From URL:

CVE-2020-9802
Versions affected: WebKitGTK before 2.28.3 and WPE WebKit before 2.28.3.
Credit to Samuel Groß of Google Project Zero.
Impact: Processing maliciously crafted web content may lead to arbitrary code execution.
Description: A logic issue was addressed with improved restrictions.

CVE-2020-9803
Versions affected: WebKitGTK before 2.28.3 and WPE WebKit before 2.28.3.
Credit to Wen Xu of SSLab at Georgia Tech.
Impact: Processing maliciously crafted web content may lead to arbitrary code execution.
Description: A memory corruption issue was addressed with improved validation.

CVE-2020-9805
Versions affected: WebKitGTK before 2.28.3 and WPE WebKit before 2.28.3.
Credit to an anonymous researcher.
Impact: Processing maliciously crafted web content may lead to universal cross site scripting.
Description: A logic issue was addressed with improved restrictions.

CVE-2020-9806
Versions affected: WebKitGTK before 2.28.3 and WPE WebKit before 2.28.3.
Credit to Wen Xu of SSLab at Georgia Tech.
Impact: Processing maliciously crafted web content may lead to arbitrary code execution.
Description: A memory corruption issue was addressed with improved state management.

CVE-2020-9807
Versions affected: WebKitGTK before 2.28.3 and WPE WebKit before 2.28.3.
Credit to Wen Xu of SSLab at Georgia Tech.
Impact: Processing maliciously crafted web content may lead to arbitrary code execution.
Description: A memory corruption issue was addressed with improved state management.

CVE-2020-9843
Versions affected: WebKitGTK before 2.28.3 and WPE WebKit before 2.28.3.
Credit to Ryan Pickren (ryanpickren.com).
Impact: Processing maliciously crafted web content may lead to a cross site scripting attack.
Description: An input validation issue was addressed with improved input validation.

CVE-2020-9850
Versions affected: WebKitGTK before 2.28.3 and WPE WebKit before 2.28.3.
Credit to @jinmo123, @setuid0x0_, and @insu_yun_en of @SSLab_Gatech working with Trend Micro’s Zero Day Initiative.
Impact: A remote attacker may be able to cause arbitrary code execution.
Description: A logic issue was addressed with improved restrictions.

CVE-2020-13753
Versions affected: WebKitGTK before 2.28.3 and WPE WebKit before 2.28.3.
Credit to Milan Crha at Red Hat.
The bubblewrap sandbox of WebKitGTK and WPE WebKit, prior to 2.28.3, failed to properly block access to CLONE_NEWUSER and the TIOCSTI ioctl. CLONE_NEWUSER could potentially be used to confuse xdg-desktop-portal, which allows access outside the sandbox. TIOCSTI can be used to directly execute commands outside the sandbox by writing to the controlling terminal’s input buffer, similar to CVE-2017-5226.
Please bump to 2.28.3.
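The CVE-2020-13753 entry above names two sandbox escape paths, the TIOCSTI ioctl and CLONE_NEWUSER, that the bubblewrap sandbox failed to block before 2.28.3. The block below is an added illustration, not WebKit's or bubblewrap's own code, of a seccomp-BPF filter that denies both (the clone3 rule is my addition, since clone3 cannot be argument-inspected) plus two probes that show the effect; it assumes Linux on x86_64 or aarch64, and the names `install_sandbox_filter`, `probe_tiocsti`, `probe_newuser` and `SANDBOX_ARCH` are chosen here.

```c
#include <errno.h>
#include <stddef.h>
#include <sys/ioctl.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/sched.h>
#include <linux/seccomp.h>
#ifdef __x86_64__
#define SANDBOX_ARCH AUDIT_ARCH_X86_64   /* hypothetical name; assumes x86_64 or aarch64 */
#else
#define SANDBOX_ARCH AUDIT_ARCH_AARCH64
#endif
#ifndef __NR_clone3
#define __NR_clone3 435                  /* clone3 has the same number on every arch */
#endif
#define ARG_LO(n) offsetof(struct seccomp_data, args[n]) /* low 32 bits, little-endian */
/* Seccomp-BPF filter closing the two gaps named in the advisory: TIOCSTI on any fd and
 * CLONE_NEWUSER via clone()/unshare(); clone3() gets ENOSYS so libc falls back to clone(). */
int install_sandbox_filter(void) {
    struct sock_filter filter[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SANDBOX_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),             /* foreign ABI: kill */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_ioctl, 0, 3),   /* not ioctl: skip 3 */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARG_LO(1)),           /* ioctl request */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, TIOCSTI, 0, 8),      /* other request: allow */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_clone3, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | ENOSYS),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_clone, 1, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_unshare, 0, 3), /* neither: allow */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARG_LO(0)),           /* flags */
        BPF_JUMP(BPF_JMP | BPF_JSET | BPF_K, CLONE_NEWUSER, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { sizeof filter / sizeof filter[0], filter };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);       /* 0 on success */
}
int probe_tiocsti(void) {          /* errno: ENOTTY on a pipe unfiltered, EPERM filtered */
    int fds[2], rc; char c = 'x';
    if (pipe(fds) != 0) return errno;
    rc = ioctl(fds[0], TIOCSTI, &c) == 0 ? 0 : errno;
    close(fds[0]); close(fds[1]); return rc;
}
int probe_newuser(void) { return syscall(SYS_unshare, CLONE_NEWUSER) == 0 ? 0 : errno; }
```

The filter is per-process and inherited across fork/exec, so a launcher would install it just before exec'ing the sandboxed child; the arch check at the top matters because a 32-bit ABI reuses syscall numbers with different meanings.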
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=51bc67d156bf486792989c5e8e8ee19f43b32f11

commit 51bc67d156bf486792989c5e8e8ee19f43b32f11
Author:     Mart Raudsepp <leio@gentoo.org>
AuthorDate: 2020-07-11 10:47:06 +0000
Commit:     Mart Raudsepp <leio@gentoo.org>
CommitDate: 2020-07-11 13:33:45 +0000

net-libs/webkit-gtk: bump to 2.28.3

Also raise gtk-doc dependency and drop patch that kept compat with perl gtk-doc, as we now can do so without stabilization worries.

Bug: https://bugs.gentoo.org/732104
Closes: https://bugs.gentoo.org/704550
Package-Manager: Portage-2.3.84, Repoman-2.3.20
Signed-off-by: Mart Raudsepp <leio@gentoo.org>

 net-libs/webkit-gtk/Manifest                     |   1 +
 .../webkit-gtk/files/2.28.3-non-jumbo-fix2.patch |  44 ++++
 net-libs/webkit-gtk/webkit-gtk-2.28.3.ebuild     | 290 +++++++++++++++++++++
 3 files changed, 335 insertions(+)
arm64 stable
amd64 stable
x86 stable
Need to clean up but still blocked :(
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5006f73937044695f6a1317de58ef80d12b19b7a

commit 5006f73937044695f6a1317de58ef80d12b19b7a
Author:     Mart Raudsepp <leio@gentoo.org>
AuthorDate: 2020-07-19 05:58:49 +0000
Commit:     Mart Raudsepp <leio@gentoo.org>
CommitDate: 2020-07-19 05:59:37 +0000

net-libs/webkit-gtk: remove old

Bug: https://bugs.gentoo.org/699156
Bug: https://bugs.gentoo.org/712260
Bug: https://bugs.gentoo.org/732104
Package-Manager: Portage-2.3.84, Repoman-2.3.20
Signed-off-by: Mart Raudsepp <leio@gentoo.org>

 net-libs/webkit-gtk/Manifest                       |   3 -
 .../files/2.26.2-fix-arm-non-unified-build.patch   |  27 --
 net-libs/webkit-gtk/files/2.26.3-fix-gtk-doc.patch |  27 --
 .../webkit-gtk/files/2.28.2-fix-ppc64-JSC.patch    |  59 -----
 .../files/2.28.2-fix-yelp-desktopless-build.patch  |  53 ----
 .../files/2.28.2-use-gst-audiointerleave.patch     |  55 ----
 .../files/webkit-gtk-2.24.4-icu-65.patch           |  53 ----
 net-libs/webkit-gtk/metadata.xml                   |   4 -
 net-libs/webkit-gtk/webkit-gtk-2.24.4.ebuild       | 283 --------------------
 net-libs/webkit-gtk/webkit-gtk-2.26.4-r1.ebuild    | 286 --------------------
 net-libs/webkit-gtk/webkit-gtk-2.28.2.ebuild       | 293 ---------------------
 11 files changed, 1143 deletions(-)
This issue was resolved and addressed in GLSA 202007-11 at https://security.gentoo.org/glsa/202007-11 by GLSA coordinator Sam James (sam_c).