Incoming details.
Several vulnerabilities were discovered in WebKitGTK+.

CVE-2018-4088
    Versions affected: WebKitGTK+ before 2.18.6.
    Credit to Jeonghoon Shin of Theori.
    Impact: Processing maliciously crafted web content may lead to arbitrary code execution.
    Description: Multiple memory corruption issues were addressed with improved memory handling.

CVE-2018-4089
    Versions affected: WebKitGTK+ before 2.18.4.
    Credit to Ivan Fratric of Google Project Zero.
    Impact: Processing maliciously crafted web content may lead to arbitrary code execution.
    Description: Multiple memory corruption issues were addressed with improved memory handling.

CVE-2018-4096
    Versions affected: WebKitGTK+ before 2.18.6.
    Credit to OSS-Fuzz.
    Impact: Processing maliciously crafted web content may lead to arbitrary code execution.
    Description: Multiple memory corruption issues were addressed with improved memory handling.

CVE-2017-7153
    Versions affected: WebKitGTK+ before 2.18.6.
    Credit to Jerry Decime.
    Impact: Visiting a malicious website may lead to user interface spoofing.
    Description: Redirect responses to 401 Unauthorized may allow a malicious website to incorrectly display the lock icon on mixed content. This issue was addressed through improved URL display logic.

CVE-2017-7160
    Versions affected: WebKitGTK+ before 2.18.6.
    Credit to Richard Zhu (fluorescence) working with Trend Micro’s Zero Day Initiative.
    Impact: Processing maliciously crafted web content may lead to arbitrary code execution.
    Description: Multiple memory corruption issues were addressed with improved memory handling.

CVE-2017-7161
    Versions affected: WebKitGTK+ before 2.18.6.
    Credit to Mitin Svyat.
    Impact: Processing maliciously crafted web content may lead to arbitrary code execution.
    Description: A command injection issue existed in Web Inspector. This issue was addressed through improved escaping of special characters.

CVE-2017-7165
    Versions affected: WebKitGTK+ before 2.18.6.
    Credit to 360 Security working with Trend Micro’s Zero Day Initiative.
    Impact: Processing maliciously crafted web content may lead to arbitrary code execution.
    Description: Multiple memory corruption issues were addressed with improved memory handling.

CVE-2017-13884
    Versions affected: WebKitGTK+ before 2.18.6.
    Credit to 360 Security working with Trend Micro’s Zero Day Initiative.
    Impact: Processing maliciously crafted web content may lead to arbitrary code execution.
    Description: Multiple memory corruption issues were addressed with improved memory handling.

CVE-2017-13885
    Versions affected: WebKitGTK+ before 2.18.6.
    Credit to 360 Security working with Trend Micro’s Zero Day Initiative.
    Impact: Processing maliciously crafted web content may lead to arbitrary code execution.
    Description: Multiple memory corruption issues were addressed with improved memory handling.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2731d7a81444b0743caae7453e0c0e168005c828

commit 2731d7a81444b0743caae7453e0c0e168005c828
Author:     Mart Raudsepp <leio@gentoo.org>
AuthorDate: 2018-01-25 13:53:03 +0000
Commit:     Mart Raudsepp <leio@gentoo.org>
CommitDate: 2018-01-25 14:37:25 +0000

    net-libs/webkit-gtk: security bump to 2.18.6

    Bug: https://bugs.gentoo.org/645686
    Package-Manager: Portage-2.3.19, Repoman-2.3.6

 net-libs/webkit-gtk/Manifest                 |   1 +
 net-libs/webkit-gtk/webkit-gtk-2.18.6.ebuild | 284 +++++++++++++++++++++++++++
 2 files changed, 285 insertions(+)

x86 stable
amd64 stable
Cleanup of SLOT=4 done. SLOT=2 and SLOT=3 cleanup is tracked in bug 577068 and not here, therefore cleanup for this bug's purposes all done, moving to "glsa?"
New GLSA request filed.
This issue was resolved and addressed in GLSA 201803-11 at https://security.gentoo.org/glsa/201803-11 by GLSA coordinator Christopher Diaz Riveros (chrisadr).