November 28, 2022

WebKitGTK 2.39.2 released!

by The WebKitGTK Project

This is a development release leading toward 2.40 series.

What’s new in the WebKitGTK 2.39.2 release?

  • Add API to support asynchronously returning values from user script messages.
  • Deprecate WebKitConsoleMessage API.
  • Deprecate event parameter of WebKitWebView::context-menu and WebKitWebView::show-option-menu signals in favor of a getter in WebKitContextMenu and WebKitOptionMenu.
  • Do not emit context-menu signals for media settings popup menu.
  • Use async scrolling also for keyboard scrolling.
  • Add support for client side certificates on WebSocket connections.
  • Fix first party for cookies set on every media request.
  • Fix a crash on authentication dialog with GTK4.
  • Fix web process leak when webkit_download_set_destination is called with empty destination.
  • Fix several warnings when building for ARMv7 (32-bits).
  • Fix several crashes and rendering issues.

Thanks to all the contributors who made possible this release.

November 28, 2022 12:00 AM



November 11, 2022

WebKitGTK 2.39.1 released!

by The WebKitGTK Project

This is the first development release leading toward 2.40 series.

What’s new in the WebKitGTK 2.39.1 release?

  • Use ANGLE for WebGL implementation and enable WebGL2.
  • Remove internal nested wayland compositor making libwpe mandatory when building with wayland enabled.
  • Prefer EGL over X11, instead of GLX, where available.
  • Add support for background-repeat: space.
  • Add API to check if a response policy decision is for the main resource.
  • Fix rendering of checkbox and radio buttons in black backgrounds.
  • Make checkbox, radio and inner spin button scale along with page zoom.
  • Add support for get computed label and get computed role WebDriver commands.
  • Fix several crashes and rendering issues.

Thanks to all the contributors who made possible this release.

November 11, 2022 12:00 AM



November 04, 2022

Stop Using QtWebKit

by Michael Catanzaro

Today, WebKit in Linux operating systems is much more secure than it used to be. The problems that I previously discussed in this old, formerly-popular blog post are nowadays a thing of the past. Most major Linux operating systems now update WebKitGTK and WPE WebKit on a regular basis to ensure known vulnerabilities are fixed. (Not all Linux operating systems include WPE WebKit. It’s basically WebKitGTK without the dependency on GTK, and is the best choice if you want to use WebKit on embedded devices.) All major operating systems have removed older, insecure versions of WebKitGTK (“WebKit 1”) that were previously a major security problem for Linux users. And today WebKitGTK and WPE WebKit both provide a webkit_web_context_set_sandbox_enabled() API which, if enabled, employs Linux namespaces to prevent a compromised web content process from accessing your personal data, similar to Flatpak’s sandbox. (If you are a developer and your application does not already enable the sandbox, you should fix that!)

Unfortunately, QtWebKit has not benefited from these improvements. QtWebKit was removed from the upstream WebKit codebase back in 2013. Its current status in Fedora is, unfortunately, representative of other major Linux operating systems. Fedora currently contains two versions of QtWebKit:

  • The qtwebkit package contains upstream QtWebKit 2.3.4 from 2014. I believe this is used by Qt 4 applications. For avoidance of doubt, you should not use applications that depend on a web engine that has not been updated in eight years.
  • The newer qt5-qtwebkit contains Konstantin Tokarev’s fork of QtWebKit, which is de facto the new upstream and without a doubt the best version of QtWebKit available currently. Although it has received occasional updates, most recently 5.212.0-alpha4 from March 2020, it’s still based on WebKitGTK 2.12 from 2016, and the release notes bluntly state that it’s not very safe to use. Looking at WebKitGTK security advisories beginning with WSA-2016-0006, I manually counted 507 CVEs that have been fixed in WebKitGTK 2.14.0 or newer.

These CVEs are mostly (but not exclusively) remote code execution vulnerabilities. Many of those CVEs no doubt correspond to bugs that were introduced more recently than 2.12, but the exact number is not important: what’s important is that it’s a lot, far too many for backporting security fixes to be practical. Since qt5-qtwebkit is two years newer than qtwebkit, the qtwebkit package is no doubt in even worse shape. And because QtWebKit does not have any web process sandbox, any remote code execution is game over: an attacker that exploits QtWebKit gains full access to your user account on your computer, and can steal or destroy all your files, read all your passwords out of your password manager, and do anything else that your user account can do with your computer. In contrast, with WebKitGTK or WPE WebKit’s web process sandbox enabled, attackers only get access to content that’s mounted within the sandbox, which is a much more limited environment without access to your home directory or session bus.

In short, it’s long past time for Linux operating systems to remove QtWebKit and everything that depends on it. Do not feed untrusted data into QtWebKit. Don’t give it any HTML that you didn’t write yourself, and certainly don’t give it anything that contains injected data. Uninstall it and whatever applications depend on it.

Update: I forgot to mention what to do if you are a developer and your application still uses QtWebKit. You should ensure it uses the most recent release of QtWebEngine for Qt 6. Do not use old versions of Qt 6, and do not use QtWebEngine for Qt 5.

by Michael Catanzaro at November 04, 2022 05:20 PM



WebKitGTK and WPE WebKit Security Advisory WSA-2022-0010

by The WebKitGTK Project

Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.

  • CVE-2022-32888
    • Versions affected: WebKitGTK and WPE WebKit before 2.38.0.
    • Credit to P1umer (@p1umer).
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: An out-of-bounds write issue was addressed with improved bounds checking.
  • CVE-2022-32923
    • Versions affected: WebKitGTK and WPE WebKit before 2.38.0.
    • Credit to Wonyoung Jung (@nonetype_pwn) of KAIST Hacking Lab.
    • Impact: Processing maliciously crafted web content may disclose internal states of the app. Description: A correctness issue in the JIT was addressed with improved checks.
  • CVE-2022-42799
    • Versions affected: WebKitGTK and WPE WebKit before 2.38.2.
    • Credit to Jihwan Kim (@gPayl0ad), Dohyun Lee (@l33d0hyun).
    • Impact: Visiting a malicious website may lead to user interface spoofing. Description: The issue was addressed with improved UI handling.
  • CVE-2022-42823
    • Versions affected: WebKitGTK and WPE WebKit before 2.38.2.
    • Credit to Dohyun Lee (@l33d0hyun) of SSD Labs.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: A type confusion issue was addressed with improved memory handling.
  • CVE-2022-42824
    • Versions affected: WebKitGTK before 2.38.2.
    • Credit to Abdulrahman Alqabandi of Microsoft Browser Vulnerability Research, Ryan Shin of IAAI SecLab at Korea University, Dohyun Lee (@l33d0hyun) of DNSLab at Korea University.
    • Impact: Processing maliciously crafted web content may disclose sensitive user information. Description: A logic issue was addressed with improved state management.

We recommend updating to the latest stable versions of WebKitGTK and WPE WebKit. It is the best way to ensure that you are running safe versions of WebKit. Please check our websites for information about the latest stable releases.

Further information about WebKitGTK and WPE WebKit security advisories can be found at: https://webkitgtk.org/security.html or https://wpewebkit.org/security/.

November 04, 2022 12:00 AM
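
To triage an installed version against advisories in the layout used above, the "Versions affected" lines can be parsed and compared with the version in use. The following is an added example, not code from the WebKitGTK project; the function names are hypothetical, and the excerpt is assembled from entries in the advisories on this page.

```python
import re

# Excerpt assembled for this example from advisory entries on this page
# (only the CVE and "Versions affected" lines are kept).
ADVISORY_EXCERPT = """\
  • CVE-2022-32888
    • Versions affected: WebKitGTK and WPE WebKit before 2.38.0.
  • CVE-2022-42824
    • Versions affected: WebKitGTK before 2.38.2.
  • CVE-2022-22624
    • Versions affected: WebKitGTK before 2.36.0 and WPE WebKit before 2.34.7.
  • CVE-2022-2294
    • Versions affected: WebKitGTK and WPE WebKit before 2.36.5 if USE_LIBWEBRTC is enabled.
"""

PRODUCTS = ("WebKitGTK", "WPE WebKit")
_PRODUCT = r"(?:WebKitGTK|WPE WebKit)"
# Matches "WebKitGTK before X", "WPE WebKit before X" and
# "WebKitGTK and WPE WebKit before X"; the sentence-ending dot is not consumed.
_RANGE_RE = re.compile(rf"({_PRODUCT}(?: and {_PRODUCT})?) before (\d+(?:\.\d+)+)")
_CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
_COND_RE = re.compile(r"\bif (.+?)\.?$")


def parse_version(text, width=3):
    """Turn '2.38' or '2.38.2' into a zero-padded tuple of integers."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (width - len(parts)))


def parse_advisory(text):
    """Return one dict per CVE: id, first fixed version per product, condition."""
    entries = []
    current = None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if _CVE_RE.fullmatch(line):
            current = {"cve": line, "fixed_in": {}, "condition": None}
            entries.append(current)
        elif current is not None and line.startswith("Versions affected:"):
            for names, version in _RANGE_RE.findall(line):
                for product in names.split(" and "):
                    current["fixed_in"][product] = version
            # Build-time conditions such as "if USE_LIBWEBRTC is enabled".
            cond = _COND_RE.search(line)
            if cond:
                current["condition"] = cond.group(1)
    return entries


def affected_cves(entries, product, installed):
    """List (cve, first_fixed_version, condition) that apply to `installed`."""
    if product not in PRODUCTS:
        raise ValueError(f"unknown product: {product!r}")
    have = parse_version(installed)
    hits = []
    for entry in entries:
        fixed = entry["fixed_in"].get(product)
        # A product missing from the line is not listed as affected.
        if fixed is not None and have < parse_version(fixed):
            hits.append((entry["cve"], fixed, entry["condition"]))
    return hits


if __name__ == "__main__":
    parsed = parse_advisory(ADVISORY_EXCERPT)
    for product, version in (("WebKitGTK", "2.38.1"), ("WPE WebKit", "2.34.6")):
        print(f"{product} {version}:")
        for cve, fixed, condition in affected_cves(parsed, product, version):
            note = f" (only if {condition})" if condition else ""
            print(f"  {cve}: update to {fixed} or newer{note}")
```
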



WebKitGTK 2.38.2 released!

by The WebKitGTK Project

This is a bug fix release in the stable 2.38 series.

What’s new in the WebKitGTK 2.38.2 release?

  • Fix scrolling issues in some sites having fixed background.
  • Fix prolonged buffering during progressive live playback.
  • Fix the build with accessibility disabled.
  • Fix several crashes and rendering issues.

Thanks to all the contributors who made possible this release.

November 04, 2022 12:00 AM



October 20, 2022

WebKitGTK 2.38.1 released!

by The WebKitGTK Project

This is the first bug fix release in the stable 2.38 series.

What’s new in the WebKitGTK 2.38.1 release?

  • Make xdg-dbus-proxy work if host session bus address is an abstract socket.
  • Use a single xdg-dbus-proxy process when sandbox is enabled.
  • Fix high resolution video playback due to unimplemented changeType operation.
  • Ensure GSubprocess uses posix_spawn() again and inherit file descriptors.
  • Fix player getting stuck in buffering (paused) state for progressive streaming.
  • Do not try to preconnect on link click when link preconnect setting is disabled.
  • Fix close status code returned when the client closes a WebSocket in some cases.
  • Fix media player duration calculation.
  • Fix several crashes and rendering issues.

Thanks to all the contributors who made possible this release.

October 20, 2022 12:00 AM



October 03, 2022

Mon 2022/Oct/03

by Claudio Saavedra

The series on the WPE port by the WebKit team at Igalia grows, with several new articles that go deep into different areas of the engine:

These articles are an interesting read not only if you're working on WebKit, but also if you are curious about how a modern browser engine works and some of the moving parts beneath the surface. So go check them out!

On a related note, the WebKit team is always on the lookout for talent to join us. Experience with WebKit or browsers is not necessarily a must, as we know from experience that anyone with a strong C/C++ background and enough curiosity will be able to ramp up and start contributing soon enough. If these articles spark your curiosity, feel free to reach out to me to find out more or to apply directly!

October 03, 2022 11:28 AM



September 19, 2022

WebKitGTK and WPE WebKit Security Advisory WSA-2022-0009

by The WebKitGTK Project

Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.

  • CVE-2022-32886
    • Versions affected: WebKitGTK and WPE WebKit before 2.36.8.
    • Credit to P1umer, afang5472, xmzyshypnc.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: A buffer overflow issue was addressed with improved memory handling.
  • CVE-2022-32891
    • Versions affected: WebKitGTK and WPE WebKit before 2.36.5.
    • Credit to @real_as3617, an anonymous researcher.
    • Impact: Visiting a website that frames malicious content may lead to UI spoofing. Description: The issue was addressed with improved UI handling.
  • CVE-2022-32912
    • Versions affected: WebKitGTK and WPE WebKit before 2.36.8.
    • Credit to Jeonghoon Shin (@singi21a) at Theori working with Trend Micro Zero Day Initiative.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: An out-of-bounds read was addressed with improved bounds checking. This issue only affects MacOS builds (Linux builds are not affected).

We recommend updating to the latest stable versions of WebKitGTK and WPE WebKit. It is the best way to ensure that you are running safe versions of WebKit. Please check our websites for information about the latest stable releases.

Further information about WebKitGTK and WPE WebKit security advisories can be found at: https://webkitgtk.org/security.html or https://wpewebkit.org/security/.

September 19, 2022 12:00 AM



September 16, 2022

WebKitGTK 2.38.0 released!

by The WebKitGTK Project

This is the first stable release in the 2.38 series.

Highlights of the WebKitGTK 2.38.0 release

  • New media controls UI style.
  • Add new API to set WebView’s Content-Security-Policy for web extensions support.
  • Make it possible to use the remote inspector from other browsers using WEBKIT_INSPECTOR_HTTP_SERVER env var.
  • MediaSession is enabled by default, allowing remote media control using MPRIS.
  • Add support for PDF documents using PDF.js.

For more details about all the changes included in WebKitGTK 2.38 see the NEWS file that is included in the tarball.

Thanks to all the contributors who made possible this release.

September 16, 2022 12:00 AM



WebKitGTK 2.36.8 released!

by The WebKitGTK Project

This is a bug fix release in the stable 2.36 series.

What’s new in the WebKitGTK 2.36.8 release?

  • Fix jumpy elements when scrolling GitLab and other web sites.
  • Fix WebKitWebView:web-process-terminated signal not being emitted for the first web view when sandboxing is enabled.
  • Fix hang when opening HTML <select> elements in GTK4 builds.
  • Fix kinetic scrolling with elements that use overflow scrolling.
  • Fix several crashes and rendering issues.

Thanks to all the contributors who made possible this release.

September 16, 2022 12:00 AM



September 02, 2022

WebKitGTK 2.37.91 released!

by The WebKitGTK Project

This is a development release leading toward 2.38 series.

What’s new in the WebKitGTK 2.37.91 release?

  • Cache and reuse image-based backing stores to improve memory consumption.
  • Fix printing with bubblewrap sandbox enabled.
  • Deprecate enable-frame-flattening setting because the functionality will be removed for 2.40.
  • Fix deadlock when disposing player while handling rotation tag.
  • Fix several crashes and rendering issues.
  • Translation updates: Polish.

Thanks to all the contributors who made possible this release.

September 02, 2022 12:00 AM



August 25, 2022

WebKitGTK and WPE WebKit Security Advisory WSA-2022-0008

by The WebKitGTK Project

  • Date Reported: August 25, 2022

  • Advisory ID: WSA-2022-0008

  • CVE identifiers: CVE-2022-32893.

Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.

  • CVE-2022-32893
    • Versions affected: WebKitGTK and WPE WebKit before 2.36.7.
    • Credit to an anonymous researcher.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

We recommend updating to the latest stable versions of WebKitGTK and WPE WebKit. It is the best way to ensure that you are running safe versions of WebKit. Please check our websites for information about the latest stable releases.

Further information about WebKitGTK and WPE WebKit security advisories can be found at: https://webkitgtk.org/security.html or https://wpewebkit.org/security/.

August 25, 2022 12:00 AM



August 24, 2022

WebKitGTK 2.36.7 released!

by The WebKitGTK Project

This is a bug fix release in the stable 2.36 series.

What’s new in the WebKitGTK 2.36.7 release?

  • Fix several crashes and rendering issues.

Thanks to all the contributors who made possible this release.

August 24, 2022 12:00 AM



August 19, 2022

WebKitGTK 2.37.90 released!

by The WebKitGTK Project

This is a development release leading toward 2.38 series.

What’s new in the WebKitGTK 2.37.90 release?

  • Remove libnotify dependency.
  • Add support for service worker notifications.
  • Add support for loading the notification icon.
  • Add support for pac proxy type in WebDriver.
  • Fix several crashes and rendering issues.
  • Translation updates: Swedish.

Thanks to all the contributors who made possible this release.

August 19, 2022 12:00 AM



August 07, 2022

WebKitGTK 2.36.6 released!

by The WebKitGTK Project

This is a bug fix release in the stable 2.36 series.

What’s new in the WebKitGTK 2.36.6 release?

  • Fix handling of touchpad scrolling on GTK4 builds.
  • Fix WebKitGTK not allowing use from non-main threads.
  • Fix several crashes and rendering issues.

Thanks to all the contributors who made possible this release.

August 07, 2022 12:00 AM



July 28, 2022

WebKitGTK and WPE WebKit Security Advisory WSA-2022-0007

by The WebKitGTK Project

Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.

  • CVE-2022-32792
    • Versions affected: WebKitGTK and WPE WebKit before 2.36.5.
    • Credit to Manfred Paul (@_manfp) working with Trend Micro Zero Day Initiative.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: An out-of-bounds write issue was addressed with improved input validation.
  • CVE-2022-32816
    • Versions affected: WebKitGTK and WPE WebKit before 2.36.5.
    • Credit to Dohyun Lee (@l33d0hyun) of SSD Secure Disclosure Labs & DNSLab, Korea Univ.
    • Impact: Visiting a website that frames malicious content may lead to UI spoofing. Description: The issue was addressed with improved UI handling.
  • CVE-2022-2294
    • Versions affected: WebKitGTK and WPE WebKit before 2.36.5 if USE_LIBWEBRTC is enabled.
    • Credit to Jan Vojtesek of Avast Threat Intelligence team.
    • Heap buffer overflow in LibWebRTC allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. NOTE: The tarballs of WebKitGTK or WPE WebKit don’t ship LibWebRTC. Also the LibWebRTC support is disabled by default. You only are affected by this vulnerability if your build enabled the USE_LIBWEBRTC CMake option and used the repository as source instead of the tarballs.

We recommend updating to the latest stable versions of WebKitGTK and WPE WebKit. It is the best way to ensure that you are running safe versions of WebKit. Please check our websites for information about the latest stable releases.

Further information about WebKitGTK and WPE WebKit security advisories can be found at: https://webkitgtk.org/security.html or https://wpewebkit.org/security/.

July 28, 2022 12:00 AM



WebKitGTK 2.36.5 released!

by The WebKitGTK Project

This is a bug fix release in the stable 2.36 series.

What’s new in the WebKitGTK 2.36.5 release?

  • Add support for PAC proxy in the WebDriver implementation.
  • Fix video playback when loaded through custom URIs, this fixes video playback in the Yelp documentation browser.
  • Fix WebKitWebView::context-menu when using GTK4.
  • Fix LTO builds with GCC.
  • Fix several crashes and rendering issues.

Thanks to all the contributors who made possible this release.

July 28, 2022 12:00 AM



July 20, 2022

Gamepad in WPEWebkit

by Víctor Jáquez

This is the brief story of the Gamepad implementation in WPEWebKit.

It started with an early development done by Eugene Mutavchi (kudos!). Later, by the end of 2021, I retook those patches and discussed them with my fellow igalian Adrián, and we decided to come up with a slightly different approach.

Before going into the details, let’s quickly review the WPE architecture:

  1. cog library — it’s a shell library that simplifies the task of writing a WPE browser from scratch, by providing common functionality and helper APIs.
  2. WebKit library — that’s the web engine that, given a URI and other following inputs, returns, among other outputs, graphic buffers with the page rendered.
  3. WPE library — it’s the API that bridges cog (1) (or whatever other browser application) and WebKit (2).
  4. WPE backend — its main duty is to provide graphic buffers to WebKit, buffers supported by the hardware, the operating system, windowing system, etc.

Eugene’s implementation has code in WebKit (implementing the gamepad support for WPE port); code in WPE library with an API to communicate WebKit’s gamepad and WPE backend, which provided a custom implementation of gamepad, reading the events directly from the Linux device. Almost everything was there, but there were some issues:

  • WPE backend is mainly designed as a set of protocols, similar to Wayland, to deal with graphic buffers or audio buffers, but not for input events. Cog library is the place where input events are handled and injected to WebKit, such as keyboard.
  • The gamepad handling in a WPE backend was ad-hoc and low level, reading the events directly from Linux devices. This approach is problematic since there are plenty of gamepads in the market and each has its own axes and buttons, so remapping them to the standard map is required. To overcome this issue and many others, there’s a GNOME library: libmanette, which is already used by WebKitGTK port.

Today’s status of the gamepad support is that it works but it’s not yet fully upstreamed.

  • merged libwpe pull request.
  • cog pull request — there are two implementations: none and libmanette. None is just a dummy implementation which will ignore any request for a gamepad provider; it’s provided if libmanette is not available or if the available libwpe doesn’t have gamepad support.
  • WebKit pull request.

To prove to you all that it works my exhibit A is this video, where I play asteroids on a Raspberry Pi 4 64 bits:

The image was done with buildroot, using its master branch (from a week ago) with a bunch of modifications, such as adding libmanette, a kernel patch for my gamepad device, kernel 5.15.55 and its corresponding firmware, etc.

by vjaquez at July 20, 2022 10:08 AM



July 12, 2022

WebKitGTK 2.37.1 released!

by The WebKitGTK Project

This is the first development release leading toward 2.38 series.

What’s new in the WebKitGTK 2.37.1 release?

  • Add initial implementation of WebRTC using GstWebRTC if GStreamer 1.20 is available, disabled by default via web view settings.
  • Add new API to set WebView’s Content-Security-Policy for web extensions support.
  • Add new API to run async JavaScript functions.
  • Expose typed arrays in JavaScriptCore GLib API.
  • Add support for PDF documents using PDF.js.
  • Show font name and font variant settings in the inspector.
  • MediaSession is enabled by default, allowing remote media control using MPRIS.
  • Modernized media controls UI.
  • Add support for Google Dynamic Ad Insertion (DAI).
  • Add support for capturing encoded video streams from a webcam.
  • Make it possible to use the remote inspector from other browsers using WEBKIT_INSPECTOR_HTTP_SERVER env var.
  • Add support for IPv6 in the remote inspector.
  • Update form elements style to match libadwaita.
  • Fix canvas animations and images with threaded rendering enabled.
  • Switch to use gi-docgen for API documentation instead of gtk-doc.
  • Remove the ATK a11y implementation that has been replaced by AT-SPI DBus interfaces.
  • Fix several crashes and rendering issues.

Thanks to all the contributors who made possible this release.

July 12, 2022 12:00 AM



July 05, 2022

WebKitGTK and WPE WebKit Security Advisory WSA-2022-0006

by The WebKitGTK Project

Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.

  • CVE-2022-22662
    • Versions affected: WebKitGTK and WPE WebKit before 2.36.0.
    • Credit to Prakash (@1lastBr3ath) of Threat Nix.
    • Impact: Processing maliciously crafted web content may disclose sensitive user information. Description: A cookie management issue was addressed with improved state management.
  • CVE-2022-22677
    • Versions affected: WebKitGTK and WPE WebKit before 2.36.4.
    • Credit to an anonymous researcher.
    • Impact: The video in a webRTC call may be interrupted if the audio capture gets interrupted. Description: A logic issue in the handling of concurrent media was addressed with improved state handling. NOTE: The tarballs of WebKitGTK or WPE WebKit don’t ship LibWebRTC. Also the LibWebRTC support is disabled by default. You only are affected by this vulnerability if your build enabled the USE_LIBWEBRTC CMake option and used the repository as source instead of the tarballs.
  • CVE-2022-26710
    • Versions affected: WebKitGTK and WPE WebKit before 2.36.4.
    • Credit to Chijin Zhou of ShuiMuYuLin Ltd and Tsinghua wingtecher lab.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: A use after free issue was addressed with improved memory management.

We recommend updating to the latest stable versions of WebKitGTK and WPE WebKit. It is the best way to ensure that you are running safe versions of WebKit. Please check our websites for information about the latest stable releases.

Further information about WebKitGTK and WPE WebKit security advisories can be found at: https://webkitgtk.org/security.html or https://wpewebkit.org/security/.

July 05, 2022 12:00 AM



WebKitGTK 2.36.4 released!

by The WebKitGTK Project

This is a bug fix release in the stable 2.36 series.

What’s new in the WebKitGTK 2.36.4 release?

  • Fix the new ATSPI accessibility implementation to add the missing Collection interface for the loaded document.
  • Fix the MediaSession implementation to make the MPRIS object names more sandbox friendly, which plays better with Flatpak and WebKit’s own Bubblewrap-based sandboxing.
  • Fix leaked Web Processes in some particular situations.
  • Fix the build with media capture support enabled.
  • Fix cross-compilation when targeting 64-bit ARM.
  • Fix several crashes and rendering issues.

Thanks to all the contributors who made possible this release.

July 05, 2022 12:00 AM



July 01, 2022

Fri 2022/Jul/01

by Claudio Saavedra

I wrote a technical overview of the WebKit WPE project for the WPE WebKit blog, for those interested in WPE as a potential solution to the problem of browsers in embedded devices.

This article begins a series of technical writeups on the architecture of WPE, and we hope to publish during the rest of the year further articles breaking down different components of WebKit, including graphics and other subsystems, that will surely be of great help for those interested in getting more familiar with WebKit and its internals.

July 01, 2022 10:39 AM



May 30, 2022

WebKitGTK and WPE WebKit Security Advisory WSA-2022-0005

by The WebKitGTK Project

Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.

  • CVE-2022-26700
    • Versions affected: WebKitGTK and WPE WebKit before 2.36.3.
    • Credit to ryuzaki.
    • Impact: Processing maliciously crafted web content may lead to code execution. Description: A memory corruption issue was addressed with improved state management.
  • CVE-2022-26709
    • Versions affected: WebKitGTK and WPE WebKit before 2.36.3.
    • Credit to Chijin Zhou of ShuiMuYuLin Ltd and Tsinghua wingtecher lab.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: A use after free issue was addressed with improved memory management.
  • CVE-2022-26717
    • Versions affected: WebKitGTK and WPE WebKit before 2.36.3.
    • Credit to Jeonghoon Shin of Theori.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: A use after free issue was addressed with improved memory management.
  • CVE-2022-26716
    • Versions affected: WebKitGTK and WPE WebKit before 2.36.3.
    • Credit to SorryMybad (@S0rryMybad) of Kunlun Lab.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: A memory corruption issue was addressed with improved state management.
  • CVE-2022-26719
    • Versions affected: WebKitGTK and WPE WebKit before 2.36.3.
    • Credit to Dongzhuo Zhao working with ADLab of Venustech.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: A memory corruption issue was addressed with improved state management.
  • CVE-2022-30293
    • Versions affected: WebKitGTK and WPE WebKit before 2.36.1.
    • Credit to Chijin Zhou of ShuiMuYuLin Ltd and Tsinghua wingtecher lab.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution or to a denial of service (application crash). Description: A memory corruption issue that could cause a heap use after free or a heap buffer overflow in WebCore::TextureMapperLayer::setContentsLayer was addressed with improved state management.
  • CVE-2022-30294
    • Versions affected: WebKitGTK and WPE WebKit before 2.36.1.
    • Credit to Chijin Zhou of ShuiMuYuLin Ltd and Tsinghua wingtecher lab.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution or to a denial of service (application crash). Description: A memory corruption issue that could cause a heap use after free or a heap buffer overflow in WebCore::TextureMapperLayer::setContentsLayer was addressed with improved state management. This is the same issue as CVE-2022-30293.

We recommend updating to the latest stable versions of WebKitGTK and WPE WebKit. It is the best way to ensure that you are running safe versions of WebKit. Please check our websites for information about the latest stable releases.

Further information about WebKitGTK and WPE WebKit security advisories can be found at: https://webkitgtk.org/security.html or https://wpewebkit.org/security/.

May 30, 2022 12:00 AM



May 28, 2022

WebKitGTK 2.36.3 released!

by The WebKitGTK Project

This is a bug fix release in the stable 2.36 series.

What’s new in the WebKitGTK 2.36.3 release?

  • Support capturing already encoded video streams, which takes advantage of encoding done in hardware by devices which support this feature.
  • Avoid using experimental GStreamer elements for video demuxing.
  • Avoid using the legacy GStreamer VA-API decoding plug-ins, which often cause rendering issues and are not much maintained. Their usage can be re-enabled setting WEBKIT_GST_ENABLE_LEGACY_VAAPI=1 in the environment.
  • Fix playback of YouTube streams which use dynamic ad insertion.
  • Fix display capture with Pipewire.
  • Fix the build without the X11 target when X11 headers are not present.
  • Fix several crashes and rendering issues.

Thanks to all the contributors who made possible this release.

May 28, 2022 12:00 AM



May 18, 2022

WebKitGTK 2.36.2 released!

by The WebKitGTK Project

This is a bug fix release in the stable 2.36 series.

What’s new in the WebKitGTK 2.36.2 release?

  • Fix some pages showing empty content boxes when using GTK4.
  • Fix the build with accessibility disabled.
  • Fix the build with newer Ruby versions.
  • Fix several crashes and rendering issues.

Thanks to all the contributors who made possible this release.

May 18, 2022 12:00 AM



May 02, 2022

From gst-build to local-projects

by Víctor Jáquez

Two years ago I wrote a blog post about using gst-build inside of WebKit SDK flatpak. Well, all that has changed. That’s the true upstream spirit.

There were two main reasons for the change:

  1. Since the switch to the GStreamer mono repository, gst-build has been deprecated. The mechanisms in WebKit were added, basically, to allow GStreamer upstream, so keeping the gst-build directory just polluted the conceptual framework.
  2. By using gst-build one could override almost any other package in WebKit SDK. For example, for developing gamepad handling in WPE I added libmanette as a GStreamer subproject, to link a modified version of the library rather than the one in flatpak. But that approach added an unneeded conceptual depth in tree.

In order to simplify these operations, by taking advantage of Meson’s subproject support directly, gst-build handling was removed and a new mechanism was set in place: Local Dependencies. With local dependencies, you can add or override almost any dependency, while flattening the tree layout, by placing GStreamer and any other library at the same level. Of course, in order to add dependencies, they must be built with Meson.

For example, to override libsoup and GStreamer, just clone both repositories below Tools/flatpak/local-projects/subprojects, and declare them in the WEBKIT_LOCAL_DEPS environment variable:


$ export WEBKIT_SDK_LOCAL_DEPS=libsoup,gstreamer-full
$ export WEBKIT_SDK_LOCAL_DEPS_OPTIONS="-Dgstreamer-full:introspection=disabled -Dgst-plugins-good:soup=disabled"
$ build-webkit --wpe

by vjaquez at May 02, 2022 11:11 AM



April 21, 2022

WebKitGTK 2.36.1 released!

by The WebKitGTK Project

This is the first bug fix release in the stable 2.36 series.

What’s new in the WebKitGTK 2.36.1 release?

  • Fix the build with accessibility disabled.
  • Fix several crashes and rendering issues.
  • Translation updates: Croatian.

Thanks to all the contributors who made possible this release.

April 21, 2022 12:00 AM



April 08, 2022

WebKitGTK and WPE WebKit Security Advisory WSA-2022-0004

by The WebKitGTK Project

Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.

  • CVE-2022-22624
    • Versions affected: WebKitGTK before 2.36.0 and WPE WebKit before 2.34.7.
    • Credit to Kirin (@Pwnrin) of Tencent Security Xuanwu Lab.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: A use after free issue was addressed with improved memory management.
  • CVE-2022-22628
    • Versions affected: WebKitGTK before 2.36.0 and WPE WebKit before 2.34.7.
    • Credit to Kirin (@Pwnrin) of Tencent Security Xuanwu Lab.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: A use after free issue was addressed with improved memory management.
  • CVE-2022-22629
    • Versions affected: WebKitGTK before 2.36.0 and WPE WebKit before 2.34.7.
    • Credit to Jeonghoon Shin at Theori working with Trend Micro Zero Day Initiative.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: A buffer overflow issue was addressed with improved memory handling.
  • CVE-2022-22637
    • Versions affected: WebKitGTK before 2.34.4 and WPE WebKit before 2.34.4.
    • Credit to Tom McKee of Google.
    • Impact: A malicious website may cause unexpected cross-origin behavior. Description: A logic issue was addressed with improved state management.

We recommend updating to the latest stable versions of WebKitGTK and WPE WebKit. It is the best way to ensure that you are running safe versions of WebKit. Please check our websites for information about the latest stable releases.

Further information about WebKitGTK and WPE WebKit security advisories can be found at: https://webkitgtk.org/security.html or https://wpewebkit.org/security/.

April 08, 2022 12:00 AM



March 21, 2022

WebKitGTK 2.36.0 released!

by The WebKitGTK Project

This is the first stable release in the 2.36 series.

Highlights of the WebKitGTK 2.36.0 release

  • Add new accessibility implementation using ATSPI DBus interfaces instead of ATK.
  • Add support for requestVideoFrameCallback.
  • Change hardware-acceleration-policy setting default value to always.
  • Add support for media session.
  • Add new API to set HTTP response information to custom uri schemes.
  • Make user interactive threads (event handler, scrolling, …) real time in linux.

For more details about all the changes included in WebKitGTK 2.36 see the NEWS file that is included in the tarball.

Thanks to all the contributors who made possible this release.

March 21, 2022 12:00 AM



February 25, 2022

WebKitGTK 2.35.90 released!

by The WebKitGTK Project

This is a development release leading toward 2.36 series.

What’s new in the WebKitGTK 2.35.90 release?

  • Fix scrolling with the mouse wheel on sites using overscroll-behavior.
  • Suspend web processes after some time in the process cache.
  • Fix rendering of horizontal scrollbars with themes enabling steppers.
  • Ensure EGL displays are terminated before web process exits.
  • Deinitialize gstreamer before web process exits.
  • Make fonts under XDG_DATA_DIRS available in web process sandbox.
  • Canonicalize paths passed to bubblewrap launcher.
  • Fix several crashes and rendering issues.
  • Translation updates: Hebrew.

Thanks to all the contributors who made possible this release.

February 25, 2022 12:00 AM



February 17, 2022

WebKitGTK and WPE WebKit Security Advisory WSA-2022-0003

by The WebKitGTK Project

  • Date Reported: February 17, 2022

  • Advisory ID: WSA-2022-0003

  • CVE identifiers: CVE-2022-22620.

Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.

  • CVE-2022-22620
    • Versions affected: WebKitGTK and WPE WebKit before 2.34.6.
    • Credit to an anonymous researcher.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited. Description: A use after free issue was addressed with improved memory management.

We recommend updating to the latest stable versions of WebKitGTK and WPE WebKit. It is the best way to ensure that you are running safe versions of WebKit. Please check our websites for information about the latest stable releases.

Further information about WebKitGTK and WPE WebKit security advisories can be found at: https://webkitgtk.org/security.html or https://wpewebkit.org/security/.

February 17, 2022 12:00 AM



WebKitGTK 2.34.6 released!

by The WebKitGTK Project

This is a bug fix release in the stable 2.34 series.

What’s new in the WebKitGTK 2.34.6 release?

  • Fix accessibility not working when the Bubblewrap sandbox is enabled.
  • Fix rendering of scrollbars when overlay scrollbars are disabled.
  • Fix the build when the X11 support is disabled.
  • Fix the build in a number of situations where the main OpenGL library is not called libGL or libgl, as is the case on systems that use libglvnd.
  • Fix several crashes and rendering issues.

Thanks to all the contributors who made possible this release.

February 17, 2022 12:00 AM



February 09, 2022

WebKitGTK and WPE WebKit Security Advisory WSA-2022-0002

by The WebKitGTK Project

Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.

  • CVE-2022-22589
    • Versions affected: WebKitGTK and WPE WebKit before 2.34.5.
    • Credit to Heige of KnownSec 404 Team (knownsec.com) and Bo Qu of Palo Alto Networks (paloaltonetworks.com).
    • Impact: Processing a maliciously crafted mail message may lead to running arbitrary javascript. Description: A validation issue was addressed with improved input sanitization.
  • CVE-2022-22590
    • Versions affected: WebKitGTK and WPE WebKit before 2.34.5.
    • Credit to Toan Pham from Team Orca of Sea Security (security.sea.com).
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: A use after free issue was addressed with improved memory management.
  • CVE-2022-22592
    • Versions affected: WebKitGTK and WPE WebKit before 2.34.5.
    • Credit to Prakash (@1lastBr3ath).
    • Impact: Processing maliciously crafted web content may prevent Content Security Policy from being enforced. Description: A logic issue was addressed with improved state management.

We recommend updating to the latest stable versions of WebKitGTK and WPE WebKit. It is the best way to ensure that you are running safe versions of WebKit. Please check our websites for information about the latest stable releases.

Further information about WebKitGTK and WPE WebKit security advisories can be found at: https://webkitgtk.org/security.html or https://wpewebkit.org/security/.

February 09, 2022 12:00 AM



WebKitGTK 2.35.3 released!

by The WebKitGTK Project

This is a development release leading toward 2.36 series.

What’s new in the WebKitGTK 2.35.3 release?

  • Fix a crash at startup when bubblewrap sandbox is enabled.
  • Fix a crash when starting a drag and drop on touchscreen.
  • Fix several crashes and rendering issues.

Thanks to all the contributors who made possible this release.

February 09, 2022 12:00 AM



WebKitGTK 2.34.5 released!

by The WebKitGTK Project

This is a bug fix release in the stable 2.34 series.

What’s new in the WebKitGTK 2.34.5 release?

  • Improve VP8 codec selection when using GStreamer 1.20.
  • Fix connecting to the accessibility bus when using the Bubblewrap sandbox.
  • Fix links being incorrectly activated when starting a pinch zoom gesture.
  • Fix touch-based scrolling.
  • Fix the build with recent toolchains based on GCC 12 and on older ones as included e.g. in Ubuntu 18.04.
  • Fix the build with ICU 60, version 61 is no longer required.
  • Fix several crashes and rendering issues.

Thanks to all the contributors who made possible this release.

February 09, 2022 12:00 AM



February 03, 2022

WebKitGTK 2.35.2 released!

by The WebKitGTK Project

This is a development release leading toward 2.36 series.

What’s new in the WebKitGTK 2.35.2 release?

  • Add new accessibility implementation using ATSPI DBus interfaces instead of ATK.
  • Use native GtkWidgets for form validation popups.
  • Add support for requestVideoFrameCallback.
  • Add support for accent colors.
  • Fix pinch zooming from a link to not activate the link.
  • Fix kinetic scrolling via touch screen.
  • Fix several crashes and rendering issues.

Thanks to all the contributors who made possible this release.

February 03, 2022 12:00 AM



January 21, 2022

WebKitGTK and WPE WebKit Security Advisory WSA-2022-0001

by The WebKitGTK Project

Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.

  • CVE-2021-30934
    • Versions affected: WebKitGTK and WPE WebKit before 2.34.4.
    • Credit to Dani Biro.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: A buffer overflow issue was addressed with improved memory handling.
  • CVE-2021-30936
    • Versions affected: WebKitGTK and WPE WebKit before 2.34.4.
    • Credit to Chijin Zhou of ShuiMuYuLin Ltd and Tsinghua wingtecher lab.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: A use after free issue was addressed with improved memory management.
  • CVE-2021-30951
    • Versions affected: WebKitGTK and WPE WebKit before 2.34.4.
    • Credit to Pangu.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: A use after free issue was addressed with improved memory management.
  • CVE-2021-30952
    • Versions affected: WebKitGTK and WPE WebKit before 2.34.4.
    • Credit to WeBin.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: An integer overflow was addressed with improved input validation.
  • CVE-2021-30953
    • Versions affected: WebKitGTK and WPE WebKit before 2.34.4.
    • Credit to VRIJ.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: An out-of-bounds read was addressed with improved bounds checking.
  • CVE-2021-30954
    • Versions affected: WebKitGTK and WPE WebKit before 2.34.4.
    • Credit to Kunlun Lab.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: A type confusion issue was addressed with improved memory handling.
  • CVE-2021-30984
    • Versions affected: WebKitGTK and WPE WebKit before 2.34.4.
    • Credit to Kunlun Lab.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: A race condition was addressed with improved state handling.
  • CVE-2022-22594
    • Versions affected: WebKitGTK and WPE WebKit before 2.34.4.
    • Credit to Martin Bajanik of fingerprintjs.com.
    • Impact: A website may be able to track sensitive user information. Description: A cross-origin issue in the IndexDB API was addressed with improved input validation. Notes: There is a public PoC demonstrating this issue at safarileaks.com so it may have been actively exploited.
  • CVE-2021-45481
    • Versions affected: WebKitGTK and WPE WebKit before 2.34.0.
    • Credit to Chijin Zhou of ShuiMuYuLin Ltd and Tsinghua wingtecher lab.
    • Processing maliciously crafted web content may cause an application crash due to an incorrect memory allocation in WebCore::ImageBufferCairoImageSurfaceBackend::create.
  • CVE-2021-45482
    • Versions affected: WebKitGTK and WPE WebKit before 2.32.4.
    • Credit to Chijin Zhou of ShuiMuYuLin Ltd and Tsinghua wingtecher lab.
    • Processing maliciously crafted web content may cause a memory corruption issue (use-after-free) in WebCore::ContainerNode::firstChild.
  • CVE-2021-45483
    • Versions affected: WebKitGTK and WPE WebKit before 2.34.0.
    • Credit to Chijin Zhou of ShuiMuYuLin Ltd and Tsinghua wingtecher lab.
    • Processing maliciously crafted web content may cause a memory corruption issue (heap-use-after-free) in WebCore::Frame::page.

We recommend updating to the latest stable versions of WebKitGTK and WPE WebKit. It is the best way to ensure that you are running safe versions of WebKit. Please check our websites for information about the latest stable releases.

Further information about WebKitGTK and WPE WebKit security advisories can be found at: https://webkitgtk.org/security.html or https://wpewebkit.org/security/.

January 21, 2022 12:00 AM



WebKitGTK 2.34.4 released!

by The WebKitGTK Project

This is a bug fix release in the stable 2.34 series.

What’s new in the WebKitGTK 2.34.4 release?

  • Fix several crashes and rendering issues.

Thanks to all the contributors who made possible this release.

January 21, 2022 12:00 AM



December 20, 2021

WebKitGTK and WPE WebKit Security Advisory WSA-2021-0007

by The WebKitGTK Project

Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.

  • CVE-2021-30809
    • Versions affected: WebKitGTK and WPE WebKit before 2.32.4.
    • Credit to an anonymous researcher.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: A use after free issue was addressed with improved memory management.
  • CVE-2021-30818
    • Versions affected: WebKitGTK and WPE WebKit before 2.34.0.
    • Credit to Amar Menezes (@amarekano) of Zon8Research.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: A type confusion issue was addressed with improved state handling.
  • CVE-2021-30823
    • Versions affected: WebKitGTK and WPE WebKit before 2.34.0.
    • Credit to David Gullasch of Recurity Labs.
    • Impact: An attacker in a privileged network position may be able to bypass HSTS. Description: A logic issue was addressed with improved restrictions.
  • CVE-2021-30836
    • Versions affected: WebKitGTK and WPE WebKit before 2.32.4.
    • Credit to Peter Nguyen Vu Hoang of STAR Labs.
    • Impact: Processing a maliciously crafted audio file may disclose restricted memory. Description: An out-of-bounds read was addressed with improved input validation.
  • CVE-2021-30884
    • Versions affected: WebKitGTK and WPE WebKit before 2.34.0.
    • Credit to an anonymous researcher.
    • Impact: Visiting a maliciously crafted website may reveal a user’s browsing history. Description: The issue was resolved with additional restrictions on CSS compositing.
  • CVE-2021-30887
    • Versions affected: WebKitGTK and WPE WebKit before 2.34.3.
    • Credit to Narendra Bhati (@imnarendrabhati) of Suma Soft Pvt. Ltd.
    • Impact: Processing maliciously crafted web content may lead to unexpectedly unenforced Content Security Policy. Description: A logic issue was addressed with improved restrictions.
  • CVE-2021-30888
    • Versions affected: WebKitGTK and WPE WebKit before 2.34.0.
    • Credit to Prakash (@1lastBr3ath).
    • Impact: A malicious website using Content Security Policy reports may be able to leak information via redirect behavior. Description: An information leakage issue was addressed.
  • CVE-2021-30889
    • Versions affected: WebKitGTK and WPE WebKit before 2.34.0.
    • Credit to Chijin Zhou of ShuiMuYuLin Ltd and Tsinghua wingtecher lab.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: A buffer overflow issue was addressed with improved memory handling.
  • CVE-2021-30890
    • Versions affected: WebKitGTK and WPE WebKit before 2.34.3.
    • Credit to an anonymous researcher.
    • Impact: Processing maliciously crafted web content may lead to universal cross site scripting. Description: A logic issue was addressed with improved state management.
  • CVE-2021-30897
    • Versions affected: WebKitGTK and WPE WebKit before 2.34.0.
    • Credit to an anonymous researcher.
    • Impact: A malicious website may exfiltrate data cross-origin. Description: An issue existed in the specification for the resource timing API. The specification was updated and the updated specification was implemented.

We recommend updating to the latest stable versions of WebKitGTK and WPE WebKit. It is the best way to ensure that you are running safe versions of WebKit. Please check our websites for information about the latest stable releases.

Further information about WebKitGTK and WPE WebKit security advisories can be found at: https://webkitgtk.org/security.html or https://wpewebkit.org/security/.

December 20, 2021 12:00 AM



WebKitGTK 2.34.3 released!

by The WebKitGTK Project

This is a bug fix release in the stable 2.34 series.

What’s new in the WebKitGTK 2.34.3 release?

  • Make audio tools (like mixers) display the actual name of the application producing sound, instead of a generic one.
  • Fix several crashes and rendering issues.

Thanks to all the contributors who made possible this release.

December 20, 2021 12:00 AM



November 25, 2021

WebKitGTK 2.35.1 released!

by The WebKitGTK Project

This is the first development release leading toward 2.36 series.

What’s new in the WebKitGTK 2.35.1 release?

  • Make user interactive threads (event handler, scrolling, …) real time in linux.
  • Add new API to set HTTP response information to custom uri schemes.
  • Add support for media session.
  • Change hardware-acceleration-policy setting default value to always.
  • Fix jsc_value_object_define_property_accessor() to work with objects not having a wrapped instance.
  • Fix several crashes and rendering issues.

Thanks to all the contributors who made possible this release.

November 25, 2021 12:00 AM



November 24, 2021

WebKitGTK 2.34.2 released!

by The WebKitGTK Project

This is a bug fix release in the stable 2.34 series.

What’s new in the WebKitGTK 2.34.2 release?

  • Fix scrolling issues when pressing Home and PgDown keys.
  • Update effective appearance after web process switch on navigation.
  • Fix the build with video disabled.

Thanks to all the contributors who made possible this release.

November 24, 2021 12:00 AM



October 26, 2021

WebKitGTK and WPE WebKit Security Advisory WSA-2021-0006

by The WebKitGTK Project

Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.

  • CVE-2021-30846
    • Versions affected: WebKitGTK and WPE WebKit before 2.34.0.
    • Credit to Sergei Glazunov of Google Project Zero.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: A memory corruption issue was addressed with improved memory handling.
  • CVE-2021-30848
    • Versions affected: WebKitGTK and WPE WebKit before 2.32.4.
    • Credit to Sergei Glazunov of Google Project Zero.
    • Impact: Processing maliciously crafted web content may lead to code execution. Description: A memory corruption issue was addressed with improved memory handling.
  • CVE-2021-30849
    • Versions affected: WebKitGTK and WPE WebKit before 2.32.4.
    • Credit to Sergei Glazunov of Google Project Zero.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed with improved memory handling.
  • CVE-2021-30851
    • Versions affected: WebKitGTK and WPE WebKit before 2.34.0.
    • Credit to Samuel Groß of Google Project Zero.
    • Impact: Processing maliciously crafted web content may lead to code execution. Description: A memory corruption vulnerability was addressed with improved locking.
  • CVE-2021-30858
    • Versions affected: WebKitGTK and WPE WebKit before 2.32.4.
    • Credit to an anonymous researcher.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited. Description: A use after free issue was addressed with improved memory management.
  • CVE-2021-42762
    • Versions affected: WebKitGTK and WPE WebKit before 2.34.1.
    • Credit to an anonymous reporter.
    • BubblewrapLauncher.cpp allows a limited sandbox bypass that allows a sandboxed process to trick host processes into thinking the sandboxed process is not confined by the sandbox, by abusing VFS syscalls that manipulate its filesystem namespace. The impact is limited to host services that create UNIX sockets that WebKit mounts inside its sandbox, and the sandboxed process remains otherwise confined. NOTE: this is similar to CVE-2021-41133.

We recommend updating to the latest stable versions of WebKitGTK and WPE WebKit. It is the best way to ensure that you are running safe versions of WebKit. Please check our websites for information about the latest stable releases.

Further information about WebKitGTK and WPE WebKit security advisories can be found at: https://webkitgtk.org/security.html or https://wpewebkit.org/security/.

October 26, 2021 12:00 AM



October 21, 2021

WebKitGTK 2.34.1 released!

by The WebKitGTK Project

This is the first bug fix release in the stable 2.34 series.

What’s new in the WebKitGTK 2.34.1 release?

  • Update user agent browser versions.
  • Fix a crash with GTK >= 3.24.30.
  • Fix a crash when loading videos on reddit.
  • Fix file type detection when application calls g_desktop_app_info_set_as_default_for_extension() passing html.

Thanks to all the contributors who made possible this release.

October 21, 2021 12:00 AM



September 22, 2021

WebKitGTK 2.34.0 released!

by The WebKitGTK Project

This is the first stable release in the 2.34 series.

Highlights of the WebKitGTK 2.34.0 release

  • Add support for HTTP/2 when building with libsoup3.
  • Add support for CSS Scroll Snap.
  • Add support for date and datetime-local input elements.
  • Add support for display capture.
  • Add support for ICC color management.
  • Add support for the color-schemes CSS property.
  • Add support for link preconnect when building with libsoup3.
  • Add support for client side certificates when building with libsoup3.
  • Add multi-track support to MSE media backend.
  • Add new API to handle web process unresponsiveness.
  • Add API to disable CORS on a web view for particular domains.
  • Add new API to access/modify capture devices states.
  • Add new API to configure the memory pressure handler.

For more details about all the changes included in WebKitGTK 2.34 see the NEWS file that is included in the tarball.

Thanks to all the contributors who made possible this release.

September 22, 2021 12:00 AM



September 20, 2021

WebKitGTK and WPE WebKit Security Advisory WSA-2021-0005

by The WebKitGTK Project

  • Date Reported: September 20, 2021

  • Advisory ID: WSA-2021-0005

  • CVE identifiers: CVE-2021-30858.

Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.

  • CVE-2021-30858
    • Versions affected: WebKitGTK and WPE WebKit before 2.32.4.
    • Credit to an anonymous researcher.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited. Description: A use after free issue was addressed with improved memory management.

We recommend updating to the latest stable versions of WebKitGTK and WPE WebKit. It is the best way to ensure that you are running safe versions of WebKit. Please check our websites for information about the latest stable releases.

Further information about WebKitGTK and WPE WebKit security advisories can be found at: https://webkitgtk.org/security.html or https://wpewebkit.org/security/.

September 20, 2021 12:00 AM



September 17, 2021

WebKitGTK 2.33.91 released!

by The WebKitGTK Project

This is a development release leading toward 2.34 series.

What’s new in the WebKitGTK 2.33.91 release?

  • Use the right display refresh monitor for animations in accelerated compositing mode.
  • Fix several issues in JavaScriptCore on 32bit systems.
  • Prefer python3 over python2 in CMake.

Thanks to all the contributors who made possible this release.

September 17, 2021 12:00 AM



WebKitGTK 2.32.4 released!

by The WebKitGTK Project

This is a bug fix release in the stable 2.32 series.

What’s new in the WebKitGTK 2.32.4 release?

  • Do not append .asc extension to downloaded text/plain files.
  • Fix several crashes and rendering issues.

Thanks to all the contributors who made possible this release.

September 17, 2021 12:00 AM



September 02, 2021

WebKitGTK 2.33.90 released!

by The WebKitGTK Project

This is a development release leading toward 2.34 series.

What’s new in the WebKitGTK 2.33.90 release?

  • Show TLS protocol version and ciphersuite name in the inspector when building with libsoup3.
  • Add multi-track support to media backend.
  • Avoid strong alias computations in font fallback code.
  • Fix deadlock tearing down pipeline when using fallback sink.
  • Fix the build with gtk-doc enabled.
  • Fix several crashes and rendering issues.

Thanks to all the contributors who made possible this release.

September 02, 2021 12:00 AM



August 16, 2021

WebKitGTK 2.33.3 released!

by The WebKitGTK Project

This is a development release leading toward 2.34 series.

What’s new in the WebKitGTK 2.33.3 release?

  • Add support for display capture.
  • Add new API to access/modify capture devices states.
  • Add new API to configure the memory pressure handler.
  • Add support for client side certificates authentication.
  • Add support for the color-schemes CSS property.
  • Add support for dark scrollbars.
  • Keep GtkSettings used by web processes in sync with the settings set in the UI process.
  • Add support for drawing the scrollbars corner.
  • Allow to opt-out of GL rendering at runtime for media player.
  • Add support for A420 compositing in media player.
  • Improve pinch to zoom gesture in accelerated compositing mode.
  • Fix cookies configuration after a network process crash.
  • Fix touchscreen navigation swipe when the page scrolls horizontally.
  • Fix rendering of elliptic radial gradients.
  • Fix several crashes and rendering issues.
  • Translation updates: Brazilian Portuguese, French, Swedish, Ukrainian

Thanks to all the contributors who made possible this release.

August 16, 2021 12:00 AM



August 02, 2021

Introducing the GNOME Web Canary flavor

by Philippe Normand

Today I am happy to unveil GNOME Web Canary which aims to provide bleeding edge, most likely very unstable builds of Epiphany, depending on daily builds of the WebKitGTK development version. Read on to know more about this.

Until recently the GNOME Web browser was available for end-users in two …

by Philippe Normand at August 02, 2021 12:00 PM



July 23, 2021

WebKitGTK and WPE WebKit Security Advisory WSA-2021-0004

by The WebKitGTK Project

Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.

  • CVE-2021-1817
    • Versions affected: WebKitGTK and WPE WebKit before 2.30.0.
    • Credit to zhunki.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: A memory corruption issue was addressed with improved state management.
  • CVE-2021-1820
    • Versions affected: WebKitGTK and WPE WebKit before 2.30.0.
    • Credit to André Bargull.
    • Impact: Processing maliciously crafted web content may result in the disclosure of process memory. Description: A memory initialization issue was addressed with improved memory handling.
  • CVE-2021-1825
    • Versions affected: WebKitGTK and WPE WebKit before 2.30.0.
    • Credit to Alex Camboe of Aon’s Cyber Solutions.
    • Impact: Processing maliciously crafted web content may lead to a cross site scripting attack. Description: An input validation issue was addressed with improved input validation.
  • CVE-2021-1826
    • Versions affected: WebKitGTK and WPE WebKit before 2.30.0.
    • Credit to an anonymous researcher.
    • Impact: Processing maliciously crafted web content may lead to universal cross site scripting. Description: A logic issue was addressed with improved restrictions.
  • CVE-2021-21775
    • Versions affected: WebKitGTK and WPE WebKit before 2.32.3.
    • Credit to Marcin Towalski of Cisco Talos.
    • A use-after-free vulnerability exists in the way certain events are processed for ImageLoader objects of WebKit. A specially crafted web page can lead to a potential information leak and further memory corruption. In order to trigger the vulnerability, a victim must be tricked into visiting a malicious webpage.
  • CVE-2021-21779
    • Versions affected: WebKitGTK and WPE WebKit before 2.32.3.
    • Credit to Marcin Towalski of Cisco Talos.
    • A use-after-free vulnerability exists in the way that WebKit GraphicsContext handles certain events. A specially crafted web page can lead to a potential information leak and further memory corruption. A victim must be tricked into visiting a malicious web page to trigger this vulnerability.
  • CVE-2021-21806
    • Versions affected: WebKitGTK and WPE WebKit before 2.30.6.
    • Credit to Marcin ‘Icewall’ Noga of Cisco Talos.
    • An exploitable use-after-free vulnerability exists in WebKit. A specially crafted HTML web page can cause a use-after-free condition, resulting in remote code execution. The victim needs to visit a malicious web site to trigger the vulnerability.
  • CVE-2021-30661
    • Versions affected: WebKitGTK and WPE WebKit before 2.30.0.
    • Credit to yangkang(@dnpushme) of 360 ATA.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited. Description: A use after free issue was addressed with improved memory management.
  • CVE-2021-30663
    • Versions affected: WebKitGTK and WPE WebKit before 2.32.3.
    • Credit to an anonymous researcher.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: An integer overflow was addressed with improved input validation.
  • CVE-2021-30665
    • Versions affected: WebKitGTK and WPE WebKit before 2.32.3.
    • Credit to yangkang (@dnpushme)&zerokeeper&bianliang of 360 ATA.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited. Description: A memory corruption issue was addressed with improved state management.
  • CVE-2021-30666
    • Versions affected: WebKitGTK and WPE WebKit before 2.26.0.
    • Credit to yangkang (@dnpushme)&zerokeeper&bianliang of 360 ATA.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited. Description: A buffer overflow issue was addressed with improved memory handling.
  • CVE-2021-30682
    • Versions affected: WebKitGTK and WPE WebKit before 2.32.0.
    • Credit to an anonymous researcher and 1lastBr3ath.
    • Impact: A malicious application may be able to leak sensitive user information. Description: A logic issue was addressed with improved restrictions.
  • CVE-2021-30689
    • Versions affected: WebKitGTK and WPE WebKit before 2.32.3.
    • Credit to an anonymous researcher.
    • Impact: Processing maliciously crafted web content may lead to universal cross site scripting. Description: A logic issue was addressed with improved state management.
  • CVE-2021-30720
    • Versions affected: WebKitGTK and WPE WebKit before 2.32.3.
    • Credit to David Schütz (@xdavidhu).
    • Impact: A malicious website may be able to access restricted ports on arbitrary servers. Description: A logic issue was addressed with improved restrictions.
  • CVE-2021-30734
    • Versions affected: WebKitGTK and WPE WebKit before 2.32.3.
    • Credit to Jack Dates of RET2 Systems, Inc. (@ret2systems) working with Trend Micro Zero Day Initiative.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed with improved memory handling.
  • CVE-2021-30744
    • Versions affected: WebKitGTK and WPE WebKit before 2.32.3.
    • Credit to Dan Hite of jsontop.
    • Impact: Processing maliciously crafted web content may lead to universal cross site scripting. Description: A cross-origin issue with iframe elements was addressed with improved tracking of security origins.
  • CVE-2021-30749
    • Versions affected: WebKitGTK and WPE WebKit before 2.32.3.
    • Credit to an anonymous researcher and mipu94 of SEFCOM lab, ASU, working with Trend Micro Zero Day Initiative.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed with improved memory handling.
  • CVE-2021-30758
    • Versions affected: WebKitGTK and WPE WebKit before 2.32.2.
    • Credit to Christoph Guttandin of Media Codings.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: A type confusion issue was addressed with improved state handling.
  • CVE-2021-30761
    • Versions affected: WebKitGTK and WPE WebKit before 2.26.0.
    • Credit to an anonymous researcher.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited. Description: A memory corruption issue was addressed with improved state management.
  • CVE-2021-30762
    • Versions affected: WebKitGTK and WPE WebKit before 2.28.0.
    • Credit to an anonymous researcher.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited. Description: A use after free issue was addressed with improved memory management.
  • CVE-2021-30795
    • Versions affected: WebKitGTK and WPE WebKit before 2.32.3.
    • Credit to Sergei Glazunov of Google Project Zero.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: A use after free issue was addressed with improved memory management.
  • CVE-2021-30797
    • Versions affected: WebKitGTK and WPE WebKit before 2.32.3.
    • Credit to Ivan Fratric of Google Project Zero.
    • Impact: Processing maliciously crafted web content may lead to code execution. Description: This issue was addressed with improved checks.
  • CVE-2021-30799
    • Versions affected: WebKitGTK and WPE WebKit before 2.32.3.
    • Credit to Sergei Glazunov of Google Project Zero.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed with improved memory handling.

We recommend updating to the latest stable versions of WebKitGTK and WPE WebKit. It is the best way to ensure that you are running safe versions of WebKit. Please check our websites for information about the latest stable releases.

Further information about WebKitGTK and WPE WebKit security advisories can be found at: https://webkitgtk.org/security.html or https://wpewebkit.org/security/.

July 23, 2021 12:00 AM



WebKitGTK 2.32.3 released!

by The WebKitGTK Project

This is a bug fix release in the stable 2.32 series.

What’s new in the WebKitGTK 2.32.3 release?

  • Properly set the cookies settings after a network process crash.
  • Fix accessibility tree after a cross site navigation with PSON enabled.
  • Ensure WebKitScriptWorld::window-object-cleared signal is always emitted.
  • Fix several crashes and rendering issues.

Thanks to all the contributors who made this release possible.

July 23, 2021 12:00 AM



July 09, 2021

WebKitGTK 2.32.2 released!

by The WebKitGTK Project

This is a bug fix release in the stable 2.32 series.

What’s new in the WebKitGTK 2.32.2 release?

  • Improve calculation of initial WebKitWebView size.
  • Fix kinetic scrolling on touchpad with async scrolling off.
  • Fix a crash on empty drag operation in X11.
  • Fix rendering on HiDPI/4K screens and scaling.
  • Handle null native surface for surfaceless rendering.
  • Fix JavaScriptCore crash on 32-bit big endian systems.
  • Fix several crashes and rendering issues.

Thanks to all the contributors who made this release possible.

July 09, 2021 12:00 AM



June 08, 2021

WebKitGTK 2.33.2 released!

by The WebKitGTK Project

This is a development release leading toward 2.34 series.

What’s new in the WebKitGTK 2.33.2 release?

  • HTTP/2 support when building with libsoup3.
  • Add API to disable CORS on a web view for particular domains.
  • Fix rendering on HiDPI/4K screens and scaling.
  • Improve calculation of initial WebKitWebView size.
  • Fix rendering of VP9 with transparency.
  • Remove dependency on glvideoflip and videoflip.
  • Several fixes on scrolling when async scrolling is enabled.
  • Ensure WebKitScriptWorld::window-object-cleared signal is always emitted.
  • Translation updates: Danish, Swedish, Ukrainian.

Thanks to all the contributors who made this release possible.

June 08, 2021 12:00 AM



May 14, 2021

WebKitGTK 2.33.1 released!

by The WebKitGTK Project

This is the first development release leading toward 2.34 series.

What’s new in the WebKitGTK 2.33.1 release?

  • Add support for CSS Scroll Snap.
  • Add support for date and datetime-local input elements.
  • Add support for ICC color management.
  • Build with libsoup3 by default.
  • Add new API to handle web process unresponsiveness.
  • Add support for link preconnect when building with libsoup3.
  • Refactored Media Source Extensions platform code to increase stability and ease support of more features in the future.

Thanks to all the contributors who made this release possible.

May 14, 2021 12:00 AM



May 10, 2021

WebKitGTK 2.32.1 released!

by The WebKitGTK Project

This is the first bug fix release in the stable 2.32 series.

What’s new in the WebKitGTK 2.32.1 release?

  • Support building against the Musl C library.
  • Support building against ICU version 69 or newer.
  • Improve handling of Media Capture devices.
  • Improve WebAudio playback.
  • Improve video orientation handling.
  • Improve seeking support for MSE playback.
  • Improve flush support in EME decryptors.
  • Fix HTTP status codes for requests done through a custom URI handler.
  • Fix the Bubblewrap sandbox in certain 32-bit systems.
  • Fix inconsistencies between the WebKitWebView.is-muted property state and values returned by webkit_web_view_is_playing_audio().
  • Fix the build with ENABLE_VIDEO=OFF.
  • Fix wrong timestamps for long-lived cookies.
  • Fix UI process crash when failing to load favicons.
  • Fix several crashes and rendering issues.
  • Translation updates: Swedish.

Thanks to all the contributors who made this release possible.

May 10, 2021 12:00 AM



April 21, 2021

Review of Igalia Multimedia activities (2020/H2)

by Víctor Jáquez

As the first quarter of 2021 has already come to a close, we reckon it’s time to recap our achievements from the second half of 2020, and update you on the improvements we have been making to the multimedia experience on the Web and Linux in general.

Our previous reports:

WPE / WebKitGTK

We have closed ~100 issues related to multimedia in WebKitGTK/WPE, such as fixing seek issues during playback, plugging memory leaks, gardening tests, improving the Flatpak-based development workflow, enabling new codecs, etc. Overall, we improved the multimedia user experience a bit on these WebKit engine ports.

To highlight a couple of tasks, we did some maintenance work on WebAudio backends, and we upstreamed an internal audio mixer, keeping only one connection to the audio server, such as PulseAudio, instead of multiple connections, one for every audio resource. The mixer combines all streams into a single audio server connection.

Adaptive media streaming for the Web (MSE)

We have been working on a new MSE backend for a while, but along the way many related bugs have appeared and they were squashed. Also, many code cleanups have been carried out. Though it has been like yak shaving, we are confident that we will reach the end of this long and winding road soonish.

DRM media playback for the Web (EME)

Regarding digital protected media playback, we worked to upstream OpenCDM, support with Widevine, through RDK’s Thunder framework, while continuing with the usual maintenance of the other key systems, such as Clear Key, Widevine and PlayReady.

For more details we published a blog post: Serious Encrypted Media Extensions on GStreamer based WebKit ports.

Realtime communications for the Web (WebRTC)

Just like EME, WebRTC is not currently enabled by default in browsers such as Epiphany because of license problems, but they are available for custom adopters, and we are maintaining it. For example, we collaborated to upgrade LibWebRTC to M87 and fixed the expected regressions and gardening.

Along the way we experimented a bit with the new GPUProcess for capture devices, but we decided to stop the experimentation while waiting for a broader adoption of the process, for example in graphics rendering, in WPE/WebKitGTK.

GPUProcess work will be retaken at some point, because it’s not, currently, a hard requirement, since we already have moved capture devices handling from the UIProcess to the WebProcess, isolating all GStreamer operations in the latter.

GStreamer

GStreamer is one of our core multimedia technologies, and we contribute to it on a daily basis. We pushed ~400 commits, with a similar number of code reviews, during the second half of 2020. Among those contributions, let us highlight the following list:

  • A lot of bug fixing aiming for release 1.18.
  • Reworked and enhanced decodebin3, the GstTranscoder API and encodebin.
  • Merged av1parse in video parsers plugin.
  • Merged qroverlay plugin.
  • Iterated on the mono-repo proposal, which requires consensus and coordination among the whole community.
  • gstwpe element has been greatly improved from new user requests.
  • Contributed on the new libgstcodecs library, which enables stateless video decoders through different platforms (for example, v4l2, d3d11, va, etc.).
  • Developed a new plugin for VA-API using this library, exposing H.264, H.265, VP9, VP8, MPEG2 decoders and a full featured postprocessor, with better performance, according to our measurements, than GStreamer-VAAPI.

Conferences

Although 2020 was not a year for conferences, many of them went virtual. We attended one, the Mile High Video conference, and participated in the Slack workspace.

Thank you for reading this report and stay tuned with our work.

by vjaquez at April 21, 2021 04:49 AM



March 29, 2021

WebKitGTK and WPE WebKit Security Advisory WSA-2021-0003

by The WebKitGTK Project

Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.

  • CVE-2021-1788
    • Versions affected: WebKitGTK before 2.32.0 and WPE WebKit before 2.32.0.
    • Credit to Francisco Alonso (@revskills).
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: A use after free issue was addressed with improved memory management.
  • CVE-2021-1844
    • Versions affected: WebKitGTK before 2.32.0 and WPE WebKit before 2.32.0.
    • Credit to Clément Lecigne of Google’s Threat Analysis Group, Alison Huffman of Microsoft Browser Vulnerability Research.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: A memory corruption issue was addressed with improved validation.
  • CVE-2021-1871
    • Versions affected: WebKitGTK before 2.32.0 and WPE WebKit before 2.32.0.
    • Credit to an anonymous researcher.
    • Impact: A remote attacker may be able to cause arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited. Description: A logic issue was addressed with improved restrictions.

We recommend updating to the latest stable versions of WebKitGTK and WPE WebKit. It is the best way to ensure that you are running safe versions of WebKit. Please check our websites for information about the latest stable releases.

Further information about WebKitGTK and WPE WebKit security advisories can be found at: https://webkitgtk.org/security.html or https://wpewebkit.org/security/.

March 29, 2021 12:00 AM



March 26, 2021

WebKitGTK 2.32.0 released!

by The WebKitGTK Project

This is the first stable release in the 2.32 series.

Highlights of the WebKitGTK 2.32.0 release

  • NPAPI plugin support has been removed.
  • System font scaling factor is correctly applied now.
  • New permission request API for MediaKeySystem access.
  • New API to remove individual scripts/stylesheets using WebKitUserContentManager.
  • Web inspector now shows detailed information about main loop frames.
  • The minimum required GStreamer version is now 1.14.
  • The GStreamer runtime is now initialized only when required.
  • Improved platform support for WebAudio (WebAudio->MediaStream, Worklet, Multi-channel).
  • Support for hardware-accelerated video rendering on i.MX8 platforms (using the NXP driver).

For more details about all the changes included in WebKitGTK 2.32 see the NEWS file that is included in the tarball.

Thanks to all the contributors who made this release possible.

March 26, 2021 12:00 AM