kumquat-buildroot/package/webkitgtk/webkitgtk.mk
Peter Korsgaard de3684f57d package/webkitgtk: security bump to version 2.42.5
Fixes the following security issues:

https://webkitgtk.org/security/WSA-2024-0001.html

- CVE-2024-23222: Processing maliciously crafted web content may lead to
  arbitrary code execution.  Apple is aware of a report that this issue may
  have been exploited.  Description: A type confusion issue was addressed
  with improved checks.

- CVE-2024-23206: A maliciously crafted webpage may be able to fingerprint
  the user.  Description: An access issue was addressed with improved access
  restrictions.

- CVE-2024-23213: Processing web content may lead to arbitrary code execution.
  Description: The issue was addressed with improved memory handling.

- CVE-2023-40414: Processing web content may lead to arbitrary code
  execution.  Description: A use-after-free issue was addressed with
  improved memory management.

- CVE-2023-42833: Processing web content may lead to arbitrary code execution.
  Description: A correctness issue was addressed with improved checks.

- CVE-2014-1745: Processing a file may lead to a denial-of-service or
  potentially disclose memory contents.  Description: The issue was
  addressed with improved checks.

https://webkitgtk.org/security/WSA-2023-0012.html

- CVE-2023-42883: Processing a SVG image may lead to a denial-of-service.
  Description: The issue was addressed with improved memory handling.

- CVE-2023-42890: Processing web content may lead to arbitrary code
  execution.  Description: The issue was addressed with improved memory
  handling.

https://webkitgtk.org/security/WSA-2023-0011.html

- CVE-2023-42916: Processing web content may disclose sensitive information.
  Apple is aware of a report that this issue may have been actively
  exploited.  Description: An out-of-bounds read was addressed with improved
  input validation.

- CVE-2023-42917: Processing web content may lead to arbitrary code
  execution.  Apple is aware of a report that this issue may have been
  actively exploited.  Description: A memory corruption vulnerability was
  addressed with improved locking.

Add an upstream post-2.42.5 patch to fix an issue with an invalid backport
causing a build issue.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Acked-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2024-02-08 13:52:57 +01:00

159 lines
4.4 KiB
Makefile

################################################################################
#
# webkitgtk
#
################################################################################
WEBKITGTK_VERSION = 2.42.5
WEBKITGTK_SITE = https://www.webkitgtk.org/releases
WEBKITGTK_SOURCE = webkitgtk-$(WEBKITGTK_VERSION).tar.xz
WEBKITGTK_INSTALL_STAGING = YES
WEBKITGTK_LICENSE = LGPL-2.1+, BSD-2-Clause
WEBKITGTK_LICENSE_FILES = \
Source/WebCore/LICENSE-APPLE \
Source/WebCore/LICENSE-LGPL-2.1
WEBKITGTK_CPE_ID_VENDOR = webkitgtk
WEBKITGTK_DEPENDENCIES = host-ruby host-python3 host-gperf host-unifdef \
enchant harfbuzz icu jpeg libgcrypt libgtk3 libsecret libsoup3 \
libtasn1 libxml2 libxslt openjpeg sqlite webp woff2
WEBKITGTK_CMAKE_BACKEND = ninja
WEBKITGTK_CONF_OPTS = \
-DENABLE_API_TESTS=OFF \
-DENABLE_DOCUMENTATION=OFF \
-DENABLE_GEOLOCATION=OFF \
-DENABLE_MINIBROWSER=ON \
-DENABLE_SPELLCHECK=ON \
-DENABLE_WEB_RTC=OFF \
-DPORT=GTK \
-DUSE_AVIF=OFF \
-DUSE_LIBHYPHEN=OFF \
-DUSE_OPENJPEG=ON \
-DUSE_WOFF2=ON
ifeq ($(BR2_PACKAGE_WEBKITGTK_SANDBOX),y)
WEBKITGTK_CONF_OPTS += \
-DENABLE_BUBBLEWRAP_SANDBOX=ON \
-DBWRAP_EXECUTABLE=/usr/bin/bwrap \
-DDBUS_PROXY_EXECUTABLE=/usr/bin/xdg-dbus-proxy
WEBKITGTK_DEPENDENCIES += libseccomp
else
WEBKITGTK_CONF_OPTS += -DENABLE_BUBBLEWRAP_SANDBOX=OFF
endif
ifeq ($(BR2_PACKAGE_WEBKITGTK_MULTIMEDIA),y)
WEBKITGTK_CONF_OPTS += \
-DENABLE_VIDEO=ON \
-DENABLE_WEB_AUDIO=ON
WEBKITGTK_DEPENDENCIES += gstreamer1 gst1-libav gst1-plugins-base
else
WEBKITGTK_CONF_OPTS += \
-DENABLE_VIDEO=OFF \
-DENABLE_WEB_AUDIO=OFF
endif
ifeq ($(BR2_PACKAGE_WEBKITGTK_WEBDRIVER),y)
WEBKITGTK_CONF_OPTS += -DENABLE_WEBDRIVER=ON
else
WEBKITGTK_CONF_OPTS += -DENABLE_WEBDRIVER=OFF
endif
ifeq ($(BR2_PACKAGE_LCMS2),y)
WEBKITGTK_CONF_OPTS += -DUSE_LCMS=ON
WEBKITGTK_DEPENDENCIES += lcms2
else
WEBKITGTK_CONF_OPTS += -DUSE_LCMS=OFF
endif
ifeq ($(BR2_PACKAGE_GOBJECT_INTROSPECTION),y)
WEBKITGTK_CONF_OPTS += -DENABLE_INTROSPECTION=ON
WEBKITGTK_DEPENDENCIES += gobject-introspection
else
WEBKITGTK_CONF_OPTS += -DENABLE_INTROSPECTION=OFF
endif
ifeq ($(BR2_PACKAGE_LIBJXL),y)
WEBKITGTK_CONF_OPTS += -DUSE_JPEGXL=ON
WEBKITGTK_DEPENDENCIES += libjxl
else
WEBKITGTK_CONF_OPTS += -DUSE_JPEGXL=OFF
endif
ifeq ($(BR2_PACKAGE_LIBMANETTE),y)
WEBKITGTK_CONF_OPTS += -DENABLE_GAMEPAD=ON
WEBKITGTK_DEPENDENCIES += libmanette
else
WEBKITGTK_CONF_OPTS += -DENABLE_GAMEPAD=OFF
endif
ifeq ($(BR2_PACKAGE_HAS_LIBGLES),y)
WEBKITGTK_CONF_OPTS += -DUSE_OPENGL_OR_ES=ON
WEBKITGTK_DEPENDENCIES += libgles
else
WEBKITGTK_CONF_OPTS += -DUSE_OPENGL_OR_ES=OFF
endif
ifeq ($(BR2_PACKAGE_HAS_LIBGBM),y)
WEBKITGTK_CONF_OPTS += -DUSE_GBM=ON
WEBKITGTK_DEPENDENCIES += libgbm
else
WEBKITGTK_CONF_OPTS += -DUSE_GBM=OFF
endif
ifeq ($(BR2_PACKAGE_LIBGTK3_X11),y)
WEBKITGTK_CONF_OPTS += -DENABLE_X11_TARGET=ON
WEBKITGTK_DEPENDENCIES += libgl \
xlib_libXcomposite xlib_libXdamage xlib_libXrender xlib_libXt
else
WEBKITGTK_CONF_OPTS += -DENABLE_X11_TARGET=OFF
endif
ifeq ($(BR2_PACKAGE_LIBGTK3_WAYLAND),y)
WEBKITGTK_CONF_OPTS += -DENABLE_WAYLAND_TARGET=ON
WEBKITGTK_DEPENDENCIES += libegl
else
WEBKITGTK_CONF_OPTS += -DENABLE_WAYLAND_TARGET=OFF
endif
# If only the GTK Broadway backend is enabled, EGL is still needed.
ifeq ($(BR2_PACKAGE_LIBGTK3_X11):$(BR2_PACKAGE_LIBGTK3_WAYLAND):$(BR2_PACKAGE_LIBGTK3_BROADWAY),::y)
WEBKITGTK_DEPENDENCIES += libegl
endif
ifeq ($(BR2_PACKAGE_WPEBACKEND_FDO),y)
WEBKITGTK_CONF_OPTS += -DUSE_WPE_RENDERER=ON
WEBKITGTK_DEPENDENCIES += wpebackend-fdo
else
WEBKITGTK_CONF_OPTS += -DUSE_WPE_RENDERER=OFF
endif
ifeq ($(BR2_PACKAGE_WEBKITGTK_USE_GSTREAMER_GL),y)
WEBKITGTK_CONF_OPTS += -DUSE_GSTREAMER_GL=ON
else
WEBKITGTK_CONF_OPTS += -DUSE_GSTREAMER_GL=OFF
endif
ifeq ($(BR2_INIT_SYSTEMD),y)
WEBKITGTK_CONF_OPTS += -DENABLE_JOURNALD_LOG=ON
WEBKITGTK_DEPENDENCIES += systemd
else
WEBKITGTK_CONF_OPTS += -DENABLE_JOURNALD_LOG=OFF
endif
# JIT is not supported for MIPS r6, but the WebKit build system does not
# have a check for these processors. The same goes for ARMv5 and ARMv6.
# Disable JIT forcibly here and use the CLoop interpreter instead.
#
# Also, we have to disable the sampling profiler, which does NOT work
# with ENABLE_C_LOOP.
#
# Upstream bugs: https://bugs.webkit.org/show_bug.cgi?id=191258
# https://bugs.webkit.org/show_bug.cgi?id=172765
#
ifeq ($(BR2_ARM_CPU_ARMV5)$(BR2_ARM_CPU_ARMV6)$(BR2_MIPS_CPU_MIPS32R6)$(BR2_MIPS_CPU_MIPS64R6),y)
WEBKITGTK_CONF_OPTS += -DENABLE_JIT=OFF -DENABLE_C_LOOP=ON -DENABLE_SAMPLING_PROFILER=OFF
endif
$(eval $(cmake-package))