Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 641752 (CVE-2017-13856, CVE-2017-13866, CVE-2017-13870, CVE-2017-7156, CVE-2017-7157) - <net-libs/webkit-gtk-2.18.4: multiple vulnerabilities
Summary: <net-libs/webkit-gtk-2.18.4: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2017-13856, CVE-2017-13866, CVE-2017-13870, CVE-2017-7156, CVE-2017-7157
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL: https://webkitgtk.org/security/WSA-20...
Whiteboard: A2 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-12-19 20:03 UTC by GLSAMaker/CVETool Bot
Modified: 2018-01-07 23:59 UTC (History)
1 user (show)

See Also:
Package list:
net-libs/webkit-gtk-2.18.4
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2017-12-19 20:03:21 UTC
Incoming details.
Comment 1 Thomas Deutschmann gentoo-dev Security 2017-12-19 20:05:03 UTC
------------------------------------------------------------------------
WebKitGTK+ Security Advisory                               WSA-2017-0010
------------------------------------------------------------------------

Date reported      : December 19, 2017
Advisory ID        : WSA-2017-0010
Advisory URL       : https://webkitgtk.org/security/WSA-2017-0010.html
CVE identifiers    : CVE-2017-7156, CVE-2017-7157, CVE-2017-13856,
                     CVE-2017-13866, CVE-2017-13870.

Several vulnerabilities were discovered in WebKitGTK+.

CVE-2017-7156
    Versions affected: WebKitGTK+ before 2.18.4.
    Credit to an anonymous researcher.
    Impact: Processing maliciously crafted web content may lead to
    arbitrary code execution. Description: Multiple memory corruption
    issues were addressed with improved memory handling.

CVE-2017-7157
    Versions affected: WebKitGTK+ before 2.18.1.
    Credit to an anonymous researcher.
    Impact: Processing maliciously crafted web content may lead to
    arbitrary code execution. Description: Multiple memory corruption
    issues were addressed with improved memory handling.

CVE-2017-13856
    Versions affected: WebKitGTK+ before 2.18.4.
    Credit to Jeonghoon Shin.
    Impact: Processing maliciously crafted web content may lead to
    arbitrary code execution. Description: Multiple memory corruption
    issues were addressed with improved memory handling.

CVE-2017-13866
    Versions affected: WebKitGTK+ before 2.18.4.
    Credit to an anonymous researcher.
    Impact: Processing maliciously crafted web content may lead to
    arbitrary code execution. Description: Multiple memory corruption
    issues were addressed with improved memory handling.

CVE-2017-13870
    Versions affected: WebKitGTK+ before 2.18.4.
    Credit to an anonymous researcher.
    Impact: Processing maliciously crafted web content may lead to
    arbitrary code execution. Description: Multiple memory corruption
    issues were addressed with improved memory handling.
Comment 2 Larry the Git Cow gentoo-dev 2017-12-20 13:59:09 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2037d637f2b5fa504fad32fa8628044050ffb603

commit 2037d637f2b5fa504fad32fa8628044050ffb603
Author:     Mart Raudsepp <leio@gentoo.org>
AuthorDate: 2017-12-20 13:54:53 +0000
Commit:     Mart Raudsepp <leio@gentoo.org>
CommitDate: 2017-12-20 13:58:54 +0000

    net-libs/webkit-gtk: security bump to 2.18.4
    
    Bug: https://bugs.gentoo.org/641752
    Package-Manager: Portage-2.3.19, Repoman-2.3.6

 net-libs/webkit-gtk/Manifest                 |   1 +
 net-libs/webkit-gtk/webkit-gtk-2.18.4.ebuild | 284 +++++++++++++++++++++++++++
 2 files changed, 285 insertions(+)}
Comment 3 Thomas Deutschmann gentoo-dev Security 2017-12-20 21:20:17 UTC
x86 stable
Comment 4 Agostino Sarubbo gentoo-dev 2017-12-27 08:52:49 UTC
amd64 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 5 Larry the Git Cow gentoo-dev 2017-12-27 20:24:51 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1e7e9386980fdf244980b36ef60bf7f050094848

commit 1e7e9386980fdf244980b36ef60bf7f050094848
Author:     Mart Raudsepp <leio@gentoo.org>
AuthorDate: 2017-12-27 20:23:58 +0000
Commit:     Mart Raudsepp <leio@gentoo.org>
CommitDate: 2017-12-27 20:23:58 +0000

    net-libs/webkit-gtk: security cleanup
    
    Bug: https://bugs.gentoo.org/641752
    Package-Manager: Portage-2.3.19, Repoman-2.3.6

 net-libs/webkit-gtk/Manifest                 |   1 -
 net-libs/webkit-gtk/webkit-gtk-2.18.3.ebuild | 284 ---------------------------
 2 files changed, 285 deletions(-)}
Comment 6 D'juan McDonald (domhnall) 2018-01-05 07:08:15 UTC
New GLSA request filed.


Gentoo Security Padawan
(Jmbailey/mbailey_j)
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2018-01-07 23:59:14 UTC
This issue was resolved and addressed in
 GLSA 201801-09 at https://security.gentoo.org/glsa/201801-09
by GLSA coordinator Aaron Bauman (b-man).