[webkitgtk3/f20-gnome-3-12] Disable the SSLv3 to address the POODLE vulnerability

Tomas Popela tpopela at fedoraproject.org
Tue Oct 21 08:48:03 UTC 2014


commit a8ba36193d2d6409a956a2b282a0920efb266719
Author: Tomas Popela <tpopela at redhat.com>
Date:   Tue Oct 21 10:47:58 2014 +0200

    Disable the SSLv3 to address the POODLE vulnerability

 webkitgtk-2.4.6-poodle.patch |   47 ++++++++++++++++++++++++++++++++++++++++++
 webkitgtk3.spec              |    7 +++++-
 2 files changed, 53 insertions(+), 1 deletions(-)
---
diff --git a/webkitgtk-2.4.6-poodle.patch b/webkitgtk-2.4.6-poodle.patch
new file mode 100644
index 0000000..2404f6f
--- /dev/null
+++ b/webkitgtk-2.4.6-poodle.patch
@@ -0,0 +1,47 @@
+diff -up webkitgtk-2.4.6/Source/WebKit2/gtk/MainGtk.cpp.poodle webkitgtk-2.4.6/Source/WebKit2/gtk/MainGtk.cpp
+--- webkitgtk-2.4.6/Source/WebKit2/gtk/MainGtk.cpp.poodle	2014-10-21 10:08:32.851222903 +0200
++++ webkitgtk-2.4.6/Source/WebKit2/gtk/MainGtk.cpp	2014-10-21 10:08:31.234199110 +0200
+@@ -26,7 +26,19 @@
+ 
+ #include "WebProcessMainGtk.h"
+ 
++#include <cstdlib>
++
+ int main(int argc, char** argv)
+ {
++    // Disable SSLv3 very early because it is practically impossible to safely
++    // use setenv() when multiple threads are running, as another thread calling
++    // getenv() could cause a crash, and many functions use getenv() internally.
++    // This workaround will stop working if glib-networking switches away from
++    // GnuTLS or simply stops parsing this variable. We intentionally do not
++    // overwrite this priority string if it's already set by the user.
++    // Keep this in sync with NetworkMainUnix.cpp.
++    // https://bugzilla.gnome.org/show_bug.cgi?id=738633
++    setenv("G_TLS_GNUTLS_PRIORITY", "NORMAL:%COMPAT:!VERS-SSL3.0", 0);
++
+     return WebKit::WebProcessMainGtk(argc, argv);
+ }
+diff -up webkitgtk-2.4.6/Source/WebKit2/unix/NetworkMainUnix.cpp.poodle webkitgtk-2.4.6/Source/WebKit2/unix/NetworkMainUnix.cpp
+--- webkitgtk-2.4.6/Source/WebKit2/unix/NetworkMainUnix.cpp.poodle	2014-10-21 10:03:39.622908372 +0200
++++ webkitgtk-2.4.6/Source/WebKit2/unix/NetworkMainUnix.cpp	2014-10-21 10:07:38.017416084 +0200
+@@ -30,8 +30,20 @@
+ 
+ #include "NetworkProcessMainUnix.h"
+ 
++#include <cstdlib>
++
+ int main(int argc, char** argv)
+ {
++    // Disable SSLv3 very early because it is practically impossible to safely
++    // use setenv() when multiple threads are running, as another thread calling
++    // getenv() could cause a crash, and many functions use getenv() internally.
++    // This workaround will stop working if glib-networking switches away from
++    // GnuTLS or simply stops parsing this variable. We intentionally do not
++    // overwrite this priority string if it's already set by the user.
++    // Keep this in sync with MainGtk.cpp.
++    // https://bugzilla.gnome.org/show_bug.cgi?id=738633
++    setenv("G_TLS_GNUTLS_PRIORITY", "NORMAL:%COMPAT:!VERS-SSL3.0", 0);
++
+     return WebKit::NetworkProcessMain(argc, argv);
+ }
+ 
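Review bot: the priority override is installed only in the two WebKit2 process entry points touched here (Source/WebKit2/gtk/MainGtk.cpp and Source/WebKit2/unix/NetworkMainUnix.cpp), so please confirm that nothing else built from this package negotiates TLS from another process, because such a connection would still accept SSLv3 unless G_TLS_GNUTLS_PRIORITY happens to be set in its environment. Since setenv() is called with overwrite=0 (as the comment intends), an already-exported G_TLS_GNUTLS_PRIORITY that lacks `!VERS-SSL3.0` also keeps SSLv3 enabled; that is a deliberate escape hatch and worth a line in the spec changelog so the behaviour is documented downstream. The two identical comment-plus-setenv blocks, each carrying a "Keep this in sync" reminder, could live in one small shared inline header included by both main() files, which removes the risk of the copies drifting apart on the next rebase.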
diff --git a/webkitgtk3.spec b/webkitgtk3.spec
index f0f0aeb..a531b5a 100644
--- a/webkitgtk3.spec
+++ b/webkitgtk3.spec
@@ -7,7 +7,7 @@
 
 Name:           webkitgtk3
 Version:        2.4.6
-Release:        1%{?dist}
+Release:        2%{?dist}
 Summary:        GTK+ Web content engine library
 
 Group:          Development/Libraries
@@ -21,6 +21,7 @@ Patch1:         webkitgtk-aarch64.patch
 Patch2:         webkitgtk-2.4.1-cloop_fix.patch
 Patch3:         webkitgtk-2.4.5-cloop_fix_32.patch
 Patch4:         webkitgtk-2.4.1-ppc64_align.patch
+Patch5:         webkitgtk-2.4.6-poodle.patch
 
 BuildRequires:  at-spi2-core-devel
 BuildRequires:  bison
@@ -99,6 +100,7 @@ This package contains developer documentation for %{name}.
 %patch0 -p1 -b .nspluginwrapper
 %patch1 -p1 -b .aarch64
 %patch2 -p1 -b .cloop_fix
+%patch5 -p1 -b .poodle
 %ifarch ppc s390
 %patch3 -p1 -b .cloop_fix_32
 %endif
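Review bot: `%patch5 -p1 -b .poodle` is applied before the arch-conditional `%patch3`, so the application order no longer matches the Patch numbering. Moving the line after the `%endif` keeps the order numerical and makes future rebases of the patch set easier to follow.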
@@ -228,6 +230,9 @@ find $RPM_BUILD_ROOT%{_libdir} -name "*.la" -delete
 %{_datadir}/gtk-doc/html/webkitdomgtk
 
 %changelog
+* Tue Oct 21 2014 Tomas Popela <tpopela at redhat.com> - 2.4.6-2
+- Disable the SSLv3 to address the POODLE vulnerability
+
 * Thu Oct 02 2014 Kalev Lember <kalevlember at gmail.com> - 2.4.6-1
 - Update to 2.4.6
 
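Review bot: the changelog entry "Disable the SSLv3 to address the POODLE vulnerability" should drop the article ("Disable SSLv3"), and it would help downstream readers if it also cited the upstream bug referenced in the patch (https://bugzilla.gnome.org/show_bug.cgi?id=738633), since the changelog is the only place a user of the built package sees the rationale.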