From bc9d93e02a1123ebba9af1880ba1fd34f9f2b7a9 Mon Sep 17 00:00:00 2001
From: Mart Raudsepp <leio@gentoo.org>
Date: Sun, 9 Apr 2017 00:26:36 +0300
Subject: [PATCH] net-libs/webkit-gtk: bump to 2.16.1 for 33+ security fixes

Fixes CVE-2016-9642, CVE-2016-9643, CVE-2017-2367, CVE-2017-2376, CVE-2017-2377,
CVE-2017-2386, CVE-2017-2392, CVE-2017-2394, CVE-2017-2395, CVE-2017-2396,
CVE-2017-2405, CVE-2017-2415, CVE-2017-2419, CVE-2017-2433, CVE-2017-2442,
CVE-2017-2445, CVE-2017-2446, CVE-2017-2447, CVE-2017-2454, CVE-2017-2455,
CVE-2017-2457, CVE-2017-2459, CVE-2017-2460, CVE-2017-2464, CVE-2017-2465,
CVE-2017-2466, CVE-2017-2468, CVE-2017-2469, CVE-2017-2470, CVE-2017-2471,
CVE-2017-2475, CVE-2017-2476, CVE-2017-2481 and further fixes for CVE-2017-2364.

Upstream says 2.16.1 fixes more security bugs than these, over 2.16.0 release,
but that they didn't have CVE numbers as of yet.

Add some seemingly necessary perl build dependencies (which everyone probably
had installed anyways). This perl build dep list is by no means complete.
Includes preliminary patch from Kent to not start requiring perl[ithreads] for
building (over perl with whatever ithreads choice), which would be disastrous
for us.
Upstream has replaced gnutls with libgcrypt. The experimental API unstable DOM
stuff was dropped completely (but isn't used since epiphany-3.22), while the
webkit2gtkinjectedbundle-j1.patch patch in earlier version modified lines that
were there for it - so hopefully -j1 MAKEOPTS building still works with that
patch dropped.
CREDENTIAL_STORAGE option was renamed to LIBSECRET.
flex build dep seems to have been dropped and gstreamer requirement upped to 1.2.3.
harfbuzz 1.3.3 is useful for it for some optional fixes, so guarantee it.

Gentoo-bug: 614876
Thanks-to: Kent Fredric <kentnl@gentoo.org>
---
 net-libs/webkit-gtk/Manifest                  |   1 +
 .../files/2.16.1-avoid-perl-ithreads.patch    |  88 ++++++
 net-libs/webkit-gtk/webkit-gtk-2.16.1.ebuild  | 290 ++++++++++++++++++
 3 files changed, 379 insertions(+)
 create mode 100644 net-libs/webkit-gtk/files/2.16.1-avoid-perl-ithreads.patch
 create mode 100644 net-libs/webkit-gtk/webkit-gtk-2.16.1.ebuild

diff --git a/net-libs/webkit-gtk/Manifest b/net-libs/webkit-gtk/Manifest
index e65a3628ff22..755456d09c48 100644
--- a/net-libs/webkit-gtk/Manifest
+++ b/net-libs/webkit-gtk/Manifest
@@ -1,2 +1,3 @@
 DIST webkitgtk-2.14.5.tar.xz 13956352 SHA256 3ca8f1c33a9b43d6c753dcac1c0788656930e06382b10fdf5c2805ea8f96369f SHA512 3351d9b05458434835fa2db050c34906649c3b1222d7936d123306634a46e35e8cc3aa1bb7512b103af1996fce722254692826b6f695e32ae176032dc8c94e1c WHIRLPOOL 011745e5e1f8926b28b34ac797480b3c79ccfcf09d844d076d8cf3087959013f39f359d7a7ef06a8e95ca7e04d28284ff4901e483180d2a41b4b05568b658e74
+DIST webkitgtk-2.16.1.tar.xz 14675996 SHA256 eb92383232328ce655b703c64370ed3795662479719ad1b4a869ed46769d2945 SHA512 4b8de15644d0d0f9814c674020cbbab8628347915b8010977dbe2365ce276ea05b3bf86171400ae8eb5bfdebbadcfabd1efce34a177b5c82aa765bd3351e7010 WHIRLPOOL c9deacbd229804aaaba88f9fcabdcde1a460430bb60258dfc8d7393723401d7e74d645ba8bf2dcf60e87c30739e45558b747911a4671a8950efe271cb7b86586
 DIST webkitgtk-2.4.11.tar.xz 9869100 SHA256 588aea051bfbacced27fdfe0335a957dca839ebe36aa548df39c7bbafdb65bf7 SHA512 2e2cf01a52b8593765a0a3c2d7f0ad306121660019eb402226bd2826c7d4666dab4e91ca6ccbd29abe0ad3993549f256ed1ab88de22e9c8516d5f40a4edd6bfb WHIRLPOOL de86c4abfb22aacbf62163d0398158931c9cf6ab628547d3b30e613f0505d67c85c3200f7db96500e7c2b35f640cdaa7f501346fc13f492c9439dff4056849a3
diff --git a/net-libs/webkit-gtk/files/2.16.1-avoid-perl-ithreads.patch b/net-libs/webkit-gtk/files/2.16.1-avoid-perl-ithreads.patch
new file mode 100644
index 000000000000..506696fcc7a9
--- /dev/null
+++ b/net-libs/webkit-gtk/files/2.16.1-avoid-perl-ithreads.patch
@@ -0,0 +1,88 @@
+From 1ac17bea2273df0dfec21897b00efb8351648e1b Mon Sep 17 00:00:00 2001
+From: Kent Fredric <kentnl@gentoo.org>
+Date: Sun, 9 Apr 2017 04:10:52 +1200
+Subject: Remove need for threaded perl at expense of being single-threaded
+
+This could theoretically be implemented with forks, but I opted not
+to because its too hard, and the platform specifics are too messy.
+
+This could theoretically also have support for automatic detection
+as to which strategy to use based on OS/availability, but the
+implementation details of that are too much for my pateience today.
+
+In an ideal world, this file would support:
+
+1. Single threaded builds for spartans
+2. Forked builds for people who are on linux but don't want to rebuild
+   their perl just to have threads ( which produce negligible benefit
+   and measurable performance penalties to all code )
+3. Threaded builds for people who are on windows where forks may not
+   be entirely sane.
+
+But #1 is good enough atm.
+
+This is important for Gentoo, because end users decide on their own
+choices with regards to threading support for perl, and threading
+support is off by default due to the performance issues mentioned in #2
+in conjunction with the fact that "threads" is officially discouraged
+by Perl Upstream.
+
+And as Gentoo users have to have a system Perl to compile WebkitGTK,
+this means installing WebkitGTK requires rebuilding their system Perl
+with threads.
+
+And this *also* means that all packages presently compiled against Perl
+become broken, because non-threaded perl and threaded perl are not ABI
+compatible with each other, and this can scale into hundreds of
+packages and significant transient breakage.
+
+This ends up in practice being *far* *worse* in terms of time wasted
+than the mediocre time inefficiency created by needing a single
+threaded build.
+---
+ Source/WebCore/bindings/scripts/generate-bindings-all.pl | 15 +++++----------
+ 1 file changed, 5 insertions(+), 10 deletions(-)
+
+diff --git a/Source/WebCore/bindings/scripts/generate-bindings-all.pl b/Source/WebCore/bindings/scripts/generate-bindings-all.pl
+index 37b27cc74..b3a378df0 100755
+--- a/Source/WebCore/bindings/scripts/generate-bindings-all.pl
++++ b/Source/WebCore/bindings/scripts/generate-bindings-all.pl
+@@ -32,9 +32,6 @@ use File::Basename;
+ use File::Spec;
+ use File::Find;
+ use Getopt::Long;
+-use threads;
+-use threads::shared;
+-use Thread::Queue;
+ 
+ my $perl = $^X;
+ my $scriptDir = $FindBin::Bin;
+@@ -121,13 +118,11 @@ my @idlFilesToUpdate = grep &{sub {
+                 implicitDependencies($depFile));
+     needsUpdate(\@output, \@deps);
+ }}, @idlFiles;
+-my $queue = Thread::Queue->new(@idlFilesToUpdate);
+-my $abort :shared = 0;
+-my $totalCount = @idlFilesToUpdate;
+-my $currentCount :shared = 0;
+ 
+-my @threadPool = map { threads->create(\&worker) } (1 .. $numOfJobs);
+-$_->join for @threadPool;
++my $abort = 0;
++my $totalCount = @idlFilesToUpdate;
++my $currentCount = 0;
++worker();
+ exit $abort;
+ 
+ sub needsUpdate
+@@ -158,7 +153,7 @@ sub mtime
+ }
+ 
+ sub worker {
+-    while (my $file = $queue->dequeue_nb()) {
++    while (my $file = shift @idlFilesToUpdate) {
+         last if $abort;
+         eval {
+             $currentCount++;
+-- 
+2.12.2
diff --git a/net-libs/webkit-gtk/webkit-gtk-2.16.1.ebuild b/net-libs/webkit-gtk/webkit-gtk-2.16.1.ebuild
new file mode 100644
index 000000000000..704307fbecb7
--- /dev/null
+++ b/net-libs/webkit-gtk/webkit-gtk-2.16.1.ebuild
@@ -0,0 +1,290 @@
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+CMAKE_MAKEFILE_GENERATOR="ninja"
+PYTHON_COMPAT=( python2_7 )
+USE_RUBY="ruby21 ruby22 ruby23 ruby24"
+
+inherit check-reqs cmake-utils eutils flag-o-matic gnome2 pax-utils python-any-r1 ruby-single toolchain-funcs versionator virtualx
+
+MY_P="webkitgtk-${PV}"
+DESCRIPTION="Open source web browser engine"
+HOMEPAGE="http://www.webkitgtk.org/"
+SRC_URI="http://www.webkitgtk.org/releases/${MY_P}.tar.xz"
+
+LICENSE="LGPL-2+ BSD"
+SLOT="4/37" # soname version of libwebkit2gtk-4.0
+KEYWORDS="~alpha ~amd64 ~arm ~ia64 ~ppc ~ppc64 ~sparc ~x86 ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~x86-macos"
+
+IUSE="aqua coverage doc +egl +geolocation gles2 gnome-keyring +gstreamer +introspection +jit libnotify nsplugin +opengl spell wayland +webgl X"
+
+# webgl needs gstreamer, bug #560612
+REQUIRED_USE="
+	geolocation? ( introspection )
+	gles2? ( egl )
+	introspection? ( gstreamer )
+	nsplugin? ( X )
+	webgl? ( ^^ ( gles2 opengl ) )
+	!webgl? ( ?? ( gles2 opengl ) )
+	webgl? ( gstreamer )
+	wayland? ( egl )
+	|| ( aqua wayland X )
+"
+
+# Tests fail to link for inexplicable reasons
+# https://bugs.webkit.org/show_bug.cgi?id=148210
+RESTRICT="test"
+
+# use sqlite, svg by default
+# Aqua support in gtk3 is untested
+# Dependencies found at Source/cmake/OptionsGTK.cmake
+RDEPEND="
+	dev-db/sqlite:3=
+	>=dev-libs/glib-2.36:2
+	dev-libs/hyphen
+	>=dev-libs/icu-3.8.1-r1:=
+	>=dev-libs/libxml2-2.8:2
+	>=dev-libs/libxslt-1.1.7
+	>=media-libs/fontconfig-2.8:1.0
+	>=media-libs/freetype-2.4.2:2
+	>=media-libs/harfbuzz-1.3.3:=[icu(+)]
+	>=media-libs/libpng-1.4:0=
+	media-libs/libwebp:=
+	dev-libs/libgcrypt:0=
+	>=net-libs/libsoup-2.42:2.4[introspection?]
+	>=x11-libs/cairo-1.10.2:=
+	>=x11-libs/gtk+-3.14:3[introspection?]
+	>=x11-libs/pango-1.30.0
+	virtual/jpeg:0=
+
+	aqua? ( >=x11-libs/gtk+-3.14:3[aqua] )
+	egl? ( media-libs/mesa[egl] )
+	geolocation? ( >=app-misc/geoclue-2.1.5:2.0 )
+	gles2? ( media-libs/mesa[gles2] )
+	gnome-keyring? ( app-crypt/libsecret )
+	gstreamer? (
+		>=media-libs/gstreamer-1.2.3:1.0
+		>=media-libs/gst-plugins-base-1.2.3:1.0
+		>=media-libs/gst-plugins-bad-1.8:1.0[opengl?] )
+	introspection? ( >=dev-libs/gobject-introspection-1.32.0:= )
+	libnotify? ( x11-libs/libnotify )
+	nsplugin? ( >=x11-libs/gtk+-2.24.10:2 )
+	opengl? ( virtual/opengl
+		x11-libs/cairo[opengl] )
+	spell? ( >=app-text/enchant-0.22:= )
+	wayland? ( >=x11-libs/gtk+-3.14:3[wayland] )
+	webgl? (
+		x11-libs/cairo[opengl]
+		x11-libs/libXcomposite
+		x11-libs/libXdamage )
+	X? (
+		x11-libs/cairo[X]
+		>=x11-libs/gtk+-3.14:3[X]
+		x11-libs/libX11
+		x11-libs/libXcomposite
+		x11-libs/libXrender
+		x11-libs/libXt )
+"
+
+# paxctl needed for bug #407085
+# Need real bison, not yacc
+DEPEND="${RDEPEND}
+	${PYTHON_DEPS}
+	${RUBY_DEPS}
+	>=dev-lang/perl-5.10
+	>=app-accessibility/at-spi2-core-2.5.3
+	>=dev-libs/atk-2.8.0
+	>=dev-util/gtk-doc-am-1.10
+	>=dev-util/gperf-3.0.1
+	>=sys-devel/bison-2.4.3
+	|| ( >=sys-devel/gcc-4.9 >=sys-devel/clang-3.3 )
+	sys-devel/gettext
+	virtual/pkgconfig
+
+	dev-lang/perl
+	virtual/perl-Data-Dumper
+	virtual/perl-Carp
+
+	doc? ( >=dev-util/gtk-doc-1.10 )
+	geolocation? ( dev-util/gdbus-codegen )
+	introspection? ( jit? ( sys-apps/paxctl ) )
+	test? (
+		dev-lang/python:2.7
+		dev-python/pygobject:3[python_targets_python2_7]
+		x11-themes/hicolor-icon-theme
+		jit? ( sys-apps/paxctl ) )
+"
+
+S="${WORKDIR}/${MY_P}"
+
+CHECKREQS_DISK_BUILD="18G" # and even this might not be enough, bug #417307
+
+PATCHES=(
+	# https://bugs.gentoo.org/show_bug.cgi?id=555504
+	"${FILESDIR}"/${PN}-2.8.5-fix-ia64-build.patch
+
+	# https://bugs.gentoo.org/show_bug.cgi?id=564352
+	# https://bugs.webkit.org/show_bug.cgi?id=167283
+	"${FILESDIR}"/${PN}-2.8.5-fix-alpha-build.patch
+
+	# Avoid perl[ithreads] build time requirement as that would be very very messy
+	"${FILESDIR}"/${PV}-avoid-perl-ithreads.patch
+)
+
+pkg_pretend() {
+	if [[ ${MERGE_TYPE} != "binary" ]] ; then
+		if is-flagq "-g*" && ! is-flagq "-g*0" ; then
+			einfo "Checking for sufficient disk space to build ${PN} with debugging CFLAGS"
+			check-reqs_pkg_pretend
+		fi
+
+		if ! test-flag-CXX -std=c++11 ; then
+			die "You need at least GCC 4.9.x or Clang >= 3.3 for C++11-specific compiler flags"
+		fi
+
+		if tc-is-gcc && [[ $(gcc-version) < 4.9 ]] ; then
+			die 'The active compiler needs to be gcc 4.9 (or newer)'
+		fi
+	fi
+}
+
+pkg_setup() {
+	if [[ ${MERGE_TYPE} != "binary" ]] && is-flagq "-g*" && ! is-flagq "-g*0" ; then
+		check-reqs_pkg_setup
+	fi
+
+	python-any-r1_pkg_setup
+}
+
+src_configure() {
+	# Respect CC, otherwise fails on prefix #395875
+	tc-export CC
+
+	# Arches without JIT support also need this to really disable it in all places
+	use jit || append-cppflags -DENABLE_JIT=0 -DENABLE_YARR_JIT=0 -DENABLE_ASSEMBLER=0
+
+	# It does not compile on alpha without this in LDFLAGS
+	# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=648761
+	use alpha && append-ldflags "-Wl,--no-relax"
+
+	# ld segfaults on ia64 with LDFLAGS --as-needed, bug #555504
+	use ia64 && append-ldflags "-Wl,--no-as-needed"
+
+	# Sigbuses on SPARC with mcpu and co., bug #???
+	use sparc && filter-flags "-mvis"
+
+	# https://bugs.webkit.org/show_bug.cgi?id=42070 , #301634
+	use ppc64 && append-flags "-mminimal-toc"
+
+	# Try to use less memory, bug #469942 (see Fedora .spec for reference)
+	# --no-keep-memory doesn't work on ia64, bug #502492
+	if ! use ia64; then
+		append-ldflags "-Wl,--no-keep-memory"
+	fi
+
+	# We try to use gold when possible for this package
+#	if ! tc-ld-is-gold ; then
+#		append-ldflags "-Wl,--reduce-memory-overheads"
+#	fi
+
+	# older glibc needs this for INTPTR_MAX, bug #533976
+	if has_version "<sys-libs/glibc-2.18" ; then
+		append-cppflags "-D__STDC_LIMIT_MACROS"
+	fi
+
+	# Multiple rendering bugs on youtube, github, etc without this, bug #547224
+	append-flags $(test-flags -fno-strict-aliasing)
+
+	local ruby_interpreter=""
+
+	if has_version "virtual/rubygems[ruby_targets_ruby24]"; then
+		ruby_interpreter="-DRUBY_EXECUTABLE=$(type -P ruby24)"
+	elif has_version "virtual/rubygems[ruby_targets_ruby23]"; then
+		ruby_interpreter="-DRUBY_EXECUTABLE=$(type -P ruby23)"
+	elif has_version "virtual/rubygems[ruby_targets_ruby22]"; then
+		ruby_interpreter="-DRUBY_EXECUTABLE=$(type -P ruby22)"
+	else
+		ruby_interpreter="-DRUBY_EXECUTABLE=$(type -P ruby21)"
+	fi
+
+	# TODO: Check Web Audio support
+	# should somehow let user select between them?
+	#
+	# FTL_JIT requires llvm
+	#
+	# opengl needs to be explicetly handled, bug #576634
+
+	local opengl_enabled
+	if use opengl || use gles2; then
+		opengl_enabled=ON
+	else
+		opengl_enabled=OFF
+	fi
+
+	# support for webgl (aka 2d-canvas accelerating)
+	local canvas_enabled
+	if use webgl && ! use gles2 ; then
+		canvas_enabled=ON
+	else
+		canvas_enabled=OFF
+	fi
+
+	local mycmakeargs=(
+		-DENABLE_QUARTZ_TARGET=$(usex aqua)
+		-DENABLE_API_TESTS=$(usex test)
+		-DENABLE_GTKDOC=$(usex doc)
+		-DENABLE_GEOLOCATION=$(usex geolocation)
+		$(cmake-utils_use_find_package gles2 OpenGLES2)
+		-DENABLE_GLES2=$(usex gles2)
+		-DENABLE_VIDEO=$(usex gstreamer)
+		-DENABLE_WEB_AUDIO=$(usex gstreamer)
+		-DENABLE_INTROSPECTION=$(usex introspection)
+		-DENABLE_JIT=$(usex jit)
+		-DUSE_LIBNOTIFY=$(usex libnotify)
+		-DUSE_LIBSECRET=$(usex gnome-keyring)
+		-DENABLE_PLUGIN_PROCESS_GTK2=$(usex nsplugin)
+		-DENABLE_SPELLCHECK=$(usex spell)
+		-DENABLE_WAYLAND_TARGET=$(usex wayland)
+		-DENABLE_WEBGL=$(usex webgl)
+		$(cmake-utils_use_find_package egl EGL)
+		$(cmake-utils_use_find_package opengl OpenGL)
+		-DENABLE_X11_TARGET=$(usex X)
+		-DENABLE_OPENGL=${opengl_enabled}
+		-DENABLE_ACCELERATED_2D_CANVAS=${canvas_enabled}
+		-DCMAKE_BUILD_TYPE=Release
+		-DPORT=GTK
+		${ruby_interpreter}
+	)
+
+	# Allow it to use GOLD when possible as it has all the magic to
+	# detect when to use it and using gold for this concrete package has
+	# multiple advantages and is also the upstream default, bug #585788
+#	if tc-ld-is-gold ; then
+#		mycmakeargs+=( -DUSE_LD_GOLD=ON )
+#	else
+#		mycmakeargs+=( -DUSE_LD_GOLD=OFF )
+#	fi
+
+	cmake-utils_src_configure
+}
+
+src_compile() {
+	cmake-utils_src_compile
+}
+
+src_test() {
+	# Prevents test failures on PaX systems
+	use jit && pax-mark m $(list-paxables Programs/*[Tt]ests/*) # Programs/unittests/.libs/test*
+
+	cmake-utils_src_test
+}
+
+src_install() {
+	cmake-utils_src_install
+
+	# Prevents crashes on PaX systems, bug #522808
+	use jit && pax-mark m "${ED}usr/bin/jsc" "${ED}usr/libexec/webkit2gtk-4.0/WebKitWebProcess"
+	pax-mark m "${ED}usr/libexec/webkit2gtk-4.0/WebKitPluginProcess"
+	use nsplugin && pax-mark m "${ED}usr/libexec/webkit2gtk-4.0/WebKitPluginProcess"2
+}
-- 
2.26.2