Re: [webkit-gtk] Fix CVE-2023-32435 for webkitgtk 2.38.6
On Wed, Sep 6, 2023 at 9:46 PM Michael Catanzaro wrote:

> On Wed, Sep 6 2023 at 04:23:17 PM +0800, 不会弹吉他的KK wrote:
> > My question is
> > 1. Is webkitgtk 2.38.6 vulnerable to CVE-2023-32435?
>
> No clue, sorry.
>
> > 2. If YES, how to deal with the patches for the 2 new files? If just
> > ignore and only patch file
> > Source/JavaScriptCore/wasm/WasmSectionParser.cpp, could
> > CVE-2023-32435 be fixed for 2.38.6, please?
>
> Patching just that one file is what I would do if tasked with
> backporting this fix.

OK.

> That said, keep in mind that only 10-20% of our
> security vulnerabilities receive CVEs, so just patching CVEs is not
> sufficient to provide a secure version of WebKitGTK. The 2.38 branch is
> no longer secure and you should try upgrading to 2.42. (I would skip
> 2.40 at this point, since that branch will end next week when 2.42.0 is
> released.)

For the Yocto project which I am working on, packages (recipes) can NOT be updated with a major version upgrade on Yocto released products/branches. So we still have to fix such kinds of CVEs. But for the master branch, webkitgtk will be upgraded as soon as it is released.

Thanks a lot.
Kai

> Michael

___
webkit-gtk mailing list
webkit-gtk@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-gtk

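Added example (not part of the original messages and not WebKit project code): one way to carry out the "patch just that one file" approach discussed above is to split the upstream patch per file and keep only the sections whose target exists in the older tree, while listing what was dropped. The function names, the sample patch and its placeholder hunks are constructed for illustration; paths are assumed to contain no spaces.

```python
import re

WASM = "Source/JavaScriptCore/wasm/"
# The three paths named in the thread as touched by the upstream commit.
UPSTREAM_FILES = [WASM + "WasmAirIRGenerator64.cpp",
                  WASM + "WasmAirIRGeneratorBase.h",
                  WASM + "WasmSectionParser.cpp"]

def _section(path):
    # Constructed placeholder hunk; it is NOT the content of the real fix.
    return (f"diff --git a/{path} b/{path}\n--- a/{path}\n+++ b/{path}\n"
            "@@ -1,1 +1,1 @@\n-old placeholder line\n+new placeholder line\n")

SAMPLE_PATCH = ("Subject: [PATCH] placeholder\n\n"
                + "".join(_section(p) for p in UPSTREAM_FILES))

# Per the thread, only this one of the three files exists in 2.38.6.
# In a real checkout this set would come from `git ls-files`.
TREE_2_38 = {WASM + "WasmSectionParser.cpp"}

# Hunk lines start with '+', '-' or ' ', so only real file headers match.
DIFF_HEADER = re.compile(r"^diff --git a/(\S+) b/(\S+)$", re.M)

def split_patch(patch_text):
    """Return (preamble, [(target_path, section_text), ...])."""
    starts = list(DIFF_HEADER.finditer(patch_text))
    if not starts:
        return patch_text, []
    sections = []
    for i, m in enumerate(starts):
        end = starts[i + 1].start() if i + 1 < len(starts) else len(patch_text)
        sections.append((m.group(2), patch_text[m.start():end]))
    return patch_text[:starts[0].start()], sections

def filter_backport(patch_text, tree_files):
    """Keep sections whose target is in the older tree; report the rest."""
    preamble, sections = split_patch(patch_text)
    kept = [text for path, text in sections if path in tree_files]
    dropped = [path for path, _ in sections if path not in tree_files]
    return preamble + "".join(kept), dropped

if __name__ == "__main__":
    backport, dropped = filter_backport(SAMPLE_PATCH, TREE_2_38)
    print(backport)
    print("dropped, needs manual review:", dropped)
```

The dropped list is the part to review by hand: a file missing from the older branch does not by itself show that the logic it patches is missing there, since that code may live under a different file name.
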
[webkit-gtk] Fix CVE-2023-32435 for webkitgtk 2.38.6
Hi All,

CVE-2023-32435 has been fixed in webkitgtk 2.40.0. According to https://bugs.webkit.org/show_bug.cgi?id=251890, the commit is at https://github.com/WebKit/WebKit/commit/50c7aaec2f53ab3b960f1b299aad5009df6f1967 . It patches 3 files, but 2 of them are created/added in 2.40.0 and do NOT exist in 2.38.6:

* Source/JavaScriptCore/wasm/WasmAirIRGenerator64.cpp
* Source/JavaScriptCore/wasm/WasmAirIRGeneratorBase.h

My question is

1. Is webkitgtk 2.38.6 vulnerable to CVE-2023-32435?
2. If YES, how to deal with the patches for the 2 new files? If just ignore and only patch file Source/JavaScriptCore/wasm/WasmSectionParser.cpp, could CVE-2023-32435 be fixed for 2.38.6, please?

Regards,
Kai

Re: [webkit-gtk] Webkit bugzilla ID access
Hi Michael,

Thanks a lot!

Kai

On Wed, Aug 30, 2023 at 11:42 PM Michael Catanzaro wrote:

> Hi, see: https://commits.webkit.org/260455@main

Re: [webkit-gtk] Webkit bugzilla ID access
Hi Michael,

Would you like to share the fix commit of CVE-2023-23529, please? It is handled by https://bugs.webkit.org/show_bug.cgi?id=251944 which is still not public.

Sorry for the duplicate email; the previous one was rejected by the mailing list.

Thanks,
Kai

On Wed, May 31, 2023 at 10:17 PM Michael Catanzaro wrote:

> Hi, the bugs are private. I can give you the mappings between bug ID
> and fix commit, though:
>
> 248266 - https://commits.webkit.org/258113@main
> 245521 - https://commits.webkit.org/256215@main
> 245466 - https://commits.webkit.org/255368@main
> 247420 - https://commits.webkit.org/256519@main
> 246669 - https://commits.webkit.org/255960@main
> 248615 - https://commits.webkit.org/262352@main
> 250837 - https://commits.webkit.org/260006@main
>
> That said, I don't generally recommend backporting fixes yourself
> because (a) it can become pretty difficult as time goes on, and (b)
> only a tiny fraction of security fixes receive CVE identifiers (maybe
> around 5%). So I highly recommend upgrading to WebKitGTK 2.40.2.
> WebKitGTK maintains API and ABI stability to the greatest extent
> possible in order to encourage safe updates.
>
> Michael

Re: [webkit-gtk] How to fix CVEs of webkitgtk 2.36.x
On Wed, Mar 22, 2023 at 7:01 PM Michael Catanzaro wrote:

> On Wed, Mar 22 2023 at 11:26:56 AM +0200, Adrian Perez de Castro wrote:
> > Recently advisories published by Apple include the Bugzilla issue
> > numbers (e.g. [1]), so with some work you can find out which commits
> > correspond to the fixes.
>
> It finally occurs to me that since Apple now publishes the bug
> information, we could start publishing revision information. We'd want
> to fix [1] first.

Hi Adrián and Michael,

Thanks. I'll try to do more searching for the existing CVEs.

> > WebKitGTK 2.38.x is backwards compatible with 2.36.x, you can safely
> > update without needing to change applications. In general, we always
> > keep the API and ABI backwards compatible.
>
> For avoidance of doubt, WebKitGTK 2.40.x is backwards-compatible as
> well and that will remain true indefinitely, as long as you continue to
> build the same API version [2]. Adrian might be planning one last
> 2.38.x release, but it's really time to move on to 2.40.
>
> On rare occasions, an upgrade might affect the behavior of particular
> API functionality within the same API version, but this is unusual and
> is avoided whenever possible. I don't think any APIs broke between 2.36
> and 2.40, so that shouldn't be a problem for you this time. The goal is
> for upgrades to be as safe as possible.

Great. Your comments will be powerful evidence to upgrade webkitgtk on the Yocto LTS release.

Thanks a lot.
Kai

> Michael
>
> [1] https://bugs.webkit.org/show_bug.cgi?id=249672
> [2] https://blogs.gnome.org/mcatanzaro/2023/03/21/webkitgtk-api-for-gtk-4-is-now-stable/

[webkit-gtk] How to fix CVEs of webkitgtk 2.36.x
Hi All,

I am working on the Yocto project. In the last LTS Yocto release the version of webkitgtk is 2.36.8. And there are more than 15 CVE issues for 2.36.8 till now. I checked the git log and the "WebKitGTK and WPE WebKit Security Advisory" pages, but I only got info on which CVE has been fixed in which version of webkitgtk. I can NOT get the exact info on which commit(s) fixed it. So is there anywhere, or some web page, to get the specific fix/patch for a CVE, please?

And the second question: is webkitgtk 2.38.x backward compatible with 2.36.8? I compared the header files between 2.36.8 and 2.38.4 and it seems no function was deleted and no interface changed for existing functions; only some functions are marked deprecated and some new functions added. Does that mean upgrading webkitgtk from 2.36.8 to 2.38.4 will not break applications which depend on it, please?

Thanks a lot.
Kai