Bug 22876

Summary: webkit2 security issues fixed upstream (WSA-2018-0003)
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: marja11, nicolas.salguero, sysadmin-bugs, tarazed25
Version: 6Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA6-64-OK
Source RPM: webkit2-2.18.6-1.mga6.src.rpm CVE:
Status comment: Fixed upstream in 2.20.0

Description David Walser 2018-04-07 18:36:41 CEST 
Upstream has issued an advisory on April 4:
https://www.webkitgtk.org/security/WSA-2018-0003.html

The issues were fixed in 2.20.0 on March 12:
https://www.webkitgtk.org/2018/03/12/webkitgtk2.20.0-released.html

Fedora has issued an advisory for this on April 6:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/Z3L43SWNLRJ64K33RNICPLNO5CHH5M3G/

Mageia 6 is also affected.
David Walser 2018-04-07 18:36:57 CEST

Whiteboard: (none) => MGA6TOO
Status comment: (none) => Fixed upstream in 2.20.0

Comment 1 Marja Van Waes 2018-04-07 23:00:27 CEST 
Assigning to all packagers collectively, since there is no registered maintainer for this package.

Assignee: bugsquad => pkg-bugs
CC: (none) => marja11, nicolas.salguero

Comment 2 Nicolas Salguero 2018-04-19 16:06:14 CEST 
Suggested advisory:
========================

Updated webkit2 packages fix security vulnerabilities:

The webkit2 package has been updated to version 2.20.1, fixing several
security issues and other bugs.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4101
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4113
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4114
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4117
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4118
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4119
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4120
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4122
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4125
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4127
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4128
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4129
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4133
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4146
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4161
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4162
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4163
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4165
https://www.webkitgtk.org/security/WSA-2018-0003.html
https://www.webkitgtk.org/2018/03/12/webkitgtk2.20.0-released.html
https://www.webkitgtk.org/2018/04/10/webkitgtk2.20.1-released.html
========================

Updated packages in core/updates_testing:
========================
webkit2-2.20.1-1.mga6
webkit2-jsc-2.20.1-1.mga6
lib(64)webkit2gtk4.0_37-2.20.1-1.mga6
lib(64)javascriptcoregtk4.0_18-2.20.1-1.mga6
lib(64)webkit2-devel-2.20.1-1.mga6
lib(64)javascriptcore-gir4.0-2.20.1-1.mga6
lib(64)webkit2gtk-gir4.0-2.20.1-1.mga6

from SRPMS:
webkit2-2.20.1-1.mga6.src.rpm

Version: Cauldron => 6
Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA6TOO => (none)
Status: NEW => ASSIGNED
Source RPM: webkit2-2.19.90-1.mga7.src.rpm => webkit2-2.18.6-1.mga6.src.rpm

Comment 3 Len Lawrence 2018-04-22 19:02:22 CEST 
Taking this on for Mageia 6, x86_64.

At least one PoC file has been found.  Looking for others just now.

CC: (none) => tarazed25

Comment 4 Len Lawrence 2018-04-22 23:52:22 CEST 
Sorry, no PoCs.  Must have been thinking of another bug.  All the CVE references lead to a series of circular links.  The most that can be said is that nobody has analyzed the vulnerabilities with respect to reproducers yet.

There are a lot of applications with some dependency on webkit2.  Tried a few before updating the candidate packages.

Ran strace on atril when reading a PDF document.
$ grep webkit atril.trace
open("/lib64/libwebkit2gtk-4.0.so.37", O_RDONLY|O_CLOEXEC) = 3
open("/usr/lib64/libwebkit2gtk-4.0.so.37.24.9", O_RDONLY) = 3
unlink("/home/lcl/.local/share/webkitgtk/localstorage/StorageTracker.db-shm") = 0
unlink("/home/lcl/.local/share/webkitgtk/localstorage/StorageTracker.db-wal") = 0
stat("/home/lcl/.local/share/webkitgtk/localstorage/StorageTracker.db", {st_mode=S_IFREG|0644, st_size=3072, ...}) = 0

$ grep webkit2 shotwell.trace
open("/lib64/libwebkit2gtk-4.0.so.37", O_RDONLY|O_CLOEXEC) = 14

After updating webkit2, shotwell and atril behaved properly.  atril supports hyperlinks in PDFs; that worked fine - raised a documentation page in firefox.
It was not always possible to demonstrate a connection between webkit2 and some of the other applications listed as having a dependency on webkit2.  The link with thunar and totem for example is tenuous at most.

Used zenity and the simple perl script supplied at https://help.gnome.org/users/zenity/3.24/calendar.html.en
to generate an interactive calendar widget.
libwebkit2gtk-4.0.so.37()(64bit) is listed as a dependency of zenity.

I did install steam and attempted to register but was given the runaround so gave up on that.  In any case it showed no signs of using webkit2.

This shall have to do for testing functionality of dependent applications.
Giving it the OK.

Whiteboard: (none) => MGA6-64-OK

Lewis Smith 2018-04-23 20:50:19 CEST

Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs

Comment 5 Mageia Robot 2018-04-30 21:09:02 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0213.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED