Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 672108 (CVE-2018-4345, CVE-2018-4372, CVE-2018-4373, CVE-2018-4375, CVE-2018-4376, CVE-2018-4378, CVE-2018-4382, CVE-2018-4386, CVE-2018-4392, CVE-2018-4416, WSA-2018-0008)

Summary: <net-libs/webkit-gtk-2.22.5: multiple vulnerabilities (WSA-2018-0008)
Product: Gentoo Security Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major CC: gnome
Priority: Normal Flags: stable-bot: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://webkitgtk.org/security/WSA-2018-0008.html
Whiteboard: A2 [glsa+ cve]
Package list:
net-libs/webkit-gtk-2.22.5
Runtime testing required: ---
Bug Depends on: 674854    
Bug Blocks: 674702, 674870    

Description GLSAMaker/CVETool Bot gentoo-dev 2018-11-27 22:38:15 UTC
Incoming details.
Comment 1 Thomas Deutschmann gentoo-dev Security 2018-11-27 22:40:08 UTC
From $URL:

Several vulnerabilities were discovered in WebKitGTK+ and WPE WebKit.

CVE-2018-4345
Versions affected: WebKitGTK+ before 2.22.3 and WPE WebKit before 2.22.1.
Credit to an anonymous researcher.
A cross-site scripting issue existed in WebKit. This issue was addressed with improved URL validation.

CVE-2018-4372
Versions affected: WebKitGTK+ before 2.22.4 and WPE WebKit before 2.22.2.
Credit to HyungSeok Han, DongHyeon Oh, and Sang Kil Cha of KAIST Softsec Lab, Korea.
Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling.

CVE-2018-4373
Versions affected: WebKitGTK+ and WPE WebKit before 2.22.0.
Credit to ngg, alippai, DirtYiCE, KT of Tresorit working with Trend Micro’s Zero Day Initiative.
Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling.

CVE-2018-4375
Versions affected: WebKitGTK+ before 2.22.1 and WPE WebKit before 2.22.0.
Credit to Yu Haiwan and Wu Hongjun From Nanyang Technological University working with Trend Micro’s Zero Day Initiative.
Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling.

CVE-2018-4376
Versions affected: WebKitGTK+ before 2.22.1 and WPE WebKit before 2.22.0.
Credit to 010 working with Trend Micro’s Zero Day Initiative.
Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling.

CVE-2018-4378
Versions affected: WebKitGTK+ before 2.22.1 and WPE WebKit before 2.22.0.
Credit to an anonymous researcher, zhunki of 360 ESG Codesafe Team.
Processing maliciously crafted web content may lead to code execution. A memory corruption issue was addressed with improved validation.

CVE-2018-4382
Versions affected: WebKitGTK+ before 2.22.1 and WPE WebKit before 2.22.0.
Credit to lokihardt of Google Project Zero.
Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling.

CVE-2018-4386
Versions affected: WebKitGTK+ before 2.22.3 and WPE WebKit before 2.22.1.
Credit to lokihardt of Google Project Zero.
Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling.

CVE-2018-4392
Versions affected: WebKitGTK+ before 2.22.1 and WPE WebKit before 2.22.0.
Credit to zhunki of 360 ESG Codesafe Team.
Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling.

CVE-2018-4416
Versions affected: WebKitGTK+ before 2.22.1 and WPE WebKit before 2.22.0.
Credit to lokihardt of Google Project Zero.
Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling.
Comment 2 Thomas Deutschmann gentoo-dev Security 2019-01-09 01:37:10 UTC
x86 stable
Comment 3 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-01-10 09:53:46 UTC
amd64 stable
Comment 4 Mart Raudsepp gentoo-dev 2019-01-14 19:54:46 UTC
cleanup done
Comment 5 Yury German Gentoo Infrastructure gentoo-dev 2019-03-07 22:01:58 UTC
Arches and Maintainer(s), Thank you for your work.
Added to an existing GLSA Request.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2019-03-14 01:38:22 UTC
This issue was resolved and addressed in
 GLSA 201903-12 at https://security.gentoo.org/glsa/201903-12
by GLSA coordinator Aaron Bauman (b-man).