Bug 622442 (CVE-2017-2424, CVE-2017-2538, WSA-2017-0005) - <net-libs/webkit-gtk-2.16.5: Multiple vulnerabilities
Summary: <net-libs/webkit-gtk-2.16.5: Multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2017-2424, CVE-2017-2538, WSA-2017-0005
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL: https://webkitgtk.org/security/WSA-20...
Whiteboard: A2 [glsa cve]
Reported: 2017-06-22 07:16 UTC by Kristian Fiskerstrand
Modified: 2017-09-17 15:38 UTC
Package list:
net-libs/webkit-gtk-2.16.5
Runtime testing required: ---
stable-bot: sanity-check+


Description Kristian Fiskerstrand gentoo-dev Security 2017-06-22 07:16:57 UTC
From $URL:

WebKitGTK+ Security Advisory WSA-2017-0005

    Date Reported: June 21, 2017

    Advisory ID: WSA-2017-0005

    CVE identifiers: CVE-2017-2538, CVE-2017-2424.

Several vulnerabilities were discovered in WebKitGTK+.

    CVE-2017-2538
        Versions affected: WebKitGTK+ before 2.16.4.
        Credit to Richard Zhu (fluorescence) working with Trend Micro’s Zero Day Initiative.
        Impact: Processing maliciously crafted web content may lead to arbitrary code execution.
        Description: Multiple memory corruption issues were addressed with improved memory handling.
    CVE-2017-2424
        Versions affected: WebKitGTK+ before 2.16.0.
        Credit to Paul Thomson (using the GLFuzz tool) of the Multicore Programming Group, Imperial College London.
        Impact: Processing maliciously crafted web content may result in the disclosure of process memory.
        Description: An information disclosure issue existed in the processing of OpenGL shaders. This issue was addressed through improved memory management.

We recommend updating to the last stable version of WebKitGTK+. It is the best way of ensuring that you are running a safe version of WebKitGTK+. Please check our website for information about the last stable releases.

Further information about WebKitGTK+ Security Advisories can be found at: https://webkitgtk.org/security.html
Comment 1 Mart Raudsepp gentoo-dev 2017-06-23 14:31:21 UTC
I guess technically there is only one CVE security fix in this 2.16.4 stabilization as the other one was fixed in 2.16.0 and now identified or got a CVE number or whatnot.
Arches, please proceed
Comment 2 Mart Raudsepp gentoo-dev 2017-06-25 05:01:54 UTC
Please hold off stabilization. Upstream notified of an HTML select element regression they are investigating.

"We are investigating a regression with WebKitGTK+ 2.16.4 that causes 
HTML select elements to not work in some cases. Due to the severity of 
this regression, we recommend not upgrading to 2.16.4 and sticking with 
2.16.3 for the time being. We apologize for the inconvenience and will 
provide a corrected release as soon as possible."
Comment 3 Mart Raudsepp gentoo-dev 2017-06-26 20:57:25 UTC
Tomorrow there will be a 2.16.5 release with the change that had this regression reverted. The regression has only been observed with one HTML select element in GNOME bugzilla, so shouldn't affect other use cases than browser (epiphany) really in practice, and even then very limited. As 2.16.5 is supposed to be released tomorrow, we can wait for that.

Unfortunately amd64 actually already marked 2.16.4 stable half a day after I removed CC's (some stable testing queue package.accept_keywords file thing I suppose), so that will mean two webkit-gtk updates in a week for those that upgrade frequently or happened to do webkit-gtk-2.16.4 upgrade already.
Comment 4 Mart Raudsepp gentoo-dev 2017-06-27 18:31:45 UTC
commit 873439d6af5263f1a4aaf6b4a5b09329f5471295
Author: Mart Raudsepp <leio@gentoo.org>
Date:   Tue Jun 27 21:19:55 2017 +0300

    net-libs/webkit-gtk: bump to 2.16.5 for a crash and a wayland regression fix
    
    Upstream changes:
    * Fix a web process crash when page finishes loading in several web sites.
    * Fix the menu of select elements not showing in some cases under Wayland.
    
    This is meant to be the security stabilization target for CVE-2017-2538 for
    a regression free upgrade
Comment 5 Agostino Sarubbo gentoo-dev 2017-06-28 13:20:28 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2017-06-30 11:12:00 UTC
x86 stable.

Maintainer(s), please cleanup.
Comment 7 Mart Raudsepp gentoo-dev 2017-07-07 20:34:28 UTC
Cleanup done, to the extent possible as usual due to consumed old SLOTs. security@ is tracking that in bug 577068 instead though.
Comment 8 Yury German Gentoo Infrastructure gentoo-dev Security 2017-09-10 06:48:19 UTC
Maintainer(s), Thank you for your work.
New GLSA Request filed.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2017-09-17 15:38:58 UTC
This issue was resolved and addressed in GLSA 201709-03 at https://security.gentoo.org/glsa/201709-03 by GLSA coordinator Aaron Bauman (b-man).