[webkitgtk3/f20] Disable the SSLv3 to address the POODLE vulnerability
Tomas Popela
tpopela at fedoraproject.org
Tue Oct 21 08:42:43 UTC 2014
commit a77685804410e5438c284ce7373a21069f84c798
Author: Tomas Popela <tpopela at redhat.com>
Date: Tue Oct 21 10:26:54 2014 +0200
Disable the SSLv3 to address the POODLE vulnerability
webkitgtk-2.2.8-poodle.patch | 23 +++++++++++++++++++++++
webkitgtk3.spec | 8 +++++++-
2 files changed, 30 insertions(+), 1 deletions(-)
---
diff --git a/webkitgtk-2.2.8-poodle.patch b/webkitgtk-2.2.8-poodle.patch
new file mode 100644
index 0000000..c136202
--- /dev/null
+++ b/webkitgtk-2.2.8-poodle.patch
@@ -0,0 +1,23 @@
+diff -up webkitgtk-2.2.8/Source/WebKit2/gtk/MainGtk.cpp.poodle webkitgtk-2.2.8/Source/WebKit2/gtk/MainGtk.cpp
+--- webkitgtk-2.2.8/Source/WebKit2/gtk/MainGtk.cpp.poodle 2014-10-21 10:08:32.851222903 +0200
++++ webkitgtk-2.2.8/Source/WebKit2/gtk/MainGtk.cpp 2014-10-21 10:08:31.234199110 +0200
+@@ -26,7 +26,19 @@
+
+ #include "WebProcessMainGtk.h"
+
++#include <cstdlib>
++
+ int main(int argc, char** argv)
+ {
++ // Disable SSLv3 very early because it is practically impossible to safely
++ // use setenv() when multiple threads are running, as another thread calling
++ // getenv() could cause a crash, and many functions use getenv() internally.
++ // This workaround will stop working if glib-networking switches away from
++ // GnuTLS or simply stops parsing this variable. We intentionally do not
++ // overwrite this priority string if it's already set by the user.
++ // Keep this in sync with NetworkMainUnix.cpp.
++ // https://bugzilla.gnome.org/show_bug.cgi?id=738633
++ setenv("G_TLS_GNUTLS_PRIORITY", "NORMAL:%COMPAT:!VERS-SSL3.0", 0);
++
+ return WebKit::WebProcessMainGtk(argc, argv);
+ }
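Review bot: the added comment in main() says "Keep this in sync with NetworkMainUnix.cpp", but this patch file only touches Source/WebKit2/gtk/MainGtk.cpp, so the package carries nothing to keep in sync with. Either apply the same setenv() call to that file in this patch or drop that comment line. Separately, setenv() is called with overwrite set to 0 and its return value is ignored. If G_TLS_GNUTLS_PRIORITY is already set in the environment without !VERS-SSL3.0, SSLv3 stays enabled. The comment marks that as intentional, but it makes this a default rather than an enforced setting, which is worth stating where users will read it.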
diff --git a/webkitgtk3.spec b/webkitgtk3.spec
index 16538fd..ba1ee36 100644
--- a/webkitgtk3.spec
+++ b/webkitgtk3.spec
@@ -7,7 +7,7 @@
Name: webkitgtk3
Version: 2.2.8
-Release: 1%{?dist}
+Release: 2%{?dist}
Summary: GTK+ Web content engine library
Group: Development/Libraries
@@ -21,6 +21,8 @@ Patch0: webkit-1.1.14-nspluginwrapper.patch
Patch4: webkit-2.1.90-double2intsPPC32.patch
Patch5: webkitgtk-2.2.7-cloop_fix.patch
Patch6: webkitgtk-2.2.7-ppc64_align.patch
+# https://bugs.webkit.org/show_bug.cgi?id=137859
+Patch7: webkitgtk-2.2.8-poodle.patch
BuildRequires: at-spi2-core-devel
BuildRequires: bison
@@ -92,6 +94,7 @@ This package contains developer documentation for %{name}.
%setup -qn "webkitgtk-%{version}"
%patch0 -p1 -b .nspluginwrapper
%patch5 -p1 -b .cloop_fix
+%patch7 -p1 -b .poodle
%ifarch ppc s390
%patch4 -p1 -b .double2intsPPC32
%endif
@@ -217,6 +220,9 @@ find $RPM_BUILD_ROOT%{_libdir} -name "*.la" -delete
%changelog
+* Tue Oct 21 2014 Tomas Popela <tpopela at redhat.com> - 2.2.8-2
+- Disable the SSLv3 to address the POODLE vulnerability
+
* Wed Oct 01 2014 Tomas Popela <tpopela at redhat.com> - 2.2.8-1
- Update to 2.2.8
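Review bot: the new %changelog entry for 2.2.8-2 names the vulnerability but carries no bug reference. Adding the WebKit bug already cited above Patch7 (https://bugs.webkit.org/show_bug.cgi?id=137859) would let someone reading the RPM changelog trace the change. It would also help to say that SSLv3 is disabled through the default G_TLS_GNUTLS_PRIORITY value, since a user-set value is left untouched.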