[webkitgtk4/f21] Disable the SSLv3 to address the POODLE vulnerability

Tomas Popela tpopela at fedoraproject.org
Tue Oct 21 08:43:34 UTC 2014


commit fd05532f6cfff447033908bb81a88827708aa12c
Author: Tomas Popela <tpopela at redhat.com>
Date:   Tue Oct 21 10:36:22 2014 +0200

    Disable the SSLv3 to address the POODLE vulnerability

 webkitgtk-2.6.1-poodle.patch |   52 ++++++++++++++++++++++++++++++++++++++++++
 webkitgtk4.spec              |    7 +++++-
 2 files changed, 58 insertions(+), 1 deletions(-)
---
diff --git a/webkitgtk-2.6.1-poodle.patch b/webkitgtk-2.6.1-poodle.patch
new file mode 100644
index 0000000..e100b0b
--- /dev/null
+++ b/webkitgtk-2.6.1-poodle.patch
@@ -0,0 +1,52 @@
+diff --git a/Source/WebKit2/NetworkProcess/EntryPoint/unix/NetworkProcessMain.cpp b/Source/WebKit2/NetworkProcess/EntryPoint/unix/NetworkProcessMain.cpp
+index 8d4287b3713ee93c0db80d178089112e1589e53b..c42baa8e94e16d8e8e97ae256d9a2496f144f958 100644
+--- a/Source/WebKit2/NetworkProcess/EntryPoint/unix/NetworkProcessMain.cpp
++++ b/Source/WebKit2/NetworkProcess/EntryPoint/unix/NetworkProcessMain.cpp
+@@ -25,9 +25,21 @@
+ 
+ #include "NetworkProcessMainUnix.h"
+ 
++#include <cstdlib>
++
+ using namespace WebKit;
+ 
+ int main(int argc, char** argv)
+ {
++    // Disable SSLv3 very early because it is practically impossible to safely
++    // use setenv() when multiple threads are running, as another thread calling
++    // getenv() could cause a crash, and many functions use getenv() internally.
++    // This workaround will stop working if glib-networking switches away from
++    // GnuTLS or simply stops parsing this variable. We intentionally do not
++    // overwrite this priority string if it's already set by the user.
++    // Keep this in sync with WebProcessMain.cpp.
++    // https://bugzilla.gnome.org/show_bug.cgi?id=738633
++    setenv("G_TLS_GNUTLS_PRIORITY", "NORMAL:%COMPAT:!VERS-SSL3.0", 0);
++
+     return NetworkProcessMainUnix(argc, argv);
+ }
+diff --git a/Source/WebKit2/WebProcess/EntryPoint/unix/WebProcessMain.cpp b/Source/WebKit2/WebProcess/EntryPoint/unix/WebProcessMain.cpp
+index 6c637fd237c3d75a5332d1e190cbc9e8226cbcae..260620a766911a8162cbb10717aa137cba3a9271 100644
+--- a/Source/WebKit2/WebProcess/EntryPoint/unix/WebProcessMain.cpp
++++ b/Source/WebKit2/WebProcess/EntryPoint/unix/WebProcessMain.cpp
+@@ -25,9 +25,21 @@
+ 
+ #include "WebProcessMainUnix.h"
+ 
++#include <cstdlib>
++
+ using namespace WebKit;
+ 
+ int main(int argc, char** argv)
+ {
++    // Disable SSLv3 very early because it is practically impossible to safely
++    // use setenv() when multiple threads are running, as another thread calling
++    // getenv() could cause a crash, and many functions use getenv() internally.
++    // This workaround will stop working if glib-networking switches away from
++    // GnuTLS or simply stops parsing this variable. We intentionally do not
++    // overwrite this priority string if it's already set by the user.
++    // Keep this in sync with NetworkProcessMain.cpp.
++    // https://bugzilla.gnome.org/show_bug.cgi?id=738633
++    setenv("G_TLS_GNUTLS_PRIORITY", "NORMAL:%COMPAT:!VERS-SSL3.0", 0);
++
+     return WebProcessMainUnix(argc, argv);
+ }
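Review bot: setenv() is called with overwrite=0 in both entry points, so an already-exported G_TLS_GNUTLS_PRIORITY is honoured as-is and a user or launcher that exports a priority string without `!VERS-SSL3.0` keeps SSLv3 enabled in the network and web processes; the patch comment says this is intentional, but from a packaging standpoint it deserves a sentence in the changelog or package notes so that administrators know the mitigation can be overridden by environment. The `%COMPAT` keyword in `"NORMAL:%COMPAT:!VERS-SSL3.0"` also enables GnuTLS interoperability workarounds that are unrelated to removing SSLv3; if upstream kept it for broken-server compatibility that is fine, but it should be stated, since `NORMAL:!VERS-SSL3.0` alone would express the security intent more narrowly.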
diff --git a/webkitgtk4.spec b/webkitgtk4.spec
index 9a96dc2..d1558a9 100644
--- a/webkitgtk4.spec
+++ b/webkitgtk4.spec
@@ -7,7 +7,7 @@
 
 Name:           webkitgtk4
 Version:        2.6.1
-Release:        1%{?dist}
+Release:        2%{?dist}
 Summary:        GTK+ Web content engine library
 
 License:        LGPLv2
@@ -17,6 +17,7 @@ Source0:        http://webkitgtk.org/releases/webkitgtk-%{version}.tar.xz
 Patch0:         webkit-1.1.14-nspluginwrapper.patch
 Patch2:         webkitgtk-2.5.90-cloop_fix.patch
 Patch3:         webkitgtk-2.5.2-commit_align.patch
+Patch4:         webkitgtk-2.6.1-poodle.patch
 
 BuildRequires:  at-spi2-core-devel
 BuildRequires:  bison
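Review bot: `Patch4:` carries no pointer to where it came from; since the patch body cites https://bugzilla.gnome.org/show_bug.cgi?id=738633, adding a one-line `# https://bugzilla.gnome.org/show_bug.cgi?id=738633` comment above `Patch4:` records the upstream status and makes it obvious when the patch can be dropped on rebase to a release that already contains the fix.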
@@ -79,6 +80,7 @@ files for developing applications that use %{name}.
 %setup -q -n webkitgtk-%{version}
 %patch0 -p1 -b .nspluginwrapper
 %patch2 -p1 -b .cloop_fix
+%patch4 -p1 -b .poodle
 %ifarch %{power64} aarch64 ppc
 %patch3 -p1 -b .commit_align
 %endif
@@ -163,6 +165,9 @@ make %{?_smp_mflags} -C %{_target_platform}
 %{_datadir}/gir-1.0/WebKit2WebExtension-4.0.gir
 
 %changelog
+* Tue Oct 21 2014 Tomas Popela <tpopela at redhat.com> - 2.6.1-2
+- Disable the SSLv3 to address the POODLE vulnerability
+
 * Tue Oct 14 2014 Tomas Popela <tpopela at redhat.com> - 2.6.1-1
 - Update to 2.6.1
 
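Review bot: the changelog entry names POODLE but gives neither the CVE identifier assigned to it nor the upstream bug the patch references, which is what downstream tooling and users scanning for the fix look for; suggest `- Disable SSLv3 to address the POODLE vulnerability (CVE id, upstream https://bugzilla.gnome.org/show_bug.cgi?id=738633)` with the actual CVE number filled in.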

