Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 658168 (CVE-2018-11646, CVE-2018-11712, CVE-2018-11713, CVE-2018-12293, CVE-2018-12294, CVE-2018-4190, CVE-2018-4192, CVE-2018-4199, CVE-2018-4201, CVE-2018-4214, CVE-2018-4218, CVE-2018-4222, CVE-2018-4232, CVE-2018-4233, WSA-2018-0005) - <net-libs/webkit-gtk-2.20.3: Multiple vulnerabilities (WSA-2018-0005)
Summary: <net-libs/webkit-gtk-2.20.3: Multiple vulnerabilities (WSA-2018-0005)
Status: RESOLVED FIXED
Alias: CVE-2018-11646, CVE-2018-11712, CVE-2018-11713, CVE-2018-12293, CVE-2018-12294, CVE-2018-4190, CVE-2018-4192, CVE-2018-4199, CVE-2018-4201, CVE-2018-4214, CVE-2018-4218, CVE-2018-4222, CVE-2018-4232, CVE-2018-4233, WSA-2018-0005
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://webkitgtk.org/security/WSA-20...
Whiteboard: B2 [glsa+ cve]
Keywords:
Depends on: CVE-2018-4101, CVE-2018-4113, CVE-2018-4114, CVE-2018-4118, CVE-2018-4119, CVE-2018-4120, CVE-2018-4121, CVE-2018-4122, CVE-2018-4125, CVE-2018-4127, CVE-2018-4128, CVE-2018-4129, CVE-2018-4133, CVE-2018-4146, CVE-2018-4161, CVE-2018-4162, CVE-2018-4163, CVE-2018-4165, CVE-2018-4200, CVE-2018-4204, WSA-2018-0003, WSA-2018-0004 655550 661356
Blocks:
  Show dependency tree
 
Reported: 2018-06-15 12:58 UTC by Vlad K.
Modified: 2018-08-22 21:29 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Vlad K. 2018-06-15 12:58:03 UTC
Date Reported:   June 13, 2018
Advisory ID:     WSA-2018-0005
CVE identifiers: CVE-2018-4190, CVE-2018-4192, CVE-2018-4199, CVE-2018-4201,
                 CVE-2018-4214, CVE-2018-4218, CVE-2018-4222, CVE-2018-4232,
                 CVE-2018-4233, CVE-2018-11646, CVE-2018-11712,
                 CVE-2018-11713, CVE-2018-12293, CVE-2018-12294.

Several vulnerabilities were discovered in WebKitGTK+ and WPE WebKit.

CVE-2018-4190
    Versions affected: WebKitGTK+ before 2.20.3 and WPE WebKit before 2.20.1.
    Credit to Jun Kokatsu (@shhnjk).  Impact: Visiting a maliciously crafted
    website may leak sensitive data. Description: Credentials were unexpectedly
    sent when fetching CSS mask images. This was addressed by using a
    CORS-enabled fetch method.

CVE-2018-4192
    Versions affected: WebKitGTK+ before 2.20.1.  Credit to Markus Gaasedelen,
    Nick Burnett, and Patrick Biernat of Ret2 Systems, Inc working with Trend
    Micro’s Zero Day Initiative.  Impact: Processing maliciously crafted web
    content may lead to arbitrary code execution. Description: A race condition
    was addressed with improved locking.

CVE-2018-4199
    Versions affected: WebKitGTK+ before 2.20.3 and WPE WebKit before 2.20.1.
    Credit to Alex Plaskett, Georgi Geshev, Fabi Beterke, and Nils of MWR Labs
    working with Trend Micro’s Zero Day Initiative.  Impact: Processing
    maliciously crafted web content may lead to arbitrary code execution.
    Description: A buffer overflow issue was addressed with improved memory
    handling.

CVE-2018-4201
    Versions affected: WebKitGTK+ before 2.20.1.  Credit to an anonymous
    researcher.  Impact: Processing maliciously crafted web content may lead to
    arbitrary code execution. Description: Multiple memory corruption issues
    were addressed with improved memory handling.

CVE-2018-4214
    Versions affected: WebKitGTK+ before 2.20.0.  Credit to OSS-Fuzz.  Impact:
    Processing maliciously crafted web content may lead to an unexpected
    application crash. Description: A memory corruption issue was addressed
    with improved input validation.

CVE-2018-4218
    Versions affected: WebKitGTK+ before 2.20.3 and WPE WebKit before 2.20.1.
    Credit to Natalie Silvanovich of Google Project Zero.  Impact: Processing
    maliciously crafted web content may lead to arbitrary code execution.
    Description: Multiple memory corruption issues were addressed with improved
    memory handling.

CVE-2018-4222
    Versions affected: WebKitGTK+ before 2.20.3 and WPE WebKit before 2.20.1.
    Credit to Natalie Silvanovich of Google Project Zero.  Impact: Processing
    maliciously crafted web content may lead to arbitrary code execution.
    Description: An out-of-bounds read was addressed with improved input
    validation.

CVE-2018-4232
    Versions affected: WebKitGTK+ before 2.20.3 and WPE WebKit before 2.20.1.
    Credit to Aymeric Chaib.  Impact: Visiting a maliciously crafted website
    may lead to cookies being overwritten. Description: A permissions issue
    existed in the handling of web browser cookies. This issue was addressed
    with improved restrictions.

CVE-2018-4233
    Versions affected: WebKitGTK+ before 2.20.3 and WPE WebKit before 2.20.1.
    Credit to Samuel Groß (@5aelo) working with Trend Micro’s Zero Day
    Initiative.  Impact: Processing maliciously crafted web content may lead to
    arbitrary code execution. Description: Multiple memory corruption issues
    were addressed with improved memory handling.

CVE-2018-11646
    Versions affected: WebKitGTK+ before 2.20.3 and WPE WebKit before 2.20.1.
    Credit to Mishra Dhiraj.  Maliciously crafted web content could trigger an
    application crash in WebKitFaviconDatabase, caused by mishandling
    unexpected input.

CVE-2018-11712
    Versions affected: WebKitGTK+ 2.20.0 and 2.20.1.  Credit to Metrological
    Group B.V.  The libsoup network backend of WebKit failed to perform TLS
    certificate verification for WebSocket connections.

CVE-2018-11713
    Versions affected: WebKitGTK+ before 2.20.0 or without libsoup 2.62.0.
    Credit to Dirkjan Ochtman.  The libsoup network backend of WebKit
    unexpectedly failed to use system proxy settings for WebSocket connections.
    As a result, users could be deanonymized by crafted web sites via a
    WebSocket connection.

CVE-2018-12293
    Versions affected: WebKitGTK+ before 2.20.3 and WPE WebKit before 2.20.1.
    Credit to ADlab of Venustech.  Maliciously crafted web content could
    achieve a heap buffer overflow in ImageBufferCairo by exploiting multiple
    integer overflow issues.

CVE-2018-12294
    Versions affected: WebKitGTK+ before 2.20.2.  Credit to ADlab of Venustech.
    Maliciously crafted web content could trigger a use-after-free of a
    TextureMapperLayer object.


Reproducible: Didn't try
Comment 1 Mart Raudsepp gentoo-dev 2018-07-23 22:36:22 UTC
Bump is done finally, but I'd prefer to let it simmer for a couple days in ~arch, as the upstream build system does something similar to chromium[jumbo-build] unconditionally now with some cmake dark magic and some ebuild things were reworked. So lets see what shakes out within 2-7 days.
Comment 2 Mart Raudsepp gentoo-dev 2018-07-30 09:32:17 UTC
I suggest merging this into bug 652820, add CVE to alias there, also include WSA-2018-0003 things, etc...
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2018-08-06 19:10:39 UTC
Added to an existing GLSA request.
Comment 4 Larry the Git Cow gentoo-dev 2018-08-16 21:33:30 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d9aaff9f75c2d90539b4891c3de7619f8f3891a0

commit d9aaff9f75c2d90539b4891c3de7619f8f3891a0
Author:     Mart Raudsepp <leio@gentoo.org>
AuthorDate: 2018-08-16 21:15:32 +0000
Commit:     Mart Raudsepp <leio@gentoo.org>
CommitDate: 2018-08-16 21:32:30 +0000

    net-libs/webkit-gtk: security cleanup
    
    Bug: https://bugs.gentoo.org/658168
    Package-Manager: Portage-2.3.46, Repoman-2.3.10

 net-libs/webkit-gtk/Manifest                       |   1 -
 .../webkit-gtk/files/2.20.3-jsc-build-fixes.patch  |  14 -
 .../files/webkit-gtk-2.8.5-fix-ia64-build.patch    |  21 --
 net-libs/webkit-gtk/webkit-gtk-2.18.6.ebuild       | 284 ---------------------
 4 files changed, 320 deletions(-)
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2018-08-22 21:29:17 UTC
This issue was resolved and addressed in
 GLSA 201808-04 at https://security.gentoo.org/glsa/201808-04
by GLSA coordinator Thomas Deutschmann (whissi).