[webkit-gtk] How to fix CVEs of webkitgtk 2.36.x

Adrian Perez de Castro aperez at igalia.com
Wed Mar 22 02:26:56 PDT 2023


On Wed, 22 Mar 2023 11:57:24 +0800 不会弹吉他的KK <kai.7.kang at gmail.com> wrote:

> I am working on Yocto project. In last LTS Yocto release the version of
> webkitgtk is 2.36.8. And there are more than 15 CVE issues for 2.36.8 till
> now. I checked the git log and "WebKitGTK and WPE WebKit Security Advisory"
> pages that I only got info that which CVE has been fixed in which version of
> webkitgtk. But I can NOT get the exact info that it is fixed by which
> commit(s). So if there anywhere or some web page to get the specific
> fix/patch for a CVE, please?

Recently advisories published by Apple include the Bugzilla issue numbers
(e.g. [1]), so with some work you can find out which commits correspond to
the fixes.

You will not be able to see the discussions in Bugzilla because security bugs
are visible by default only to members of the WebKit Security Team [2] for a
number of reasons, like avoiding leaks of information that could be used to
make exploits.
> And the second question is webkitgtk 2.38.x backward compatible with 2.36.8?
> I compare the header files between 2.36.8 and 2.38.4 that it seems no
> function deleted and no interface change for existing functions, only some
> functions are marked deprecated and some new functions added. Does that mean
> upgrade webkitgtk from 2.36.8 to 2.38.4 will not break applications which
> depend on it, please?

WebKitGTK 2.38.x is backwards compatible with 2.36.x, you can safely update
without needing to change applications. In general, we always keep the API and
ABI backwards compatible.

Note that the current stable releases (2.40.x) introduce a new API level
when using GTK4, but I suppose this is not a problem because most likely you
are still using GTK3.

I hope this helps you with your doubts.


[1] https://support.apple.com/en-us/HT213638
[2] https://webkit.org/security-team/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: not available
URL: <http://lists.webkit.org/pipermail/webkit-gtk/attachments/20230322/567834fb/attachment.bin>

More information about the webkit-gtk mailing list