd (#1033999)
+ifneq (,$(filter $(DEB_HOST_ARCH),hurd-i386))
+	EXTRA_CMAKE_ARGUMENTS += -DUSE_GBM=OFF
+endif
+
 # Systemd/elogind and libmanette are Linux-only
 ifneq ($(DEB_HOST_ARCH_OS),linux)
 	EXTRA_CMAKE_ARGUMENTS += -DENABLE_JOURNALD_LOG=OFF -DENABLE_GAMEPAD=OFF

--- End Message ---

--- Begin Message ---

To: 1034870-done@bugs.debian.org

Subject: unblock webkit2gtk

From: Emilio Pozuelo Monfort <pochu@respighi.debian.org>

Date: Wed, 26 Apr 2023 10:50:41 +0000

Message-id: <E1prcjR-00Dx2X-K6@respighi.debian.org>
Unblocked.
--- End Message ---

Reply to:

References:
- Bug#1034870: unblock: webkit2gtk/2.40.1-1
  - From: Alberto Garcia <berto@igalia.com>

Prev by Date: Bug#1034872: unblock: wpewebkit/2.38.6-1
Next by Date: Processed: tagging 1034664
Previous by thread: Bug#1034870: unblock: webkit2gtk/2.40.1-1
Next by thread: Bug#1034872: unblock: wpewebkit/2.38.6-1
Index(es):
- Date
- Thread