Bug 637076 (CVE-2017-13783, CVE-2017-13784, CVE-2017-13785, CVE-2017-13788, CVE-2017-13791, CVE-2017-13792, CVE-2017-13793, CVE-2017-13794, CVE-2017-13795, CVE-2017-13796, CVE-2017-13798, CVE-2017-13802, CVE-2017-13803)

Summary:	<net-libs/webkit-gtk-2.18.3: Remote AcE and/or DoS vectors (CVE-2017-{13783,13784,13785,13788,13791,13792,13793,13794,13795,13796,13798,13802,13803})
Product:	Gentoo Security	Reporter:	Hank Leininger <hlein>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	normal	CC:	gnome
Priority:	Normal	Flags:	stable-bot: sanity-check+
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://webkitgtk.org/security/WSA-2017-0009.html
Whiteboard:	B2 [glsa cve]
Package list:	net-libs/webkit-gtk-2.18.3	Runtime testing required:	---

Description Hank Leininger 2017-11-10 17:36:25 UTC

From ${URL}:

Several vulnerabilities were discovered in WebKitGTK+.

##

13 different CVEs all with:
"Impact: Processing maliciously crafted web content may lead to arbitrary code execution.
Description: Multiple memory corruption issues were addressed with improved memory handling."

Ten are fixed in 2.18.1 (2.18.2 is current in portage as I write this); three fixed in 2.18.3 (just released).

Comment 1 Christopher Díaz Riveros (RETIRED) gentoo-dev

2017-11-12 13:17:24 UTC

(In reply to Hank Leininger from comment #0)
> From ${URL}:
> 
> Several vulnerabilities were discovered in WebKitGTK+.
> 
> ##
> 
> 13 different CVEs all with:
> "Impact: Processing maliciously crafted web content may lead to arbitrary
> code execution.
> Description: Multiple memory corruption issues were addressed with improved
> memory handling."
> 
> Ten are fixed in 2.18.1 (2.18.2 is current in portage as I write this);
> three fixed in 2.18.3 (just released).

Thank you for reporting the issue.

Comment 2 Larry the Git Cow gentoo-dev

2017-11-21 17:31:53 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3dd23d4bc9222af04ce0e307a1eebe0dbc744bca

commit 3dd23d4bc9222af04ce0e307a1eebe0dbc744bca
Author:     Ian Stakenvicius <axs@gentoo.org>
AuthorDate: 2017-11-21 17:31:21 +0000
Commit:     Ian Stakenvicius <axs@gentoo.org>
CommitDate: 2017-11-21 17:31:45 +0000

    net-libs/webkit-gtk: bump to 2.18.3 for security
    
    Bug: https://bugs.gentoo.org/637076
    Acked-by: Mart Raudsepp <leio@gentoo.org>
    Package-Manager: Portage-2.3.13, Repoman-2.3.3

 net-libs/webkit-gtk/Manifest                 |   1 +
 net-libs/webkit-gtk/webkit-gtk-2.18.3.ebuild | 284 +++++++++++++++++++++++++++
 2 files changed, 285 insertions(+)}

Comment 3 Agostino Sarubbo gentoo-dev

2017-11-24 13:24:23 UTC

amd64 stable

Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev

2017-11-27 00:22:08 UTC

x86 stable

Comment 5 Larry the Git Cow gentoo-dev

2017-11-28 17:33:57 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=62eeb40713550035e44586334620fb337a94ae44

commit 62eeb40713550035e44586334620fb337a94ae44
Author:     Manuel Rüger <mrueg@gentoo.org>
AuthorDate: 2017-11-28 17:33:37 +0000
Commit:     Manuel Rüger <mrueg@gentoo.org>
CommitDate: 2017-11-28 17:33:37 +0000

    net-libs/webkit-gtk: Remove vulnerable 2.18.2 as requested by leio
    
    Bug: https://bugs.gentoo.org/637076
    Package-Manager: Portage-2.3.16, Repoman-2.3.6

 net-libs/webkit-gtk/Manifest                 |   1 -
 net-libs/webkit-gtk/webkit-gtk-2.18.2.ebuild | 284 ---------------------------
 2 files changed, 285 deletions(-)}

Comment 6 D'juan McDonald (domhnall) 2017-12-03 03:23:56 UTC

New GLSA request filed.

Gentoo Security Padawan
(jmbailey/mbailey_j)

Comment 7 GLSAMaker/CVETool Bot gentoo-dev

2017-12-14 17:04:04 UTC

This issue was resolved and addressed in
 GLSA 201712-01 at https://security.gentoo.org/glsa/201712-01
by GLSA coordinator Thomas Deutschmann (whissi).