Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 573656 (CVE-2015-7096, CVE-2015-7098) - <net-libs/webkit-gtk-2.10.7: Multiple vulnerabilities
Summary: <net-libs/webkit-gtk-2.10.7: Multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2015-7096, CVE-2015-7098
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B2 [glsa cve]
Keywords:
Depends on: gnome-3.18-stable
Blocks:
  Show dependency tree
 
Reported: 2016-02-02 11:10 UTC by Agostino Sarubbo
Modified: 2017-06-07 12:11 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2016-02-02 11:10:01 UTC
From ${URL} :

Date reported      : February 01, 2016
Advisory ID        : WSA-2016-0001
Advisory URL       : http://webkitgtk.org/security/WSA-2016-0001.html
CVE identifiers    : CVE-2015-7096, CVE-2015-7098.

Several vulnerabilities were discovered on WebKitGTK+.

CVE-2015-7096
    Versions affected: WebKitGTK+ before 2.10.5.
    Credit to Apple.
    WebKit in Apple iOS before 9.2, Safari before 9.0.2, and tvOS before
    9.1 allows remote attackers to execute arbitrary code or cause a
    denial of service (memory corruption and application crash) via a
    crafted web site, a different vulnerability than CVE-2015-7048,
    CVE-2015-7095, CVE-2015-7097, CVE-2015-7098, CVE-2015-7099,
    CVE-2015-7100, CVE-2015-7101, CVE-2015-7102, and CVE-2015-7103.

CVE-2015-7098
    Versions affected: WebKitGTK+ before 2.10.5.
    Credit to Apple.
    WebKit in Apple iOS before 9.2, Safari before 9.0.2, and tvOS before
    9.1 allows remote attackers to execute arbitrary code or cause a
    denial of service (memory corruption and application crash) via a
    crafted web site, a different vulnerability than CVE-2015-7048,
    CVE-2015-7095, CVE-2015-7096, CVE-2015-7097, CVE-2015-7099,
    CVE-2015-7100, CVE-2015-7101, CVE-2015-7102, and CVE-2015-7103.




@maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.
Comment 1 Thomas Deutschmann gentoo-dev Security 2016-11-25 00:59:00 UTC
Was fixed upstream in v2.10.5. First fixed version containing was v2.10.7 (via https://gitweb.gentoo.org/repo/gentoo.git/commit/net-libs/webkit-gtk?id=a62079ddda10039b692df7a77fb4ec572027b2e5).

Current stable version in tree is =net-libs/webkit-gtk-2.12.5.

Added to existing GLSA.


@ Maintainer(s): I am unable to determine if v2.4.11 is affected. Can you help? Maybe you know the commits so we can check?
Comment 2 Mart Raudsepp gentoo-dev 2016-11-25 06:52:25 UTC
webkit-gtk-2.4 is very likely to be affected by various security bugs that have happened and fixed in 2.10 or 2.12.
We need to get webkit-gtk-2.4 out of the tree, but various consumers have still not ported to webkit2gtk (multiprocessing new API). The hope is that these remaining applications only display controlled static HTML, not support browsing the web, but I have not checked.
Comment 3 Thomas Deutschmann gentoo-dev Security 2016-11-25 16:13:46 UTC
@ Maintainer(s): Thank you for your response. Could you please create a webkit-gtk-2.4 removal tracking bug and file blocking bugs against remaining consumers? That way we could track progress...
Comment 4 Pacho Ramos gentoo-dev 2016-11-25 19:13:33 UTC
It was being covered in bug 570034
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2016-12-13 10:21:47 UTC
This issue was resolved and addressed in
 GLSA 201612-41 at https://security.gentoo.org/glsa/201612-41
by GLSA coordinator Aaron Bauman (b-man).
Comment 6 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-12-13 13:33:42 UTC
Should not have been addressed via GLSA or closed.  Errata published.  Reopening.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2017-06-07 12:11:16 UTC
This issue was resolved and addressed in
 GLSA 201706-15 at https://security.gentoo.org/glsa/201706-15
by GLSA coordinator Thomas Deutschmann (whissi).