
Bug 636378 (CVE-2017-1000121, CVE-2017-1000122)

Summary: net-libs/webkit-gtk: Multiple vulnerabilities (CVE-2017-{1000121,1000122})
Product: Gentoo Security
Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: gnome
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://webkitgtk.org/security/WSA-2017-0007.html
Whiteboard: B3 [noglsa cve]
Package list:
Runtime testing required: ---

Description GLSAMaker/CVETool Bot gentoo-dev 2017-11-03 14:13:49 UTC
CVE-2017-1000122 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-1000122):
  The UNIX IPC layer in WebKit, including WebKitGTK+ prior to 2.16.3, does not
  properly validate certain message metadata, allowing a compromised secondary
  process to cause a denial of service (release assertion) of the UI process.
  This vulnerability does not affect Apple products.

CVE-2017-1000121 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-1000121):
  The UNIX IPC layer in WebKit, including WebKitGTK+ prior to 2.16.3, does not
  properly validate message size metadata, allowing a compromised secondary
  process to trigger an integer overflow and subsequent buffer overflow in the
  UI process. This vulnerability does not affect Apple products.
Comment 1 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-11-03 14:14:51 UTC
@Maintainers please confirm if we are affected by these vulnerabilities.

Thank you.
Comment 2 Mart Raudsepp gentoo-dev 2017-11-03 14:25:03 UTC
2.16.3 and newer are safe per https://webkitgtk.org/security/WSA-2017-0007.html
Comment 3 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-11-03 14:29:17 UTC
Thank you, nothing else to do here then.

GLSA Vote: No