[webkitgtk3/f20] Disable the SSLv3 to address the POODLE vulnerability

Tomas Popela tpopela at fedoraproject.org
Tue Oct 21 08:42:43 UTC 2014 

commit a77685804410e5438c284ce7373a21069f84c798
Author: Tomas Popela <tpopela at redhat.com>
Date:   Tue Oct 21 10:26:54 2014 +0200

    Disable the SSLv3 to address the POODLE vulnerability

 webkitgtk-2.2.8-poodle.patch |   23 +++++++++++++++++++++++
 webkitgtk3.spec              |    8 +++++++-
 2 files changed, 30 insertions(+), 1 deletions(-)
---
diff --git a/webkitgtk-2.2.8-poodle.patch b/webkitgtk-2.2.8-poodle.patch
new file mode 100644
index 0000000..c136202
--- /dev/null
+++ b/webkitgtk-2.2.8-poodle.patch
@@ -0,0 +1,23 @@
+diff -up webkitgtk-2.2.8/Source/WebKit2/gtk/MainGtk.cpp.poodle webkitgtk-2.2.8/Source/WebKit2/gtk/MainGtk.cpp
+--- webkitgtk-2.2.8/Source/WebKit2/gtk/MainGtk.cpp.poodle	2014-10-21 10:08:32.851222903 +0200
++++ webkitgtk-2.2.8/Source/WebKit2/gtk/MainGtk.cpp	2014-10-21 10:08:31.234199110 +0200
+@@ -26,7 +26,19 @@
+ 
+ #include "WebProcessMainGtk.h"
+ 
++#include <cstdlib>
++
+ int main(int argc, char** argv)
+ {
++    // Disable SSLv3 very early because it is practically impossible to safely
++    // use setenv() when multiple threads are running, as another thread calling
++    // getenv() could cause a crash, and many functions use getenv() internally.
++    // This workaround will stop working if glib-networking switches away from
++    // GnuTLS or simply stops parsing this variable. We intentionally do not
++    // overwrite this priority string if it's already set by the user.
++    // Keep this in sync with NetworkMainUnix.cpp.
++    // https://bugzilla.gnome.org/show_bug.cgi?id=738633
++    setenv("G_TLS_GNUTLS_PRIORITY", "NORMAL:%COMPAT:!VERS-SSL3.0", 0);
++
+     return WebKit::WebProcessMainGtk(argc, argv);
+ }
diff --git a/webkitgtk3.spec b/webkitgtk3.spec
index 16538fd..ba1ee36 100644
--- a/webkitgtk3.spec
+++ b/webkitgtk3.spec
@@ -7,7 +7,7 @@
 
 Name:           webkitgtk3
 Version:        2.2.8
-Release:        1%{?dist}
+Release:        2%{?dist}
 Summary:        GTK+ Web content engine library
 
 Group:          Development/Libraries
@@ -21,6 +21,8 @@ Patch0:         webkit-1.1.14-nspluginwrapper.patch
 Patch4:         webkit-2.1.90-double2intsPPC32.patch
 Patch5:         webkitgtk-2.2.7-cloop_fix.patch
 Patch6:         webkitgtk-2.2.7-ppc64_align.patch
+# https://bugs.webkit.org/show_bug.cgi?id=137859
+Patch7:         webkitgtk-2.2.8-poodle.patch
 
 BuildRequires:  at-spi2-core-devel
 BuildRequires:  bison
@@ -92,6 +94,7 @@ This package contains developer documentation for %{name}.
 %setup -qn "webkitgtk-%{version}"
 %patch0 -p1 -b .nspluginwrapper
 %patch5 -p1 -b .cloop_fix
+%patch7 -p1 -b .poodle
 %ifarch ppc s390
 %patch4 -p1 -b .double2intsPPC32
 %endif
@@ -217,6 +220,9 @@ find $RPM_BUILD_ROOT%{_libdir} -name "*.la" -delete
 
 
 %changelog
+* Tue Oct 21 2014 Tomas Popela <tpopela at redhat.com> - 2.2.8-2
+- Disable the SSLv3 to address the POODLE vulnerability
+
 * Wed Oct 01 2014 Tomas Popela <tpopela at redhat.com> - 2.2.8-1
 - Update to 2.2.8

More information about the scm-commits mailing list