Bug 637076 (CVE-2017-13783, CVE-2017-13784, CVE-2017-13785, CVE-2017-13788, CVE-2017-13791, CVE-2017-13792, CVE-2017-13793, CVE-2017-13794, CVE-2017-13795, CVE-2017-13796, CVE-2017-13798, CVE-2017-13802, CVE-2017-13803) - <net-libs/webkit-gtk-2.18.3: Remote AcE and/or DoS vectors (CVE-2017-{13783,13784,13785,13788,13791,13792,13793,13794,13795,13796,13798,13802,13803})
Summary: <net-libs/webkit-gtk-2.18.3: Remote AcE and/or DoS vectors (CVE-2017-{13783,1...
Status: RESOLVED FIXED
Alias: CVE-2017-13783, CVE-2017-13784, CVE-2017-13785, CVE-2017-13788, CVE-2017-13791, CVE-2017-13792, CVE-2017-13793, CVE-2017-13794, CVE-2017-13795, CVE-2017-13796, CVE-2017-13798, CVE-2017-13802, CVE-2017-13803
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://webkitgtk.org/security/WSA-20...
Whiteboard: B2 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-11-10 17:36 UTC by Hank Leininger
Modified: 2017-12-14 17:04 UTC

See Also:
Package list:
net-libs/webkit-gtk-2.18.3
Runtime testing required: ---
stable-bot: sanity-check+


Description Hank Leininger 2017-11-10 17:36:25 UTC
From ${URL}:

Several vulnerabilities were discovered in WebKitGTK+.

##

13 different CVEs all with:
"Impact: Processing maliciously crafted web content may lead to arbitrary code execution.
Description: Multiple memory corruption issues were addressed with improved memory handling."

Ten are fixed in 2.18.1 (2.18.2 is current in portage as I write this); three fixed in 2.18.3 (just released).
Comment 1 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-11-12 13:17:24 UTC
(In reply to Hank Leininger from comment #0)
> From ${URL}:
> 
> Several vulnerabilities were discovered in WebKitGTK+.
> 
> ##
> 
> 13 different CVEs all with:
> "Impact: Processing maliciously crafted web content may lead to arbitrary
> code execution.
> Description: Multiple memory corruption issues were addressed with improved
> memory handling."
> 
> Ten are fixed in 2.18.1 (2.18.2 is current in portage as I write this);
> three fixed in 2.18.3 (just released).

Thank you for reporting the issue.
Comment 2 Larry the Git Cow gentoo-dev 2017-11-21 17:31:53 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3dd23d4bc9222af04ce0e307a1eebe0dbc744bca

commit 3dd23d4bc9222af04ce0e307a1eebe0dbc744bca
Author:     Ian Stakenvicius <axs@gentoo.org>
AuthorDate: 2017-11-21 17:31:21 +0000
Commit:     Ian Stakenvicius <axs@gentoo.org>
CommitDate: 2017-11-21 17:31:45 +0000

    net-libs/webkit-gtk: bump to 2.18.3 for security
    
    Bug: https://bugs.gentoo.org/637076
    Acked-by: Mart Raudsepp <leio@gentoo.org>
    Package-Manager: Portage-2.3.13, Repoman-2.3.3

 net-libs/webkit-gtk/Manifest                 |   1 +
 net-libs/webkit-gtk/webkit-gtk-2.18.3.ebuild | 284 +++++++++++++++++++++++++++
 2 files changed, 285 insertions(+)
Comment 3 Agostino Sarubbo gentoo-dev 2017-11-24 13:24:23 UTC
amd64 stable
Comment 4 Thomas Deutschmann gentoo-dev Security 2017-11-27 00:22:08 UTC
x86 stable
Comment 5 Larry the Git Cow gentoo-dev 2017-11-28 17:33:57 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=62eeb40713550035e44586334620fb337a94ae44

commit 62eeb40713550035e44586334620fb337a94ae44
Author:     Manuel Rüger <mrueg@gentoo.org>
AuthorDate: 2017-11-28 17:33:37 +0000
Commit:     Manuel Rüger <mrueg@gentoo.org>
CommitDate: 2017-11-28 17:33:37 +0000

    net-libs/webkit-gtk: Remove vulnerable 2.18.2 as requested by leio
    
    Bug: https://bugs.gentoo.org/637076
    Package-Manager: Portage-2.3.16, Repoman-2.3.6

 net-libs/webkit-gtk/Manifest                 |   1 -
 net-libs/webkit-gtk/webkit-gtk-2.18.2.ebuild | 284 ---------------------------
 2 files changed, 285 deletions(-)
Comment 6 D'juan McDonald (domhnall) 2017-12-03 03:23:56 UTC
New GLSA request filed.

Gentoo Security Padawan
(jmbailey/mbailey_j)
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2017-12-14 17:04:04 UTC
This issue was resolved and addressed in
 GLSA 201712-01 at https://security.gentoo.org/glsa/201712-01
by GLSA coordinator Thomas Deutschmann (whissi).