[webkitgtk3/f19] Disable the SSLv3 to address the POODLE vulnerability

Tomas Popela tpopela at fedoraproject.org
Tue Oct 21 08:43:04 UTC 2014 

commit 2b77fd1e383de7a5a19597672f2b1b9ff9db9cb9
Author: Tomas Popela <tpopela at redhat.com>
Date:   Tue Oct 21 10:30:52 2014 +0200

    Disable the SSLv3 to address the POODLE vulnerability

 webkitgtk-2.2.8-poodle.patch |   23 +++++++++++++++++++++++
 webkitgtk3.spec              |    7 ++++++-
 2 files changed, 29 insertions(+), 1 deletions(-)
---
diff --git a/webkitgtk-2.2.8-poodle.patch b/webkitgtk-2.2.8-poodle.patch
new file mode 100644
index 0000000..c136202
--- /dev/null
+++ b/webkitgtk-2.2.8-poodle.patch
@@ -0,0 +1,23 @@
+diff -up webkitgtk-2.2.8/Source/WebKit2/gtk/MainGtk.cpp.poodle webkitgtk-2.2.8/Source/WebKit2/gtk/MainGtk.cpp
+--- webkitgtk-2.2.8/Source/WebKit2/gtk/MainGtk.cpp.poodle	2014-10-21 10:08:32.851222903 +0200
++++ webkitgtk-2.2.8/Source/WebKit2/gtk/MainGtk.cpp	2014-10-21 10:08:31.234199110 +0200
+@@ -26,7 +26,19 @@
+ 
+ #include "WebProcessMainGtk.h"
+ 
++#include <cstdlib>
++
+ int main(int argc, char** argv)
+ {
++    // Disable SSLv3 very early because it is practically impossible to safely
++    // use setenv() when multiple threads are running, as another thread calling
++    // getenv() could cause a crash, and many functions use getenv() internally.
++    // This workaround will stop working if glib-networking switches away from
++    // GnuTLS or simply stops parsing this variable. We intentionally do not
++    // overwrite this priority string if it's already set by the user.
++    // Keep this in sync with NetworkMainUnix.cpp.
++    // https://bugzilla.gnome.org/show_bug.cgi?id=738633
++    setenv("G_TLS_GNUTLS_PRIORITY", "NORMAL:%COMPAT:!VERS-SSL3.0", 0);
++
+     return WebKit::WebProcessMainGtk(argc, argv);
+ }
diff --git a/webkitgtk3.spec b/webkitgtk3.spec
index 128f47f..650a695 100644
--- a/webkitgtk3.spec
+++ b/webkitgtk3.spec
@@ -7,7 +7,7 @@
 
 Name:           webkitgtk3
 Version:        2.0.4
-Release:        3%{?dist}
+Release:        4%{?dist}
 Summary:        GTK+ Web content engine library
 
 Group:          Development/Libraries
@@ -26,6 +26,7 @@ Patch3:         webkitgtk-1.11.5-libatomic.patch
 Patch4:         webkit-1.11.90-double2intsPPC32.patch
 Patch5:         webkitgtk-2.0.4-ppc64_align.patch
 Patch6:         webkitgtk-2.0.4-cloop_fix.patch
+Patch7:         webkitgtk-2.2.8-poodle.patch
 
 BuildRequires:  bison
 BuildRequires:  cairo-devel
@@ -103,6 +104,7 @@ This package contains developer documentation for %{name}.
 %patch0 -p1 -b .nspluginwrapper
 %patch1 -p1 -b .yarr
 %patch2 -p1 -b .double2ints
+%patch7 -p1 -b .poodle
 %ifarch ppc
 %patch3 -p1 -b .libatomic
 %endif
@@ -231,6 +233,9 @@ find $RPM_BUILD_ROOT%{_libdir} -name "*.la" -delete
 
 
 %changelog
+* Tue Oct 21 2014 Tomas Popela <tpopela at redhat.com> - 2.0.4-3
+- Disable the SSLv3 to address the POODLE vulnerability
+
 * Thu May 15 2014 Tomas Popela <tpopela at redhat.com> - 2.0.4-3
 - Fix CLoop on s390x and ppc64

More information about the scm-commits mailing list