Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 734584 (CVE-2020-9862, CVE-2020-9893, CVE-2020-9894, CVE-2020-9895, CVE-2020-9915, CVE-2020-9925) - <net-libs/webkit-gtk-2.28.4: Multiple vulnerabilities (CVE-2020-{9862,9893,9894,9895,9915,9925})
Summary: <net-libs/webkit-gtk-2.28.4: Multiple vulnerabilities (CVE-2020-{9862,9893,98...
Status: RESOLVED FIXED
Alias: CVE-2020-9862, CVE-2020-9893, CVE-2020-9894, CVE-2020-9895, CVE-2020-9915, CVE-2020-9925
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL: https://webkitgtk.org/security/WSA-20...
Whiteboard: A2 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-07-29 16:59 UTC by John Helmert III (ajak)
Modified: 2020-07-31 17:13 UTC (History)
1 user (show)

See Also:
Package list:
net-libs/webkit-gtk-2.28.4
Runtime testing required: ---
nattka: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III (ajak) 2020-07-29 16:59:25 UTC
CVE-2020-9862:

Impact: Copying a URL from Web Inspector may lead to command injection. Description: A command injection issue existed in Web Inspector. This issue was addressed with improved escaping.

CVE-2020-9893:

Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution. Description: An use-after-free issue was addressed with improved memory management.

CVE-2020-9894:

Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution. Description: An out-of-bounds read was addressed with improved input validation.

CVE-2020-9895:

Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution. Description: An use-after-free issue was addressed with improved memory management.

CVE-2020-9915:

Impact: Processing maliciously crafted web content may prevent Content Security Policy from being enforced. Description: An access issue existed in Content Security Policy. This issue was addressed with improved access restrictions.

CVE-2020-9925:

Impact: Processing maliciously crafted web content may lead to universal cross site scripting. Description: A logic issue was addressed with improved state management.



All are fixed by 2.28.4 according to $URL. Let's stable when ready?
Comment 1 Sam James gentoo-dev Security 2020-07-29 23:08:12 UTC
arm64 stable
Comment 2 Sam James gentoo-dev Security 2020-07-29 23:08:34 UTC
amd64 stable
Comment 3 Sam James gentoo-dev Security 2020-07-29 23:47:47 UTC
x86 stable. Please cleanup.
Comment 4 Larry the Git Cow gentoo-dev 2020-07-30 21:18:01 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e09a9c9cc6ff10e82e4d9a1f8bb6e896325ef029

commit e09a9c9cc6ff10e82e4d9a1f8bb6e896325ef029
Author:     Mart Raudsepp <leio@gentoo.org>
AuthorDate: 2020-07-30 21:17:26 +0000
Commit:     Mart Raudsepp <leio@gentoo.org>
CommitDate: 2020-07-30 21:17:52 +0000

    net-libs/webkit-gtk: security cleanup
    
    Bug: https://bugs.gentoo.org/734584
    Package-Manager: Portage-2.3.84, Repoman-2.3.20
    Signed-off-by: Mart Raudsepp <leio@gentoo.org>

 net-libs/webkit-gtk/Manifest                       |   1 -
 .../webkit-gtk/files/2.28.3-non-jumbo-fix2.patch   |  44 ----
 net-libs/webkit-gtk/webkit-gtk-2.28.3.ebuild       | 290 ---------------------
 3 files changed, 335 deletions(-)
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2020-07-31 17:13:37 UTC
This issue was resolved and addressed in
 GLSA 202007-61 at https://security.gentoo.org/glsa/202007-61
by GLSA coordinator Sam James (sam_c).