Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 667892 (CVE-2018-4191, CVE-2018-4197, CVE-2018-4207, CVE-2018-4208, CVE-2018-4209, CVE-2018-4210, CVE-2018-4212, CVE-2018-4213, CVE-2018-4299, CVE-2018-4306, CVE-2018-4309, CVE-2018-4311, CVE-2018-4312, CVE-2018-4314, CVE-2018-4315, CVE-2018-4316, CVE-2018-4317, CVE-2018-4318, CVE-2018-4319, CVE-2018-4323, CVE-2018-4328, CVE-2018-4358, CVE-2018-4359, CVE-2018-4361, WSA-2018-0007) - <net-libs/webkit-gtk-2.22.0: multiple vulnerabilities (WSA-2018-0007)
Summary: <net-libs/webkit-gtk-2.22.0: multiple vulnerabilities (WSA-2018-0007)
Status: RESOLVED FIXED
Alias: CVE-2018-4191, CVE-2018-4197, CVE-2018-4207, CVE-2018-4208, CVE-2018-4209, CVE-2018-4210, CVE-2018-4212, CVE-2018-4213, CVE-2018-4299, CVE-2018-4306, CVE-2018-4309, CVE-2018-4311, CVE-2018-4312, CVE-2018-4314, CVE-2018-4315, CVE-2018-4316, CVE-2018-4317, CVE-2018-4318, CVE-2018-4319, CVE-2018-4323, CVE-2018-4328, CVE-2018-4358, CVE-2018-4359, CVE-2018-4361, WSA-2018-0007
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL: https://webkitgtk.org/security/WSA-20...
Whiteboard: A2 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2018-10-06 16:39 UTC by GLSAMaker/CVETool Bot
Modified: 2018-12-02 15:51 UTC (History)
1 user (show)

See Also:
Package list:
net-libs/webkit-gtk-2.22.2
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2018-10-06 16:39:09 UTC
Incoming details.
Comment 1 Thomas Deutschmann gentoo-dev Security 2018-10-06 16:42:34 UTC
Several vulnerabilities were discovered in WebKitGTK+ and WPE WebKit.

CVE-2018-4207
    Unexpected interaction causes an ASSERT failure. This issue was addressed with improved checks.
CVE-2018-4208
    Unexpected interaction causes an ASSERT failure. This issue was addressed with improved checks.
CVE-2018-4209
    Unexpected interaction causes an ASSERT failure. This issue was addressed with improved checks.
CVE-2018-4210
    Unexpected interaction with indexing types caused a failure. An array indexing issue existed in the handling of a function in JavaScriptCore. This issue was addressed with improved checks.
CVE-2018-4212
    Unexpected interaction causes an ASSERT failure. This issue was addressed with improved checks.
CVE-2018-4213
    Unexpected interaction causes an ASSERT failure. This issue was addressed with improved checks.
CVE-2018-4191
    Unexpected interaction causes an ASSERT failure. A memory corruption issue was addressed with improved validation.
CVE-2018-4197
    Processing maliciously crafted web content may lead to arbitrary code execution. A use after free issue was addressed with improved memory management.
CVE-2018-4299
    Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling.
CVE-2018-4306
    Processing maliciously crafted web content may lead to arbitrary code execution. A use after free issue was addressed with improved memory management.
CVE-2018-4309
    A malicious website may be able to execute scripts in the context of another website. A cross-site scripting issue existed in WebKit. This issue was addressed with improved URL validation.
CVE-2018-4311
    Cross-origin SecurityErrors includes the accessed frame’s origin. The issue was addressed by removing origin information.
CVE-2018-4312
    Processing maliciously crafted web content may lead to arbitrary code execution. A use after free issue was addressed with improved memory management.
CVE-2018-4314
    Processing maliciously crafted web content may lead to arbitrary code execution. A use after free issue was addressed with improved memory management.
CVE-2018-4315
    Processing maliciously crafted web content may lead to arbitrary code execution. A use after free issue was addressed with improved memory management.
CVE-2018-4316
    Processing maliciously crafted web content may lead to arbitrary code execution. A memory corruption issue was addressed with improved state management.
CVE-2018-4317
    Processing maliciously crafted web content may lead to arbitrary code execution. A use after free issue was addressed with improved memory management.
CVE-2018-4318
    Processing maliciously crafted web content may lead to arbitrary code execution. A use after free issue was addressed with improved memory management.
CVE-2018-4319
    A malicious website may cause unexepected cross-origin behavior. A cross-origin issue existed with iframe elements. This was addressed with improved tracking of security origins.
CVE-2018-4323
    Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling.
CVE-2018-4328
    Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling.
CVE-2018-4358
    Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling.
CVE-2018-4359
    Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling.
CVE-2018-4361
    Unexpected interaction causes an ASSERT failure. A memory corruption issue was addressed with improved memory handling.
Comment 2 Larry the Git Cow gentoo-dev 2018-10-06 18:39:09 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bb1d2ca7ceb1e944daadd50ead344d1ac9db70d1

commit bb1d2ca7ceb1e944daadd50ead344d1ac9db70d1
Author:     Mart Raudsepp <leio@gentoo.org>
AuthorDate: 2018-10-06 17:55:58 +0000
Commit:     Mart Raudsepp <leio@gentoo.org>
CommitDate: 2018-10-06 18:31:09 +0000

    net-libs/webkit-gtk: bump to 2.22.2
    
    Bug: https://bugs.gentoo.org/667892
    Signed-off-by: Mart Raudsepp <leio@gentoo.org>
    Package-Manager: Portage-2.3.49, Repoman-2.3.11

 net-libs/webkit-gtk/Manifest                 |   1 +
 net-libs/webkit-gtk/webkit-gtk-2.22.2.ebuild | 272 +++++++++++++++++++++++++++
 2 files changed, 273 insertions(+)
Comment 3 Mart Raudsepp gentoo-dev 2018-10-06 18:43:33 UTC
Delaying CCing arches a bit to figure out what's going on with epiphany-3.30.1 outright crashing with all this for the Youtube MSE fixes in webkit-gtk-2.22.2/gst-plugins-good-1.14.4/epiphany-3.30.1.
Help testing the masked epiphany 3.30.1 with youtube is welcome - maybe in other setups it doesn't crash.

If there are no updates on this by 9th October, feel free to just CC arches, as worst is that we just end up with yet another webkit-gtk revbump to fix that up. As-is, because epiphany-3.30.1 is masked, 2.22.2 will work fine, just no higher than 240p/360p resolution youtube.
Comment 4 Mart Raudsepp gentoo-dev 2018-10-11 15:12:29 UTC
It crashes with newer epiphany when opusparse gstreamer element doesn't exist. This is a gst-plugins-bad quality element that wasn't ready to move to base pack together with encoder/decoder, and I was told at the time that nothing really should need it - not the case anymore apparently.
That said, this is only an issue when experimental MSE support is explicitly enabled by a webkit-gtk using application, and MSE makes mostly sense just in browsers, so pretty much epiphany only. I will simply keep epiphany not using MSE until opusparse is figured out, and if necessary, add these runtime deps to epiphany only, not webkit-gtk for the time being (to avoid the deps for almost all other webkit-gtk use cases that wouldn't need it, and to not have to stabilize newer gstreamer for this security bug).
https://bugs.webkit.org/show_bug.cgi?id=190469 is filed, in case this really shouldn't be hard required.

tl;dr: webkit-gtk security stabilization can proceed fine, as issues are only brought out with package.masked epiphany.
Comment 5 Thomas Deutschmann gentoo-dev Security 2018-10-14 01:45:48 UTC
x86 stable
Comment 6 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2018-10-14 07:52:55 UTC
amd64 stable
Comment 7 Larry the Git Cow gentoo-dev 2018-10-14 12:06:00 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=397750445dd53fee8002275611b56a3cea397a7e

commit 397750445dd53fee8002275611b56a3cea397a7e
Author:     Mart Raudsepp <leio@gentoo.org>
AuthorDate: 2018-10-14 12:04:32 +0000
Commit:     Mart Raudsepp <leio@gentoo.org>
CommitDate: 2018-10-14 12:05:35 +0000

    net-libs/webkit-gtk: security cleanup
    
    Bug: https://bugs.gentoo.org/667892
    Signed-off-by: Mart Raudsepp <leio@gentoo.org>
    Package-Manager: Portage-2.3.49, Repoman-2.3.11

 net-libs/webkit-gtk/Manifest                 |   2 -
 net-libs/webkit-gtk/webkit-gtk-2.20.4.ebuild | 271 ---------------------------
 net-libs/webkit-gtk/webkit-gtk-2.20.5.ebuild | 271 ---------------------------
 3 files changed, 544 deletions(-)
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2018-12-02 15:51:45 UTC
This issue was resolved and addressed in
 GLSA 201812-04 at https://security.gentoo.org/glsa/201812-04
by GLSA coordinator Aaron Bauman (b-man).