Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 672108 (CVE-2018-4345, CVE-2018-4372, CVE-2018-4373, CVE-2018-4375, CVE-2018-4376, CVE-2018-4378, CVE-2018-4382, CVE-2018-4386, CVE-2018-4392, CVE-2018-4416, WSA-2018-0008) - <net-libs/webkit-gtk-2.22.5: multiple vulnerabilities (WSA-2018-0008)
Summary: <net-libs/webkit-gtk-2.22.5: multiple vulnerabilities (WSA-2018-0008)
Status: RESOLVED FIXED
Alias: CVE-2018-4345, CVE-2018-4372, CVE-2018-4373, CVE-2018-4375, CVE-2018-4376, CVE-2018-4378, CVE-2018-4382, CVE-2018-4386, CVE-2018-4392, CVE-2018-4416, WSA-2018-0008
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL: https://webkitgtk.org/security/WSA-20...
Whiteboard: A2 [glsa+ cve]
Keywords:
Depends on: 674854
Blocks: CVE-2018-4437, CVE-2018-4438, CVE-2018-4441, CVE-2018-4442, CVE-2018-4443, CVE-2018-4464, WSA-2018-0009 674870
  Show dependency tree
 
Reported: 2018-11-27 22:38 UTC by GLSAMaker/CVETool Bot
Modified: 2019-03-14 01:38 UTC (History)
1 user (show)

See Also:
Package list:
net-libs/webkit-gtk-2.22.5
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2018-11-27 22:38:15 UTC
Incoming details.
Comment 1 Thomas Deutschmann gentoo-dev Security 2018-11-27 22:40:08 UTC
From $URL:

Several vulnerabilities were discovered in WebKitGTK+ and WPE WebKit.

CVE-2018-4345
Versions affected: WebKitGTK+ before 2.22.3 and WPE WebKit before 2.22.1.
Credit to an anonymous researcher.
A cross-site scripting issue existed in WebKit. This issue was addressed with improved URL validation.

CVE-2018-4372
Versions affected: WebKitGTK+ before 2.22.4 and WPE WebKit before 2.22.2.
Credit to HyungSeok Han, DongHyeon Oh, and Sang Kil Cha of KAIST Softsec Lab, Korea.
Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling.

CVE-2018-4373
Versions affected: WebKitGTK+ and WPE WebKit before 2.22.0.
Credit to ngg, alippai, DirtYiCE, KT of Tresorit working with Trend Micro’s Zero Day Initiative.
Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling.

CVE-2018-4375
Versions affected: WebKitGTK+ before 2.22.1 and WPE WebKit before 2.22.0.
Credit to Yu Haiwan and Wu Hongjun From Nanyang Technological University working with Trend Micro’s Zero Day Initiative.
Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling.

CVE-2018-4376
Versions affected: WebKitGTK+ before 2.22.1 and WPE WebKit before 2.22.0.
Credit to 010 working with Trend Micro’s Zero Day Initiative.
Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling.

CVE-2018-4378
Versions affected: WebKitGTK+ before 2.22.1 and WPE WebKit before 2.22.0.
Credit to an anonymous researcher, zhunki of 360 ESG Codesafe Team.
Processing maliciously crafted web content may lead to code execution. A memory corruption issue was addressed with improved validation.

CVE-2018-4382
Versions affected: WebKitGTK+ before 2.22.1 and WPE WebKit before 2.22.0.
Credit to lokihardt of Google Project Zero.
Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling.

CVE-2018-4386
Versions affected: WebKitGTK+ before 2.22.3 and WPE WebKit before 2.22.1.
Credit to lokihardt of Google Project Zero.
Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling.

CVE-2018-4392
Versions affected: WebKitGTK+ before 2.22.1 and WPE WebKit before 2.22.0.
Credit to zhunki of 360 ESG Codesafe Team.
Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling.

CVE-2018-4416
Versions affected: WebKitGTK+ before 2.22.1 and WPE WebKit before 2.22.0.
Credit to lokihardt of Google Project Zero.
Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling.
Comment 2 Thomas Deutschmann gentoo-dev Security 2019-01-09 01:37:10 UTC
x86 stable
Comment 3 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-01-10 09:53:46 UTC
amd64 stable
Comment 4 Mart Raudsepp gentoo-dev 2019-01-14 19:54:46 UTC
cleanup done
Comment 5 Yury German Gentoo Infrastructure gentoo-dev Security 2019-03-07 22:01:58 UTC
Arches and Maintainer(s), Thank you for your work.
Added to an existing GLSA Request.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2019-03-14 01:38:22 UTC
This issue was resolved and addressed in
 GLSA 201903-12 at https://security.gentoo.org/glsa/201903-12
by GLSA coordinator Aaron Bauman (b-man).