Bug 1303944 - WebKit 1 is insecure, please stop using it
Summary: WebKit 1 is insecure, please stop using it
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: techtalk-pse   
(Show other bugs)
Version: 27
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Richard W.M. Jones
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Keywords: Reopened
: 1375824 (view as bug list)
Depends On: 1373410
Blocks: webkit1-removal
TreeView+ depends on / blocked
 
Reported: 2016-02-02 13:23 UTC by Christian Stadelmann
Modified: 2017-08-20 23:51 UTC (History)
4 users (show)

Fixed In Version: techtalk-pse-1.2.0-1.fc26 techtalk-pse-1.2.0-1.fc25
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-08-20 18:25:43 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

Description Christian Stadelmann 2016-02-02 13:23:29 UTC
Description of problem:
According to Michael Catanzaro, a developer of WebKitGtk, WebKit 1 Gtk bindings (in this case Gtk2 bindings through perl-Gtk2-WebKit) are missing many security updates and are discouraged to use [1]. For this reason techtalk-pse should stop using WebKit 1.

[1] https://blogs.gnome.org/mcatanzaro/2016/02/01/on-webkit-security-updates/

Version-Release number of selected component (if applicable):
1.1.0

How reproducible:
always

Comment 1 Richard W.M. Jones 2016-02-02 13:54:33 UTC
We have WebKit2 in Fedora?  I get no matches from a dnf search.

Comment 2 Christian Stadelmann 2016-02-02 14:41:25 UTC
Yes. It is packaged in webkitgtk4 which is WebKit 2 with Gtk3 bindings. There is no Gtk2 binding for WebKit 2 and probably never will be (see link above).

Comment 3 Jan Kurik 2016-02-24 14:23:29 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 24 development cycle.
Changing version to '24'.

More information and reason for this action is here:
https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora24#Rawhide_Rebase

Comment 4 Andrew Engelbrecht 2016-03-26 17:33:31 UTC
Specifically which packages/versions are affected in Fedora and RHEL?

Comment 5 Christian Stadelmann 2016-03-31 09:31:07 UTC
(In reply to Andrew Engelbrecht from comment #4)
> Specifically which packages/versions are affected in Fedora and RHEL?

I don't think I understand your question. Do you mean techtalk-pse packages or distribution packages?

For techtalk-pse, version 1.1.0-8.fc23 has a dependency on perl(Gtk2::WebKit) which is provided by perl-Gtk2-WebKit-0.09-13.fc23.x86_64 which in turn uses WebKit1. WebKit2 won't be ported to Gtk2, it is available only to Gtk3.

I haven't had the time to track down all Fedora packages using WebKit1 and file bugs against them yet.

Comment 6 Richard W.M. Jones 2016-09-06 08:00:46 UTC
(In reply to Christian Stadelmann from comment #2)
> Yes. It is packaged in webkitgtk4 which is WebKit 2 with Gtk3 bindings.
> There is no Gtk2 binding for WebKit 2 and probably never will be (see link
> above).

Is there a *Perl* binding for WebKit2 in Fedora?

Comment 7 Christian Stadelmann 2016-09-06 08:17:19 UTC
(In reply to Richard W.M. Jones from comment #6)
> (In reply to Christian Stadelmann from comment #2)
> > Yes. It is packaged in webkitgtk4 which is WebKit 2 with Gtk3 bindings.
> > There is no Gtk2 binding for WebKit 2 and probably never will be (see link
> > above).
> 
> Is there a *Perl* binding for WebKit2 in Fedora?

I only found perl-Gtk3-WebKit which is a Gtk3 binding for WebKit1.

I've filed bug #1373410 against perl-Gtk3-WebKit, which has to be ported to WebKit2 or be replaced by another package providing WebKit2 support.

Comment 8 Christian Stadelmann 2016-09-06 08:30:20 UTC
On the other hand, isn't perl-Glib-Object-Introspection enough to use WebKit2 with Gtk3? I'm not quite sure but on python, GObject-Introspection works for pretty much every core gnome library including WebKit{1,2}. Haven't tried on perl though.

Comment 9 Richard W.M. Jones 2016-09-14 09:36:33 UTC
*** Bug 1375824 has been marked as a duplicate of this bug. ***

Comment 10 Michael Catanzaro 2016-09-14 12:58:26 UTC
(In reply to Christian Stadelmann from comment #8)
> On the other hand, isn't perl-Glib-Object-Introspection enough to use
> WebKit2 with Gtk3? I'm not quite sure but on python, GObject-Introspection
> works for pretty much every core gnome library including WebKit{1,2}.
> Haven't tried on perl though.

Probably would work. gobject-introspection is certainly the expected way to use WebKitGTK+ from outside C/C++.

Comment 11 Fedora End Of Life 2017-07-25 19:53:01 UTC
This message is a reminder that Fedora 24 is nearing its end of life.
Approximately 2 (two) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 24. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora  'version'
of '24'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version'
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not
able to fix it before Fedora 24 is end of life. If you would still like
to see this bug fixed and are able to reproduce it against a later version
of Fedora, you are encouraged  change the 'version' to a later Fedora
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's
lifetime, sometimes those efforts are overtaken by events. Often a
more recent Fedora release includes newer upstream software that fixes
bugs or makes them obsolete.

Comment 12 Christian Stadelmann 2017-07-26 19:15:50 UTC
If this package is not being fixed soon, it will be removed from Fedora 27. See the tracking bug for details.

Comment 13 Richard W.M. Jones 2017-07-26 20:32:07 UTC
Sure, we're expecting it to be removed as it has had broken deps
for a long time.

Comment 14 Richard W.M. Jones 2017-08-09 12:04:11 UTC
Unexpectedly this is fixed in F25+ (techtalk-pse-1.2.0-1.fc25/26/27).

Comment 15 Fedora Update System 2017-08-12 01:27:58 UTC
techtalk-pse-1.2.0-1.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-cba3a638f7

Comment 16 Fedora Update System 2017-08-13 04:03:38 UTC
techtalk-pse-1.2.0-1.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-116dfaa369

Comment 17 Jan Kurik 2017-08-15 09:33:52 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 27 development cycle.
Changing version to '27'.

Comment 18 Fedora Update System 2017-08-20 18:25:43 UTC
techtalk-pse-1.2.0-1.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.

Comment 19 Fedora Update System 2017-08-20 23:51:46 UTC
techtalk-pse-1.2.0-1.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.