Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 637076 (CVE-2017-13783, CVE-2017-13784, CVE-2017-13785, CVE-2017-13788, CVE-2017-13791, CVE-2017-13792, CVE-2017-13793, CVE-2017-13794, CVE-2017-13795, CVE-2017-13796, CVE-2017-13798, CVE-2017-13802, CVE-2017-13803)

Summary: <net-libs/webkit-gtk-2.18.3: Remote AcE and/or DoS vectors (CVE-2017-{13783,13784,13785,13788,13791,13792,13793,13794,13795,13796,13798,13802,13803})
Product: Gentoo Security Reporter: Hank Leininger <hlein>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: gnome
Priority: Normal Flags: stable-bot: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://webkitgtk.org/security/WSA-2017-0009.html
Whiteboard: B2 [glsa cve]
Package list:
net-libs/webkit-gtk-2.18.3
Runtime testing required: ---

Description Hank Leininger 2017-11-10 17:36:25 UTC
From ${URL}:

Several vulnerabilities were discovered in WebKitGTK+.

##

13 different CVEs all with:
"Impact: Processing maliciously crafted web content may lead to arbitrary code execution.
Description: Multiple memory corruption issues were addressed with improved memory handling."

Ten are fixed in 2.18.1 (2.18.2 is current in portage as I write this); three fixed in 2.18.3 (just released).
Comment 1 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-11-12 13:17:24 UTC
(In reply to Hank Leininger from comment #0)
> From ${URL}:
> 
> Several vulnerabilities were discovered in WebKitGTK+.
> 
> ##
> 
> 13 different CVEs all with:
> "Impact: Processing maliciously crafted web content may lead to arbitrary
> code execution.
> Description: Multiple memory corruption issues were addressed with improved
> memory handling."
> 
> Ten are fixed in 2.18.1 (2.18.2 is current in portage as I write this);
> three fixed in 2.18.3 (just released).

Thank you for reporting the issue.
Comment 2 Larry the Git Cow gentoo-dev 2017-11-21 17:31:53 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3dd23d4bc9222af04ce0e307a1eebe0dbc744bca

commit 3dd23d4bc9222af04ce0e307a1eebe0dbc744bca
Author:     Ian Stakenvicius <axs@gentoo.org>
AuthorDate: 2017-11-21 17:31:21 +0000
Commit:     Ian Stakenvicius <axs@gentoo.org>
CommitDate: 2017-11-21 17:31:45 +0000

    net-libs/webkit-gtk: bump to 2.18.3 for security
    
    Bug: https://bugs.gentoo.org/637076
    Acked-by: Mart Raudsepp <leio@gentoo.org>
    Package-Manager: Portage-2.3.13, Repoman-2.3.3

 net-libs/webkit-gtk/Manifest                 |   1 +
 net-libs/webkit-gtk/webkit-gtk-2.18.3.ebuild | 284 +++++++++++++++++++++++++++
 2 files changed, 285 insertions(+)}
Comment 3 Agostino Sarubbo gentoo-dev 2017-11-24 13:24:23 UTC
amd64 stable
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2017-11-27 00:22:08 UTC
x86 stable
Comment 5 Larry the Git Cow gentoo-dev 2017-11-28 17:33:57 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=62eeb40713550035e44586334620fb337a94ae44

commit 62eeb40713550035e44586334620fb337a94ae44
Author:     Manuel Rüger <mrueg@gentoo.org>
AuthorDate: 2017-11-28 17:33:37 +0000
Commit:     Manuel Rüger <mrueg@gentoo.org>
CommitDate: 2017-11-28 17:33:37 +0000

    net-libs/webkit-gtk: Remove vulnerable 2.18.2 as requested by leio
    
    Bug: https://bugs.gentoo.org/637076
    Package-Manager: Portage-2.3.16, Repoman-2.3.6

 net-libs/webkit-gtk/Manifest                 |   1 -
 net-libs/webkit-gtk/webkit-gtk-2.18.2.ebuild | 284 ---------------------------
 2 files changed, 285 deletions(-)}
Comment 6 D'juan McDonald (domhnall) 2017-12-03 03:23:56 UTC
New GLSA request filed.

Gentoo Security Padawan
(jmbailey/mbailey_j)
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2017-12-14 17:04:04 UTC
This issue was resolved and addressed in
 GLSA 201712-01 at https://security.gentoo.org/glsa/201712-01
by GLSA coordinator Thomas Deutschmann (whissi).