community/webkit2gtk: security upgrade to 2.32.4

while 2.32.4 upgrade itself does not fix anything, the versions between 2.32.0 and 2.32.4 fix quite a few CVEs
2026-05-05 20:36:40 +02:00 · 2021-09-17 20:45:26 -03:00 · 2021-09-17 20:45:26 -03:00 · f168ad374f
commit f168ad374f
parent f6accde870
4 changed files with 35 additions and 227 deletions
--- a/community/webkit2gtk/APKBUILD
+++ b/community/webkit2gtk/APKBUILD
@ -3,11 +3,12 @@
 # Contributor: Jiri Horner <laeqten@gmail.com>
 # Maintainer: Rasmus Thomsen <oss@cogitri.dev>
 pkgname=webkit2gtk
-pkgver=2.32.0
-pkgrel=1
+pkgver=2.32.4
+pkgrel=0
 pkgdesc="Portable web rendering engine WebKit for GTK+"
 url="https://webkitgtk.org/"
-arch="all !mips !mips64"
+# mips64 and riscv64 blocked by gst-plugins-bad
+arch="all !mips64 !riscv64"
 license="LGPL-2.0-or-later AND BSD-2-Clause"
 depends="bubblewrap xdg-dbus-proxy dbus:org.freedesktop.Secrets"
 makedepends="
@ -54,18 +55,30 @@ makedepends="
 replaces="webkit"
 options="!check" # upstream doesn't package them in release tarballs: Tools/Scripts/run-gtk-tests: Command not found
 subpackages="$pkgname-dev $pkgname-lang $pkgname-dbg"
-source="https://webkitgtk.org/releases/webkitgtk-$pkgver.tar.xz
-	musl-fixes.patch
-	musl-stack-fix.patch
-	musl-wordsize.patch
-	"
+source="https://webkitgtk.org/releases/webkitgtk-$pkgver.tar.xz"
 builddir="$srcdir/webkitgtk-$pkgver"

 # secfixes:
+#   2.32.3-r0:
+#     - CVE-2021-21775
+#     - CVE-2021-21779
+#     - CVE-2021-30663
+#     - CVE-2021-30665
+#     - CVE-2021-30689
+#     - CVE-2021-30720
+#     - CVE-2021-30734
+#     - CVE-2021-30744
+#     - CVE-2021-30749
+#     - CVE-2021-30795
+#     - CVE-2021-30797
+#     - CVE-2021-30799
+#   2.32.2-r0:
+#     - CVE-2021-30758
 #   2.32.0-r0:
 #     - CVE-2021-1788
 #     - CVE-2021-1844
 #     - CVE-2021-1871
+#     - CVE-2021-30682
 #   2.30.6-r0:
 #     - CVE-2020-27918
 #     - CVE-2020-29623
@ -74,16 +87,22 @@ builddir="$srcdir/webkitgtk-$pkgver"
 #     - CVE-2021-1799
 #     - CVE-2021-1801
 #     - CVE-2021-1870
+#     - CVE-2021-21806
 #   2.30.5-r0:
-#     - CVE-2020-13558
 #     - CVE-2020-9947
+#     - CVE-2020-13558
 #   2.30.3-r0:
+#     - CVE-2020-9983
 #     - CVE-2020-13543
 #     - CVE-2020-13584
-#     - CVE-2020-9983
 #   2.30.0-r0:
 #     - CVE-2020-9948
 #     - CVE-2020-9951
+#     - CVE-2021-1817
+#     - CVE-2021-1820
+#     - CVE-2021-1825
+#     - CVE-2021-1826
+#     - CVE-2021-30661
 #   2.28.4-r0:
 #     - CVE-2020-9862
 #     - CVE-2020-9893
@ -105,6 +124,7 @@ builddir="$srcdir/webkitgtk-$pkgver"
 #     - CVE-2020-11793
 #   2.28.0-r0:
 #     - CVE-2020-10018
+#     - CVE-2021-30762
 #   2.26.3-r0:
 #     - CVE-2019-8835
 #     - CVE-2019-8844
@ -131,6 +151,8 @@ builddir="$srcdir/webkitgtk-$pkgver"
 #     - CVE-2019-8771
 #     - CVE-2019-8782
 #     - CVE-2019-8815
+#     - CVE-2021-30666
+#     - CVE-2021-30761
 #   2.24.4-r0:
 #     - CVE-2019-8674
 #     - CVE-2019-8707
@ -254,7 +276,6 @@ package() {
 	DESTDIR="$pkgdir" ninja -C "$builddir"/build install
 }

-sha512sums="4832a4614be24481028ca8a6480a8e6cfacd8e22f5ba9f936703c09944550056f06f75ccf8fffa7dee3f5a1d11ab1870841407745be2e61ebad6557a0934db15  webkitgtk-2.32.0.tar.xz
-49512e1b7cdd101971795437d04448e59a0c532955c271694675d53bc80a32a8f4166e46942ed148185ac0ac6be07acae8083605f8fed7b1bb4b224afb089b5d  musl-fixes.patch
-b80bcf92618992350e225cd635b503f963a299c2a1f80f17c3b6dd232ac300c8e2dd96aecfdf0a4d7f3e1bd7ed38247460a3b6f9e5871add119301cbca65d596  musl-stack-fix.patch
-787ec4a7f8f005808e8fb8dc65cfcf676a5afbc8b9fbc40e203a155ed8da9b7d5cf7d559637e1d2738d5ff3af6764e8cd1af186f8bd946444f344a8be5ab5ad0  musl-wordsize.patch"
+sha512sums="
+c2d72850097da72a82faab0a1218b312668b88bc8b67fcd62f08368c71d46bc833e08b3e095eb286beeae59ee88ac74c8393caee8a4ec5a8e90e02425e43350b  webkitgtk-2.32.4.tar.xz
+"
--- a/community/webkit2gtk/musl-fixes.patch
+++ b/community/webkit2gtk/musl-fixes.patch
@ -1,80 +0,0 @@
-Upstream: yes
-
--- a/Source/JavaScriptCore/runtime/MachineContext.h
-+++ b/Source/JavaScriptCore/runtime/MachineContext.h
-@@ -196,7 +196,7 @@ static inline void*& stackPointerImpl(mcontext_t& machineContext)
- #error Unknown Architecture
- #endif
- 
-#elif OS(FUCHSIA) || defined(__GLIBC__) || defined(__BIONIC__)
-+#elif OS(FUCHSIA) || OS(LINUX)
- 
- #if CPU(X86)
-     return reinterpret_cast<void*&>((uintptr_t&) machineContext.gregs[REG_ESP]);
-@@ -347,7 +347,7 @@ static inline void*& framePointerImpl(mcontext_t& machineContext)
- #error Unknown Architecture
- #endif
- 
-#elif OS(FUCHSIA) || defined(__GLIBC__) || defined(__BIONIC__)
-+#elif OS(FUCHSIA) || OS(LINUX)
- 
- // The following sequence depends on glibc's sys/ucontext.h.
- #if CPU(X86)
-@@ -498,7 +498,7 @@ static inline void*& instructionPointerImpl(mcontext_t& machineContext)
- #error Unknown Architecture
- #endif
- 
-#elif OS(FUCHSIA) || defined(__GLIBC__) || defined(__BIONIC__)
-+#elif OS(FUCHSIA) || OS(LINUX)
- 
- // The following sequence depends on glibc's sys/ucontext.h.
- #if CPU(X86)
-@@ -656,7 +656,7 @@ inline void*& argumentPointer<1>(mcontext_t& machineContext)
- #error Unknown Architecture
- #endif
- 
-#elif OS(FUCHSIA) || defined(__GLIBC__) || defined(__BIONIC__)
-+#elif OS(FUCHSIA) || OS(LINUX)
- 
- // The following sequence depends on glibc's sys/ucontext.h.
- #if CPU(X86)
-@@ -773,7 +773,7 @@ inline void*& llintInstructionPointer(mcontext_t& machineContext)
- #error Unknown Architecture
- #endif
- 
-#elif OS(FUCHSIA) || defined(__GLIBC__) || defined(__BIONIC__)
-+#elif OS(FUCHSIA) || OS(LINUX)
- 
- // The following sequence depends on glibc's sys/ucontext.h.
- #if CPU(X86)
--- a/Source/WebCore/xml/XPathGrammar.cpp
-+++ b/Source/WebCore/xml/XPathGrammar.cpp
-@@ -966,7 +966,7 @@ int yydebug;
- #if YYERROR_VERBOSE
- 
- # ifndef yystrlen
-#  if defined __GLIBC__ && defined _STRING_H
-+#  if defined __linux__ && defined _STRING_H
- #   define yystrlen strlen
- #  else
- /* Return the length of YYSTR.  */
-@@ -989,7 +989,7 @@ yystrlen (yystr)
- # endif
- 
- # ifndef yystpcpy
-#  if defined __GLIBC__ && defined _STRING_H && defined _GNU_SOURCE
-+#  if defined __linux__ && defined _STRING_H && defined _GNU_SOURCE
- #   define yystpcpy stpcpy
- #  else
- /* Copy YYSRC to YYDEST, returning the address of the terminating '\0' in
--- a/Source/WTF/wtf/PlatformHave.h
-+++ b/Source/WTF/wtf/PlatformHave.h
-@@ -206,7 +206,7 @@
- #define HAVE_HOSTED_CORE_ANIMATION 1
- #endif
- 
-#if OS(DARWIN) || OS(FUCHSIA) || ((OS(FREEBSD) || defined(__GLIBC__) || defined(__BIONIC__)) && (CPU(X86) || CPU(X86_64) || CPU(ARM) || CPU(ARM64) || CPU(MIPS)))
-+#if OS(DARWIN) || OS(FUCHSIA) || ((OS(FREEBSD) || OS(LINUX)) && (CPU(X86) || CPU(X86_64) || CPU(ARM) || CPU(ARM64) || CPU(MIPS)))
- #define HAVE_MACHINE_CONTEXT 1
- #endif
- 
--- a/community/webkit2gtk/musl-stack-fix.patch
+++ b/community/webkit2gtk/musl-stack-fix.patch
@ -1,74 +0,0 @@
-https://bugs.webkit.org/show_bug.cgi?id=225099
-
-From ab7e2bfae280b151ac173d6fc9d8eaa3da2e92a8 Mon Sep 17 00:00:00 2001
-From: q66 <daniel@octaforge.org>
-Date: Tue, 27 Apr 2021 22:51:22 +0200
-Subject: [PATCH] fix stack size issues on musl
-
---
- Source/WTF/wtf/StackBounds.cpp | 26 +++++++++++++++++++++++++-
- Source/WTF/wtf/Threading.cpp   |  4 ++++
- 2 files changed, 29 insertions(+), 1 deletion(-)
-
-diff --git Source/WTF/wtf/StackBounds.cpp Source/WTF/wtf/StackBounds.cpp
-index e6f7095..58bdb18 100644
--- a/Source/WTF/wtf/StackBounds.cpp
-+++ b/Source/WTF/wtf/StackBounds.cpp
-@@ -36,6 +36,12 @@
- #include <pthread_np.h>
- #endif
- 
-+#if OS(LINUX)
-+#include <sys/resource.h>
-+#include <sys/syscall.h>
-+#include <unistd.h>
-+#endif
-+
- #endif
- 
- namespace WTF {
-@@ -107,7 +113,25 @@ StackBounds StackBounds::newThreadStackBounds(PlatformThreadHandle thread)
- 
- StackBounds StackBounds::currentThreadStackBoundsInternal()
- {
-    return newThreadStackBounds(pthread_self());
-+    auto ret = newThreadStackBounds(pthread_self());
-+#if OS(LINUX)
-+    // on glibc, pthread_attr_getstack will generally return the limit size (minus a guard page)
-+    // for the main thread; this is however not necessarily always true on every libc - for example
-+    // on musl, it will return the currently reserved size - since the stack bounds are expected to
-+    // be constant (and they are for every thread except main, which is allowed to grow), check
-+    // resource limits and use that as the boundary instead (and prevent stack overflows in JSC)
-+    if (getpid() == static_cast<pid_t>(syscall(SYS_gettid))) {
-+        void* origin = ret.origin();
-+        rlimit limit;
-+        getrlimit(RLIMIT_STACK, &limit);
-+        rlim_t size = limit.rlim_cur;
-+        // account for a guard page
-+        size -= static_cast<rlim_t>(sysconf(_SC_PAGESIZE));
-+        void* bound = static_cast<char*>(origin) - size;
-+        return StackBounds { origin, bound };
-+    }
-+#endif
-+    return ret;
- }
- 
- #elif OS(WINDOWS)
-diff --git Source/WTF/wtf/Threading.cpp Source/WTF/wtf/Threading.cpp
-index 99d09c0..362bf35 100644
--- a/Source/WTF/wtf/Threading.cpp
-+++ b/Source/WTF/wtf/Threading.cpp
-@@ -58,6 +58,10 @@ static Optional<size_t> stackSize(ThreadType threadType)
- 
- #if defined(DEFAULT_THREAD_STACK_SIZE_IN_KB) && DEFAULT_THREAD_STACK_SIZE_IN_KB > 0
-     return DEFAULT_THREAD_STACK_SIZE_IN_KB * 1024;
-+#elif OS(LINUX) && !defined(__BIONIC__) && !defined(__GLIBC__)
-+    // on libc's other than glibc and bionic (e.g. musl) we are either unsure how big
-+    // the default thread stack is, or we know it's too small - pick a robust default
-+    return 1 * MB;
- #else
-     // Use the platform's default stack size
-     return WTF::nullopt;
-- 
-2.30.1
-
--- a/community/webkit2gtk/musl-wordsize.patch
+++ b/community/webkit2gtk/musl-wordsize.patch
@ -1,59 +0,0 @@
-Upstream: yes
-
-From 1b7144916774dbb4cc4705ba9a4377844e35f47d Mon Sep 17 00:00:00 2001
-From: q66 <daniel@octaforge.org>
-Date: Tue, 27 Apr 2021 22:56:33 +0200
-Subject: [PATCH] remove __WORDSIZE usage
-
---
- Source/WebCore/crypto/algorithms/CryptoAlgorithmAES_GCM.cpp | 6 +++---
- Source/WebCore/rendering/RenderLayerBacking.h               | 2 +-
- 2 files changed, 4 insertions(+), 4 deletions(-)
-
-diff --git Source/WebCore/crypto/algorithms/CryptoAlgorithmAES_GCM.cpp Source/WebCore/crypto/algorithms/CryptoAlgorithmAES_GCM.cpp
-index cfe3698..e5bc870 100644
--- a/Source/WebCore/crypto/algorithms/CryptoAlgorithmAES_GCM.cpp
-+++ b/Source/WebCore/crypto/algorithms/CryptoAlgorithmAES_GCM.cpp
-@@ -39,7 +39,7 @@ namespace CryptoAlgorithmAES_GCMInternal {
- static const char* const ALG128 = "A128GCM";
- static const char* const ALG192 = "A192GCM";
- static const char* const ALG256 = "A256GCM";
-#if __WORDSIZE >= 64
-+#if CPU(ADDRESS64)
- static const uint64_t PlainTextMaxLength = 549755813632ULL; // 2^39 - 256
- #endif
- static const uint8_t DefaultTagLength = 128;
-@@ -77,7 +77,7 @@ void CryptoAlgorithmAES_GCM::encrypt(const CryptoAlgorithmParameters& parameters
- 
-     auto& aesParameters = downcast<CryptoAlgorithmAesGcmParams>(parameters);
- 
-#if __WORDSIZE >= 64
-+#if CPU(ADDRESS64)
-     if (plainText.size() > PlainTextMaxLength) {
-         exceptionCallback(OperationError);
-         return;
-@@ -120,7 +120,7 @@ void CryptoAlgorithmAES_GCM::decrypt(const CryptoAlgorithmParameters& parameters
-         return;
-     }
- 
-#if __WORDSIZE >= 64
-+#if CPU(ADDRESS64)
-     if (aesParameters.ivVector().size() > UINT64_MAX) {
-         exceptionCallback(OperationError);
-         return;
-diff --git Source/WebCore/rendering/RenderLayerBacking.h Source/WebCore/rendering/RenderLayerBacking.h
-index 9960724..193c5d1 100644
--- a/Source/WebCore/rendering/RenderLayerBacking.h
-+++ b/Source/WebCore/rendering/RenderLayerBacking.h
-@@ -43,7 +43,7 @@ class TiledBacking;
- class TransformationMatrix;
- 
- 
-#if __WORDSIZE == 64 && PLATFORM(COCOA)
-+#if CPU(ADDRESS64) && PLATFORM(COCOA)
- #define USE_OWNING_LAYER_BEAR_TRAP 1
- #define BEAR_TRAP_VALUE 0xEEEEEEEEEEEEEEEE
- #else
-- 
-2.30.1
-