Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 577068 (CVE-2016-1723, CVE-2016-1724, CVE-2016-1725, CVE-2016-1726, CVE-2016-1727, CVE-2016-1728) - <net-libs/webkit-gtk-2.10.9: Remote AcE and/or DoS vectors (CVE-2016-{1723,1724,1725,1726,1727,1728})
Summary: <net-libs/webkit-gtk-2.10.9: Remote AcE and/or DoS vectors (CVE-2016-{1723,17...
Status: RESOLVED FIXED
Alias: CVE-2016-1723, CVE-2016-1724, CVE-2016-1725, CVE-2016-1726, CVE-2016-1727, CVE-2016-1728
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: http://webkitgtk.org/security/WSA-201...
Whiteboard: B2 [glsa cve cleanup]
Keywords:
Depends on: 471458 532058 553088 566572 572974 572978 572980 572982 572984 573092 573094 579294 581912 584156 584160 584162 584164 584170 584172 584174 584176 584178 584184 584186 584188 584190 584192 597258 597532 600898 608600 608602 608604 608606 608608 608610 608612 608618 608626 621554 625842 625846 627554 629114 629122 629124 629126 629130 639638 645860
Blocks:
  Show dependency tree
 
Reported: 2016-03-11 16:07 UTC by Kristian Fiskerstrand
Modified: 2018-05-07 14:21 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Kristian Fiskerstrand gentoo-dev Security 2016-03-11 16:07:15 UTC
From ${URL}:
CVE-2016-1726
    Versions affected: WebKitGTK+ before 2.10.8.
    Credit to Apple.
    WebKit, as used in Apple iOS before 9.2.1 and Safari before 9.0.3, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, a different vulnerability than CVE-2016-1723 and CVE-2016-1725.

##

From http://webkitgtk.org/2016/03/11/webkitgtk2.10.8-released.html: 
What’s new in the WebKitGTK+ 2.10.8 release?
... Security fixes: CVE-2016-1726.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2016-03-12 11:44:30 UTC
CVE-2016-1726 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1726):
  WebKit, as used in Apple iOS before 9.2.1 and Safari before 9.0.3, allows
  remote attackers to execute arbitrary code or cause a denial of service
  (memory corruption) via a crafted web site, a different vulnerability than
  CVE-2016-1723 and CVE-2016-1725.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2016-03-12 11:44:31 UTC
CVE-2016-1728 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1728):
  The Cascading Style Sheets (CSS) implementation in Apple iOS before 9.2.1
  and Safari before 9.0.3 mishandles the "a:visited button" selector during
  height processing, which makes it easier for remote attackers to obtain
  sensitive browser-history information via a crafted web site.

CVE-2016-1727 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1727):
  WebKit, as used in Apple iOS before 9.2.1, Safari before 9.0.3, and tvOS
  before 9.1.1, allows remote attackers to execute arbitrary code or cause a
  denial of service (memory corruption) via a crafted web site, a different
  vulnerability than CVE-2016-1724.

CVE-2016-1726 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1726):
  WebKit, as used in Apple iOS before 9.2.1 and Safari before 9.0.3, allows
  remote attackers to execute arbitrary code or cause a denial of service
  (memory corruption) via a crafted web site, a different vulnerability than
  CVE-2016-1723 and CVE-2016-1725.

CVE-2016-1725 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1725):
  WebKit, as used in Apple iOS before 9.2.1 and Safari before 9.0.3, allows
  remote attackers to execute arbitrary code or cause a denial of service
  (memory corruption) via a crafted web site, a different vulnerability than
  CVE-2016-1723 and CVE-2016-1726.

CVE-2016-1724 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1724):
  WebKit, as used in Apple iOS before 9.2.1, Safari before 9.0.3, and tvOS
  before 9.1.1, allows remote attackers to execute arbitrary code or cause a
  denial of service (memory corruption) via a crafted web site, a different
  vulnerability than CVE-2016-1727.

CVE-2016-1723 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1723):
  WebKit, as used in Apple iOS before 9.2.1 and Safari before 9.0.3, allows
  remote attackers to execute arbitrary code or cause a denial of service
  (memory corruption) via a crafted web site, a different vulnerability than
  CVE-2016-1725 and CVE-2016-1726.
Comment 3 Lars Wendler (Polynomial-C) gentoo-dev 2016-03-15 10:05:03 UTC
commit 4d2854acf1a56d2de76c5cee7d4a13c7bfcf85fa
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Tue Mar 15 10:50:45 2016

    net-libs/webkit-gtk: Security bump to version 2.10.8 (bug #577068).
    
    Package-Manager: portage-2.2.28
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>
Comment 4 Pacho Ramos gentoo-dev 2016-03-28 14:07:34 UTC
we would need 2.10.9 instead as 2.10.8 has some regressions per:
http://www.webkitgtk.org/2016/03/17/webkitgtk2.10.9-released.html
Comment 5 Agostino Sarubbo gentoo-dev 2016-04-08 12:22:48 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2016-04-11 10:41:06 UTC
x86 stable.

Maintainer(s), please cleanup.
Comment 7 Thomas Deutschmann gentoo-dev Security 2016-11-21 16:54:26 UTC
@ Maintainer(s): Still waiting for your cleanup. If you want to keep v2.4 for some reason please tell us so we have to check if these versions are affected and need masking.
Comment 8 Mart Raudsepp gentoo-dev 2016-11-22 11:16:06 UTC
We can not clean these up without heavily breaking the tree, because many packages in tree still use webkit-gtk SLOT 2 or 3.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2016-12-13 10:21:55 UTC
This issue was resolved and addressed in
 GLSA 201612-41 at https://security.gentoo.org/glsa/201612-41
by GLSA coordinator Aaron Bauman (b-man).
Comment 10 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-12-13 10:35:17 UTC
Reopening for cleanup.
Comment 11 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-12-13 11:35:33 UTC
Moving the cleanup from bug 570034 to here.  Please add depends for additional packages which require fixing.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2017-06-07 12:11:24 UTC
This issue was resolved and addressed in
 GLSA 201706-15 at https://security.gentoo.org/glsa/201706-15
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 13 Thomas Deutschmann gentoo-dev Security 2017-06-07 12:19:23 UTC
Re-opening to track cleanup of older, vulnerable, slots.
Comment 14 Larry the Git Cow gentoo-dev 2018-02-23 05:34:00 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a880818f9d0e1f8ae97cd3f94208a48709c032b5

commit a880818f9d0e1f8ae97cd3f94208a48709c032b5
Author:     Mart Raudsepp <leio@gentoo.org>
AuthorDate: 2018-02-23 05:32:58 +0000
Commit:     Mart Raudsepp <leio@gentoo.org>
CommitDate: 2018-02-23 05:32:58 +0000

    profiles: p.mask net-lib/webkit-gtk SLOT=2 and SLOT=3 for security
    
    Bug: https://bugs.gentoo.org/577068

 profiles/package.mask | 10 ++++++++++
 1 file changed, 10 insertions(+)}
Comment 15 Nikolay Kichukov 2018-03-14 08:50:00 UTC
Do not remove it from the portage tree(SLOT2). Mask it and allow the user to still use it if they are running an application that depends on it. Citrix Receiver is one such application.

Thanks,
-N
Comment 16 Larry the Git Cow gentoo-dev 2018-03-25 19:05:51 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c99899dde7c6c94f8ad09a1b4972f4da0d9dfdc2

commit c99899dde7c6c94f8ad09a1b4972f4da0d9dfdc2
Author:     Mart Raudsepp <leio@gentoo.org>
AuthorDate: 2018-03-25 19:04:12 +0000
Commit:     Mart Raudsepp <leio@gentoo.org>
CommitDate: 2018-03-25 19:05:39 +0000

    net-libs/webkit-gtk: Remove security vulnerable SLOT=2 and SLOT=3
    
    These slots are years old, unmaintained and vulnerable to hundreds of
    bugs with a CVE assigned. Additionally there are some known unfixed
    issues building against newer ICU. No interest in continued maintenance
    of known hugely security vulnerable versions, thus with no consumers
    remaining in main tree, this is going away now. Sorry.
    If you need this, please think seriously ten times before you make it
    available to yourself via an overlay, or use any software that requires
    this security riddled version still.
    
    Closes: https://bugs.gentoo.org/577068

 net-libs/webkit-gtk/Manifest                       |   1 -
 .../files/webkit-gtk-1.11.90-gtk-docize-fix.patch  |  10 -
 .../files/webkit-gtk-1.6.1-darwin-quartz.patch     |  67 -----
 .../files/webkit-gtk-2.2.5-hppa-platform.patch     |  20 --
 .../files/webkit-gtk-2.2.5-ia64-platform.patch     |  12 -
 .../files/webkit-gtk-2.4.1-ia64-malloc.patch       |  20 --
 .../files/webkit-gtk-2.4.11-video-web-audio.patch  |  11 -
 .../files/webkit-gtk-2.4.4-atomic-ppc.patch        |  32 ---
 .../files/webkit-gtk-2.4.4-jpeg-9a.patch           |  30 ---
 .../files/webkit-gtk-2.4.7-disable-webgl.patch     |  11 -
 .../webkit-gtk/files/webkit-gtk-2.4.9-gcc-6.patch  |  29 ---
 net-libs/webkit-gtk/metadata.xml                   |   1 -
 net-libs/webkit-gtk/webkit-gtk-2.4.11-r1.ebuild    | 275 ---------------------
 net-libs/webkit-gtk/webkit-gtk-2.4.11-r200.ebuild  | 262 --------------------
 profiles/package.mask                              |   3 +-
 15 files changed, 1 insertion(+), 783 deletions(-)
Comment 17 Mart Raudsepp gentoo-dev 2018-03-25 19:17:27 UTC
(In reply to Nikolay Kichukov from comment #15)
> Citrix Receiver is one such application.

I see a Citrix Receiver released 2 days ago, which does use webkit-gtk:4 instead in its webcontainer components (links against libwebkit2gtk-4.0.so.37 and gtk3), though there's still also a .so it ships itself that links to webkit-gtk:2, but not sure if and where it's used; just like icaclient webkit-gtk:2 dep was questionable as well for at least main functionality.

However, lets not go into further discussion about this here - this is a security bug that gets e-mail to many people, etc. Thought to at least notify my findings still; make of them what you will after testing this newer release, if possible (to connect to your servers or whatnot).
Comment 18 Nikolay Kichukov 2018-05-07 14:21:16 UTC
Citrix receiver(selfservice) 13.9.1(latest) still depends on the old version of webkit-gtk:2:

open("/usr/lib64/libjavascriptcoregtk-1.0.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
...
write(2, "selfservice is unable to find a "..., 77selfservice is unable to find a compatible webkit library and will now exit.
) = 77

So it does have a dependency for something that Gentoo removed and not masked.

Thanks,
-N