packages/epiphany
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: packages:54b593b5a7977e5bbe66b41f06b07cd695aaef8b
Branches Tags
packages:main
..
compare: packages:a1d9ceb4d030124bf5f7f9979f49a80f264784ce
Branches Tags
packages:main

No commits in common. "54b593b5a7977e5bbe66b41f06b07cd695aaef8b" and "a1d9ceb4d030124bf5f7f9979f49a80f264784ce" have entirely different histories.
54b593b5a7 ... a1d9ceb4d0

4 changed files with 21 additions and 124 deletions
Show Stats Expand all files Collapse all files

85
CVE-2023-26081.patch
View File

@ -1,85 +0,0 @@
From 53363c3c8178bf9193dad9fa3516f4e10cff0ffd Mon Sep 17 00:00:00 2001
From: Michael Catanzaro <mcatanzaro@redhat.com>
Date: Fri, 3 Feb 2023 13:07:15 -0600
Subject: [PATCH] Don't autofill passwords in sandboxed contexts
If using the sandbox CSP or iframe tag, the web content is supposed to
be not trusted by the main resource origin. Therefore, we'd better
disable the password manager entirely so the untrusted web content
cannot exfiltrate passwords.
https://github.com/google/security-research/security/advisories/GHSA-mhhf-w9xw-pp9x
Part-of: <https://gitlab.gnome.org/GNOME/epiphany/-/merge_requests/1275>
---
.../resources/js/ephy.js | 26 +++++++++++++++++++
1 file changed, 26 insertions(+)
diff --git a/embed/web-process-extension/resources/js/ephy.js b/embed/web-process-extension/resources/js/ephy.js
index 6fccd3d94..d1c42adbc 100644
--- a/embed/web-process-extension/resources/js/ephy.js
+++ b/embed/web-process-extension/resources/js/ephy.js
@@ -354,6 +354,12 @@ Ephy.hasModifiedForms = function()
}
};
+Ephy.isSandboxedWebContent = function()
+{
+ // https://github.com/google/security-research/security/advisories/GHSA-mhhf-w9xw-pp9x
+ return self.origin === null || self.origin === 'null';
+};
+
Ephy.PasswordManager = class PasswordManager
{
constructor(pageID, frameID)
@@ -387,6 +393,11 @@ Ephy.PasswordManager = class PasswordManager
query(origin, targetOrigin, username, usernameField, passwordField)
{
+ if (Ephy.isSandboxedWebContent()) {
+ Ephy.log(`Not querying passwords for origin=${origin} because web content is sandboxed`);
+ return Promise.resolve(null);
+ }
+
Ephy.log(`Querying passwords for origin=${origin}, targetOrigin=${targetOrigin}, username=${username}, usernameField=${usernameField}, passwordField=${passwordField}`);
return new Promise((resolver, reject) => {
@@ -398,6 +409,11 @@ Ephy.PasswordManager = class PasswordManager
save(origin, targetOrigin, username, password, usernameField, passwordField, isNew)
{
+ if (Ephy.isSandboxedWebContent()) {
+ Ephy.log(`Not saving password for origin=${origin} because web content is sandboxed`);
+ return;
+ }
+
Ephy.log(`Saving password for origin=${origin}, targetOrigin=${targetOrigin}, username=${username}, usernameField=${usernameField}, passwordField=${passwordField}, isNew=${isNew}`);
window.webkit.messageHandlers.passwordManagerSave.postMessage({
@@ -409,6 +425,11 @@ Ephy.PasswordManager = class PasswordManager
// FIXME: Why is pageID a parameter here?
requestSave(origin, targetOrigin, username, password, usernameField, passwordField, isNew, pageID)
{
+ if (Ephy.isSandboxedWebContent()) {
+ Ephy.log(`Not requesting to save password for origin=${origin} because web content is sandboxed`);
+ return;
+ }
+
Ephy.log(`Requesting to save password for origin=${origin}, targetOrigin=${targetOrigin}, username=${username}, usernameField=${usernameField}, passwordField=${passwordField}, isNew=${isNew}`);
window.webkit.messageHandlers.passwordManagerRequestSave.postMessage({
@@ -428,6 +449,11 @@ Ephy.PasswordManager = class PasswordManager
queryUsernames(origin)
{
+ if (Ephy.isSandboxedWebContent()) {
+ Ephy.log(`Not querying usernames for origin=${origin} because web content is sandboxed`);
+ return Promise.resolve(null);
+ }
+
Ephy.log(`Requesting usernames for origin=${origin}`);
return new Promise((resolver, reject) => {
--
GitLab

BIN
epiphany-42.2.tar.xz Normal file
View File

Binary file not shown.

BIN
epiphany-43.0.tar.xz
View File

Binary file not shown.

60
epiphany.spec
View File

@ -1,21 +1,20 @@
%global glib2_version 2.67.4 %global glib2_version 2.64.0
%global gtk3_version 3.24.0 %global gtk3_version 3.24.0
%global webkit2gtk3_version 2.37.1 %global webkit2gtk3_version 2.31.1
Name: epiphany Name: epiphany
Epoch: 1 Epoch: 1
Version: 43.0 Version: 42.2
Release: 5 Release: 1
Summary: Web browser for GNOME Summary: Web browser for GNOME
License: GPLv3+ License: GPLv3+
URL: https://wiki.gnome.org/Apps/Web URL: https://wiki.gnome.org/Apps/Web
Source0: https://download.gnome.org/sources/epiphany/43/%{name}-%{version}.tar.xz Source0: https://download.gnome.org/sources/epiphany/42/%{name}-%{version}.tar.xz
Patch0: epiphany-default-bookmarks-openeuler.patch Patch0: epiphany-default-bookmarks-openeuler.patch
Patch1: CVE-2023-26081.patch
BuildRequires: desktop-file-utils gcc gettext-devel iso-codes-devel itstool BuildRequires: desktop-file-utils gcc gettext-devel iso-codes-devel itstool
BuildRequires: libappstream-glib-devel meson pkgconfig(cairo) pkgconfig(evince-document-3.0) BuildRequires: libappstream-glib-devel meson pkgconfig(cairo) pkgconfig(evince-document-3.0)
BuildRequires: gcr-devel pkgconfig(gdk-3.0) >= %{gtk3_version} BuildRequires: pkgconfig(gcr-3) pkgconfig(gdk-3.0) >= %{gtk3_version}
BuildRequires: pkgconfig(gdk-pixbuf-2.0) pkgconfig(gio-unix-2.0) >= %{glib2_version} BuildRequires: pkgconfig(gdk-pixbuf-2.0) pkgconfig(gio-unix-2.0) >= %{glib2_version}
BuildRequires: pkgconfig(glib-2.0) >= %{glib2_version} BuildRequires: pkgconfig(glib-2.0) >= %{glib2_version}
BuildRequires: pkgconfig(gnome-desktop-3.0) >= %{glib2_version} BuildRequires: pkgconfig(gnome-desktop-3.0) >= %{glib2_version}
@ -24,12 +23,21 @@ BuildRequires: pkgconfig(gtk+-unix-print-3.0) >= %{gtk3_version} pkgconfig
BuildRequires: pkgconfig(icu-uc) pkgconfig(json-glib-1.0) pkgconfig(libdazzle-1.0) BuildRequires: pkgconfig(icu-uc) pkgconfig(json-glib-1.0) pkgconfig(libdazzle-1.0)
BuildRequires: pkgconfig(libhandy-1) pkgconfig(libnotify) pkgconfig(libsecret-1) BuildRequires: pkgconfig(libhandy-1) pkgconfig(libnotify) pkgconfig(libsecret-1)
BuildRequires: pkgconfig(libportal-gtk3) >= 0.5 BuildRequires: pkgconfig(libportal-gtk3) >= 0.5
BuildRequires: pkgconfig(libsoup-3.0) pkgconfig(libxml-2.0) pkgconfig(libxslt) BuildRequires: pkgconfig(libsoup-2.4) pkgconfig(libxml-2.0) pkgconfig(libxslt)
BuildRequires: pkgconfig(nettle) pkgconfig(sqlite3) BuildRequires: pkgconfig(nettle) pkgconfig(sqlite3)
BuildRequires: pkgconfig(webkit2gtk-4.1) >= %{webkit2gtk3_version} BuildRequires: pkgconfig(webkit2gtk-4.0) >= %{webkit2gtk3_version}
BuildRequires: pkgconfig(webkit2gtk-web-extension-4.1) >= %{webkit2gtk3_version} chrpath BuildRequires: pkgconfig(webkit2gtk-web-extension-4.0) >= %{webkit2gtk3_version} chrpath
Requires: %{name}-runtime%{?_isa} = %{epoch}:%{version}-%{release} Requires: %{name}-runtime%{?_isa} = %{epoch}:%{version}-%{release}
Requires: gtk3%{?_isa} >= %{gtk3_version}
Requires: webkit2gtk3%{?_isa} >= %{webkit2gtk3_version}
Requires: gsettings-desktop-schemas
Requires: iso-codes
Provides: bundled(gvdb)
Provides: bundled(highlightjs)
Provides: bundled(pdfjs)
Provides: bundled(readabilityjs)
%description %description
Epiphany is the web browser for the GNOME desktop. Its goal is to be Epiphany is the web browser for the GNOME desktop. Its goal is to be
@ -40,10 +48,7 @@ application.
%package runtime %package runtime
Summary: Epiphany runtime suitable for web applications Summary: Epiphany runtime suitable for web applications
Requires: gsettings-desktop-schemas gtk3%{?_isa} >= %{gtk3_version} iso-codes Requires: gsettings-desktop-schemas gtk3%{?_isa} >= %{gtk3_version} iso-codes
Requires: webkit2gtk4.1%{?_isa} >= %{webkit2gtk3_version} Requires: webkit2gtk3%{?_isa} >= %{webkit2gtk3_version}
Provides: bundled(gvdb)
Provides: bundled(highlightjs)
Provides: bundled(readabilityjs)
%description runtime %description runtime
This package provides a runtime for web applications without actually This package provides a runtime for web applications without actually
@ -64,11 +69,8 @@ chrpath -d %{buildroot}%{_libdir}/epiphany/*.so
chrpath -d %{buildroot}%{_libdir}/epiphany/web-process-extensions/*.so chrpath -d %{buildroot}%{_libdir}/epiphany/web-process-extensions/*.so
chrpath -d %{buildroot}%{_libexecdir}/epiphany/* chrpath -d %{buildroot}%{_libexecdir}/epiphany/*
chrpath -d %{buildroot}%{_libexecdir}/epiphany-search-provider chrpath -d %{buildroot}%{_libexecdir}/epiphany-search-provider
chrpath -d %{buildroot}%{_libexecdir}/epiphany-webapp-provider
chrpath -d %{buildroot}%{_bindir}/epiphany chrpath -d %{buildroot}%{_bindir}/epiphany
sed -i 's/Exec=/Exec=env WEBKIT_FORCE_SANDBOX=0 /g' %{buildroot}%{_datadir}/applications/org.gnome.Epiphany.desktop
mkdir -p %{buildroot}%{_sysconfdir}/ld.so.conf.d mkdir -p %{buildroot}%{_sysconfdir}/ld.so.conf.d
echo "%{_libdir}/epiphany" > %{buildroot}%{_sysconfdir}/ld.so.conf.d/%{name}-%{_arch}.conf echo "%{_libdir}/epiphany" > %{buildroot}%{_sysconfdir}/ld.so.conf.d/%{name}-%{_arch}.conf
@ -89,43 +91,23 @@ desktop-file-validate $RPM_BUILD_ROOT%{_datadir}/applications/*.desktop
%dir %{_datadir}/gnome-shell/ %dir %{_datadir}/gnome-shell/
%dir %{_datadir}/gnome-shell/search-providers/ %dir %{_datadir}/gnome-shell/search-providers/
%{_datadir}/gnome-shell/search-providers/org.gnome.Epiphany.SearchProvider.ini %{_datadir}/gnome-shell/search-providers/org.gnome.Epiphany.SearchProvider.ini
#%config(noreplace) %{_sysconfdir}/ld.so.conf.d/%{name}-%{_arch}.conf %config(noreplace) %{_sysconfdir}/ld.so.conf.d/%{name}-%{_arch}.conf
%files runtime %files runtime
%license COPYING %license COPYING
%doc NEWS README.md %doc NEWS README.md
%{_datadir}/dbus-1/services/org.gnome.Epiphany.WebAppProvider.service
%{_datadir}/icons/hicolor/*/apps/org.gnome.Epiphany* %{_datadir}/icons/hicolor/*/apps/org.gnome.Epiphany*
%{_datadir}/glib-2.0/schemas/org.gnome.epiphany.gschema.xml %{_datadir}/glib-2.0/schemas/org.gnome.epiphany.gschema.xml
%{_datadir}/glib-2.0/schemas/org.gnome.Epiphany.enums.xml %{_datadir}/glib-2.0/schemas/org.gnome.Epiphany.enums.xml
%{_bindir}/epiphany %{_bindir}/epiphany
%{_libexecdir}/epiphany/ %{_libexecdir}/epiphany/
%{_libexecdir}/epiphany-webapp-provider
%{_libdir}/epiphany/ %{_libdir}/epiphany/
%{_datadir}/epiphany %{_datadir}/epiphany
%{_mandir}/man*/* %{_mandir}/man*/*
%config(noreplace)%{_sysconfdir}/ld.so.conf.d/%{name}-%{_arch}.conf %config(noreplace)%{_sysconfdir}/ld.so.conf.d/%{name}-%{_arch}.conf
%changelog %changelog
* Thu Dec 26 2024 Funda Wang <fundawang@yeah.net> - 1:43.0-5 * Mon Mar 28 2022 lin zhang <lin.zhang@turbolinux.com.cn> 1:42.2-1
- fix wrong requires on webkit2gtk3
* Thu Mar 02 2023 yaoxin <yaoxin30@h-partners.com> - 1:43.0-4
- Remove rpath
* Thu Mar 2 2023 zhuang li <zhuang.li@turbolinux.com.cn> - 1:43.0-3
- Modified configuration file Uncomment 43.0-3
* Thu Feb 23 2023 liweiganga <liweiganga@uniontech.com> - 1:43.0-2
- fix CVE-2023-26081
* Mon Jan 2 2023 lin zhang <lin.zhang@turbolinux.com.cn> - 1:43.0-1
- Update to 43.0
* Fri Sep 9 2022 lin zhang <lin.zhang@turbolinux.com.cn> - 1:42.2-2
- fix issue #I5QHPI
* Mon Mar 28 2022 lin zhang <lin.zhang@turbolinux.com.cn> - 1:42.2-1
- Update to 42.2 - Update to 42.2
* Fri Sep 10 2021 lingsheng <lingsheng@huawei.com> - 3.38.5-2 * Fri Sep 10 2021 lingsheng <lingsheng@huawei.com> - 3.38.5-2