Debian Bug report logs - #843462
emacs25: Please disable xwidgets/webkit

Package: emacs25; Maintainer for emacs25 is Rob Browning <rlb@defaultvalue.org>; Source for emacs25 is src:emacs.

Reported by: David Bremner <bremner@debian.org>

Date: Sun, 6 Nov 2016 19:21:02 UTC

Severity: important

Tags: security

Found in version emacs25/25.1+1-2

Fixed in version emacs25/25.1+1-3

Done: Rob Browning <rlb@defaultvalue.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Rob Browning <rlb@defaultvalue.org>:
Bug#843462; Package emacs25. (Sun, 06 Nov 2016 19:21:04 GMT)


Acknowledgement sent to David Bremner <bremner@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Rob Browning <rlb@defaultvalue.org>. (Sun, 06 Nov 2016 19:21:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: David Bremner <bremner@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: emacs25: Please disable xwidgets/webkit
Date: Sun, 06 Nov 2016 15:17:00 -0400
Package: emacs25
Version: 25.1+1-2
Severity: important
Tags: security

According to check-support-status (package debian-security-support):

* Source:webkitgtk
  Details: No security support upstream and backports not feasible, only for use on trusted content
  Affected binary packages:
  - libjavascriptcoregtk-3.0-0:amd64 (installed version: 2.4.11-3)
  - libwebkitgtk-3.0-0:amd64 (installed version: 2.4.11-3)

Although there is apparently some sandboxing in the use of webkit in
emacs (I read that it uses a separate process, although not anywhere
authoritative), this still seems to be equivalent to shipping a
JavaScript enabled browser without any security support.

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (900, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.6.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages emacs25 depends on:
ii  emacs25-bin-common          25.1+1-2
ii  gconf-service               3.2.6-4
ii  libacl1                     2.2.52-3
ii  libasound2                  1.1.2-1
ii  libatk1.0-0                 2.22.0-1
ii  libc6                       2.24-5
ii  libcairo-gobject2           1.14.6-1+b1
ii  libcairo2                   1.14.6-1+b1
ii  libdbus-1-3                 1.10.12-1
ii  libfontconfig1              2.11.0-6.7
ii  libfreetype6                2.6.3-3+b1
ii  libgconf-2-4                3.2.6-4
ii  libgdk-pixbuf2.0-0          2.36.0-1
ii  libgif7                     5.1.4-0.4
ii  libglib2.0-0                2.50.1-1
ii  libgnutls30                 3.5.5-6
ii  libgomp1                    6.2.0-10
ii  libgpm2                     1.20.4-6.2
ii  libgtk-3-0                  3.22.2-1
ii  libice6                     2:1.0.9-1+b1
ii  libjavascriptcoregtk-3.0-0  2.4.11-3
ii  libjpeg62-turbo             1:1.5.1-2
ii  libm17n-0                   1.7.0-3+b1
ii  libmagickcore-6.q16-2       8:6.9.6.2+dfsg-2
ii  libmagickwand-6.q16-2       8:6.9.6.2+dfsg-2
ii  libotf0                     0.9.13-3
ii  libpango-1.0-0              1.40.3-2
ii  libpangocairo-1.0-0         1.40.3-2
ii  libpng16-16                 1.6.25-2
ii  librsvg2-2                  2.40.16-1
ii  libselinux1                 2.6-1
ii  libsm6                      2:1.2.2-1+b1
ii  libsoup2.4-1                2.56.0-1
ii  libtiff5                    4.0.6-3
ii  libtinfo5                   6.0+20160917-1
ii  libwebkitgtk-3.0-0          2.4.11-3
ii  libx11-6                    2:1.6.3-1
ii  libx11-xcb1                 2:1.6.3-1
ii  libxcb1                     1.12-1
ii  libxcomposite1              1:0.4.4-1
ii  libxfixes3                  1:5.0.2-1
ii  libxft2                     2.3.2-1
ii  libxinerama1                2:1.1.3-1+b1
ii  libxml2                     2.9.4+dfsg1-2.1
ii  libxpm4                     1:3.5.11-1+b1
ii  libxrandr2                  2:1.5.0-1
ii  libxrender1                 1:0.9.9-2
ii  zlib1g                      1:1.2.8.dfsg-2+b3

emacs25 recommends no packages.

Versions of packages emacs25 suggests:
pn  emacs25-common-non-dfsg  <none>

-- no debconf information
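
The cross-check made by hand in the report above, as an added example (not part of the original report or of debian-security-support): it parses check-support-status output in the shape quoted there and intersects it with the reportbug dependency list. The sample inputs are constructed from lines in the report, and the function names are hypothetical.

```python
import re

# Sample inputs constructed from lines quoted in the report (abridged).
SUPPORT_STATUS = """\
* Source:webkitgtk
  Details: No security support upstream and backports not feasible, only for use on trusted content
  Affected binary packages:
  - libjavascriptcoregtk-3.0-0:amd64 (installed version: 2.4.11-3)
  - libwebkitgtk-3.0-0:amd64 (installed version: 2.4.11-3)
"""
DEPENDS = """\
ii  libgtk-3-0                  3.22.2-1
ii  libjavascriptcoregtk-3.0-0  2.4.11-3
ii  libsoup2.4-1                2.56.0-1
ii  libwebkitgtk-3.0-0          2.4.11-3
"""
BINARY_RE = re.compile(r"- (\S+?)(?::\S+)? \(installed version: (\S+)\)$")

def parse_support_status(text):
    """Return {source: {"details": str, "binaries": {name: version}}}."""
    result, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("* Source:"):
            name = line[len("* Source:"):].strip()
            current = result.setdefault(name, {"details": "", "binaries": {}})
        elif current is not None and line.startswith("Details:"):
            current["details"] = line[len("Details:"):].strip()
        elif current is not None and (m := BINARY_RE.match(line)):
            current["binaries"][m.group(1)] = m.group(2)  # arch suffix dropped
    return result

def parse_depends(text):
    """Parse reportbug 'ii  name  version' lines into {name: version}."""
    rows = (line.split() for line in text.splitlines())
    return {r[1]: r[2] for r in rows if len(r) >= 3 and r[0] == "ii"}

def unsupported_dependencies(support_text, depends_text):
    """Dependencies that check-support-status lists as unsupported."""
    deps = parse_depends(depends_text)
    findings = []
    for source, info in parse_support_status(support_text).items():
        for pkg in sorted(info["binaries"]):
            if pkg in deps:  # the package under review depends on it
                findings.append((source, pkg, deps[pkg], info["details"]))
    return findings

if __name__ == "__main__":
    for source, pkg, version, details in unsupported_dependencies(SUPPORT_STATUS, DEPENDS):
        print(f"{pkg} {version} (source {source}): {details}")
```
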



Reply sent to Rob Browning <rlb@defaultvalue.org>:
You have taken responsibility. (Thu, 01 Dec 2016 01:36:11 GMT)


Notification sent to David Bremner <bremner@debian.org>:
Bug acknowledged by developer. (Thu, 01 Dec 2016 01:36:11 GMT)


Message #10 received at 843462-close@bugs.debian.org:

From: Rob Browning <rlb@defaultvalue.org>
To: 843462-close@bugs.debian.org
Subject: Bug#843462: fixed in emacs25 25.1+1-3
Date: Thu, 01 Dec 2016 01:33:56 +0000
Source: emacs25
Source-Version: 25.1+1-3

We believe that the bug you reported is fixed in the latest version of
emacs25, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 843462@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Rob Browning <rlb@defaultvalue.org> (supplier of updated emacs25 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 30 Nov 2016 18:15:33 -0600
Source: emacs25
Binary: emacs25-lucid emacs25-lucid-dbg emacs25-nox emacs25-nox-dbg emacs25 emacs25-dbg emacs25-bin-common emacs25-common emacs25-el
Architecture: source amd64 all
Version: 25.1+1-3
Distribution: unstable
Urgency: medium
Maintainer: Rob Browning <rlb@defaultvalue.org>
Changed-By: Rob Browning <rlb@defaultvalue.org>
Description:
 emacs25    - GNU Emacs editor (with GTK+ GUI support)
 emacs25-bin-common - GNU Emacs editor's shared, architecture dependent files
 emacs25-common - GNU Emacs editor's shared, architecture independent infrastructur
 emacs25-dbg - Debugging symbols for emacs25
 emacs25-el - GNU Emacs LISP (.el) files
 emacs25-lucid - GNU Emacs editor (with Lucid GUI support)
 emacs25-lucid-dbg - Debugging symbols for emacs25-lucid
 emacs25-nox - GNU Emacs editor (without GUI support)
 emacs25-nox-dbg - Debugging symbols for emacs25-nox
Closes: 840702 842728 843462
Changes:
 emacs25 (25.1+1-3) unstable; urgency=medium
 .
   * Configure with REL_ALLOC=no to fix crashes.  Thanks to Santiago
     Vila for reporting the problem, and Sean Whitton for helping test
     the fix. (Closes: 842728)
 .
   * Disable xwidget (webkit) support.  Thanks to David Bremner for
     reporting the issue. (Closes: 843462)
 .
   * Depend on liboss4-salsa-dev on hurd and kfreebsd.  Thanks to Aaron
     M. Ucko for reporting the problem and Svante Signell for providing
     the fix. (Closes: 840702)




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 29 Dec 2016 08:59:27 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Oct 14 14:59:46 2018; Machine Name: beach
