Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 614876 (CVE-2016-9642, CVE-2016-9643, CVE-2017-2367, CVE-2017-2376, CVE-2017-2377, CVE-2017-2386, CVE-2017-2392, CVE-2017-2394, CVE-2017-2395, CVE-2017-2396, CVE-2017-2405, CVE-2017-2415, CVE-2017-2419, CVE-2017-2433, CVE-2017-2442, CVE-2017-2445, CVE-2017-2446, CVE-2017-2447, CVE-2017-2454, CVE-2017-2455, CVE-2017-2457, CVE-2017-2459, CVE-2017-2460, CVE-2017-2464, CVE-2017-2465, CVE-2017-2466, CVE-2017-2468, CVE-2017-2469, CVE-2017-2470, CVE-2017-2471, CVE-2017-2475, CVE-2017-2476, CVE-2017-2481) - <net-libs/webkit-gtk-2.16.0: multiple vulnerabilities
Summary: <net-libs/webkit-gtk-2.16.0: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2016-9642, CVE-2016-9643, CVE-2017-2367, CVE-2017-2376, CVE-2017-2377, CVE-2017-2386, CVE-2017-2392, CVE-2017-2394, CVE-2017-2395, CVE-2017-2396, CVE-2017-2405, CVE-2017-2415, CVE-2017-2419, CVE-2017-2433, CVE-2017-2442, CVE-2017-2445, CVE-2017-2446, CVE-2017-2447, CVE-2017-2454, CVE-2017-2455, CVE-2017-2457, CVE-2017-2459, CVE-2017-2460, CVE-2017-2464, CVE-2017-2465, CVE-2017-2466, CVE-2017-2468, CVE-2017-2469, CVE-2017-2470, CVE-2017-2471, CVE-2017-2475, CVE-2017-2476, CVE-2017-2481
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL: https://webkitgtk.org/security/WSA-20...
Whiteboard: B2 [glsa cve cleanup]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-04-06 20:25 UTC by Mart Raudsepp
Modified: 2017-06-07 12:11 UTC (History)
1 user (show)

See Also:
Package list:
=net-libs/webkit-gtk-2.16.1 =media-libs/harfbuzz-1.4.5
Runtime testing required: ---
stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Mart Raudsepp gentoo-dev 2017-04-06 20:25:17 UTC 
WebKitGTK+ Security Advisory WSA-2017-0003

    Date Reported: April 06, 2017

    Advisory ID: WSA-2017-0003

    CVE identifiers: CVE-2016-9642, CVE-2016-9643, CVE-2017-2364, CVE-2017-2367, CVE-2017-2376, CVE-2017-2377, CVE-2017-2386, CVE-2017-2392, CVE-2017-2394, CVE-2017-2395, CVE-2017-2396, CVE-2017-2405, CVE-2017-2415, CVE-2017-2419, CVE-2017-2433, CVE-2017-2442, CVE-2017-2445, CVE-2017-2446, CVE-2017-2447, CVE-2017-2454, CVE-2017-2455, CVE-2017-2457, CVE-2017-2459, CVE-2017-2460, CVE-2017-2464, CVE-2017-2465, CVE-2017-2466, CVE-2017-2468, CVE-2017-2469, CVE-2017-2470, CVE-2017-2471, CVE-2017-2475, CVE-2017-2476, CVE-2017-2481.

Several vulnerabilities were discovered in WebKitGTK+.

    CVE-2016-9642
        Versions affected: WebKitGTK+ before 2.16.0.
        Credit to Gustavo Grieco.
        JavaScriptCore in WebKit allows attackers to cause a denial of service (out-of-bounds heap read) via a crafted Javascript file.
    CVE-2016-9643
        Versions affected: WebKitGTK+ before 2.14.6.
        Credit to Gustavo Grieco.
        The regex code in WebKit allows remote attackers to cause a denial of service (memory consumption) as demonstrated in a large number of ($ (open parenthesis and dollar) followed by {-2,16} and a large number of +) (plus close parenthesis).
    CVE-2017-2364
        Versions affected: WebKitGTK+ before 2.14.6.
        Credit to lokihardt of Google Project Zero.
        This issue allows remote attackers to bypass the Same Origin Policy and obtain sensitive information via a crafted web site.
    CVE-2017-2367
        Versions affected: WebKitGTK+ before 2.14.6.
        Credit to lokihardt of Google Project Zero.
        This issue allows remote attackers to bypass the Same Origin Policy and obtain sensitive information via a crafted web site.
    CVE-2017-2376
        Versions affected: WebKitGTK+ before 2.16.0.
        Credit to an anonymous researcher, Chris Hlady of Google Inc, Yuyang Zhou of Tencent Security Platform Department (security.tencent.com), Muneaki Nishimura (nishimunea) of Recruit Technologies Co., Ltd., Michal Zalewski of Google Inc, an anonymous researcher.
        This issue allows remote attackers to spoof the address bar by leveraging text input during the loading of a page.
    CVE-2017-2377
        Versions affected: WebKitGTK+ before 2.14.6.
        Credit to Vicki Pfau.
        This issue involves the “WebKit Web Inspector” component. It allows attackers to cause a denial of service (memory corruption and application crash) by leveraging a window-close action during a debugger-pause state.
    CVE-2017-2386
        Versions affected: WebKitGTK+ before 2.16.0.
        Credit to André Bargull.
        This issue allows remote attackers to bypass the Same Origin Policy and obtain sensitive information via a crafted web site.
    CVE-2017-2392
        Versions affected: WebKitGTK+ before 2.14.6.
        Credit to Max Bazaliy of Lookout.
        This issue allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted app.
    CVE-2017-2394
        Versions affected: WebKitGTK+ before 2.14.6.
        Credit to Apple.
        This issue allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site.
    CVE-2017-2395
        Versions affected: WebKitGTK+ before 2.16.0.
        Credit to Apple.
        This issue allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site.
    CVE-2017-2396
        Versions affected: WebKitGTK+ before 2.16.0.
        Credit to Apple.
        This issue allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site.
    CVE-2017-2405
        Versions affected: WebKitGTK+ before 2.16.0.
        Credit to Apple.
        This issue involves the “WebKit Web Inspector” component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site.
    CVE-2017-2415
        Versions affected: WebKitGTK+ before 2.14.6.
        Credit to Kai Kang of Tencent’s Xuanwu Lab (tentcent.com).
        This issue allows remote attackers to execute arbitrary code by leveraging an unspecified “type confusion.”.
    CVE-2017-2419
        Versions affected: WebKitGTK+ before 2.14.6.
        Credit to Nicolai Grødum of Cisco Systems.
        This issue allows remote attackers to bypass a Content Security Policy protection mechanism via unspecified vectors.
    CVE-2017-2433
        Versions affected: WebKitGTK+ before 2.16.0.
        Credit to Apple.
        This issue allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site.
    CVE-2017-2442
        Versions affected: WebKitGTK+ before 2.14.6.
        Credit to lokihardt of Google Project Zero.
        This issue involves the “WebKit JavaScript Bindings” component. It allows remote attackers to bypass the Same Origin Policy and obtain sensitive information via a crafted web site.
    CVE-2017-2445
        Versions affected: WebKitGTK+ before 2.16.0.
        Credit to lokihardt of Google Project Zero.
        This issue allows remote attackers to conduct Universal XSS (UXSS) attacks via crafted frame objects.
    CVE-2017-2446
        Versions affected: WebKitGTK+ before 2.14.6.
        Credit to Natalie Silvanovich of Google Project Zero.
        This issue allows remote attackers to execute arbitrary code via a crafted web site that leverages the mishandling of strict mode functions.
    CVE-2017-2447
        Versions affected: WebKitGTK+ before 2.16.0.
        Credit to Natalie Silvanovich of Google Project Zero.
        This issue allows remote attackers to obtain sensitive information or cause a denial of service (memory corruption) via a crafted web site.
    CVE-2017-2454
        Versions affected: WebKitGTK+ before 2.14.6.
        Credit to Ivan Fratric of Google Project Zero.
        This issue allows allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site.
    CVE-2017-2455
        Versions affected: WebKitGTK+ before 2.16.0.
        Credit to Ivan Fratric of Google Project Zero.
        This issue allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site.
    CVE-2017-2457
        Versions affected: WebKitGTK+ before 2.16.0.
        Credit to lokihardt of Google Project Zero.
        This issue allows allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site.
    CVE-2017-2459
        Versions affected: WebKitGTK+ before 2.14.6.
        Credit to Ivan Fratric of Google Project Zero.
        This issue allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site.
    CVE-2017-2460
        Versions affected: WebKitGTK+ before 2.14.6.
        Credit to Ivan Fratric of Google Project Zero.
        This issue allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site.
    CVE-2017-2464
        Versions affected: WebKitGTK+ before 2.16.0.
        Credit to Jeonghoon Shin, Natalie Silvanovich of Google Project Zero.
        This issue allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site.
    CVE-2017-2465
        Versions affected: WebKitGTK+ before 2.14.6.
        Credit to Zheng Huang and Wei Yuan of Baidu Security Lab.
        This issue allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site.
    CVE-2017-2466
        Versions affected: WebKitGTK+ before 2.14.6.
        Credit to Ivan Fratric of Google Project Zero.
        This issue allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site.
    CVE-2017-2468
        Versions affected: WebKitGTK+ before 2.14.6.
        Credit to lokihardt of Google Project Zero.
        This issue allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site.
    CVE-2017-2469
        Versions affected: WebKitGTK+ before 2.16.0.
        Credit to lokihardt of Google Project Zero.
        This issue allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site.
    CVE-2017-2470
        Versions affected: WebKitGTK+ before 2.14.6.
        Credit to lokihardt of Google Project Zero.
        This issue allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site.
    CVE-2017-2471
        Versions affected: WebKitGTK+ before 2.14.6.
        Credit to Ivan Fratric of Google Project Zero.
        A use-after-free vulnerability allows remote attackers to execute arbitrary code via a crafted web site.
    CVE-2017-2475
        Versions affected: WebKitGTK+ before 2.14.6.
        Credit to lokihardt of Google Project Zero.
        This issue allows remote attackers to conduct Universal XSS (UXSS) attacks via crafted use of frames on a web site.
    CVE-2017-2476
        Versions affected: WebKitGTK+ before 2.14.6.
        Credit to Ivan Fratric of Google Project Zero.
        This issue allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site.
    CVE-2017-2481
        Versions affected: WebKitGTK+ before 2.14.6.
        Credit to 0011 working with Trend Micro’s Zero Day Initiative.
        This issue allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site.
Comment 1 Mart Raudsepp gentoo-dev 2017-04-08 22:03:31 UTC 
Arches, please proceed. Upstream claims this feature upgrade should work with GNOME 3.22 and other webkit-gtk consumers just fine, and is used as such by some other downstreams. 2.14.6 was released as well that fixes a majority of these security issues, but that was made only for the benefit of Debian (who refuses to upgrade to 2.16) and some of the security fixes were not possible to be backported by upstream in a reasonable effort, while 2.16 is fully backwards compatible.
Slight testing of epiphany-3.22 and evolution-3.22 didn't blow up for me.

commit bc9d93e02a1123ebba9af1880ba1fd34f9f2b7a9
Author: Mart Raudsepp <leio@gentoo.org>
Date:   Sun Apr 9 00:26:36 2017 +0300

    net-libs/webkit-gtk: bump to 2.16.1 for 33+ security fixes
    
    Fixes CVE-2016-9642, CVE-2016-9643, CVE-2017-2367, CVE-2017-2376, CVE-2017-2377,
    CVE-2017-2386, CVE-2017-2392, CVE-2017-2394, CVE-2017-2395, CVE-2017-2396,
    CVE-2017-2405, CVE-2017-2415, CVE-2017-2419, CVE-2017-2433, CVE-2017-2442,
    CVE-2017-2445, CVE-2017-2446, CVE-2017-2447, CVE-2017-2454, CVE-2017-2455,
    CVE-2017-2457, CVE-2017-2459, CVE-2017-2460, CVE-2017-2464, CVE-2017-2465,
    CVE-2017-2466, CVE-2017-2468, CVE-2017-2469, CVE-2017-2470, CVE-2017-2471,
    CVE-2017-2475, CVE-2017-2476, CVE-2017-2481 and further fixes for CVE-2017-2364.
    
    Upstream says 2.16.1 fixes more security bugs than these, over 2.16.0 release,
    but that they didn't have CVE numbers as of yet.
    
    Add some seemingly necessary perl build dependencies (which everyone probably
    had installed anyways). This perl build dep list is by no means complete.
    Includes preliminary patch from Kent to not start requiring perl[ithreads] for
    building (over perl with whatever ithreads choice), which would be disastrous
    for us.
    Upstream has replaced gnutls with libgcrypt. The experimental API unstable DOM
    stuff was dropped completely (but isn't used since epiphany-3.22), while the
    webkit2gtkinjectedbundle-j1.patch patch in earlier version modified lines that
    were there for it - so hopefully -j1 MAKEOPTS building still works with that
    patch dropped.
    CREDENTIAL_STORAGE option was renamed to LIBSECRET.
    flex build dep seems to have been dropped and gstreamer requirement upped to 1.2.3.
    harfbuzz 1.3.3 is useful for it for some optional fixes, so guarantee it.
    
    Gentoo-bug: 614876
    Thanks-to: Kent Fredric <kentnl@gentoo.org>
Comment 2 Andreas K. Hüttel archtester gentoo-dev 2017-04-08 22:13:49 UTC 
Adding needed newer harfbuzz to package list
Comment 3 Agostino Sarubbo gentoo-dev 2017-04-11 15:04:21 UTC 
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2017-04-17 08:04:15 UTC 
x86 stable.

Maintainer(s), please cleanup.
Comment 5 Mart Raudsepp gentoo-dev 2017-04-17 08:11:38 UTC 
Older webkit-gtk:4 cleaned up; As usual vulnerable SLOT=2 and SLOT=3 can not be cleaned up without breaking the tree due to consumers.
Comment 6 Yury German Gentoo Infrastructure gentoo-dev 2017-04-19 06:43:03 UTC 
Arches and Maintainer(s), Thank you for your work.
New GLSA Request filed.

Maintainer(s), please drop the vulnerable version(s).
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2017-06-07 12:11:43 UTC 
This issue was resolved and addressed in
 GLSA 201706-15 at https://security.gentoo.org/glsa/201706-15
by GLSA coordinator Thomas Deutschmann (whissi).