Bug 644128 - <net-libs/webkit-gtk-2.18.5: Spectre/Meltdown mitigation (CVE-2017-{5715,5753})
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://webkitgtk.org/security/WSA-20...
Whiteboard: A4 [noglsa cve]
Keywords:
Depends on:
Blocks: CVE-2017-5715 CVE-2017-5753
Reported: 2018-01-10 15:08 UTC by GLSAMaker/CVETool Bot
Modified: 2018-03-15 21:56 UTC

See Also:
Package list:
net-libs/webkit-gtk-2.18.5
Runtime testing required: ---
stable-bot: sanity-check+


Description GLSAMaker/CVETool Bot gentoo-dev 2018-01-10 15:08:47 UTC
CVE-2017-5753 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5753):
  Systems with microprocessors utilizing speculative execution and branch
  prediction may allow unauthorized disclosure of information to an attacker
  with local user access via a side-channel analysis.

CVE-2017-5715 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5715):
  Systems with microprocessors utilizing speculative execution and indirect
  branch prediction may allow unauthorized disclosure of information to an
  attacker with local user access via a side-channel analysis.
Comment 1 Larry the Git Cow gentoo-dev 2018-01-11 13:52:44 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=985a787359c84f142eb47005244b681ebc35b2be

commit 985a787359c84f142eb47005244b681ebc35b2be
Author:     Mart Raudsepp <leio@gentoo.org>
AuthorDate: 2018-01-11 13:52:15 +0000
Commit:     Mart Raudsepp <leio@gentoo.org>
CommitDate: 2018-01-11 13:52:15 +0000

    net-libs/webkit-gtk: security bump to 2.18.5 for Spectre mitigation
    
    Bug: https://bugs.gentoo.org/644128
    Package-Manager: Portage-2.3.19, Repoman-2.3.6

 net-libs/webkit-gtk/Manifest                 |   1 +
 net-libs/webkit-gtk/webkit-gtk-2.18.5.ebuild | 284 +++++++++++++++++++++++++++
 2 files changed, 285 insertions(+)
Comment 2 Mart Raudsepp gentoo-dev 2018-01-11 14:06:38 UTC
Not sure why Meltdown is mentioned in the summary. Also, my summary change to mention the version now reads odd, as if earlier versions have the mitigation, due to the backwards way with mitigations.
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2018-01-11 20:11:29 UTC
x86 stable
Comment 4 Agostino Sarubbo gentoo-dev 2018-01-14 15:31:27 UTC
amd64 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 5 Larry the Git Cow gentoo-dev 2018-01-15 18:20:48 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f29a87fb51e655797c146b3f5120c47401572a5a

commit f29a87fb51e655797c146b3f5120c47401572a5a
Author:     Mart Raudsepp <leio@gentoo.org>
AuthorDate: 2018-01-15 18:19:13 +0000
Commit:     Mart Raudsepp <leio@gentoo.org>
CommitDate: 2018-01-15 18:19:13 +0000

    net-libs/webkit-gtk: security cleanup
    
    Bug: https://bugs.gentoo.org/644128
    Package-Manager: Portage-2.3.19, Repoman-2.3.6

 net-libs/webkit-gtk/Manifest                 |   1 -
 net-libs/webkit-gtk/webkit-gtk-2.18.4.ebuild | 284 ---------------------------
 2 files changed, 285 deletions(-)
Comment 6 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2018-03-15 21:56:51 UTC
GLSA Vote: No

Marking as FIXED.

Thank you