[20.09] webkitgtk: 2.28.4 -> 2.30.3 #104820

Merged
merged 6 commits into from Nov 25, 2020


mweinelt
Member

Motivation for this change

https://webkitgtk.org/security/WSA-2020-0008.html

It's unclear what patches have to be backported and even Debian backported 2.30.3 to buster-security. I think we should do the same.

I successfully tested this against epiphany.

I'm not sure if all of this should be backported, but it seemed like the least error-prone approach to doing this.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

pbogdan and others added 6 commits November 25, 2020 00:00
Very strange that stdenv.isDarwin is in this expression but without
platforms including darwin.

(cherry picked from commit af2465a)
(cherry picked from commit 297bac6)
Remove gtk2 flag, which is no longer supported.

(cherry picked from commit 8ccd765)
Fixes processing of maliciously crafted web content which could lead to
- CVE-2020-13584: arbitrary code execution due to a use after free issue
- CVE-2020-9983: code execution due to an out-of-bounds write issue

Advisory at https://webkitgtk.org/security/WSA-2020-0008.html

Fixes: CVE-2090-13584, CVE-2020-9983
(cherry picked from commit 48ba279)
@ofborg ofborg bot requested a review from hedning November 24, 2020 23:48
@mweinelt mweinelt changed the title [20.09]: webkitgtk: 2.28.4 -> 2.30.3 [20.09] webkitgtk: 2.28.4 -> 2.30.3 Nov 25, 2020
@mweinelt mweinelt merged commit 6abfce3 into NixOS:release-20.09 Nov 25, 2020
@mweinelt mweinelt deleted the 20.09/webkitgtk branch November 25, 2020 21:54
@lukegb
Contributor

lukegb commented Nov 25, 2020

Result of nixpkgs-review pr 104820

6 packages marked as broken and skipped:
  • openmodelica
  • quodlibet
  • quodlibet-full
  • quodlibet-without-gst-plugins
  • quodlibet-xine
  • quodlibet-xine-full
4 packages failed to build:
  • citrix_workspace (citrix_workspace_20_10_0)
  • citrix_workspace_20_04_0
  • citrix_workspace_20_06_0
  • citrix_workspace_20_09_0
149 packages built:
  • adapta-gtk-theme
  • almanah
  • apostrophe
  • areca
  • astroid
  • azureus
  • balsa
  • birdfont
  • bookworm
  • calls
  • chrome-gnome-shell
  • cinnamon.cinnamon-common
  • cinnamon.cinnamon-control-center
  • cinnamon.cinnamon-gsettings-overrides
  • cinnamon.cinnamon-screensaver
  • claws-mail-gtk3
  • deja-dup
  • dropbox-cli
  • eclipse-mat
  • eclipses.eclipse-committers
  • eclipses.eclipse-cpp
  • eclipses.eclipse-java
  • eclipses.eclipse-modeling
  • eclipses.eclipse-platform
  • eclipses.eclipse-scala-sdk
  • eclipses.eclipse-sdk
  • elementary-planner
  • empathy (gnome3.empathy)
  • eolie
  • ephemeral
  • epiphany (gnome3.epiphany)
  • evolution-data-server (gnome3.evolution-data-server ,gnome3.evolution_data_server)
  • evolution-ews
  • feedreader
  • folks (gnome3.folks)
  • gfbgraph (gnome3.gfbgraph)
  • gnome-builder
  • gnome-online-accounts (gnome3.gnome-online-accounts ,gnome3.gnome_online_accounts)
  • gnome-photos (gnome3.gnome-photos)
  • gnome-recipes
  • gnome3.bijiben (gnome3.gnome-notes)
  • gnome3.cheese
  • gnome3.devhelp
  • gnome3.evolution
  • gnome3.file-roller
  • gnome3.geary
  • gnome3.gnome-applets
  • gnome3.gnome-books
  • gnome3.gnome-boxes
  • gnome3.gnome-calendar
  • gnome3.gnome-contacts
  • gnome3.gnome-control-center (gnome3.gnome_control_center)
  • gnome3.gnome-documents
  • gnome3.gnome-flashback
  • gnome3.gnome-initial-setup
  • gnome3.gnome-maps
  • gnome3.gnome-music
  • gnome3.gnome-online-miners
  • gnome3.gnome-panel
  • gnome3.gnome-session (gnome3.gnome_session)
  • gnome3.gnome-shell (gnome3.gnome_shell)
  • gnome3.gnome-software
  • gnome3.gnome-terminal (gnome3.gnome_terminal)
  • gnome3.gnome-todo
  • gnome3.gnome-tweaks (gnome3.gnome-tweak-tool)
  • gnome3.gnome-user-share
  • grilo-plugins (gnome3.grilo-plugins)
  • gnome3.gvfs
  • libgdata (gnome3.libgdata)
  • libgepub (gnome3.libgepub)
  • libzapojit (gnome3.libzapojit)
  • gnome3.nautilus
  • gnome3.nautilus-python
  • gnome3.polari
  • gnome3.pomodoro
  • shotwell (gnome3.shotwell)
  • gnome3.sushi
  • gnome3.totem
  • tracker-miners (gnome3.tracker-miners)
  • webkitgtk (gnome3.webkitgtk)
  • yelp (gnome3.yelp)
  • gnomeExtensions.gsconnect
  • gnomeExtensions.night-theme-switcher
  • gnucash
  • gnvim
  • gnvim-unwrapped
  • gthumb
  • haskellPackages.reflex-dom
  • haskellPackages.webkit2gtk3-javascriptcore
  • ipscan
  • kicad-small
  • kicad-unstable-small
  • liferea
  • luakit
  • lutris
  • lutris-free
  • lutris-unwrapped
  • mailnagWithPlugins
  • mate.atril
  • mate.mate-user-guide
  • mavproxy
  • meteo
  • midori-unwrapped
  • mmex
  • nasc
  • newsflash
  • next
  • notes-up
  • onboard
  • osmo
  • pantheon.elementary-calendar
  • pantheon.elementary-capnet-assist
  • pantheon.elementary-code
  • pantheon.elementary-greeter
  • pantheon.elementary-gsettings-schemas
  • pantheon.elementary-photos
  • pantheon.elementary-session-settings
  • pantheon.extra-elementary-contracts
  • pantheon.notes-up
  • pantheon.switchboard-plug-a11y
  • pantheon.switchboard-plug-onlineaccounts
  • pantheon.switchboard-with-plugs
  • pantheon.wingpanel-applications-menu
  • pantheon.wingpanel-indicator-datetime
  • pantheon.wingpanel-with-indicators
  • portfolio
  • python27Packages.wxPython_4_0
  • python37Packages.kicad
  • python37Packages.wxPython_4_0
  • python38Packages.kicad
  • python38Packages.wxPython_4_0
  • pytrainer
  • quilter
  • rednotebook
  • remmina
  • setzer
  • sparkleshare
  • surf
  • surf-display
  • swt
  • tunefish
  • tuxguitar
  • ulauncher
  • vimb-unwrapped
  • vocal
  • vuze
  • webkit2-sharp
  • xiphos
  • xmonad_log_applet

@mweinelt
Member Author

FWIW: Citrix Workspace won't build without prefetching their binary.

***
In order to use Citrix Workspace, you need to comply with the Citrix EULA and download
the 64-bit binaries, .tar.gz from:

https://www.citrix.com/de-de/downloads/workspace-app/linux/workspace-app-for-linux-latest.html

(if you do not find version 20.10.0.6 there, try at
https://www.citrix.com/downloads/workspace-app/

Once you have downloaded the file, please use the following command and re-run the
installation:

nix-prefetch-url file://$PWD/linuxx64-20.10.0.6.tar.gz

***
