[webkitgtk4] Disable the SSLv3 to address the POODLE vulnerability
Tomas Popela
tpopela at fedoraproject.org
Tue Oct 21 08:43:11 UTC 2014
commit b01709ffd3eab52d08f9d711b39e4bffd365517f
Author: Tomas Popela <tpopela at redhat.com>
Date: Tue Oct 21 10:36:22 2014 +0200
Disable the SSLv3 to address the POODLE vulnerability
webkitgtk-2.6.1-poodle.patch | 52 ++++++++++++++++++++++++++++++++++++++++++
webkitgtk4.spec | 7 +++++-
2 files changed, 58 insertions(+), 1 deletions(-)
---
diff --git a/webkitgtk-2.6.1-poodle.patch b/webkitgtk-2.6.1-poodle.patch
new file mode 100644
index 0000000..e100b0b
--- /dev/null
+++ b/webkitgtk-2.6.1-poodle.patch
@@ -0,0 +1,52 @@
+diff --git a/Source/WebKit2/NetworkProcess/EntryPoint/unix/NetworkProcessMain.cpp b/Source/WebKit2/NetworkProcess/EntryPoint/unix/NetworkProcessMain.cpp
+index 8d4287b3713ee93c0db80d178089112e1589e53b..c42baa8e94e16d8e8e97ae256d9a2496f144f958 100644
+--- a/Source/WebKit2/NetworkProcess/EntryPoint/unix/NetworkProcessMain.cpp
++++ b/Source/WebKit2/NetworkProcess/EntryPoint/unix/NetworkProcessMain.cpp
+@@ -25,9 +25,21 @@
+
+ #include "NetworkProcessMainUnix.h"
+
++#include <cstdlib>
++
+ using namespace WebKit;
+
+ int main(int argc, char** argv)
+ {
++ // Disable SSLv3 very early because it is practically impossible to safely
++ // use setenv() when multiple threads are running, as another thread calling
++ // getenv() could cause a crash, and many functions use getenv() internally.
++ // This workaround will stop working if glib-networking switches away from
++ // GnuTLS or simply stops parsing this variable. We intentionally do not
++ // overwrite this priority string if it's already set by the user.
++ // Keep this in sync with WebProcessMain.cpp.
++ // https://bugzilla.gnome.org/show_bug.cgi?id=738633
++ setenv("G_TLS_GNUTLS_PRIORITY", "NORMAL:%COMPAT:!VERS-SSL3.0", 0);
++
+ return NetworkProcessMainUnix(argc, argv);
+ }
+diff --git a/Source/WebKit2/WebProcess/EntryPoint/unix/WebProcessMain.cpp b/Source/WebKit2/WebProcess/EntryPoint/unix/WebProcessMain.cpp
+index 6c637fd237c3d75a5332d1e190cbc9e8226cbcae..260620a766911a8162cbb10717aa137cba3a9271 100644
+--- a/Source/WebKit2/WebProcess/EntryPoint/unix/WebProcessMain.cpp
++++ b/Source/WebKit2/WebProcess/EntryPoint/unix/WebProcessMain.cpp
+@@ -25,9 +25,21 @@
+
+ #include "WebProcessMainUnix.h"
+
++#include <cstdlib>
++
+ using namespace WebKit;
+
+ int main(int argc, char** argv)
+ {
++ // Disable SSLv3 very early because it is practically impossible to safely
++ // use setenv() when multiple threads are running, as another thread calling
++ // getenv() could cause a crash, and many functions use getenv() internally.
++ // This workaround will stop working if glib-networking switches away from
++ // GnuTLS or simply stops parsing this variable. We intentionally do not
++ // overwrite this priority string if it's already set by the user.
++ // Keep this in sync with NetworkProcessMain.cpp.
++ // https://bugzilla.gnome.org/show_bug.cgi?id=738633
++ setenv("G_TLS_GNUTLS_PRIORITY", "NORMAL:%COMPAT:!VERS-SSL3.0", 0);
++
+ return WebProcessMainUnix(argc, argv);
+ }
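Review bot: The return value of `setenv("G_TLS_GNUTLS_PRIORITY", "NORMAL:%COMPAT:!VERS-SSL3.0", 0);` is discarded, so if setenv() fails (it returns -1 with errno set, e.g. on allocation failure) the process carries on with SSLv3 still negotiable and nothing records that the mitigation was not applied; the same applies to the identical line in the WebProcessMain.cpp hunk below. For a security workaround it is worth at least logging the failure, e.g. `if (setenv("G_TLS_GNUTLS_PRIORITY", "NORMAL:%COMPAT:!VERS-SSL3.0", 0) != 0)` followed by `    perror("setenv(G_TLS_GNUTLS_PRIORITY)");` (with `<cstdio>` included alongside `<cstdlib>`). The overwrite=0 argument also means an inherited G_TLS_GNUTLS_PRIORITY that does not itself exclude VERS-SSL3.0 leaves the protection off; the comment states this is intentional, but it would help deployers to add a sentence such as `// Deployments that set G_TLS_GNUTLS_PRIORITY themselves must include !VERS-SSL3.0 to keep this mitigation.` Note too that setenv() is a POSIX function rather than part of `<cstdlib>` proper, which is fine for these unix entry points but should not be copied to non-POSIX ports.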
diff --git a/webkitgtk4.spec b/webkitgtk4.spec
index ad71b23..3e22b49 100644
--- a/webkitgtk4.spec
+++ b/webkitgtk4.spec
@@ -7,7 +7,7 @@
Name: webkitgtk4
Version: 2.6.1
-Release: 1%{?dist}
+Release: 2%{?dist}
Summary: GTK+ Web content engine library
License: LGPLv2
@@ -17,6 +17,7 @@ Source0: http://webkitgtk.org/releases/webkitgtk-%{version}.tar.xz
Patch0: webkit-1.1.14-nspluginwrapper.patch
Patch2: webkitgtk-2.5.90-cloop_fix.patch
Patch3: webkitgtk-2.5.2-commit_align.patch
+Patch4: webkitgtk-2.6.1-poodle.patch
BuildRequires: at-spi2-core-devel
BuildRequires: bison
@@ -79,6 +80,7 @@ files for developing applications that use %{name}.
%setup -q -n webkitgtk-%{version}
%patch0 -p1 -b .nspluginwrapper
%patch2 -p1 -b .cloop_fix
+%patch4 -p1 -b .poodle
%ifarch %{power64} aarch64 ppc
%patch3 -p1 -b .commit_align
%endif
@@ -163,6 +165,9 @@ make %{?_smp_mflags} -C %{_target_platform}
%{_datadir}/gir-1.0/WebKit2WebExtension-4.0.gir
%changelog
+* Tue Oct 21 2014 Tomas Popela <tpopela at redhat.com> - 2.6.1-2
+- Disable the SSLv3 to address the POODLE vulnerability
+
* Tue Oct 14 2014 Tomas Popela <tpopela at redhat.com> - 2.6.1-1
- Update to 2.6.1