CLSA-2026-1777544437

Import Source
https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/almalinux9.2esu/CLSA-2026-1777544437.json
JSON Data
https://api.osv.dev/v1/vulns/CLSA-2026-1777544437
Upstream
  • CVE-2023-43010
  • CVE-2025-13947
  • CVE-2026-20643
  • CVE-2026-20664
  • CVE-2026-20665
  • CVE-2026-20691
  • CVE-2026-28857
  • CVE-2026-28859
  • CVE-2026-28871
Published
2026-04-30T10:20:42Z
Modified
2026-06-01T00:32:28.272283266Z
Summary
webkit2gtk3: Fix of 35 CVEs
Details
  • Rebase to webkitgtk 2.52.3 to address WebKitGTK security advisories WSA-2026-0001 and WSA-2026-0002 (matches RHSA-2026:9692).
  • Drop all CVE-2025-* backport patches (Patch100..Patch112); the fixes are included in 2.52.3 upstream.
  • Drop fix-missing-typename.patch: target source file was removed upstream.
  • Adapt fix-compositemode-init.patch, fix-renderelement-binding.patch, and fix-renderflexbox-typename.patch to 2.52.3 line offsets (same semantic clang15 / libstdc++ compat fix).
  • Refresh all CentOS Stream 9-derived patches to the versions that ship with c9s webkit2gtk3-2.52.3 (glib-2-68, libsoup2, icu-67, g-ir-scanner-nonfatal, evolution-sandbox-warning, aarch64-build) and reorder them to match c9s so they apply with rpm's --fuzz=0 --strict mode. Our previously-carried versions targeted the 2.50.1 source tree and broke when applied against 2.52.3.
  • Switch build toolchain from Clang 15 to gcc-toolset-12 (GCC 12). AlmaLinux 9.2 ESU ships Clang 15 as its system compiler, but Clang 15 does not implement C++20 P0634R3 ("implicit typename") nor the requires-clause name-lookup fix needed to compile WebKit 2.52+. GCC 12 implements both and is fully supported upstream. %global toolchain is now gcc; BuildRequires updated accordingly; gcc-toolset-12 is enabled in %build via /opt/rh/gcc-toolset-12/enable.
  • Drop tarball signature/hash verification from %prep. Upstream's 2.52.3 .asc was signed with an expired DSA key (key expired 2026-04-14, signature made 2026-04-16), so gpgv 2.3.x refuses it. The tarball lives in Gerrit under change control, so the per-build verify step is redundant. Source1 (.asc) and Source2 (keyring) are removed along with their files.
  • CVEs resolved by this rebase (30 total):
    • WSA-2026-0001 (fixed upstream in 2.50.5 / 2.50.6): CVE-2025-43433, CVE-2025-43438, CVE-2025-43441, CVE-2025-43457, CVE-2025-43511, CVE-2025-46299, CVE-2026-20608, CVE-2026-20635, CVE-2026-20636, CVE-2026-20644, CVE-2026-20652, CVE-2026-20676
    • WSA-2026-0002 (fixed in 2.52.1): CVE-2026-20643, CVE-2026-20664, CVE-2026-20665, CVE-2026-20691, CVE-2026-28857, CVE-2026-28859, CVE-2026-28871
    • Older Apple waves superseded by this rebase (from WSA-2025-0008/0009/0010, previously tracked by WIP Gerrit change 245288): CVE-2025-13947, CVE-2025-14174, CVE-2025-43431, CVE-2025-43443, CVE-2025-43458, CVE-2025-43501, CVE-2025-43529, CVE-2025-43531, CVE-2025-43535, CVE-2025-43536, CVE-2025-43541
    • CVEs from these advisories that were already fixed in 2.50.1 (no action needed): CVE-2023-43010 (2.44.0), CVE-2025-31223 / CVE-2025-31277 (2.50.0), CVE-2025-43213 / CVE-2025-43214 (cherry-picked onto the webkitglib/2.50 branch before the 2.50.0 tag)
References

Affected packages

TuxCare:AlmaLinux:9.2 / webkit2gtk3

Package

Name
webkit2gtk3
Purl
pkg:rpm/tuxcare/webkit2gtk3?distro=almalinux-9.2

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
2.52.3-1.el9.tuxcare.els8

Database specific

source
"https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/almalinux9.2esu/CLSA-2026-1777544437.json"

TuxCare:AlmaLinux:9.2 / webkit2gtk3-devel

Package

Name
webkit2gtk3-devel
Purl
pkg:rpm/tuxcare/webkit2gtk3-devel?distro=almalinux-9.2

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
2.52.3-1.el9.tuxcare.els8

Database specific

source
"https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/almalinux9.2esu/CLSA-2026-1777544437.json"

TuxCare:AlmaLinux:9.2 / webkit2gtk3-jsc

Package

Name
webkit2gtk3-jsc
Purl
pkg:rpm/tuxcare/webkit2gtk3-jsc?distro=almalinux-9.2

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
2.52.3-1.el9.tuxcare.els8

Database specific

source
"https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/almalinux9.2esu/CLSA-2026-1777544437.json"

TuxCare:AlmaLinux:9.2 / webkit2gtk3-jsc-devel

Package

Name
webkit2gtk3-jsc-devel
Purl
pkg:rpm/tuxcare/webkit2gtk3-jsc-devel?distro=almalinux-9.2

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
2.52.3-1.el9.tuxcare.els8

Database specific

source
"https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/almalinux9.2esu/CLSA-2026-1777544437.json"