Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 683234 (CVE-2019-11070, CVE-2019-6201, CVE-2019-6251, CVE-2019-7285, CVE-2019-7292, CVE-2019-8503, CVE-2019-8506, CVE-2019-8515, CVE-2019-8518, CVE-2019-8523, CVE-2019-8524, CVE-2019-8535, CVE-2019-8536, CVE-2019-8544, CVE-2019-8551, CVE-2019-8558, CVE-2019-8559, CVE-2019-8563, WSA-2019-0002) - <net-libs/webkit-gtk-2.24.1: multiple vulnerabilities (WSA-2019-0002)
Summary: <net-libs/webkit-gtk-2.24.1: multiple vulnerabilities (WSA-2019-0002)
Status: RESOLVED FIXED
Alias: CVE-2019-11070, CVE-2019-6201, CVE-2019-6251, CVE-2019-7285, CVE-2019-7292, CVE-2019-8503, CVE-2019-8506, CVE-2019-8515, CVE-2019-8518, CVE-2019-8523, CVE-2019-8524, CVE-2019-8535, CVE-2019-8536, CVE-2019-8544, CVE-2019-8551, CVE-2019-8558, CVE-2019-8559, CVE-2019-8563, WSA-2019-0002
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major
Assignee: Gentoo Security
URL: https://webkitgtk.org/security/WSA-20...
Whiteboard: A2 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2019-04-13 09:50 UTC by GLSAMaker/CVETool Bot
Modified: 2019-09-06 16:18 UTC (History)
1 user (show)

See Also:
Package list:
net-libs/webkit-gtk-2.24.1
Runtime testing required: ---
stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2019-04-13 09:50:08 UTC 
CVE-2019-6201 (https://nvd.nist.gov/vuln/detail/CVE-2019-6201):
  ** RESERVED ** This candidate has been reserved by an organization or
  individual that will use it when announcing a new security problem. When the
  candidate has been publicized, the details for this candidate will be
  provided.

CVE-2019-6251 (https://nvd.nist.gov/vuln/detail/CVE-2019-6251):
  embed/ephy-web-view.c in GNOME Web (aka Epiphany) through 3.31.4 allows
  address bar spoofing because a page load triggered by JavaScript leads to
  updating an address as if it were triggered by a safer visit type (e.g.,
  VISIT_LINK, VISIT_TYPED, VISIT_BOOKMARK, or VISIT_HOMEPAGE). This is similar
  to the CVE-2018-8383 issue in Microsoft Edge.

CVE-2019-7285 (https://nvd.nist.gov/vuln/detail/CVE-2019-7285):
  ** RESERVED ** This candidate has been reserved by an organization or
  individual that will use it when announcing a new security problem. When the
  candidate has been publicized, the details for this candidate will be
  provided.

CVE-2019-7292 (https://nvd.nist.gov/vuln/detail/CVE-2019-7292):
  ** RESERVED ** This candidate has been reserved by an organization or
  individual that will use it when announcing a new security problem. When the
  candidate has been publicized, the details for this candidate will be
  provided.

CVE-2019-8503 (https://nvd.nist.gov/vuln/detail/CVE-2019-8503):
  ** RESERVED ** This candidate has been reserved by an organization or
  individual that will use it when announcing a new security problem. When the
  candidate has been publicized, the details for this candidate will be
  provided.

CVE-2019-8506 (https://nvd.nist.gov/vuln/detail/CVE-2019-8506):
  ** RESERVED ** This candidate has been reserved by an organization or
  individual that will use it when announcing a new security problem. When the
  candidate has been publicized, the details for this candidate will be
  provided.

CVE-2019-8515 (https://nvd.nist.gov/vuln/detail/CVE-2019-8515):
  ** RESERVED ** This candidate has been reserved by an organization or
  individual that will use it when announcing a new security problem. When the
  candidate has been publicized, the details for this candidate will be
  provided.

CVE-2019-8518 (https://nvd.nist.gov/vuln/detail/CVE-2019-8518):
  ** RESERVED ** This candidate has been reserved by an organization or
  individual that will use it when announcing a new security problem. When the
  candidate has been publicized, the details for this candidate will be
  provided.

CVE-2019-8523 (https://nvd.nist.gov/vuln/detail/CVE-2019-8523):
  ** RESERVED ** This candidate has been reserved by an organization or
  individual that will use it when announcing a new security problem. When the
  candidate has been publicized, the details for this candidate will be
  provided.

CVE-2019-8524 (https://nvd.nist.gov/vuln/detail/CVE-2019-8524):
  ** RESERVED ** This candidate has been reserved by an organization or
  individual that will use it when announcing a new security problem. When the
  candidate has been publicized, the details for this candidate will be
  provided.

CVE-2019-8535 (https://nvd.nist.gov/vuln/detail/CVE-2019-8535):
  ** RESERVED ** This candidate has been reserved by an organization or
  individual that will use it when announcing a new security problem. When the
  candidate has been publicized, the details for this candidate will be
  provided.

CVE-2019-8536 (https://nvd.nist.gov/vuln/detail/CVE-2019-8536):
  ** RESERVED ** This candidate has been reserved by an organization or
  individual that will use it when announcing a new security problem. When the
  candidate has been publicized, the details for this candidate will be
  provided.

CVE-2019-8544 (https://nvd.nist.gov/vuln/detail/CVE-2019-8544):
  ** RESERVED ** This candidate has been reserved by an organization or
  individual that will use it when announcing a new security problem. When the
  candidate has been publicized, the details for this candidate will be
  provided.

CVE-2019-8551 (https://nvd.nist.gov/vuln/detail/CVE-2019-8551):
  ** RESERVED ** This candidate has been reserved by an organization or
  individual that will use it when announcing a new security problem. When the
  candidate has been publicized, the details for this candidate will be
  provided.

CVE-2019-8558 (https://nvd.nist.gov/vuln/detail/CVE-2019-8558):
  ** RESERVED ** This candidate has been reserved by an organization or
  individual that will use it when announcing a new security problem. When the
  candidate has been publicized, the details for this candidate will be
  provided.

CVE-2019-8559 (https://nvd.nist.gov/vuln/detail/CVE-2019-8559):
  ** RESERVED ** This candidate has been reserved by an organization or
  individual that will use it when announcing a new security problem. When the
  candidate has been publicized, the details for this candidate will be
  provided.

CVE-2019-8563 (https://nvd.nist.gov/vuln/detail/CVE-2019-8563):
  ** RESERVED ** This candidate has been reserved by an organization or
  individual that will use it when announcing a new security problem. When the
  candidate has been publicized, the details for this candidate will be
  provided.

CVE-2019-11070 (https://nvd.nist.gov/vuln/detail/CVE-2019-11070):
  WebKitGTK and WPE WebKit prior to version 2.24.1 failed to properly apply
  configured HTTP proxy settings when downloading livestream video (HLS, DASH,
  or Smooth Streaming), an error resulting in deanonymization. This issue was
  corrected by changing the way livestreams are downloaded.
Comment 1 Larry the Git Cow gentoo-dev 2019-04-13 19:05:54 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=08e02e08cb8befcf19ded8e1cee3dd32025bf4bd

commit 08e02e08cb8befcf19ded8e1cee3dd32025bf4bd
Author:     Mart Raudsepp <leio@gentoo.org>
AuthorDate: 2019-04-13 18:58:50 +0000
Commit:     Mart Raudsepp <leio@gentoo.org>
CommitDate: 2019-04-13 18:59:07 +0000

    net-libs/webkit-gtk: security bump to 2.24.1, drop JIT control
    
    JIT manual control is getting complicated for limited benefits, which
    mostly involve oneself shooting in the foot. Let upstream build system
    figure out whether it should do JIT or not and don't get in the way.
    May be revisited based on any fallout and relevant bug reports after
    discussions on such reports convince it's needed.
    
    Bug: https://bugs.gentoo.org/683234
    Bug: https://bugs.gentoo.org/680580
    Bug: https://bugs.gentoo.org/680464
    Package-Manager: Portage-2.3.52, Repoman-2.3.12
    Signed-off-by: Mart Raudsepp <leio@gentoo.org>

 net-libs/webkit-gtk/Manifest                 |   1 +
 net-libs/webkit-gtk/webkit-gtk-2.24.1.ebuild | 281 +++++++++++++++++++++++++++
 2 files changed, 282 insertions(+)
Comment 2 Mart Raudsepp gentoo-dev 2019-04-19 09:48:24 UTC 
Looks like no-one is complaining about the USE=jit removal so far, so lets proceed with security stabilization. Meant to get this going 2 days ago, better late than never :)
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2019-04-19 16:07:23 UTC 
amd64 stable
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2019-04-24 21:35:08 UTC 
x86 stable
Comment 5 Aaron Bauman (RETIRED) gentoo-dev 2019-04-24 22:41:02 UTC 
@gnome, please drop vulnerable.
Comment 6 Larry the Git Cow gentoo-dev 2019-04-25 08:46:38 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6b93f98379f931e1d3cc8c547142b7661ee8895c

commit 6b93f98379f931e1d3cc8c547142b7661ee8895c
Author:     Mart Raudsepp <leio@gentoo.org>
AuthorDate: 2019-04-25 08:46:28 +0000
Commit:     Mart Raudsepp <leio@gentoo.org>
CommitDate: 2019-04-25 08:46:28 +0000

    net-libs/webkit-gtk: security cleanup
    
    Bug: https://bugs.gentoo.org/683234
    Package-Manager: Portage-2.3.52, Repoman-2.3.12
    Signed-off-by: Mart Raudsepp <leio@gentoo.org>

 net-libs/webkit-gtk/Manifest                 |   3 -
 net-libs/webkit-gtk/webkit-gtk-2.22.6.ebuild | 287 ---------------------------
 net-libs/webkit-gtk/webkit-gtk-2.22.7.ebuild | 287 ---------------------------
 net-libs/webkit-gtk/webkit-gtk-2.24.0.ebuild | 286 --------------------------
 4 files changed, 863 deletions(-)
Comment 7 Thomas Deutschmann (RETIRED) gentoo-dev 2019-09-06 15:45:54 UTC 
Added to an existing GLSA.
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2019-09-06 16:18:29 UTC 
This issue was resolved and addressed in
 GLSA 201909-05 at https://security.gentoo.org/glsa/201909-05
by GLSA coordinator Thomas Deutschmann (whissi).