From: André A. Gomes
To: 64366@debbugs.gnu.org
Subject: [bug#64366] [PATCH]: Update webkitgtk to 2.40.3
Date: Fri, 30 Jun 2023 17:55:02 +0300
Message-ID: <878rc1atkp.fsf@gmail.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=-=-="

--=-=-=
Content-Type: text/plain; charset=utf-8

Hello Guix,

We should update webkitgtk ASAP since the vulnerability below has been found. Find the patch attached. I didn't build it locally since my machine isn't powerful enough.

CVE-2023-32439

    Versions affected: WebKitGTK and WPE WebKit before 2.40.3.
    Credit to an anonymous researcher.
    Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
    Description: A type confusion issue was addressed with improved checks.

Thanks.

-- 
André A. Gomes
"You cannot even find the ruins..."

--=-=-= Content-Type: text/x-patch Content-Disposition: attachment; filename=0001-gnu-webkitgtk-Update-to-2.40.3.patch >From 2c8928ca83695947cc506b92b3aa65112b497278 Mon Sep 17 00:00:00 2001 From: "Andre A. Gomes" Date: Fri, 30 Jun 2023 17:51:52 +0300 Subject: [PATCH] gnu: webkitgtk: Update to 2.40.3. * gnu/packages/webkit.scm (webkitgtk): Update to 2.40.3. --- gnu/packages/webkit.scm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/gnu/packages/webkit.scm b/gnu/packages/webkit.scm index 5ab93ad9eb..44c29b1446 100644 --- a/gnu/packages/webkit.scm +++ b/gnu/packages/webkit.scm @@ -127,13 +127,13 @@ (define-public wpebackend-fdo (define-public webkitgtk (package (name "webkitgtk") ; webkit2gtk4 - (version "2.40.2") + (version "2.40.3") (source (origin (method url-fetch) (uri (string-append "https://www.webkitgtk.org/releases/" name "-" version ".tar.xz")) (sha256 - (base32 "0070fy5crf7kngy49wz5bqwvp8z9rmnq2cm6wxp41nllv5q8i2cn")) + (base32 "1pcqa3xng8w9bywzqk2jpyfjmgplbawccbp4d8f4rinv80zsh2nc")) (patches (search-patches "webkitgtk-adjust-bubblewrap-paths.patch")))) (build-system cmake-build-system) -- 2.40.1 --=-=-=--
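
Review bot: the new `(base32 "1pcqa3xng8w9bywzqk2jpyfjmgplbawccbp4d8f4rinv80zsh2nc")` value on the `sha256` line has not been exercised, since the cover message says the package was not built locally. Before applying, fetch the 2.40.3 tarball from the `uri` in the origin with `guix download`, compare the printed hash with this value, and run `guix build webkitgtk` to confirm that `webkitgtk-adjust-bubblewrap-paths.patch` still applies. The commit log should also name the fix, for example `Update to 2.40.3 [fixes CVE-2023-32439].`, so the security nature of the bump is visible in the history. The advisory quoted in the cover message covers WPE WebKit before 2.40.3 as well, while the diffstat shows only the two `webkitgtk` lines changing; if this file defines a WPE WebKit package with its own version and hash, it needs the same update.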