
Bug 619788 (CVE-2017-2496, CVE-2017-2504, CVE-2017-2505, CVE-2017-2506, CVE-2017-2508, CVE-2017-2510, CVE-2017-2514, CVE-2017-2515, CVE-2017-2521, CVE-2017-2525, CVE-2017-2526, CVE-2017-2528, CVE-2017-2530, CVE-2017-2531, CVE-2017-2536, CVE-2017-2539, CVE-2017-2544, CVE-2017-2547, CVE-2017-2549, CVE-2017-6980, CVE-2017-6984)

Summary: <net-libs/webkit-gtk-2.16.3: multiple vulnerabilities
Product: Gentoo Security
Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: gnome
Priority: Normal
Flags: stable-bot: sanity-check+
Version: unspecified
Hardware: All
OS: Linux
URL: https://webkitgtk.org/security/WSA-2017-0004.html
Whiteboard: B2 [glsa cve]
Package list: net-libs/webkit-gtk-2.16.3
Runtime testing required: ---

Description GLSAMaker/CVETool Bot gentoo-dev 2017-05-26 21:43:02 UTC
CVE-2017-2496 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2496):
  An issue was discovered in certain Apple products. iOS before 10.3.2 is
  affected. Safari before 10.1.1 is affected. The issue involves the "WebKit"
  component. It allows remote attackers to execute arbitrary code or cause a
  denial of service (memory corruption and application crash) via a crafted
  web site.

CVE-2017-2504 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2504):
  An issue was discovered in certain Apple products. iOS before 10.3.2 is
  affected. Safari before 10.1.1 is affected. tvOS before 10.2.1 is affected.
  The issue involves the "WebKit" component. It allows remote attackers to
  conduct Universal XSS (UXSS) attacks via a crafted web site that improperly
  interacts with WebKit Editor commands.

CVE-2017-2505 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2505):
  An issue was discovered in certain Apple products. iOS before 10.3.2 is
  affected. Safari before 10.1.1 is affected. tvOS before 10.2.1 is affected.
  The issue involves the "WebKit" component. It allows remote attackers to
  execute arbitrary code or cause a denial of service (memory corruption and
  application crash) via a crafted web site.

CVE-2017-2506 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2506):
  An issue was discovered in certain Apple products. iOS before 10.3.2 is
  affected. Safari before 10.1.1 is affected. The issue involves the "WebKit"
  component. It allows remote attackers to execute arbitrary code or cause a
  denial of service (memory corruption and application crash) via a crafted
  web site.

CVE-2017-2508 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2508):
  An issue was discovered in certain Apple products. iOS before 10.3.2 is
  affected. Safari before 10.1.1 is affected. The issue involves the "WebKit"
  component. It allows remote attackers to conduct Universal XSS (UXSS)
  attacks via a crafted web site that improperly interacts with container
  nodes.

CVE-2017-2510 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2510):
  An issue was discovered in certain Apple products. iOS before 10.3.2 is
  affected. Safari before 10.1.1 is affected. The issue involves the "WebKit"
  component. It allows remote attackers to conduct Universal XSS (UXSS)
  attacks via a crafted web site that improperly interacts with pageshow
  events.

CVE-2017-2514 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2514):
  An issue was discovered in certain Apple products. iOS before 10.3.2 is
  affected. Safari before 10.1.1 is affected. The issue involves the "WebKit"
  component. It allows remote attackers to execute arbitrary code or cause a
  denial of service (memory corruption and application crash) via a crafted
  web site.

CVE-2017-2515 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2515):
  An issue was discovered in certain Apple products. iOS before 10.3.2 is
  affected. Safari before 10.1.1 is affected. tvOS before 10.2.1 is affected.
  The issue involves the "WebKit" component. It allows remote attackers to
  execute arbitrary code or cause a denial of service (memory corruption and
  application crash) via a crafted web site.

CVE-2017-2521 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2521):
  An issue was discovered in certain Apple products. iOS before 10.3.2 is
  affected. Safari before 10.1.1 is affected. tvOS before 10.2.1 is affected.
  watchOS before 3.2.2 is affected. The issue involves the "WebKit" component.
  It allows remote attackers to execute arbitrary code or cause a denial of
  service (memory corruption and application crash) via a crafted web site.

CVE-2017-2525 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2525):
  An issue was discovered in certain Apple products. iOS before 10.3.2 is
  affected. Safari before 10.1.1 is affected. tvOS before 10.2.1 is affected.
  The issue involves the "WebKit" component. It allows remote attackers to
  execute arbitrary code or cause a denial of service (memory corruption and
  application crash) via a crafted web site.

CVE-2017-2526 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2526):
  An issue was discovered in certain Apple products. iOS before 10.3.2 is
  affected. Safari before 10.1.1 is affected. The issue involves the "WebKit"
  component. It allows remote attackers to execute arbitrary code or cause a
  denial of service (memory corruption and application crash) via a crafted
  web site.

CVE-2017-2528 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2528):
  An issue was discovered in certain Apple products. iOS before 10.3.2 is
  affected. Safari before 10.1.1 is affected. The issue involves the "WebKit"
  component. It allows remote attackers to conduct Universal XSS (UXSS)
  attacks via a crafted web site that improperly interacts with cached frames.

CVE-2017-2530 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2530):
  An issue was discovered in certain Apple products. iOS before 10.3.2 is
  affected. Safari before 10.1.1 is affected. iCloud before 6.2.1 on Windows
  is affected. tvOS before 10.2.1 is affected. The issue involves the "WebKit"
  component. It allows remote attackers to execute arbitrary code or cause a
  denial of service (memory corruption and application crash) via a crafted
  web site.

CVE-2017-2531 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2531):
  An issue was discovered in certain Apple products. iOS before 10.3.2 is
  affected. Safari before 10.1.1 is affected. tvOS before 10.2.1 is affected.
  The issue involves the "WebKit" component. It allows remote attackers to
  execute arbitrary code or cause a denial of service (memory corruption and
  application crash) via a crafted web site.

CVE-2017-2536 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2536):
  An issue was discovered in certain Apple products. iOS before 10.3.2 is
  affected. Safari before 10.1.1 is affected. tvOS before 10.2.1 is affected.
  The issue involves the "WebKit" component. It allows remote attackers to
  execute arbitrary code or cause a denial of service (memory corruption and
  application crash) via a crafted web site.

CVE-2017-2539 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2539):
  An issue was discovered in certain Apple products. iOS before 10.3.2 is
  affected. Safari before 10.1.1 is affected. The issue involves the "WebKit"
  component. It allows remote attackers to execute arbitrary code or cause a
  denial of service (memory corruption and application crash) via a crafted
  web site.

CVE-2017-2544 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2544):
  An issue was discovered in certain Apple products. iOS before 10.3.2 is
  affected. Safari before 10.1.1 is affected. The issue involves the "WebKit"
  component. It allows remote attackers to execute arbitrary code or cause a
  denial of service (memory corruption and application crash) via a crafted
  web site.

CVE-2017-2547 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2547):
  An issue was discovered in certain Apple products. iOS before 10.3.2 is
  affected. Safari before 10.1.1 is affected. The issue involves the "WebKit"
  component. It allows remote attackers to execute arbitrary code or cause a
  denial of service (memory corruption and application crash) via a crafted
  web site.

CVE-2017-2549 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2549):
  An issue was discovered in certain Apple products. iOS before 10.3.2 is
  affected. Safari before 10.1.1 is affected. tvOS before 10.2.1 is affected.
  The issue involves the "WebKit" component. It allows remote attackers to
  conduct Universal XSS (UXSS) attacks via a crafted web site that improperly
  interacts with frame loading.

CVE-2017-6980 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6980):
  An issue was discovered in certain Apple products. iOS before 10.3.2 is
  affected. Safari before 10.1.1 is affected. tvOS before 10.2.1 is affected.
  The issue involves the "WebKit" component. It allows remote attackers to
  execute arbitrary code or cause a denial of service (memory corruption and
  application crash) via a crafted web site.

CVE-2017-6984 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6984):
  An issue was discovered in certain Apple products. iOS before 10.3.2 is
  affected. Safari before 10.1.1 is affected. iTunes before 12.6.1 on Windows
  is affected. tvOS before 10.2.1 is affected. The issue involves the "WebKit"
  component. It allows remote attackers to execute arbitrary code or cause a
  denial of service (memory corruption and application crash) via a crafted
  web site.
Comment 1 Mart Raudsepp gentoo-dev 2017-05-26 21:49:21 UTC
https://webkitgtk.org/security/WSA-2017-0004.html

WebKitGTK+ Security Advisory WSA-2017-0004

    Date Reported: May 25, 2017

    Advisory ID: WSA-2017-0004

    CVE identifiers: CVE-2017-2496, CVE-2017-2504, CVE-2017-2505, CVE-2017-2506, CVE-2017-2508, CVE-2017-2510, CVE-2017-2514, CVE-2017-2515, CVE-2017-2521, CVE-2017-2525, CVE-2017-2526, CVE-2017-2528, CVE-2017-2530, CVE-2017-2531, CVE-2017-2536, CVE-2017-2539, CVE-2017-2544, CVE-2017-2547, CVE-2017-2549, CVE-2017-6980, CVE-2017-6984.

Several vulnerabilities were discovered in WebKitGTK+.

    CVE-2017-2496
        Versions affected: WebKitGTK+ before 2.16.3.
        Credit to Apple.
        Impact: Processing maliciously crafted web content may lead to arbitrary code execution or cause a denial of service (memory corruption and application crash). Description: Multiple memory corruption issues were addressed with improved memory handling.
    CVE-2017-2504
        Versions affected: WebKitGTK+ before 2.16.1.
        Credit to lokihardt of Google Project Zero.
        Impact: Processing maliciously crafted web content may lead to universal cross site scripting (UXSS). Description: A logic issue existed in the handling of WebKit Editor commands. This issue was addressed with improved state management.
    CVE-2017-2505
        Versions affected: WebKitGTK+ before 2.16.0.
        Credit to lokihardt of Google Project Zero.
        Impact: Processing maliciously crafted web content may lead to arbitrary code execution or cause a denial of service (memory corruption and application crash). Description: Multiple memory corruption issues were addressed with improved memory handling.
    CVE-2017-2506
        Versions affected: WebKitGTK+ before 2.16.1.
        Credit to Zheng Huang of the Baidu Security Lab working with Trend Micro’s Zero Day Initiative.
        Impact: Processing maliciously crafted web content may lead to arbitrary code execution or cause a denial of service (memory corruption and application crash). Description: Multiple memory corruption issues were addressed with improved memory handling.
    CVE-2017-2508
        Versions affected: WebKitGTK+ before 2.16.0.
        Credit to lokihardt of Google Project Zero.
        Impact: Processing maliciously crafted web content may lead to universal cross site scripting (UXSS). Description: A logic issue existed in the handling of WebKit container nodes. This issue was addressed with improved state management.
    CVE-2017-2510
        Versions affected: WebKitGTK+ before 2.16.3.
        Credit to lokihardt of Google Project Zero.
        Impact: Processing maliciously crafted web content may lead to universal cross site scripting (UXSS). Description: A logic issue existed in the handling of pageshow events. This issue was addressed with improved state management.
    CVE-2017-2514
        Versions affected: WebKitGTK+ before 2.16.0.
        Credit to lokihardt of Google Project Zero.
        Impact: Processing maliciously crafted web content may lead to arbitrary code execution or cause a denial of service (memory corruption and application crash). Description: Multiple memory corruption issues were addressed with improved memory handling.
    CVE-2017-2515
        Versions affected: WebKitGTK+ before 2.16.1.
        Credit to lokihardt of Google Project Zero.
        Impact: Processing maliciously crafted web content may lead to arbitrary code execution or cause a denial of service (memory corruption and application crash). Description: Multiple memory corruption issues were addressed with improved memory handling.
    CVE-2017-2521
        Versions affected: WebKitGTK+ before 2.16.0.
        Credit to lokihardt of Google Project Zero.
        Impact: Processing maliciously crafted web content may lead to arbitrary code execution or cause a denial of service (memory corruption and application crash). Description: Multiple memory corruption issues were addressed with improved memory handling.
    CVE-2017-2525
        Versions affected: WebKitGTK+ before 2.16.1.
        Credit to Kai Kang (4B5F5F4B) of Tencent’s Xuanwu Lab (tencent.com) working with Trend Micro’s Zero Day Initiative.
        Impact: Processing maliciously crafted web content may lead to arbitrary code execution or cause a denial of service (memory corruption and application crash). Description: Multiple memory corruption issues were addressed with improved memory handling.
    CVE-2017-2526
        Versions affected: WebKitGTK+ before 2.16.1.
        Credit to Kai Kang (4B5F5F4B) of Tencent’s Xuanwu Lab (tencent.com) working with Trend Micro’s Zero Day Initiative.
        Impact: Processing maliciously crafted web content may lead to arbitrary code execution or cause a denial of service (memory corruption and application crash). Description: Multiple memory corruption issues were addressed with improved memory handling.
    CVE-2017-2528
        Versions affected: WebKitGTK+ before 2.16.1.
        Credit to lokihardt of Google Project Zero.
        Impact: Processing maliciously crafted web content may lead to universal cross site scripting (UXSS). Description: A logic issue existed in the handling of WebKit cached frames. This issue was addressed with improved state management.
    CVE-2017-2530
        Versions affected: WebKitGTK+ before 2.16.1.
        Credit to Wei Yuan of Baidu Security Lab.
        Impact: Processing maliciously crafted web content may lead to arbitrary code execution or cause a denial of service (memory corruption and application crash). Description: Multiple memory corruption issues were addressed with improved memory handling.
    CVE-2017-2531
        Versions affected: WebKitGTK+ before 2.16.1.
        Credit to lokihardt of Google Project Zero.
        Impact: Processing maliciously crafted web content may lead to arbitrary code execution or cause a denial of service (memory corruption and application crash). Description: Multiple memory corruption issues were addressed with improved memory handling.
    CVE-2017-2536
        Versions affected: WebKitGTK+ before 2.16.1.
        Credit to Samuel Groß and Niklas Baumstark working with Trend Micro’s Zero Day Initiative.
        Impact: Processing maliciously crafted web content may lead to arbitrary code execution or cause a denial of service (memory corruption and application crash). Description: Multiple memory corruption issues were addressed with improved memory handling.
    CVE-2017-2539
        Versions affected: WebKitGTK+ before 2.16.3.
        Credit to Richard Zhu (fluorescence) working with Trend Micro’s Zero Day Initiative.
        Impact: Processing maliciously crafted web content may lead to arbitrary code execution or cause a denial of service (memory corruption and application crash). Description: Multiple memory corruption issues were addressed with improved memory handling.
    CVE-2017-2544
        Versions affected: WebKitGTK+ before 2.16.1.
        Credit to 360 Security (@mj0011sec) working with Trend Micro’s Zero Day Initiative.
        Impact: Processing maliciously crafted web content may lead to arbitrary code execution or cause a denial of service (memory corruption and application crash). Description: Multiple memory corruption issues were addressed with improved memory handling.
    CVE-2017-2547
        Versions affected: WebKitGTK+ before 2.16.1.
        Credit to lokihardt of Google Project Zero, Team Sniper (Keen Lab and PC Mgr) working with Trend Micro’s Zero Day Initiative.
        Impact: Processing maliciously crafted web content may lead to arbitrary code execution or cause a denial of service (memory corruption and application crash). Description: Multiple memory corruption issues were addressed with improved memory handling.
    CVE-2017-2549
        Versions affected: WebKitGTK+ before 2.16.1.
        Credit to lokihardt of Google Project Zero.
        Impact: Processing maliciously crafted web content may lead to universal cross site scripting (UXSS). Description: A logic issue existed in frame loading. This issue was addressed with improved state management.
    CVE-2017-6980
        Versions affected: WebKitGTK+ before 2.16.1.
        Credit to lokihardt of Google Project Zero.
        Impact: Processing maliciously crafted web content may lead to arbitrary code execution or cause a denial of service (memory corruption and application crash). Description: Multiple memory corruption issues were addressed with improved memory handling.
    CVE-2017-6984
        Versions affected: WebKitGTK+ before 2.16.1.
        Credit to lokihardt of Google Project Zero.
        Impact: Processing maliciously crafted web content may lead to arbitrary code execution or cause a denial of service (memory corruption and application crash). Description: Multiple memory corruption issues were addressed with improved memory handling.
Comment 2 Mart Raudsepp gentoo-dev 2017-05-26 21:50:23 UTC
Arches please proceed as already CCed in earlier action :)

commit 699d560d397993025482777d1ddd3e403859d437
Author: Mart Raudsepp <leio@gentoo.org>
Date:   Sat May 27 00:40:39 2017 +0300

    net-libs/webkit-gtk: bump to 2.16.3; includes 3 security bug fixes
    
    Security fixes: CVE-2017-2496, CVE-2017-2539, CVE-2017-2510.
    Also other bug fixes.
Comment 3 Agostino Sarubbo gentoo-dev 2017-05-27 16:40:08 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2017-06-01 09:13:53 UTC
x86 stable.

Maintainer(s), please clean up.
Security, please add it to the existing request, or file a new one.
Comment 5 Mart Raudsepp gentoo-dev 2017-06-01 13:31:21 UTC
Cleanup of SLOT=4 done; earlier slots can not be cleaned up as usual due to consumers.
Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev 2017-06-03 16:00:44 UTC
Added to an existing GLSA.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2017-06-07 12:11:52 UTC
This issue was resolved and addressed in
 GLSA 201706-15 at https://security.gentoo.org/glsa/201706-15
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 8 Thomas Deutschmann (RETIRED) gentoo-dev 2017-06-07 12:18:29 UTC
Cleanup for older slots is tracked in bug 577068.