Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 608958 (CVE-2016-4692, CVE-2016-4743, CVE-2016-7586, CVE-2016-7587, CVE-2016-7589, CVE-2016-7592, CVE-2016-7598, CVE-2016-7599, CVE-2016-7610, CVE-2016-7611, CVE-2016-7623, CVE-2016-7632, CVE-2016-7635, CVE-2016-7639, CVE-2016-7640, CVE-2016-7641, CVE-2016-7642, CVE-2016-7645, CVE-2016-7646, CVE-2016-7648, CVE-2016-7649, CVE-2016-7652, CVE-2016-7654, CVE-2016-7656, CVE-2017-2350, CVE-2017-2354, CVE-2017-2355, CVE-2017-2356, CVE-2017-2362, CVE-2017-2363, CVE-2017-2364, CVE-2017-2365, CVE-2017-2366, CVE-2017-2369, CVE-2017-2371, CVE-2017-2373) - <net-libs/webkit-gtk-2.14.4: multiple vulnerabilities
Summary: <net-libs/webkit-gtk-2.14.4: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2016-4692, CVE-2016-4743, CVE-2016-7586, CVE-2016-7587, CVE-2016-7589, CVE-2016-7592, CVE-2016-7598, CVE-2016-7599, CVE-2016-7610, CVE-2016-7611, CVE-2016-7623, CVE-2016-7632, CVE-2016-7635, CVE-2016-7639, CVE-2016-7640, CVE-2016-7641, CVE-2016-7642, CVE-2016-7645, CVE-2016-7646, CVE-2016-7648, CVE-2016-7649, CVE-2016-7652, CVE-2016-7654, CVE-2016-7656, CVE-2017-2350, CVE-2017-2354, CVE-2017-2355, CVE-2017-2356, CVE-2017-2362, CVE-2017-2363, CVE-2017-2364, CVE-2017-2365, CVE-2017-2366, CVE-2017-2369, CVE-2017-2371, CVE-2017-2373
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL: https://webkitgtk.org/security/WSA-20...
Whiteboard: A2 [glsa cve cleanup]
Keywords:
Depends on:
Blocks: 608964
  Show dependency tree
 
Reported: 2017-02-11 13:39 UTC by Pacho Ramos
Modified: 2017-06-07 12:11 UTC (History)
1 user (show)

See Also:
Package list:
net-libs/webkit-gtk-2.14.5
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Pacho Ramos gentoo-dev 2017-02-11 13:39:51 UTC
https://webkitgtk.org/security/WSA-2017-0002.html

CVE identifiers: CVE-2017-2350, CVE-2017-2354, CVE-2017-2355, CVE-2017-2356, CVE-2017-2362, CVE-2017-2363, CVE-2017-2364, CVE-2017-2365, CVE-2017-2366, CVE-2017-2369, CVE-2017-2371, CVE-2017-2373.
Comment 1 Mart Raudsepp gentoo-dev 2017-02-11 14:12:39 UTC
Removing www-client/epiphany-3.20.6 as that doesn't fix security bugs, 3.20.7 does. We should handle that in a separate security bug too though imho (after bumped).
Adding webkit-gtk CVEs as aliases too
Comment 2 Kristian Fiskerstrand (RETIRED) gentoo-dev 2017-02-11 14:18:06 UTC
From ${URL}:

WebKitGTK+ Security Advisory WSA-2017-0002

    Date Reported: February 10, 2017

    Advisory ID: WSA-2017-0002

    CVE identifiers: CVE-2017-2350, CVE-2017-2354, CVE-2017-2355, CVE-2017-2356, CVE-2017-2362, CVE-2017-2363, CVE-2017-2364, CVE-2017-2365, CVE-2017-2366, CVE-2017-2369, CVE-2017-2371, CVE-2017-2373.

Several vulnerabilities were discovered in WebKitGTK+.

    CVE-2017-2350
        Versions affected: WebKitGTK+ before 2.14.4.
        Credit to Gareth Heyes of Portswigger Web Security.
        Impact: Processing maliciously crafted web content may exfiltrate data cross-origin. Description: A prototype access issue was addressed through improved exception handling.
    CVE-2017-2354
        Versions affected: WebKitGTK+ before 2.14.4.
        Credit to Neymar of Tencent’s Xuanwu Lab (tencent.com) working with Trend Micro’s Zero Day Initiative.
        Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed through improved memory handling.
    CVE-2017-2355
        Versions affected: WebKitGTK+ before 2.14.4.
        Credit to Team Pangu and lokihardt at PwnFest 2016.
        Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: A memory initialization issue was addressed through improved memory handling.
    CVE-2017-2356
        Versions affected: WebKitGTK+ before 2.14.4.
        Credit to Team Pangu and lokihardt at PwnFest 2016.
        Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed through improved input validation.
    CVE-2017-2362
        Versions affected: WebKitGTK+ before 2.14.4.
        Credit to Ivan Fratric of Google Project Zero.
        Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed through improved memory handling.
    CVE-2017-2363
        Versions affected: WebKitGTK+ before 2.14.4.
        Credit to lokihardt of Google Project Zero.
        Impact: Processing maliciously crafted web content may exfiltrate data cross-origin. Description: Multiple validation issues existed in the handling of page loading. This issue was addressed through improved logic.
    CVE-2017-2364
        Versions affected: WebKitGTK+ before 2.14.4.
        Credit to lokihardt of Google Project Zero.
        Impact: Processing maliciously crafted web content may exfiltrate data cross-origin. Description: Multiple validation issues existed in the handling of page loading. This issue was addressed through improved logic.
    CVE-2017-2365
        Versions affected: WebKitGTK+ before 2.14.4.
        Credit to lokihardt of Google Project Zero.
        Impact: Processing maliciously crafted web content may exfiltrate data cross-origin. Description: A validation issue existed in variable handling. This issue was addressed through improved validation.
    CVE-2017-2366
        Versions affected: WebKitGTK+ before 2.14.4.
        Credit to Kai Kang of Tencent’s Xuanwu Lab (tencent.com).
        Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed through improved input validation.
    CVE-2017-2369
        Versions affected: WebKitGTK+ before 2.14.4.
        Credit to Ivan Fratric of Google Project Zero.
        Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed through improved input validation.
    CVE-2017-2371
        Versions affected: WebKitGTK+ before 2.14.4.
        Credit to lokihardt of Google Project Zero.
        Impact: A malicious website can open popups. Description: An issue existed in the handling of blocking popups. This was addressed through improved input validation.
    CVE-2017-2373
        Versions affected: WebKitGTK+ before 2.14.4.
        Credit to Ivan Fratric of Google Project Zero.
        Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed through improved memory handling.

We recommend updating to the last stable version of WebKitGTK+. It is the best way of ensuring that you are running a safe version of WebKitGTK+. Please check our website for information about the last stable releases.

Further information about WebKitGTK+ Security Advisories can be found at: https://webkitgtk.org/security.html
Comment 3 Pacho Ramos gentoo-dev 2017-02-11 14:34:00 UTC
please note that epiphany and webkit-gtk need to go together as, otherwise, this webkit-gtk will break current epiphany stable
Comment 4 Pacho Ramos gentoo-dev 2017-02-11 14:43:45 UTC
Also, I tried to bump 3.20.7 epiphany but I am waiting for https://bugzilla.gnome.org/show_bug.cgi?id=778495
Comment 5 Pacho Ramos gentoo-dev 2017-02-11 15:44:32 UTC
fixed epiphany that works with this in the tree
Comment 6 Pacho Ramos gentoo-dev 2017-02-11 19:25:32 UTC
amd64/x86 stable
Comment 7 Mart Raudsepp gentoo-dev 2017-02-11 19:44:32 UTC
Just like with other open webkit-gtk security bugs, we can't cleanup SLOT=2 and SLOT=3 ebuilds due to consumers. We should be able to cleanup 2.12.5 though.
Comment 8 Mart Raudsepp gentoo-dev 2017-02-13 18:58:14 UTC
Message from upstream:

"The WebKitGTK+ 2.14.4 release broke WebKit for users with HiDPI
displays. Please do not update to this version. We will release a
corrected version shortly, probably tomorrow. Apologies for the
inconvenience."

We will need to wait for that 2.14.5 and stable it here under security as well, due to the serious usability regression the one stabled is apparently causing.
Delaying 2.12.5 cleanup till then as well from my end at least, for HiDPI users to have a fallback until 2.14.5 is available.
Comment 9 Mart Raudsepp gentoo-dev 2017-02-15 15:57:59 UTC
commit bd9b427d1077d360e444052f03cef2803f307d9a
Author: Mart Raudsepp <leio@gentoo.org>
Date:   Wed Feb 15 13:25:16 2017 +0200

    net-libs/webkit-gtk: bump to 2.14.5 for serious HiDPI regression fixes
    
    * Fix rendering of non-accelerated contents with HiDPI.
    * Revert the fix for rendering issues in long documents with transparent background because it caused issues in HiDPI.


amd/x86: Please stabilize the newer 2.14.5 that fixes serious regressions in HiDPI support that the 2.14.4 caused for stable users alongside the security fixes.
With 2.14.4, HiDPI (e.g GDK_SCALE=2 epiphany) is completely broken, usually not even rendering content visibly, potentially affecting non-Web things as well (yelp, evolution mail, etc).
Comment 10 Agostino Sarubbo gentoo-dev 2017-02-16 08:27:56 UTC
amd64 stable
Comment 11 Agostino Sarubbo gentoo-dev 2017-02-16 08:28:25 UTC
x86 stable.

Maintainer(s), please cleanup.
Comment 12 Mart Raudsepp gentoo-dev 2017-02-16 19:53:54 UTC
cleanup of vulnerable webkit-gtk-2.12.5 done; webkit-gtk-2.4* can't be cleaned up yet due to consumers on those parallel installable SLOTs, as for other open webkit-gtk security bugs
Comment 13 Mart Raudsepp gentoo-dev 2017-02-20 16:15:44 UTC
We never received a security bug for https://webkitgtk.org/security/WSA-2017-0001.html either, so we were late in stabilizing 2.14.3 or such before for the previous batch of security issues and received some bad PR due to that.
Adding the CVEs and link here too; might want to reconsider the severity, but I doubt it goes higher than current A2. GLSA will need to include the old stuff too then at least...
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2017-06-07 12:11:33 UTC
This issue was resolved and addressed in
 GLSA 201706-15 at https://security.gentoo.org/glsa/201706-15
by GLSA coordinator Thomas Deutschmann (whissi).