4 changed files with 21 additions and 124 deletions
--- a/CVE-2023-26081.patch
+++ b/CVE-2023-26081.patch
@ -1,85 +0,0 @@
-From 53363c3c8178bf9193dad9fa3516f4e10cff0ffd Mon Sep 17 00:00:00 2001
-From: Michael Catanzaro <mcatanzaro@redhat.com>
-Date: Fri, 3 Feb 2023 13:07:15 -0600
-Subject: [PATCH] Don't autofill passwords in sandboxed contexts
-
-If using the sandbox CSP or iframe tag, the web content is supposed to
-be not trusted by the main resource origin. Therefore, we'd better
-disable the password manager entirely so the untrusted web content
-cannot exfiltrate passwords.
-
-https://github.com/google/security-research/security/advisories/GHSA-mhhf-w9xw-pp9x
-
-Part-of: <https://gitlab.gnome.org/GNOME/epiphany/-/merge_requests/1275>
---
- .../resources/js/ephy.js                      | 26 +++++++++++++++++++
- 1 file changed, 26 insertions(+)
-
-diff --git a/embed/web-process-extension/resources/js/ephy.js b/embed/web-process-extension/resources/js/ephy.js
-index 6fccd3d94..d1c42adbc 100644
--- a/embed/web-process-extension/resources/js/ephy.js
-+++ b/embed/web-process-extension/resources/js/ephy.js
-@@ -354,6 +354,12 @@ Ephy.hasModifiedForms = function()
-     }
- };
- 
-+Ephy.isSandboxedWebContent = function()
-+{
-+    // https://github.com/google/security-research/security/advisories/GHSA-mhhf-w9xw-pp9x
-+    return self.origin === null || self.origin === 'null';
-+};
-+
- Ephy.PasswordManager = class PasswordManager
- {
-     constructor(pageID, frameID)
-@@ -387,6 +393,11 @@ Ephy.PasswordManager = class PasswordManager
- 
-     query(origin, targetOrigin, username, usernameField, passwordField)
-     {
-+        if (Ephy.isSandboxedWebContent()) {
-+            Ephy.log(`Not querying passwords for origin=${origin} because web content is sandboxed`);
-+            return Promise.resolve(null);
-+        }
-+
-         Ephy.log(`Querying passwords for origin=${origin}, targetOrigin=${targetOrigin}, username=${username}, usernameField=${usernameField}, passwordField=${passwordField}`);
- 
-         return new Promise((resolver, reject) => {
-@@ -398,6 +409,11 @@ Ephy.PasswordManager = class PasswordManager
- 
-     save(origin, targetOrigin, username, password, usernameField, passwordField, isNew)
-     {
-+        if (Ephy.isSandboxedWebContent()) {
-+            Ephy.log(`Not saving password for origin=${origin} because web content is sandboxed`);
-+            return;
-+        }
-+
-         Ephy.log(`Saving password for origin=${origin}, targetOrigin=${targetOrigin}, username=${username}, usernameField=${usernameField}, passwordField=${passwordField}, isNew=${isNew}`);
- 
-         window.webkit.messageHandlers.passwordManagerSave.postMessage({
-@@ -409,6 +425,11 @@ Ephy.PasswordManager = class PasswordManager
-     // FIXME: Why is pageID a parameter here?
-     requestSave(origin, targetOrigin, username, password, usernameField, passwordField, isNew, pageID)
-     {
-+        if (Ephy.isSandboxedWebContent()) {
-+            Ephy.log(`Not requesting to save password for origin=${origin} because web content is sandboxed`);
-+            return;
-+        }
-+
-         Ephy.log(`Requesting to save password for origin=${origin}, targetOrigin=${targetOrigin}, username=${username}, usernameField=${usernameField}, passwordField=${passwordField}, isNew=${isNew}`);
- 
-         window.webkit.messageHandlers.passwordManagerRequestSave.postMessage({
-@@ -428,6 +449,11 @@ Ephy.PasswordManager = class PasswordManager
- 
-     queryUsernames(origin)
-     {
-+        if (Ephy.isSandboxedWebContent()) {
-+            Ephy.log(`Not querying usernames for origin=${origin} because web content is sandboxed`);
-+            return Promise.resolve(null);
-+        }
-+
-         Ephy.log(`Requesting usernames for origin=${origin}`);
- 
-         return new Promise((resolver, reject) => {
-- 
-GitLab
-
--- a/epiphany-42.2.tar.xz
+++ b/epiphany-42.2.tar.xz
--- a/epiphany-43.0.tar.xz
+++ b/epiphany-43.0.tar.xz
--- a/epiphany.spec
+++ b/epiphany.spec
@ -1,21 +1,20 @@
-%global glib2_version 2.67.4
+%global glib2_version 2.64.0
 %global gtk3_version 3.24.0
-%global webkit2gtk3_version 2.37.1
+%global webkit2gtk3_version 2.31.1

 Name:                epiphany
 Epoch:               1
-Version:             43.0
-Release:             5
+Version:             42.2
+Release:             1
 Summary:             Web browser for GNOME
 License:             GPLv3+
 URL:                 https://wiki.gnome.org/Apps/Web
-Source0:             https://download.gnome.org/sources/epiphany/43/%{name}-%{version}.tar.xz
+Source0:             https://download.gnome.org/sources/epiphany/42/%{name}-%{version}.tar.xz
 Patch0:              epiphany-default-bookmarks-openeuler.patch
-Patch1:              CVE-2023-26081.patch

 BuildRequires:       desktop-file-utils gcc gettext-devel iso-codes-devel itstool
 BuildRequires:       libappstream-glib-devel meson pkgconfig(cairo) pkgconfig(evince-document-3.0)
-BuildRequires:       gcr-devel pkgconfig(gdk-3.0) >= %{gtk3_version}
+BuildRequires:       pkgconfig(gcr-3) pkgconfig(gdk-3.0) >= %{gtk3_version}
 BuildRequires:       pkgconfig(gdk-pixbuf-2.0) pkgconfig(gio-unix-2.0) >= %{glib2_version}
 BuildRequires:       pkgconfig(glib-2.0) >= %{glib2_version}
 BuildRequires:       pkgconfig(gnome-desktop-3.0) >= %{glib2_version}
@ -24,12 +23,21 @@ BuildRequires:       pkgconfig(gtk+-unix-print-3.0) >= %{gtk3_version} pkgconfig
 BuildRequires:       pkgconfig(icu-uc) pkgconfig(json-glib-1.0) pkgconfig(libdazzle-1.0)
 BuildRequires:       pkgconfig(libhandy-1) pkgconfig(libnotify) pkgconfig(libsecret-1)
 BuildRequires:       pkgconfig(libportal-gtk3) >= 0.5
-BuildRequires:       pkgconfig(libsoup-3.0) pkgconfig(libxml-2.0) pkgconfig(libxslt)
+BuildRequires:       pkgconfig(libsoup-2.4) pkgconfig(libxml-2.0) pkgconfig(libxslt)
 BuildRequires:       pkgconfig(nettle) pkgconfig(sqlite3)
-BuildRequires:       pkgconfig(webkit2gtk-4.1) >= %{webkit2gtk3_version}
-BuildRequires:       pkgconfig(webkit2gtk-web-extension-4.1) >= %{webkit2gtk3_version} chrpath
+BuildRequires:       pkgconfig(webkit2gtk-4.0) >= %{webkit2gtk3_version}
+BuildRequires:       pkgconfig(webkit2gtk-web-extension-4.0) >= %{webkit2gtk3_version} chrpath

 Requires:            %{name}-runtime%{?_isa} = %{epoch}:%{version}-%{release}
+Requires:            gtk3%{?_isa} >= %{gtk3_version}
+Requires:            webkit2gtk3%{?_isa} >= %{webkit2gtk3_version}
+Requires:            gsettings-desktop-schemas
+Requires:            iso-codes
+
+Provides: bundled(gvdb)
+Provides: bundled(highlightjs)
+Provides: bundled(pdfjs)
+Provides: bundled(readabilityjs)

 %description
 Epiphany is the web browser for the GNOME desktop. Its goal is to be
@ -40,10 +48,7 @@ application.
 %package runtime
 Summary:             Epiphany runtime suitable for web applications
 Requires:            gsettings-desktop-schemas gtk3%{?_isa} >= %{gtk3_version} iso-codes
-Requires:            webkit2gtk4.1%{?_isa} >= %{webkit2gtk3_version}
-Provides:            bundled(gvdb)
-Provides:            bundled(highlightjs)
-Provides:            bundled(readabilityjs)
+Requires:            webkit2gtk3%{?_isa} >= %{webkit2gtk3_version}

 %description runtime
 This package provides a runtime for web applications without actually
@ -64,11 +69,8 @@ chrpath -d %{buildroot}%{_libdir}/epiphany/*.so
 chrpath -d %{buildroot}%{_libdir}/epiphany/web-process-extensions/*.so
 chrpath -d %{buildroot}%{_libexecdir}/epiphany/*
 chrpath -d %{buildroot}%{_libexecdir}/epiphany-search-provider
-chrpath -d %{buildroot}%{_libexecdir}/epiphany-webapp-provider
 chrpath -d %{buildroot}%{_bindir}/epiphany

-sed -i 's/Exec=/Exec=env WEBKIT_FORCE_SANDBOX=0 /g' %{buildroot}%{_datadir}/applications/org.gnome.Epiphany.desktop
-
 mkdir -p %{buildroot}%{_sysconfdir}/ld.so.conf.d
 echo "%{_libdir}/epiphany" > %{buildroot}%{_sysconfdir}/ld.so.conf.d/%{name}-%{_arch}.conf

@ -89,43 +91,23 @@ desktop-file-validate $RPM_BUILD_ROOT%{_datadir}/applications/*.desktop
 %dir %{_datadir}/gnome-shell/
 %dir %{_datadir}/gnome-shell/search-providers/
 %{_datadir}/gnome-shell/search-providers/org.gnome.Epiphany.SearchProvider.ini
-#%config(noreplace) %{_sysconfdir}/ld.so.conf.d/%{name}-%{_arch}.conf
+%config(noreplace) %{_sysconfdir}/ld.so.conf.d/%{name}-%{_arch}.conf

 %files runtime
 %license COPYING
 %doc NEWS README.md
-%{_datadir}/dbus-1/services/org.gnome.Epiphany.WebAppProvider.service
 %{_datadir}/icons/hicolor/*/apps/org.gnome.Epiphany*
 %{_datadir}/glib-2.0/schemas/org.gnome.epiphany.gschema.xml
 %{_datadir}/glib-2.0/schemas/org.gnome.Epiphany.enums.xml
 %{_bindir}/epiphany
 %{_libexecdir}/epiphany/
-%{_libexecdir}/epiphany-webapp-provider
 %{_libdir}/epiphany/
 %{_datadir}/epiphany
 %{_mandir}/man*/*
 %config(noreplace)%{_sysconfdir}/ld.so.conf.d/%{name}-%{_arch}.conf

 %changelog
-* Thu Dec 26 2024 Funda Wang <fundawang@yeah.net> - 1:43.0-5
- fix wrong requires on webkit2gtk3
-
-* Thu Mar 02 2023 yaoxin <yaoxin30@h-partners.com> - 1:43.0-4
- Remove rpath
-
-* Thu Mar 2 2023 zhuang li  <zhuang.li@turbolinux.com.cn> - 1:43.0-3
- Modified configuration file Uncomment  43.0-3
-
-* Thu Feb 23 2023 liweiganga <liweiganga@uniontech.com> - 1:43.0-2
- fix CVE-2023-26081
-
-* Mon Jan 2 2023 lin zhang <lin.zhang@turbolinux.com.cn> - 1:43.0-1
- Update to 43.0
-
-* Fri Sep 9 2022 lin zhang <lin.zhang@turbolinux.com.cn> - 1:42.2-2
- fix issue #I5QHPI
-
-* Mon Mar 28 2022 lin zhang <lin.zhang@turbolinux.com.cn> - 1:42.2-1
+* Mon Mar 28 2022 lin zhang <lin.zhang@turbolinux.com.cn> 1:42.2-1
 - Update to 42.2

 * Fri Sep 10 2021 lingsheng <lingsheng@huawei.com> - 3.38.5-2