Summary: | <net-libs/webkit-gtk-2.26.3: multiple vulnerabilities (WSA-2020-0001) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | GLSAMaker/CVETool Bot <glsamaker> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | major | CC: | gentoo, gnome |
Priority: | Normal | Flags: | stable-bot: sanity-check+ |
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://webkitgtk.org/security/WSA-2020-0001.html | ||
Whiteboard: | A2 [glsa+ cve] | ||
Package list: |
gui-libs/libwpe-1.4.0.1 arm64
gui-libs/wpebackend-fdo-1.4.0 arm64
sys-apps/xdg-dbus-proxy-0.1.2 arm64
net-libs/webkit-gtk-2.26.4
|
Runtime testing required: | --- |
Bug Depends on: | 704182 | ||
Bug Blocks: |
Description
GLSAMaker/CVETool Bot
2020-01-25 23:40:57 UTC
Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.

CVE-2019-8835
Versions affected: WebKitGTK before 2.26.3 and WPE WebKit before 2.26.3.
Credit to Anonymous working with Trend Micro’s Zero Day Initiative, Mike Zhang of Pangu Team.
Impact: Processing maliciously crafted web content may lead to arbitrary code execution.
Description: Multiple memory corruption issues were addressed with improved memory handling.

CVE-2019-8844
Versions affected: WebKitGTK before 2.26.3 and WPE WebKit before 2.26.3.
Credit to William Bowling (@wcbowling).
Impact: Processing maliciously crafted web content may lead to arbitrary code execution.
Description: Multiple memory corruption issues were addressed with improved memory handling.

CVE-2019-8846
Versions affected: WebKitGTK before 2.26.3 and WPE WebKit before 2.26.3.
Credit to Marcin Towalski of Cisco Talos.
Impact: Processing maliciously crafted web content may lead to arbitrary code execution.
Description: A use after free issue was addressed with improved memory management.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b6825b367eab5028b16c0907070129c85c71b767

commit b6825b367eab5028b16c0907070129c85c71b767
Author: Mart Raudsepp <leio@gentoo.org>
AuthorDate: 2020-01-31 18:07:29 +0000
Commit: Mart Raudsepp <leio@gentoo.org>
CommitDate: 2020-01-31 19:18:10 +0000

net-libs/webkit-gtk: security bump to 2.26.3, fix gtk-doc

Move gtk-doc building from USE=doc to USE=gtk-doc, as the latter is the one to use now for when generating gtk-doc from scratch. Fix it with perl-based gtk-doc by stripping out some tags in the docs completely; this was already fixed upstream, but that fix seems dependent on newer gtk-doc handling the markdown quoting that got added. So remove the tags completely until we can depend on a newer gtk-doc that doesn't have trouble with the upstream way.

Also a build fix for USE="wayland -opengl -gles2-only" (but remember: you shouldn't disable both opengl and gles2-only on any real desktop system).

Bug: https://bugs.gentoo.org/706374
Bug: https://bugs.gentoo.org/704550
Package-Manager: Portage-2.3.84, Repoman-2.3.20
Signed-off-by: Mart Raudsepp <leio@gentoo.org>

net-libs/webkit-gtk/Manifest | 1 +
net-libs/webkit-gtk/files/2.26.3-fix-gtk-doc.patch | 27 ++
.../files/2.26.3-fix-noGL-wayland-build.patch | 39 +++
net-libs/webkit-gtk/webkit-gtk-2.26.3.ebuild | 287 +++++++++++++++++++++
4 files changed, 354 insertions(+)

amd64 stable

x86 stable

An automated check of this bug failed - the following atom is unknown: net-libs/webkit-gtk-2.26.3
Please verify the atom list.

An automated check of this bug succeeded - the previous repoman errors are now resolved.

arm64 stable via newer 2.26.4 bug

This issue was resolved and addressed in GLSA 202003-22 at https://security.gentoo.org/glsa/202003-22 by GLSA coordinator Thomas Deutschmann (whissi).