[Secure-testing-team] Bug#843462: emacs25: Please disable xwidgets/webkit

David Bremner bremner at debian.org
Sun Nov 6 19:17:00 UTC 2016


Package: emacs25
Version: 25.1+1-2
Severity: important
Tags: security

According to check-support-status (package debian-security-support):

* Source:webkitgtk
  Details: No security support upstream and backports not feasible, only for use on trusted content
  Affected binary packages:
  - libjavascriptcoregtk-3.0-0:amd64 (installed version: 2.4.11-3)
  - libwebkitgtk-3.0-0:amd64 (installed version: 2.4.11-3)

Although there is apparently some sandboxing in the use of webkit in
emacs (I read that it uses a separate process, although not anywhere
authoritative), this still seems to be equivalent to shipping a
JavaScript-enabled browser without any security support.

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (900, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.6.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages emacs25 depends on:
ii  emacs25-bin-common          25.1+1-2
ii  gconf-service               3.2.6-4
ii  libacl1                     2.2.52-3
ii  libasound2                  1.1.2-1
ii  libatk1.0-0                 2.22.0-1
ii  libc6                       2.24-5
ii  libcairo-gobject2           1.14.6-1+b1
ii  libcairo2                   1.14.6-1+b1
ii  libdbus-1-3                 1.10.12-1
ii  libfontconfig1              2.11.0-6.7
ii  libfreetype6                2.6.3-3+b1
ii  libgconf-2-4                3.2.6-4
ii  libgdk-pixbuf2.0-0          2.36.0-1
ii  libgif7                     5.1.4-0.4
ii  libglib2.0-0                2.50.1-1
ii  libgnutls30                 3.5.5-6
ii  libgomp1                    6.2.0-10
ii  libgpm2                     1.20.4-6.2
ii  libgtk-3-0                  3.22.2-1
ii  libice6                     2:1.0.9-1+b1
ii  libjavascriptcoregtk-3.0-0  2.4.11-3
ii  libjpeg62-turbo             1:1.5.1-2
ii  libm17n-0                   1.7.0-3+b1
ii  libmagickcore-6.q16-2       8:6.9.6.2+dfsg-2
ii  libmagickwand-6.q16-2       8:6.9.6.2+dfsg-2
ii  libotf0                     0.9.13-3
ii  libpango-1.0-0              1.40.3-2
ii  libpangocairo-1.0-0         1.40.3-2
ii  libpng16-16                 1.6.25-2
ii  librsvg2-2                  2.40.16-1
ii  libselinux1                 2.6-1
ii  libsm6                      2:1.2.2-1+b1
ii  libsoup2.4-1                2.56.0-1
ii  libtiff5                    4.0.6-3
ii  libtinfo5                   6.0+20160917-1
ii  libwebkitgtk-3.0-0          2.4.11-3
ii  libx11-6                    2:1.6.3-1
ii  libx11-xcb1                 2:1.6.3-1
ii  libxcb1                     1.12-1
ii  libxcomposite1              1:0.4.4-1
ii  libxfixes3                  1:5.0.2-1
ii  libxft2                     2.3.2-1
ii  libxinerama1                2:1.1.3-1+b1
ii  libxml2                     2.9.4+dfsg1-2.1
ii  libxpm4                     1:3.5.11-1+b1
ii  libxrandr2                  2:1.5.0-1
ii  libxrender1                 1:0.9.9-2
ii  zlib1g                      1:1.2.8.dfsg-2+b3

emacs25 recommends no packages.

Versions of packages emacs25 suggests:
pn  emacs25-common-non-dfsg  <none>

-- no debconf information
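
The cross-check this report rests on, as an added example (not part of the original message or of debian-security-support): it parses check-support-status output in the layout quoted above and lists which installed dependencies of a package fall under limited security support. The function names are hypothetical, the output layout is assumed from the excerpt in the report, and the sample input is constructed from it.

```python
import re

# Constructed sample input, abbreviated from the text quoted in the report.
SUPPORT_STATUS = """\
* Source:webkitgtk
  Details: No security support upstream and backports not feasible, only for use on trusted content
  Affected binary packages:
  - libjavascriptcoregtk-3.0-0:amd64 (installed version: 2.4.11-3)
  - libwebkitgtk-3.0-0:amd64 (installed version: 2.4.11-3)
"""
DEPENDS = """\
ii  libgtk-3-0                  3.22.2-1
ii  libjavascriptcoregtk-3.0-0  2.4.11-3
ii  libsoup2.4-1                2.56.0-1
ii  libwebkitgtk-3.0-0          2.4.11-3
pn  emacs25-common-non-dfsg  <none>
"""

# "- name[:arch] (installed version: V)"; the layout is an assumption.
BIN_RE = re.compile(r"^\s*-\s+([^\s:]+)(?::\S+)?\s+\(installed version:\s*(\S+)\)")

def parse_support_status(text):
    """Map binary package -> (source, details, installed version)."""
    limited, source, details = {}, None, ""
    for line in text.splitlines():
        if line.startswith("* Source:"):
            source, details = line[len("* Source:"):].strip(), ""
        elif line.strip().startswith("Details:"):
            details = line.split("Details:", 1)[1].strip()
        elif source and (m := BIN_RE.match(line)):
            limited[m.group(1)] = (source, details, m.group(2))
    return limited

def parse_depends(text):
    """Return {package: version} for installed ('ii') entries only."""
    deps = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "ii":
            deps[fields[1]] = fields[2]
    return deps

def unsupported_depends(status_text, depends_text):
    """Installed dependencies that appear in the limited-support report."""
    limited = parse_support_status(status_text)
    deps = parse_depends(depends_text)
    return sorted((p, v, limited[p][0]) for p, v in deps.items() if p in limited)

if __name__ == "__main__":
    for pkg, ver, src in unsupported_depends(SUPPORT_STATUS, DEPENDS):
        print(f"{pkg} {ver}: limited security support (source {src})")
```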


