Bug 23004

Summary: webkit2 security issues fixed upstream (WSA-2018-0004)
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, marja11, mhrambo3501, nicolas.salguero, olav, sysadmin-bugs, tarazed25, tmb
Version: 6Keywords: advisory, has_procedure, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA6-64-OK
Source RPM: webkit2-2.20.1-1.mga6.src.rpm CVE: CVE-2018-4200
Status comment:
Attachments: Interactive calendar widget script for zenity

Description David Walser 2018-05-08 16:06:23 CEST 
Upstream has issued an advisory on May 7:
https://webkitgtk.org/security/WSA-2018-0004.html

CVE-2018-4200 was fixed in 2.20.2 on May 7:
https://webkitgtk.org/2018/05/07/webkitgtk2.20.2-released.html

Mageia 6 is also affected.
David Walser 2018-05-08 16:06:31 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2018-05-09 08:37:06 CEST 
Assigning to all packagers collectively, since there is no registered maintainer for this package.

CC'ing some committers.

CC: (none) => marja11, mrambo, nicolas.salguero, olav
Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2018-05-09 11:12:36 CEST 
Suggested advisory:
========================

Updated webkit2 packages fix security vulnerabilities:

The webkit2 package has been updated to version 2.20.2, fixing several
security issues and other bugs.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4200
https://www.webkitgtk.org/security/WSA-2018-0004.html
https://www.webkitgtk.org/2018/05/07/webkitgtk2.20.2-released.html
========================

Updated packages in core/updates_testing:
========================
webkit2-2.20.2-1.mga6
webkit2-jsc-2.20.2-1.mga6
lib(64)webkit2gtk4.0_37-2.20.2-1.mga6
lib(64)javascriptcoregtk4.0_18-2.20.2-1.mga6
lib(64)webkit2-devel-2.20.2-1.mga6
lib(64)javascriptcore-gir4.0-2.20.2-1.mga6
lib(64)webkit2gtk-gir4.0-2.20.2-1.mga6

from SRPMS:
webkit2-2.20.2-1.mga6.src.rpm

Assignee: pkg-bugs => qa-bugs
Status: NEW => ASSIGNED
CVE: (none) => CVE-2018-4200
Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)

Comment 3 claire robinson 2018-05-19 04:16:01 CEST 
Procedure in bug 22876 comment 4

Keywords: (none) => has_procedure

Comment 4 Len Lawrence 2018-05-23 18:54:24 CEST 
Mageia 6, x86_64

Found no reproducers for the security flaws and bugs.
Updated the packages, adding webkit2-jsc and lib64webkit2-devel.

Referred to previous bug 22876 for procedure.

Used atril to look at the TurboPrint manual as a PDF.  It worked perfectly including following hyperlinks and weblinks.

Ran shotwell on a small image collection.  That worked fine and it also launched a video in the same directory.

Called zenity with the calendar dialogue.
This displayed an interactive calendar widget and returned a selected date as a string in the terminal.
$ zenity --calendar calendar.pl
Gtk-Message: GtkDialog mapped without a transient parent. This is discouraged.
22/06/17

Hoping that these functionality tests are sufficient for an OK.

Whiteboard: (none) => MGA6-64-OK
CC: (none) => tarazed25

Comment 5 Len Lawrence 2018-05-23 19:00:01 CEST 
Created attachment 10184 [details]
Interactive calendar widget script for zenity

Downloaded from
https://help.gnome.org/users/zenity/3.24/calendar.html.en

$ zenity --calendar calendar.pl
Comment 6 Thomas Andrews 2018-05-24 15:38:19 CEST 
Len, your tests were deemed sufficient to validate this the last time, so they should be this time, too.

Validating. Suggested advisory in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2018-05-29 20:55:39 CEST

CC: (none) => tmb
Keywords: (none) => advisory

Comment 7 Mageia Robot 2018-05-29 21:42:29 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0258.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED