| Summary: | webkit2 security issues fixed upstream (WSA-2017-0008 and WSA-2017-0009) | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | cjw, lewyssmith, mageia, marja11, nicolas.salguero, olav, pterjan, rverschelde, shlomif, sysadmin-bugs, thierry.vignaud |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA6-64-OK | ||
| Source RPM: | webkit2-2.16.6-1.mga6.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser
2017-10-19 04:54:05 CEST
Assigning to all packagers collectively, since there is no registered maintainer for this package. Also CC'ing some committers.

CC: (none) => cjw, mageia, marja11, nicolas.salguero, olav, pterjan, rverschelde, shlomif, thierry.vignaud

Ubuntu has issued an advisory for this on October 23:
https://usn.ubuntu.com/usn/usn-3460-1/

Hi,

Version 2.18.2 was released on Halloween day. I am working on it.

Best regards,

Nico.

Suggested advisory:
========================

Updated webkit2 packages fix security vulnerabilities:

The webkit2 package has been updated to version 2.18.2, fixing several security issues and other bugs.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7081
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7087
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7089
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7090
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7091
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7092
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7093
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7094
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7095
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7096
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7098
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7099
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7100
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7102
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7104
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7107
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7109
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7111
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7117
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7120
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7142
https://webkitgtk.org/security/WSA-2017-0008.html
https://webkitgtk.org/2017/10/18/webkitgtk2.18.1-released.html
https://webkitgtk.org/2017/10/27/webkitgtk2.18.2-released.html
========================

Updated packages in core/updates_testing:
========================
webkit2-2.18.2-1.mga6
webkit2-jsc-2.18.2-1.mga6
lib(64)webkit2gtk4.0_37-2.18.2-1.mga6
lib(64)javascriptcoregtk4.0_18-2.18.2-1.mga6
lib(64)webkit2-devel-2.18.2-1.mga6
lib(64)javascriptcore-gir4.0-2.18.2-1.mga6
lib(64)webkit2gtk-gir4.0-2.18.2-1.mga6

from SRPMS:
webkit2-2.18.2-1.mga6.src.rpm

Status: NEW => ASSIGNED
Lewis Smith
2017-11-05 14:32:04 CET
Keywords: (none) => advisory

$ urpmq --whatrequires-recursive webkit2 | sort | uniq | grep -v ^lib
shows a host of applications that ultimately use webkit2.

CC: (none) => lewyssmith
Lewis Smith
2017-11-05 14:33:44 CET
CC: lewyssmith => (none)

Upstream has issued an advisory today (November 10):
https://webkitgtk.org/security/WSA-2017-0009.html

A few more security issues were fixed in 2.18.3, and more that were fixed in 2.18.1 have been announced.

Suggested advisory:
========================

Updated webkit2 packages fix security vulnerabilities:

The webkit2 package has been updated to version 2.18.3, fixing several security issues and other bugs.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7081
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7087
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7089
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7090
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7091
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7092
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7093
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7094
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7095
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7096
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7098
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7099
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7100
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7102
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7104
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7107
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7109
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7111
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7117
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7120
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7142
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13783
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13784
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13785
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13788
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13791
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13792
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13793
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13794
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13795
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13796
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13798
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13802
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13803
https://webkitgtk.org/security/WSA-2017-0008.html
https://webkitgtk.org/security/WSA-2017-0009.html
https://webkitgtk.org/2017/10/18/webkitgtk2.18.1-released.html
https://webkitgtk.org/2017/10/27/webkitgtk2.18.2-released.html
https://webkitgtk.org/2017/11/10/webkitgtk2.18.3-released.html
========================

Updated packages in core/updates_testing:
========================
webkit2-2.18.3-1.mga6
webkit2-jsc-2.18.3-1.mga6
libwebkit2gtk4.0_37-2.18.3-1.mga6
libjavascriptcoregtk4.0_18-2.18.3-1.mga6
libwebkit2-devel-2.18.3-1.mga6
libjavascriptcore-gir4.0-2.18.3-1.mga6
libwebkit2gtk-gir4.0-2.18.3-1.mga6

from webkit2-2.18.3-1.mga6.src.rpm

Summary: webkit2 security issues fixed upstream (WSA-2017-0008) => webkit2 security issues fixed upstream (WSA-2017-0008 and WSA-2017-0009)

About to try M6/64, updating the following to:
- lib64javascriptcore-gir4.0-2.18.3-1.mga6.x86_64
- lib64javascriptcoregtk4.0_18-2.18.3-1.mga6.x86_64
- lib64webkit2gtk-gir4.0-2.18.3-1.mga6.x86_64
- lib64webkit2gtk4.0_37-2.18.3-1.mga6.x86_64
- webkit2-2.18.3-1.mga6.x86_64

Will try Gnome, Nautilus, Cinnamon, XFCE, Thunar and hope they invoke one of the libraries.

CC: (none) => lewyssmith

Testing M6/64 AFTER the update
Stracing a number of available applications given by:
$ urpmq --whatrequires-recursive webkit2 | sort | uniq | grep -v ^lib
in the manner:
$ strace <application> 2>&1 | grep webkit
many gave no sign of calling webkit; e.g. epiphany=web, files, caja, thunar. Nor did GDM display manager; Cinnamon, Gnome, Xfce desktops. But all these things worked - I tried those that I had installed with a 6-desktop system.
A few did show more +ve use:
$ strace atril 2>&1 | grep webkit
open("/lib64/libwebkit2gtk-4.0.so.37", O_RDONLY|O_CLOEXEC) = 3
read(14, "libwebkit2gtk-4.0.so.37.24.6\n7fc"..., 1024) = 1024
$ strace evolution 2>&1 | grep webkit
open("/usr/lib64/evolution/libwebkit2gtk-4.0.so.37", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/lib64/libwebkit2gtk-4.0.so.37", O_RDONLY|O_CLOEXEC) = 3
stat("/usr/lib64/evolution/modules/module-webkit-editor.so", {st_mode=S_IFREG|0755, st_size=105320, ...}) = 0
open("/usr/lib64/evolution/modules/module-webkit-editor.so", O_RDONLY|O_CLOEXEC) = 19
stat("/usr/lib64/evolution/modules/module-webkit-inspector.so", {st_mode=S_IFREG|0755, st_size=11256, ...}) = 0
open("/usr/lib64/evolution/modules/module-webkit-inspector.so", O_RDONLY|O_CLOEXEC) = 19
open("/run/user/1001/webkitgtk-wayland-compositor-4a836554-8156-4d9b-aa04-262c594ad6a8.lock", O_RDONLY|O_CREAT|O_CLOEXEC, 0660) = 36
stat("/run/user/1001/webkitgtk-wayland-compositor-4a836554-8156-4d9b-aa04-262c594ad6a8", 0x7fff7ba0db00) = -1 ENOENT (No such file or directory)
bind(37, {sa_family=AF_UNIX, sun_path="/run/user/1001/webkitgtk-wayland-compositor-4a836554-8156-4d9b-aa04-262c594ad6a8"}, 82) = 0
$ strace zenity --title="Select a file to remove" --file-selection 2>&1 | grep webkit
open("/lib64/libwebkit2gtk-4.0.so.37", O_RDONLY|O_CLOEXEC) = 3
Seeing no sign of trouble, this warrants an OK. In our pressed situation, am validating it also. The advisory to be updated re comment 6.

Keywords: (none) => validated_update

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2017-0425.html

Resolution: (none) => FIXED
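
The strace check used in the QA testing above, as an added example that is not part of the original bug report: instead of a bare `grep webkit`, it lists only the WebKitGTK libraries that were actually opened, skipping failed search-path probes and unrelated modules. It goes slightly beyond the traces shown by also accepting `openat()` calls and the `[pid N]` prefix that `strace -f` prints; the function names and the two `[pid 4242]` sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the bug report. Function names are hypothetical.

# Constructed sample: three lines taken from the evolution trace above, plus
# two invented "[pid 4242]" lines in the format strace -f prints for children.
sample_trace() {
    cat <<'EOF'
open("/usr/lib64/evolution/libwebkit2gtk-4.0.so.37", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/lib64/libwebkit2gtk-4.0.so.37", O_RDONLY|O_CLOEXEC) = 3
open("/usr/lib64/evolution/modules/module-webkit-editor.so", O_RDONLY|O_CLOEXEC) = 19
[pid 4242] openat(AT_FDCWD, "/lib64/libjavascriptcoregtk-4.0.so.18", O_RDONLY|O_CLOEXEC) = 3
[pid 4242] open("/lib64/libwebkit2gtk-4.0.so.37", O_RDONLY|O_CLOEXEC) = 3
EOF
}

# Read strace output on stdin; print each WebKitGTK shared library that was
# opened successfully, once, in first-seen order.
webkit_libs_loaded() {
    awk '
        /(^| )open(at)?\(/ && /lib(webkit2gtk|javascriptcoregtk)-[0-9.]+\.so/ {
            # A -1 result is a failed probe along the library search path.
            if ($0 ~ /\) = -1 /) next
            # The path is the first double-quoted string on the line.
            if (match($0, /"[^"]+"/)) {
                path = substr($0, RSTART + 1, RLENGTH - 2)
                if (!(path in seen)) { seen[path] = 1; print path }
            }
        }
    '
}

# Real use (strace must be installed; -f follows child processes):
#   strace -f -e trace=open,openat atril 2>&1 | webkit_libs_loaded
sample_trace | webkit_libs_loaded
```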