Bug 22452

Assigning to all packagers collectively, since there is no registered maintainer for this package.

Assignee: bugsquad => pkg-bugs
CC: (none) => marja11

Suggested advisory:
========================

Updated webkit2 packages fix security vulnerabilities:

The webkit2 package has been updated to version 2.18.6, fixing several
security issues and other bugs.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4088
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4089
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4096
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7153
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7160
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7161
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7165
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13884
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13885
https://webkitgtk.org/security/WSA-2018-0002.html
https://webkitgtk.org/2018/01/24/webkitgtk2.18.6-released.html
http://openwall.com/lists/oss-security/2018/01/24/6
========================

Updated packages in core/updates_testing:
========================
webkit2-2.18.6-1.mga6
webkit2-jsc-2.18.6-1.mga6
lib(64)webkit2gtk4.0_37-2.18.6-1.mga6
lib(64)javascriptcoregtk4.0_18-2.18.6-1.mga6
lib(64)webkit2-devel-2.18.6-1.mga6
lib(64)javascriptcore-gir4.0-2.18.6-1.mga6
lib(64)webkit2gtk-gir4.0-2.18.6-1.mga6

from SRPMS:
webkit2-2.18.6-1.mga6.src.rpm

Whiteboard: MGA6TOO => (none)
Assignee: pkg-bugs => qa-bugs
Status: NEW => ASSIGNED
Version: Cauldron => 6

Advisory done.
Wanted to test, but it is not yet in my mirror.
 https://bugs.mageia.org/show_bug.cgi?id=22245#c3
has relevant application pointers. Test under Gnome might help.

Keywords: (none) => advisory

Testing M6/64 under Gnome.
I could not find any test cases in the many CVEs.

BEFORE update: all pkgs at 2.18.5-1

Atril with a long sophisticated PDF, good:
 $ strace atril 2>&1 | grep webkit2
open("/lib64/libwebkit2gtk-4.0.so.37", O_RDONLY|O_CLOEXEC) = 3
read(14, "libwebkit2gtk-4.0.so.37.24.8\n7f7"..., 1024) = 1024

Evolution
 $ strace evolution 2>&1 | grep webkit2
open("/usr/lib64/evolution/libwebkit2gtk-4.0.so.37", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/lib64/libwebkit2gtk-4.0.so.37", O_RDONLY|O_CLOEXEC) = 3
Not OK: it seized up after a few random clicks. But it may have been OK - see post-update test.

Zenity; good.
 $ strace zenity --title="Select a file to remove" --file-selection 2>&1 | grep webkit2
open("/lib64/libwebkit2gtk-4.0.so.37", O_RDONLY|O_CLOEXEC) = 3
----------------
AFTER update to:
 lib64javascriptcoregtk4.0_18-2.18.6-1.mga6
 lib64javascriptcore-gir4.0-2.18.6-1.mga6
 lib64webkit2gtk4.0_37-2.18.6-1.mga6
 lib64webkit2gtk-gir4.0-2.18.6-1.mga6
 webkit2-2.18.6-1.mga6

Atril on different PDFs:
 $ strace atril 2>&1 | grep webkit2
open("/lib64/libwebkit2gtk-4.0.so.37", O_RDONLY|O_CLOEXEC) = 3
read(14, "libwebkit2gtk-4.0.so.37.24.9\n7f2"..., 1024) = 1024
Note version updated. Result good.

Zenity: same as before, good.

Evolution:
 $ strace evolution 2>&1 | grep webkit2open("/usr/lib64/evolution/libwebkit2gtk-4.0.so.37", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/lib64/libwebkit2gtk-4.0.so.37", O_RDONLY|O_CLOEXEC) = 3
Once again this seized up. Clicking hopefully here & there, it eventually caught up on the buffered clicks (shown in its own window heading), and then reacted sensibly.

OKing the update; validating.

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: (none) => MGA6-64-OK

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0102.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED