
Bug 644128

Summary: <net-libs/webkit-gtk-2.18.5: Spectre/Meltdown mitigation (CVE-2017-{5715,5753})
Product: Gentoo Security
Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: gnome
Priority: Normal
Flags: stable-bot: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://webkitgtk.org/security/WSA-2018-0001.html
Whiteboard: A4 [noglsa cve]
Package list:
net-libs/webkit-gtk-2.18.5
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 643342, 643340    

Description GLSAMaker/CVETool Bot gentoo-dev 2018-01-10 15:08:47 UTC
CVE-2017-5753 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5753):
  Systems with microprocessors utilizing speculative execution and branch
  prediction may allow unauthorized disclosure of information to an attacker
  with local user access via a side-channel analysis.

CVE-2017-5715 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5715):
  Systems with microprocessors utilizing speculative execution and indirect
  branch prediction may allow unauthorized disclosure of information to an
  attacker with local user access via a side-channel analysis.
Comment 1 Larry the Git Cow gentoo-dev 2018-01-11 13:52:44 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=985a787359c84f142eb47005244b681ebc35b2be

commit 985a787359c84f142eb47005244b681ebc35b2be
Author:     Mart Raudsepp <leio@gentoo.org>
AuthorDate: 2018-01-11 13:52:15 +0000
Commit:     Mart Raudsepp <leio@gentoo.org>
CommitDate: 2018-01-11 13:52:15 +0000

    net-libs/webkit-gtk: security bump to 2.18.5 for Spectre mitigation
    
    Bug: https://bugs.gentoo.org/644128
    Package-Manager: Portage-2.3.19, Repoman-2.3.6

 net-libs/webkit-gtk/Manifest                 |   1 +
 net-libs/webkit-gtk/webkit-gtk-2.18.5.ebuild | 284 +++++++++++++++++++++++++++
 2 files changed, 285 insertions(+)
Comment 2 Mart Raudsepp gentoo-dev 2018-01-11 14:06:38 UTC
Not sure why Meltdown is mentioned in the summary. Also, my summary change to mention the version now reads odd, as if earlier has mitigation, due to the backwards way with mitigations.
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2018-01-11 20:11:29 UTC
x86 stable
Comment 4 Agostino Sarubbo gentoo-dev 2018-01-14 15:31:27 UTC
amd64 stable.

Maintainer(s), please clean up.
Security, please vote.
Comment 5 Larry the Git Cow gentoo-dev 2018-01-15 18:20:48 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f29a87fb51e655797c146b3f5120c47401572a5a

commit f29a87fb51e655797c146b3f5120c47401572a5a
Author:     Mart Raudsepp <leio@gentoo.org>
AuthorDate: 2018-01-15 18:19:13 +0000
Commit:     Mart Raudsepp <leio@gentoo.org>
CommitDate: 2018-01-15 18:19:13 +0000

    net-libs/webkit-gtk: security cleanup
    
    Bug: https://bugs.gentoo.org/644128
    Package-Manager: Portage-2.3.19, Repoman-2.3.6

 net-libs/webkit-gtk/Manifest                 |   1 -
 net-libs/webkit-gtk/webkit-gtk-2.18.4.ebuild | 284 ---------------------------
 2 files changed, 285 deletions(-)
Comment 6 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2018-03-15 21:56:51 UTC
GLSA Vote: No

marking as FIXED.

Thank you