
Bug 706374 (CVE-2019-8835, CVE-2019-8844, CVE-2019-8846, WSA-2020-0001)

Summary: <net-libs/webkit-gtk-2.26.3: multiple vulnerabilities (WSA-2020-0001)
Product: Gentoo Security
Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: gentoo, gnome
Priority: Normal
Flags: stable-bot: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://webkitgtk.org/security/WSA-2020-0001.html
Whiteboard: A2 [glsa+ cve]
Package list:
gui-libs/libwpe-1.4.0.1 arm64
gui-libs/wpebackend-fdo-1.4.0 arm64
sys-apps/xdg-dbus-proxy-0.1.2 arm64
net-libs/webkit-gtk-2.26.4
Runtime testing required: ---
Bug Depends on: 704182    
Bug Blocks:    

Description GLSAMaker/CVETool Bot gentoo-dev 2020-01-25 23:40:57 UTC
Incoming details.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2020-01-25 23:41:58 UTC
Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.

    CVE-2019-8835
        Versions affected: WebKitGTK before 2.26.3 and WPE WebKit before 2.26.3.
        Credit to Anonymous working with Trend Micro’s Zero Day Initiative, Mike Zhang of Pangu Team.
        Impact: Processing maliciously crafted web content may lead to arbitrary code execution.
        Description: Multiple memory corruption issues were addressed with improved memory handling.
    CVE-2019-8844
        Versions affected: WebKitGTK before 2.26.3 and WPE WebKit before 2.26.3.
        Credit to William Bowling (@wcbowling).
        Impact: Processing maliciously crafted web content may lead to arbitrary code execution.
        Description: Multiple memory corruption issues were addressed with improved memory handling.
    CVE-2019-8846
        Versions affected: WebKitGTK before 2.26.3 and WPE WebKit before 2.26.3.
        Credit to Marcin Towalski of Cisco Talos.
        Impact: Processing maliciously crafted web content may lead to arbitrary code execution.
        Description: A use after free issue was addressed with improved memory management.
Comment 2 Larry the Git Cow gentoo-dev 2020-01-31 19:19:16 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b6825b367eab5028b16c0907070129c85c71b767

commit b6825b367eab5028b16c0907070129c85c71b767
Author:     Mart Raudsepp <leio@gentoo.org>
AuthorDate: 2020-01-31 18:07:29 +0000
Commit:     Mart Raudsepp <leio@gentoo.org>
CommitDate: 2020-01-31 19:18:10 +0000

    net-libs/webkit-gtk: security bump to 2.26.3, fix gtk-doc
    
    Move gtk-doc building from USE=doc to USE=gtk-doc, as the latter is the
    one to use now for when generating gtk-doc from scratch. Fix it with
    perl-based gtk-doc by stripping out some tags in the docs completely;
    this was already fixed upstream, but that fix seems dependent on newer
    gtk-doc handling the markdown quoting that got added. So remove the
    tags completely until we can depend on a newer gtk-doc that doesn't
    have trouble with the upstream way.
    
    Also a build fix for USE="wayland -opengl -gles2-only" (but remember:
    you shouldn't disable both opengl and gles2-only on any real desktop
    system).
    
    Bug: https://bugs.gentoo.org/706374
    Bug: https://bugs.gentoo.org/704550
    Package-Manager: Portage-2.3.84, Repoman-2.3.20
    Signed-off-by: Mart Raudsepp <leio@gentoo.org>

 net-libs/webkit-gtk/Manifest                       |   1 +
 net-libs/webkit-gtk/files/2.26.3-fix-gtk-doc.patch |  27 ++
 .../files/2.26.3-fix-noGL-wayland-build.patch      |  39 +++
 net-libs/webkit-gtk/webkit-gtk-2.26.3.ebuild       | 287 +++++++++++++++++++++
 4 files changed, 354 insertions(+)
Comment 3 Piotr Karbowski (RETIRED) gentoo-dev 2020-02-02 09:34:47 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2020-02-03 14:45:00 UTC
x86 stable
Comment 5 Stabilization helper bot gentoo-dev 2020-03-01 17:01:01 UTC
An automated check of this bug failed - the following atom is unknown:

net-libs/webkit-gtk-2.26.3

Please verify the atom list.
Comment 6 Stabilization helper bot gentoo-dev 2020-03-08 15:01:44 UTC
An automated check of this bug succeeded - the previous repoman errors are now resolved.
Comment 7 Mart Raudsepp gentoo-dev 2020-03-14 11:03:34 UTC
arm64 stable via newer 2.26.4 bug
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2020-03-15 04:44:45 UTC
This issue was resolved and addressed in
 GLSA 202003-22 at https://security.gentoo.org/glsa/202003-22
by GLSA coordinator Thomas Deutschmann (whissi).