WebKitGTK+ Security Advisory WSA-2017-0005
Date Reported: June 21, 2017
Advisory ID: WSA-2017-0005
CVE identifiers: CVE-2017-2538, CVE-2017-2424.
Several vulnerabilities were discovered in WebKitGTK+.
CVE-2017-2538
Versions affected: WebKitGTK+ before 2.16.4.
Credit to Richard Zhu (fluorescence) working with Trend Micro’s Zero Day Initiative.
Impact: Processing maliciously crafted web content may lead to arbitrary code execution.
Description: Multiple memory corruption issues were addressed with improved memory handling.
CVE-2017-2424
Versions affected: WebKitGTK+ before 2.16.0.
Credit to Paul Thomson (using the GLFuzz tool) of the Multicore Programming Group, Imperial College London.
Impact: Processing maliciously crafted web content may result in the disclosure of process memory.
Description: An information disclosure issue existed in the processing of OpenGL shaders. This issue was addressed through improved memory management.
We recommend updating to the latest stable version of WebKitGTK+. It is the best way of ensuring that you are running a safe version of WebKitGTK+. Please check our website for information about the latest stable releases.
Further information about WebKitGTK+ Security Advisories can be found at: https://webkitgtk.org/security.html
I guess technically there is only one CVE security fix in this 2.16.4 stabilization as the other one was fixed in 2.16.0 and now identified or got a CVE number or whatnot.
Arches, please proceed
Please hold off stabilization. Upstream notified of an HTML select element regression they are investigating.
"We are investigating a regression with WebKitGTK+ 2.16.4 that causes HTML select elements to not work in some cases. Due to the severity of this regression, we recommend not upgrading to 2.16.4 and sticking with 2.16.3 for the time being. We apologize for the inconvenience and will provide a corrected release as soon as possible."
Tomorrow there will be a 2.16.5 release with the change that had this regression reverted. The regression has only been observed with one HTML select element in GNOME bugzilla, so shouldn't affect other use cases than browser (epiphany) really in practice, and even then very limited. As 2.16.5 is supposed to be released tomorrow, we can wait for that.
Unfortunately amd64 actually already marked 2.16.4 stable half a day after I removed CCs (some stable testing queue package.accept_keywords file thing I suppose), so that will mean two webkit-gtk updates in a week for those that upgrade frequently or happened to do the webkit-gtk-2.16.4 upgrade already.
Author: Mart Raudsepp <firstname.lastname@example.org>
Date: Tue Jun 27 21:19:55 2017 +0300
net-libs/webkit-gtk: bump to 2.16.5 for a crash and a wayland regression fix
* Fix a web process crash when page finishes loading in several web sites.
* Fix the menu of select elements not showing in some cases under Wayland.
This is meant to be the security stabilization target for CVE-2017-2538 for a regression-free upgrade.
Maintainer(s), please cleanup.
Cleanup done, to the extent possible as usual due to consumed old SLOTs. security@ is tracking that in bug 577068 instead though.
Maintainer(s), Thank you for your work.
New GLSA Request filed.
This issue was resolved and addressed in GLSA 201709-03 at https://security.gentoo.org/glsa/201709-03 by GLSA coordinator Aaron Bauman (b-man).