[webkitgtk3/f19] Disable the SSLv3 to address the POODLE vulnerability
Tomas Popela
tpopela at fedoraproject.org
Tue Oct 21 08:43:04 UTC 2014
commit 2b77fd1e383de7a5a19597672f2b1b9ff9db9cb9
Author: Tomas Popela <tpopela at redhat.com>
Date: Tue Oct 21 10:30:52 2014 +0200
Disable the SSLv3 to address the POODLE vulnerability
webkitgtk-2.2.8-poodle.patch | 23 +++++++++++++++++++++++
webkitgtk3.spec | 7 ++++++-
2 files changed, 29 insertions(+), 1 deletions(-)
---
diff --git a/webkitgtk-2.2.8-poodle.patch b/webkitgtk-2.2.8-poodle.patch
new file mode 100644
index 0000000..c136202
--- /dev/null
+++ b/webkitgtk-2.2.8-poodle.patch
@@ -0,0 +1,23 @@
+diff -up webkitgtk-2.2.8/Source/WebKit2/gtk/MainGtk.cpp.poodle webkitgtk-2.2.8/Source/WebKit2/gtk/MainGtk.cpp
+--- webkitgtk-2.2.8/Source/WebKit2/gtk/MainGtk.cpp.poodle 2014-10-21 10:08:32.851222903 +0200
++++ webkitgtk-2.2.8/Source/WebKit2/gtk/MainGtk.cpp 2014-10-21 10:08:31.234199110 +0200
+@@ -26,7 +26,19 @@
+
+ #include "WebProcessMainGtk.h"
+
++#include <cstdlib>
++
+ int main(int argc, char** argv)
+ {
++ // Disable SSLv3 very early because it is practically impossible to safely
++ // use setenv() when multiple threads are running, as another thread calling
++ // getenv() could cause a crash, and many functions use getenv() internally.
++ // This workaround will stop working if glib-networking switches away from
++ // GnuTLS or simply stops parsing this variable. We intentionally do not
++ // overwrite this priority string if it's already set by the user.
++ // Keep this in sync with NetworkMainUnix.cpp.
++ // https://bugzilla.gnome.org/show_bug.cgi?id=738633
++ setenv("G_TLS_GNUTLS_PRIORITY", "NORMAL:%COMPAT:!VERS-SSL3.0", 0);
++
+ return WebKit::WebProcessMainGtk(argc, argv);
+ }
diff --git a/webkitgtk3.spec b/webkitgtk3.spec
index 128f47f..650a695 100644
--- a/webkitgtk3.spec
+++ b/webkitgtk3.spec
@@ -7,7 +7,7 @@
Name: webkitgtk3
Version: 2.0.4
-Release: 3%{?dist}
+Release: 4%{?dist}
Summary: GTK+ Web content engine library
Group: Development/Libraries
@@ -26,6 +26,7 @@ Patch3: webkitgtk-1.11.5-libatomic.patch
Patch4: webkit-1.11.90-double2intsPPC32.patch
Patch5: webkitgtk-2.0.4-ppc64_align.patch
Patch6: webkitgtk-2.0.4-cloop_fix.patch
+Patch7: webkitgtk-2.2.8-poodle.patch
BuildRequires: bison
BuildRequires: cairo-devel
@@ -103,6 +104,7 @@ This package contains developer documentation for %{name}.
%patch0 -p1 -b .nspluginwrapper
%patch1 -p1 -b .yarr
%patch2 -p1 -b .double2ints
+%patch7 -p1 -b .poodle
%ifarch ppc
%patch3 -p1 -b .libatomic
%endif
@@ -231,6 +233,9 @@ find $RPM_BUILD_ROOT%{_libdir} -name "*.la" -delete
%changelog
+* Tue Oct 21 2014 Tomas Popela <tpopela at redhat.com> - 2.0.4-3
+- Disable the SSLv3 to address the POODLE vulnerability
+
* Thu May 15 2014 Tomas Popela <tpopela at redhat.com> - 2.0.4-3
- Fix CLoop on s390x and ppc64
More information about the scm-commits
mailing list