diff --git a/webkitgtk-2.6.1-poodle.patch b/webkitgtk-2.6.1-poodle.patch
new file mode 100644
index 0000000..e100b0b
--- /dev/null
+++ b/webkitgtk-2.6.1-poodle.patch
@@ -0,0 +1,52 @@
+diff --git a/Source/WebKit2/NetworkProcess/EntryPoint/unix/NetworkProcessMain.cpp b/Source/WebKit2/NetworkProcess/EntryPoint/unix/NetworkProcessMain.cpp
+index 8d4287b3713ee93c0db80d178089112e1589e53b..c42baa8e94e16d8e8e97ae256d9a2496f144f958 100644
+--- a/Source/WebKit2/NetworkProcess/EntryPoint/unix/NetworkProcessMain.cpp
++++ b/Source/WebKit2/NetworkProcess/EntryPoint/unix/NetworkProcessMain.cpp
+@@ -25,9 +25,21 @@
+
+ #include "NetworkProcessMainUnix.h"
+
++#include
++
+ using namespace WebKit;
+
+ int main(int argc, char** argv)
+ {
++ // Disable SSLv3 very early because it is practically impossible to safely
++ // use setenv() when multiple threads are running, as another thread calling
++ // getenv() could cause a crash, and many functions use getenv() internally.
++ // This workaround will stop working if glib-networking switches away from
++ // GnuTLS or simply stops parsing this variable. We intentionally do not
++ // overwrite this priority string if it's already set by the user.
++ // Keep this in sync with WebProcessMain.cpp.
++ // https://bugzilla.gnome.org/show_bug.cgi?id=738633
++ setenv("G_TLS_GNUTLS_PRIORITY", "NORMAL:%COMPAT:!VERS-SSL3.0", 0);
++
+ return NetworkProcessMainUnix(argc, argv);
+ }
+diff --git a/Source/WebKit2/WebProcess/EntryPoint/unix/WebProcessMain.cpp b/Source/WebKit2/WebProcess/EntryPoint/unix/WebProcessMain.cpp
+index 6c637fd237c3d75a5332d1e190cbc9e8226cbcae..260620a766911a8162cbb10717aa137cba3a9271 100644
+--- a/Source/WebKit2/WebProcess/EntryPoint/unix/WebProcessMain.cpp
++++ b/Source/WebKit2/WebProcess/EntryPoint/unix/WebProcessMain.cpp
+@@ -25,9 +25,21 @@
+
+ #include "WebProcessMainUnix.h"
+
++#include
++
+ using namespace WebKit;
+
+ int main(int argc, char** argv)
+ {
++ // Disable SSLv3 very early because it is practically impossible to safely
++ // use setenv() when multiple threads are running, as another thread calling
++ // getenv() could cause a crash, and many functions use getenv() internally.
++ // This workaround will stop working if glib-networking switches away from
++ // GnuTLS or simply stops parsing this variable. We intentionally do not
++ // overwrite this priority string if it's already set by the user.
++ // Keep this in sync with NetworkProcessMain.cpp.
++ // https://bugzilla.gnome.org/show_bug.cgi?id=738633
++ setenv("G_TLS_GNUTLS_PRIORITY", "NORMAL:%COMPAT:!VERS-SSL3.0", 0);
++
+ return WebProcessMainUnix(argc, argv);
+ }
diff --git a/webkitgtk4.spec b/webkitgtk4.spec
index ad71b23..3e22b49 100644
--- a/webkitgtk4.spec
+++ b/webkitgtk4.spec
@@ -7,7 +7,7 @@ Name: webkitgtk4 Version: 2.6.1 -Release: 1%{?dist} +Release: 2%{?dist} Summary: GTK+ Web content engine library License: LGPLv2
@@ -17,6 +17,7 @@ Source0: http://webkitgtk.org/releases/webkitgtk-%{version}.tar.xz Patch0: webkit-1.1.14-nspluginwrapper.patch Patch2: webkitgtk-2.5.90-cloop_fix.patch Patch3: webkitgtk-2.5.2-commit_align.patch +Patch4: webkitgtk-2.6.1-poodle.patch BuildRequires: at-spi2-core-devel BuildRequires: bison
@@ -79,6 +80,7 @@ files for developing applications that use %{name}. %setup -q -n webkitgtk-%{version} %patch0 -p1 -b .nspluginwrapper %patch2 -p1 -b .cloop_fix +%patch4 -p1 -b .poodle %ifarch %{power64} aarch64 ppc %patch3 -p1 -b .commit_align %endif
@@ -163,6 +165,9 @@ make %{?_smp_mflags} -C %{_target_platform} %{_datadir}/gir-1.0/WebKit2WebExtension-4.0.gir %changelog +* Tue Oct 21 2014 Tomas Popela - 2.6.1-2 +- Disable the SSLv3 to address the POODLE vulnerability + * Tue Oct 14 2014 Tomas Popela - 2.6.1-1 - Update to 2.6.1
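Review bot: The return value of the `setenv()` call added to `main()` in both NetworkProcessMain.cpp and WebProcessMain.cpp is ignored, and because the overwrite argument is `0` the call has no effect when `G_TLS_GNUTLS_PRIORITY` is already present in the environment. A failed call, or an inherited value that lacks `!VERS-SSL3.0`, therefore leaves SSLv3 negotiable with no indication, even though this call is the whole POODLE mitigation. I would fail closed on error, e.g. `if (setenv("G_TLS_GNUTLS_PRIORITY", "NORMAL:%COMPAT:!VERS-SSL3.0", 0) != 0) return 1;`, and extend the comment with `// A pre-set value that lacks !VERS-SSL3.0 leaves SSLv3 enabled; whoever set it owns that choice.` Since the same block is duplicated in two entry points and kept in sync only by a comment, a shared helper that defines the priority string once would remove the risk of the two copies drifting apart.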