| Summary: | webkit2 security issues fixed upstream (WSA-2017-0010) | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Nicolas Salguero <nicolas.salguero> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | herman.viaene, sysadmin-bugs |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA6-32-OK MGA6-64-OK | ||
| Source RPM: | webkit2-2.18.3-1.mga6.src.rpm | CVE: | |
| Status comment: | |||
Description
Nicolas Salguero
2017-12-20 13:25:43 CET
Nicolas Salguero
2017-12-20 13:27:03 CET
Assignee: bugsquad => nicolas.salguero

Suggested advisory:
========================

Updated webkit2 packages fix security vulnerabilities:

The webkit2 package has been updated to version 2.18.4, fixing several security issues and other bugs.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7156
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7157
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13856
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13866
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13870
https://webkitgtk.org/security/WSA-2017-0010.html
https://webkitgtk.org/2017/12/19/webkitgtk2.18.4-released.html
http://openwall.com/lists/oss-security/2017/12/19/6
========================

Updated packages in core/updates_testing:
========================
webkit2-2.18.4-1.mga6
webkit2-jsc-2.18.4-1.mga6
lib(64)webkit2gtk4.0_37-2.18.4-1.mga6
lib(64)javascriptcoregtk4.0_18-2.18.4-1.mga6
lib(64)webkit2-devel-2.18.4-1.mga6
lib(64)javascriptcore-gir4.0-2.18.4-1.mga6
lib(64)webkit2gtk-gir4.0-2.18.4-1.mga6

from SRPMS:
webkit2-2.18.4-1.mga6.src.rpm

Whiteboard: MGA6TOO => (none)

MGA6-32 on Dell Latitude D600 MATE
No installation issues
At CLI:
$ strace -o webkit.txt atril
(atril:8385): Gtk-WARNING **: Allocating size to EvSidebar 0x92c2a00 without calling gtk_widget_get_preferred_width/height(). How does the code know the size to allocate?
Atril opens and I can read a pdf made by scanning (xsane) two pages from a magazine. Trace confirms libwebkit2gtk is called.

CC: (none) => herman.viaene

Lewis Smith
2017-12-31 15:54:19 CET
Keywords: (none) => advisory

Testing M6/64

AFTER update:
- lib64javascriptcore-gir4.0-2.18.4-1.mga6.x86_64
- lib64javascriptcoregtk4.0_18-2.18.4-1.mga6.x86_64
- lib64webkit2gtk-gir4.0-2.18.4-1.mga6.x86_64
- lib64webkit2gtk4.0_37-2.18.4-1.mga6.x86_64
- webkit2-2.18.4-1.mga6.x86_64

Using https://bugs.mageia.org/show_bug.cgi?id=21894#c8 as a guide.

Web/Epiphany says: "Epiphany is a GNOME web browser based on the webkit rendering engine." If it has anything to do with this update, I used it extensively without problems (other than outdated certificates).

$ strace atril 2>&1 | grep webkit2
open("/lib64/libwebkit2gtk-4.0.so.37", O_RDONLY|O_CLOEXEC) = 3
read(14, "usr/lib64/libwebkit2gtk-4.0.so.3"..., 1024) = 1024
I opened a long PDF document with images, perfect. It only seems to offer to view PDFs, not .odt or .txt.

$ strace evolution 2>&1 | grep webkit2
open("/usr/lib64/evolution/libwebkit2gtk-4.0.so.37", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/lib64/libwebkit2gtk-4.0.so.37", O_RDONLY|O_CLOEXEC) = 3
Clicked everything in sight; all seems correct.

$ strace zenity --title="Select a file to remove" --file-selection 2>&1 | grep webkit2
open("/lib64/libwebkit2gtk-4.0.so.37", O_RDONLY|O_CLOEXEC) = 3
Opened a functional file chooser dialogue. Nothing untoward to prevent an OK & validation.

Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2018-0005.html

Status: ASSIGNED => RESOLVED
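
Added example, not part of the original bug thread: the "strace ... | grep webkit2" checks above also match a failed lookup (the -1 ENOENT line) and a read() call that only mentions the library name. The shell function below keeps only open()/openat() calls that returned a file descriptor. The function names and the pid-prefixed openat line are constructed for illustration; the other sample lines are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example: report which libraries a traced process actually loaded.
# Live use: strace -f -e trace=open,openat atril 2>&1 | loaded_libs libwebkit2gtk

# loaded_libs PATTERN: read strace output on stdin and print each path
# containing PATTERN whose open()/openat() returned a file descriptor.
loaded_libs() {
    awk -v pat="$1" '
    {
        line = $0
        sub(/^\[pid +[0-9]+\] +/, "", line)    # drop the "strace -f" pid prefix
        if (line !~ /^open(at)?\(/) next        # ignore read(), stat(), ...
        n = split(line, part, " = ")            # return value follows the last " = "
        if (part[n] !~ /^[0-9]+/) next          # "-1 ENOENT ..." means the lookup failed
        if (split(line, q, "\"") < 3) next      # first quoted string is the path
        if (index(q[2], pat) && !seen[q[2]]++) print q[2]
    }'
}

# Sample trace: the first three lines are quoted from the thread,
# the last one is constructed to show the pid-prefixed openat() form.
sample_trace() {
    cat <<'EOF'
open("/usr/lib64/evolution/libwebkit2gtk-4.0.so.37", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/lib64/libwebkit2gtk-4.0.so.37", O_RDONLY|O_CLOEXEC) = 3
read(14, "usr/lib64/libwebkit2gtk-4.0.so.3"..., 1024) = 1024
[pid  4321] openat(AT_FDCWD, "/lib64/libjavascriptcoregtk-4.0.so.18", O_RDONLY|O_CLOEXEC) = 4
EOF
}

# Only the path that really resolved is printed.
sample_trace | loaded_libs libwebkit2gtk
```

This confirms which file was mapped, not its version; checking the installed package version against 2.18.4 is a separate step.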