Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 652820 (CVE-2018-4101, CVE-2018-4113, CVE-2018-4114, CVE-2018-4118, CVE-2018-4119, CVE-2018-4120, CVE-2018-4121, CVE-2018-4122, CVE-2018-4125, CVE-2018-4127, CVE-2018-4128, CVE-2018-4129, CVE-2018-4133, CVE-2018-4146, CVE-2018-4161, CVE-2018-4162, CVE-2018-4163, CVE-2018-4165, CVE-2018-4200, CVE-2018-4204, WSA-2018-0003, WSA-2018-0004)

Summary: <net-libs/webkit-gtk-2.20.2: Multiple vulnerabilities (WSA-2018-{0003,0004})
Product: Gentoo Security Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: gnome, ostroffjh, pedromoreno94
Priority: Normal Flags: stable-bot: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B2 [glsa+ cve]
Package list:
media-libs/woff2-1.0.2-r1 net-libs/webkit-gtk-2.20.3
 Runtime testing required: ---
Bug Depends on: 655550    
Bug Blocks: 658168    

Description GLSAMaker/CVETool Bot gentoo-dev 2018-04-08 21:47:08 UTC 
CVE-2018-4165 (https://nvd.nist.gov/vuln/detail/CVE-2018-4165):
  An issue was discovered in certain Apple products. iOS before 11.3 is
  affected. Safari before 11.1 is affected. iCloud before 7.4 on Windows is
  affected. iTunes before 12.7.4 on Windows is affected. tvOS before 11.3 is
  affected. The issue involves the "WebKit" component. It allows remote
  attackers to execute arbitrary code or cause a denial of service (memory
  corruption and application crash) via a crafted web site.

CVE-2018-4163 (https://nvd.nist.gov/vuln/detail/CVE-2018-4163):
  An issue was discovered in certain Apple products. iOS before 11.3 is
  affected. Safari before 11.1 is affected. iCloud before 7.4 on Windows is
  affected. iTunes before 12.7.4 on Windows is affected. tvOS before 11.3 is
  affected. watchOS before 4.3 is affected. The issue involves the "WebKit"
  component. It allows remote attackers to execute arbitrary code or cause a
  denial of service (memory corruption and application crash) via a crafted
  web site.

CVE-2018-4162 (https://nvd.nist.gov/vuln/detail/CVE-2018-4162):
  An issue was discovered in certain Apple products. iOS before 11.3 is
  affected. Safari before 11.1 is affected. iCloud before 7.4 on Windows is
  affected. iTunes before 12.7.4 on Windows is affected. tvOS before 11.3 is
  affected. watchOS before 4.3 is affected. The issue involves the "WebKit"
  component. It allows remote attackers to execute arbitrary code or cause a
  denial of service (memory corruption and application crash) via a crafted
  web site.

CVE-2018-4146 (https://nvd.nist.gov/vuln/detail/CVE-2018-4146):
  An issue was discovered in certain Apple products. iOS before 11.3 is
  affected. Safari before 11.1 is affected. iCloud before 7.4 on Windows is
  affected. iTunes before 12.7.4 on Windows is affected. tvOS before 11.3 is
  affected. watchOS before 4.3 is affected. The issue involves the "WebKit"
  component. It allows attackers to cause a denial of service (memory
  corruption) via a crafted web site.

CVE-2018-4133 (https://nvd.nist.gov/vuln/detail/CVE-2018-4133):
  An issue was discovered in certain Apple products. Safari before 11.1 is
  affected. The issue involves the "WebKit" component. A Safari cross-site
  scripting (XSS) vulnerability allows remote attackers to inject arbitrary
  web script or HTML via a crafted URL.

CVE-2018-4129 (https://nvd.nist.gov/vuln/detail/CVE-2018-4129):
  An issue was discovered in certain Apple products. iOS before 11.3 is
  affected. Safari before 11.1 is affected. iCloud before 7.4 on Windows is
  affected. iTunes before 12.7.4 on Windows is affected. tvOS before 11.3 is
  affected. watchOS before 4.3 is affected. The issue involves the "WebKit"
  component. It allows remote attackers to execute arbitrary code or cause a
  denial of service (memory corruption and application crash) via a crafted
  web site.

CVE-2018-4128 (https://nvd.nist.gov/vuln/detail/CVE-2018-4128):
  An issue was discovered in certain Apple products. iOS before 11.3 is
  affected. Safari before 11.1 is affected. iCloud before 7.4 on Windows is
  affected. iTunes before 12.7.4 on Windows is affected. tvOS before 11.3 is
  affected. The issue involves the "WebKit" component. It allows remote
  attackers to execute arbitrary code or cause a denial of service (memory
  corruption and application crash) via a crafted web site.

CVE-2018-4127 (https://nvd.nist.gov/vuln/detail/CVE-2018-4127):
  An issue was discovered in certain Apple products. iOS before 11.3 is
  affected. Safari before 11.1 is affected. iCloud before 7.4 on Windows is
  affected. iTunes before 12.7.4 on Windows is affected. tvOS before 11.3 is
  affected. The issue involves the "WebKit" component. It allows remote
  attackers to execute arbitrary code or cause a denial of service (memory
  corruption and application crash) via a crafted web site.

CVE-2018-4125 (https://nvd.nist.gov/vuln/detail/CVE-2018-4125):
  An issue was discovered in certain Apple products. iOS before 11.3 is
  affected. Safari before 11.1 is affected. iCloud before 7.4 on Windows is
  affected. iTunes before 12.7.4 on Windows is affected. tvOS before 11.3 is
  affected. watchOS before 4.3 is affected. The issue involves the "WebKit"
  component. It allows remote attackers to execute arbitrary code or cause a
  denial of service (memory corruption and application crash) via a crafted
  web site.

CVE-2018-4122 (https://nvd.nist.gov/vuln/detail/CVE-2018-4122):
  An issue was discovered in certain Apple products. iOS before 11.3 is
  affected. Safari before 11.1 is affected. iCloud before 7.4 on Windows is
  affected. iTunes before 12.7.4 on Windows is affected. tvOS before 11.3 is
  affected. watchOS before 4.3 is affected. The issue involves the "WebKit"
  component. It allows remote attackers to execute arbitrary code or cause a
  denial of service (memory corruption and application crash) via a crafted
  web site.

CVE-2018-4120 (https://nvd.nist.gov/vuln/detail/CVE-2018-4120):
  An issue was discovered in certain Apple products. iOS before 11.3 is
  affected. Safari before 11.1 is affected. iCloud before 7.4 on Windows is
  affected. iTunes before 12.7.4 on Windows is affected. tvOS before 11.3 is
  affected. The issue involves the "WebKit" component. It allows remote
  attackers to execute arbitrary code or cause a denial of service (memory
  corruption and application crash) via a crafted web site.

CVE-2018-4119 (https://nvd.nist.gov/vuln/detail/CVE-2018-4119):
  An issue was discovered in certain Apple products. iOS before 11.3 is
  affected. Safari before 11.1 is affected. iCloud before 7.4 on Windows is
  affected. iTunes before 12.7.4 on Windows is affected. tvOS before 11.3 is
  affected. The issue involves the "WebKit" component. It allows remote
  attackers to execute arbitrary code or cause a denial of service (memory
  corruption and application crash) via a crafted web site.

CVE-2018-4118 (https://nvd.nist.gov/vuln/detail/CVE-2018-4118):
  An issue was discovered in certain Apple products. iOS before 11.3 is
  affected. Safari before 11.1 is affected. iCloud before 7.4 on Windows is
  affected. iTunes before 12.7.4 on Windows is affected. tvOS before 11.3 is
  affected. The issue involves the "WebKit" component. It allows remote
  attackers to execute arbitrary code or cause a denial of service (memory
  corruption and application crash) via a crafted web site.

CVE-2018-4117 (https://nvd.nist.gov/vuln/detail/CVE-2018-4117):
  An issue was discovered in certain Apple products. iOS before 11.3 is
  affected. Safari before 11.1 is affected. iCloud before 7.4 on Windows is
  affected. iTunes before 12.7.4 on Windows is affected. watchOS before 4.3 is
  affected. The issue involves the fetch API in the "WebKit" component. It
  allows remote attackers to bypass the Same Origin Policy and obtain
  sensitive information via a crafted web site.

CVE-2018-4114 (https://nvd.nist.gov/vuln/detail/CVE-2018-4114):
  An issue was discovered in certain Apple products. iOS before 11.3 is
  affected. Safari before 11.1 is affected. iCloud before 7.4 on Windows is
  affected. iTunes before 12.7.4 on Windows is affected. tvOS before 11.3 is
  affected. watchOS before 4.3 is affected. The issue involves the "WebKit"
  component. It allows remote attackers to execute arbitrary code or cause a
  denial of service (memory corruption and application crash) via a crafted
  web site.

CVE-2018-4113 (https://nvd.nist.gov/vuln/detail/CVE-2018-4113):
  An issue was discovered in certain Apple products. iOS before 11.3 is
  affected. Safari before 11.1 is affected. iCloud before 7.4 on Windows is
  affected. iTunes before 12.7.4 on Windows is affected. tvOS before 11.3 is
  affected. watchOS before 4.3 is affected. The issue involves a
  JavaScriptCore function in the "WebKit" component. It allows attackers to
  trigger an assertion failure by leveraging improper array indexing.

CVE-2018-4101 (https://nvd.nist.gov/vuln/detail/CVE-2018-4101):
  An issue was discovered in certain Apple products. iOS before 11.3 is
  affected. Safari before 11.1 is affected. iCloud before 7.4 on Windows is
  affected. iTunes before 12.7.4 on Windows is affected. tvOS before 11.3 is
  affected. The issue involves the "WebKit" component. It allows remote
  attackers to execute arbitrary code or cause a denial of service (memory
  corruption and application crash) via a crafted web site.


WebKitGTK+ Security Advisory WSA-2018-0003:

https://webkitgtk.org/security/WSA-2018-0003.html
Comment 1 tonemgub 2018-05-12 00:41:22 UTC 
------------------------------------------------------------------------
WebKitGTK+ Security Advisory                               WSA-2018-0004
------------------------------------------------------------------------

Date reported      : May 07, 2018
Advisory ID        : WSA-2018-0004
Advisory URL       : https://webkitgtk.org/security/WSA-2018-0004.html
CVE identifiers    : CVE-2018-4121, CVE-2018-4200, CVE-2018-4204.

Several vulnerabilities were discovered in WebKitGTK+.

CVE-2018-4121
   Versions affected: WebKitGTK+ before 2.20.0.
   Credit to Natalie Silvanovich of Google Project Zero.
   Impact: Processing maliciously crafted web content may lead to
   arbitrary code execution. Description: Multiple memory corruption
   issues were addressed with improved memory handling.

CVE-2018-4200
   Versions affected: WebKitGTK+ before 2.20.2.
   Credit to Ivan Fratric of Google Project Zero.
   Impact: Processing maliciously crafted web content may lead to
   arbitrary code execution. Description: A memory corruption issue was
   addressed with improved state management.

CVE-2018-4204
   Versions affected: WebKitGTK+ before 2.20.1.
   Credit to Richard Zhu (fluorescence) working with Trend Micro's Zero
   Day Initiative, found by OSS-Fuzz.
   Impact: Processing maliciously crafted web content may lead to
   arbitrary code execution. Description: A memory corruption issue was
   addressed with improved memory handling.


We recommend updating to the last stable version of WebKitGTK+. It is
the best way of ensuring that you are running a safe version of
WebKitGTK+. Please check our website for information about the last
stable releases.

Further information about WebKitGTK+ Security Advisories can be found
at: https://webkitgtk.org/security.html

The WebKitGTK+ team,
May 07, 2018
Comment 2 Vlad K. 2018-06-14 15:13:16 UTC 
Another batch coming up:

https://webkitgtk.org/security/WSA-2018-0005.html
Comment 3 Mart Raudsepp gentoo-dev 2018-07-23 22:37:24 UTC 
Bump is done finally, but I'd prefer to let it simmer for a couple days in ~arch, as the upstream build system does something similar to chromium[jumbo-build] unconditionally now with some cmake dark magic and some ebuild things were reworked. So lets see what shakes out within 2-7 days.
Comment 4 Mart Raudsepp gentoo-dev 2018-07-23 22:45:14 UTC 
I can't find https://webkitgtk.org/security/WSA-2018-0003.html covered anywhere. Maybe include it here, and possibly also merge in the WSA-2018-0005 (bug 658168) stuff into the same bug here, as it's all the same version bump and stabling?
Comment 5 Mart Raudsepp gentoo-dev 2018-07-28 11:27:45 UTC 
Lets proceed with stabilization now then.
x86@: you haven't done 661356 yet, so removing the bug depends and asking you to straight to stable it as security dep (older version was bundled in webkit-gtk before in earlier versions)
Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev 2018-07-28 16:16:23 UTC 
x86 stable
Comment 7 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-07-30 20:52:38 UTC 
amd64 stable
Comment 8 Thomas Deutschmann (RETIRED) gentoo-dev 2018-08-06 19:08:46 UTC 
New GLSA request filed.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2018-08-22 21:29:08 UTC 
This issue was resolved and addressed in
 GLSA 201808-04 at https://security.gentoo.org/glsa/201808-04
by GLSA coordinator Thomas Deutschmann (whissi).