Bug 23189

Summary: webkit2 security issues fixed upstream (WSA-2018-0005)
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: davidwhodgins, herman.viaene, sysadmin-bugs
Version: 6Keywords: advisory, has_procedure, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA6-32-OK
Source RPM: webkit2-2.20.2-1.mga6.src.rpm CVE:
Status comment:
Attachments: zenity test script
Sample pdf with hyperlinks

Description David Walser 2018-06-17 00:56:46 CEST 
Upstream has issued an advisory on June 13:
https://webkitgtk.org/security/WSA-2018-0005.html

The issues have been fixed in 2.20.3, released on June 11:
https://webkitgtk.org/2018/06/11/webkitgtk2.20.3-released.html

Mageia 6 is also affected.

It's building in Cauldron now and will be pushed in Mageia 6 when that's done.

Testing procedure in bug 22876 comment 4

Suggested advisory:
========================

Updated webkit2 packages fix security vulnerabilities:

The webkit2 package has been updated to version 2.20.3, fixing several
security issues and other bugs.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4190
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4199
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4218
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4222
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4232
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4233
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4246
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11646
https://webkitgtk.org/security/WSA-2018-0005.html
https://webkitgtk.org/2018/06/11/webkitgtk2.20.3-released.html
========================

Updated packages in core/updates_testing:
========================
webkit2-2.20.3-1.mga6
webkit2-jsc-2.20.3-1.mga6
lib(64)webkit2gtk4.0_37-2.20.3-1.mga6
lib(64)javascriptcoregtk4.0_18-2.20.3-1.mga6
lib(64)webkit2-devel-2.20.3-1.mga6
lib(64)javascriptcore-gir4.0-2.20.3-1.mga6
lib(64)webkit2gtk-gir4.0-2.20.3-1.mga6

from SRPMS:
webkit2-2.20.3-1.mga6.src.rpm
Comment 1 David Walser 2018-06-17 02:05:39 CEST 
Building in Mageia 6 now.  Info in Comment 0.

Assignee: bugsquad => qa-bugs
Keywords: (none) => has_procedure

Comment 2 Herman Viaene 2018-06-30 14:51:10 CEST 
MGA6-32 on IBM Thinkpad R50e MATE
No installation issues.
Followed testing procedure in using zenity and the script (see attachment)
Found also an example of a pdf with internal and external hyperlinks (next attachment)
All work OK.

Whiteboard: (none) => MGA6-32-OK
CC: (none) => herman.viaene

Comment 3 Herman Viaene 2018-06-30 14:53:17 CEST 
Created attachment 10262 [details]
zenity test script
Comment 4 Herman Viaene 2018-06-30 14:54:03 CEST 
Created attachment 10263 [details]
Sample pdf with hyperlinks
Comment 5 Dave Hodgins 2018-07-01 04:28:52 CEST 
Advisory committed to svn. Validating the update.

CC: (none) => davidwhodgins

Comment 6 Dave Hodgins 2018-07-01 04:30:00 CEST 
Actually adding the keywords.

Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs

Comment 7 Mageia Robot 2018-07-01 19:18:32 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0302.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED