From ${URL}:
CVE-2016-1726
Versions affected: WebKitGTK+ before 2.10.8. Credit to Apple.
WebKit, as used in Apple iOS before 9.2.1 and Safari before 9.0.3, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, a different vulnerability than CVE-2016-1723 and CVE-2016-1725.

From http://webkitgtk.org/2016/03/11/webkitgtk2.10.8-released.html:
What's new in the WebKitGTK+ 2.10.8 release? ... Security fixes: CVE-2016-1726.
CVE-2016-1726 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1726): WebKit, as used in Apple iOS before 9.2.1 and Safari before 9.0.3, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, a different vulnerability than CVE-2016-1723 and CVE-2016-1725.
CVE-2016-1728 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1728): The Cascading Style Sheets (CSS) implementation in Apple iOS before 9.2.1 and Safari before 9.0.3 mishandles the "a:visited button" selector during height processing, which makes it easier for remote attackers to obtain sensitive browser-history information via a crafted web site.
CVE-2016-1727 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1727): WebKit, as used in Apple iOS before 9.2.1, Safari before 9.0.3, and tvOS before 9.1.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, a different vulnerability than CVE-2016-1724.
CVE-2016-1726 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1726): WebKit, as used in Apple iOS before 9.2.1 and Safari before 9.0.3, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, a different vulnerability than CVE-2016-1723 and CVE-2016-1725.
CVE-2016-1725 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1725): WebKit, as used in Apple iOS before 9.2.1 and Safari before 9.0.3, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, a different vulnerability than CVE-2016-1723 and CVE-2016-1726.
CVE-2016-1724 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1724): WebKit, as used in Apple iOS before 9.2.1, Safari before 9.0.3, and tvOS before 9.1.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, a different vulnerability than CVE-2016-1727.
CVE-2016-1723 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1723): WebKit, as used in Apple iOS before 9.2.1 and Safari before 9.0.3, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, a different vulnerability than CVE-2016-1725 and CVE-2016-1726.
commit 4d2854acf1a56d2de76c5cee7d4a13c7bfcf85fa
Author: Lars Wendler <polynomial-c@gentoo.org>
Date: Tue Mar 15 10:50:45 2016

net-libs/webkit-gtk: Security bump to version 2.10.8 (bug #577068).

Package-Manager: portage-2.2.28
Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>
we would need 2.10.9 instead as 2.10.8 has some regressions per: http://www.webkitgtk.org/2016/03/17/webkitgtk2.10.9-released.html
amd64 stable
x86 stable. Maintainer(s), please cleanup.
@ Maintainer(s): Still waiting for your cleanup. If you want to keep v2.4 for some reason please tell us so we have to check if these versions are affected and need masking.
We cannot clean these up without heavily breaking the tree, because many packages in tree still use webkit-gtk SLOT 2 or 3.
This issue was resolved and addressed in GLSA 201612-41 at https://security.gentoo.org/glsa/201612-41 by GLSA coordinator Aaron Bauman (b-man).
Reopening for cleanup.
Moving the cleanup from bug 570034 to here. Please add depends for additional packages which require fixing.
This issue was resolved and addressed in GLSA 201706-15 at https://security.gentoo.org/glsa/201706-15 by GLSA coordinator Thomas Deutschmann (whissi).
Re-opening to track cleanup of older, vulnerable, slots.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a880818f9d0e1f8ae97cd3f94208a48709c032b5

commit a880818f9d0e1f8ae97cd3f94208a48709c032b5
Author: Mart Raudsepp <leio@gentoo.org>
AuthorDate: 2018-02-23 05:32:58 +0000
Commit: Mart Raudsepp <leio@gentoo.org>
CommitDate: 2018-02-23 05:32:58 +0000

profiles: p.mask net-lib/webkit-gtk SLOT=2 and SLOT=3 for security

Bug: https://bugs.gentoo.org/577068

profiles/package.mask | 10 ++++++++++
1 file changed, 10 insertions(+)
Do not remove it from the portage tree (SLOT 2). Mask it and allow the user to still use it if they are running an application that depends on it. Citrix Receiver is one such application. Thanks, -N
The bug has been closed via the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c99899dde7c6c94f8ad09a1b4972f4da0d9dfdc2

commit c99899dde7c6c94f8ad09a1b4972f4da0d9dfdc2
Author: Mart Raudsepp <leio@gentoo.org>
AuthorDate: 2018-03-25 19:04:12 +0000
Commit: Mart Raudsepp <leio@gentoo.org>
CommitDate: 2018-03-25 19:05:39 +0000

net-libs/webkit-gtk: Remove security vulnerable SLOT=2 and SLOT=3

These slots are years old, unmaintained and vulnerable to hundreds of bugs with a CVE assigned. Additionally there are some known unfixed issues building against newer ICU. No interest in continued maintenance of known hugely security vulnerable versions, thus with no consumers remaining in main tree, this is going away now. Sorry. If you need this, please think seriously ten times before you make it available to yourself via an overlay, or use any software that requires this security riddled version still.

Closes: https://bugs.gentoo.org/577068

net-libs/webkit-gtk/Manifest | 1 -
.../files/webkit-gtk-1.11.90-gtk-docize-fix.patch | 10 -
.../files/webkit-gtk-1.6.1-darwin-quartz.patch | 67 -----
.../files/webkit-gtk-2.2.5-hppa-platform.patch | 20 --
.../files/webkit-gtk-2.2.5-ia64-platform.patch | 12 -
.../files/webkit-gtk-2.4.1-ia64-malloc.patch | 20 --
.../files/webkit-gtk-2.4.11-video-web-audio.patch | 11 -
.../files/webkit-gtk-2.4.4-atomic-ppc.patch | 32 ---
.../files/webkit-gtk-2.4.4-jpeg-9a.patch | 30 ---
.../files/webkit-gtk-2.4.7-disable-webgl.patch | 11 -
.../webkit-gtk/files/webkit-gtk-2.4.9-gcc-6.patch | 29 ---
net-libs/webkit-gtk/metadata.xml | 1 -
net-libs/webkit-gtk/webkit-gtk-2.4.11-r1.ebuild | 275 ---------------------
net-libs/webkit-gtk/webkit-gtk-2.4.11-r200.ebuild | 262 --------------------
profiles/package.mask | 3 +-
15 files changed, 1 insertion(+), 783 deletions(-)
(In reply to Nikolay Kichukov from comment #15)
> Citrix Receiver is one such application.

I see a Citrix Receiver released 2 days ago, which does use webkit-gtk:4 instead in its webcontainer components (links against libwebkit2gtk-4.0.so.37 and gtk3), though there's still also a .so it ships itself that links to webkit-gtk:2, but not sure if and where it's used; just like the icaclient webkit-gtk:2 dep was questionable as well for at least main functionality. However, let's not go into further discussion about this here - this is a security bug that gets e-mail to many people, etc. Thought to at least notify my findings still; make of them what you will after testing this newer release, if possible (to connect to your servers or whatnot).
Citrix Receiver (selfservice) 13.9.1 (latest) still depends on the old version of webkit-gtk:2:

open("/usr/lib64/libjavascriptcoregtk-1.0.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
...
write(2, "selfservice is unable to find a "..., 77selfservice is unable to find a compatible webkit library and will now exit.
) = 77

So it does have a dependency for something that Gentoo removed and not masked. Thanks, -N
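The thread asks maintainers to find every package still consuming the removed SLOT=2/3 libraries, and the last comment shows one consumer surfacing only at runtime via strace. The script below is an added example, not part of the bug or of Gentoo's tooling: it inventories ELF files whose DT_NEEDED entries name the SLOT=2/3 sonames, so such consumers can be found before a slot is masked or dropped. It assumes binutils `readelf` for scanning real files; the `readelf -d` sample and the `libexample-webcontainer.so` soname in it are constructed.

```shell
#!/bin/sh
# Added example (not from the bug report): report installed ELF files that
# still link against the webkit-gtk SLOT=2 (*-1.0) or SLOT=3 (*-3.0) sonames.
# Assumes binutils `readelf` is installed when scanning a real directory.

# Sonames shipped by the removed slots.
VULN_SONAMES='libwebkitgtk-1.0.so.0 libjavascriptcoregtk-1.0.so.0 libwebkitgtk-3.0.so.0 libjavascriptcoregtk-3.0.so.0'

# needed_libs: print the DT_NEEDED sonames found in `readelf -d` output on stdin.
needed_libs() {
    sed -n 's/.*(NEEDED)[^[]*\[\([^]]*\)\].*/\1/p'
}

# vulnerable_needed: from `readelf -d` output on stdin, print only the
# DT_NEEDED entries that belong to the removed slots.
vulnerable_needed() {
    needed_libs | while read -r so; do
        for v in $VULN_SONAMES; do
            if [ "$so" = "$v" ]; then echo "$so"; fi
        done
    done
    return 0
}

# scan_tree: walk a directory and print "path: soname" for every shared
# object or executable that links against a removed slot.
scan_tree() {
    find "$1" -type f \( -name '*.so*' -o -perm -u+x \) 2>/dev/null |
    while read -r f; do
        readelf -d "$f" 2>/dev/null | vulnerable_needed |
        while read -r so; do echo "$f: $so"; done
    done
    return 0
}

# Constructed `readelf -d` sample: a vendor library that, like the selfservice
# binary traced in the last comment, still wants libjavascriptcoregtk-1.0.
SAMPLE=' 0x0000000000000001 (NEEDED)             Shared library: [libjavascriptcoregtk-1.0.so.0]
 0x0000000000000001 (NEEDED)             Shared library: [libgtk-x11-2.0.so.0]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000000e (SONAME)             Library soname: [libexample-webcontainer.so]'

# Demo on the constructed sample; on a real system run e.g. scan_tree /opt
printf '%s\n' "$SAMPLE" | vulnerable_needed
```

Run `scan_tree` over a vendor prefix such as the one Citrix Receiver installs into to see which of its files would break once SLOT=2 is gone.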