| Summary: | webkit2 security issues fixed upstream (WSA-2018-0006) | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, brtians1, davidwhodgins, herman.viaene, nicolas.salguero, sysadmin-bugs |
| Version: | 6 | Keywords: | advisory, has_procedure, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA6-32-OK MGA6-64-OK | ||
| Source RPM: | webkit2-2.20.3-1.mga6.src.rpm | CVE: | |
| Status comment: | |||
| Attachments: | journalctl for Aug25th. midori webkit issues | ||
Description
David Walser
2018-08-08 13:16:40 CEST
David Walser
2018-08-08 13:16:52 CEST
Keywords: (none) => has_procedure

MGA6-32 MATE on IBM Thinkpad R50e
No installation issues.
Following procedure above, opened a pdf containing links with atril: expected behavior is OK
Run the perl testscript provides an interactive calendar widget. All OK.

CC: (none) => herman.viaene

mga6-64

$ uname -a
Linux localhost 4.14.65-desktop-1.mga6 #1 SMP Sat Aug 18 14:50:29 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

This breaks midori browser so this is a no go. I'll attach journal.

Let me know if you need anything else

CC: (none) => brtians1

Created attachment 10336
journalctl for Aug25th. midori webkit issues

Xfce platform running in VirtualBox
I installed midori:
The following 3 packages are going to be installed:
- lib64midori-core1-0.5.11-4.mga6.x86_64
- lib64zeitgeist2.0_0-1.0-1.mga6.x86_64
- midori-0.5.11-4.mga6.x86_64
5MB of additional disk space will be used.
1.1MB of packages will be retrieved.
I tested it and it was able to access the mageia and slashdot web-sites
Then upgraded webkit.
Afterwards midori was no longer functional.
When I run from terminal I see the following:
$ midori
(midori4:3915): Gtk-WARNING **: Theme parsing error: gtk3.css:2:31: The style property GtkButton:default-border is deprecated and shouldn't be used anymore. It will be removed in a future version
(midori4:3915): Gtk-WARNING **: Theme parsing error: gtk3.css:3:39: The style property GtkButton:default-outside-border is deprecated and shouldn't be used anymore. It will be removed in a future version
(midori4:3915): Gtk-WARNING **: Theme parsing error: gtk3.css:4:29: The style property GtkButton:inner-border is deprecated and shouldn't be used anymore. It will be removed in a future version
(midori4:3915): Gtk-WARNING **: Theme parsing error: gtk3.css:5:33: The style property GtkWidget:focus-line-width is deprecated and shouldn't be used anymore. It will be removed in a future version
(midori4:3915): Gtk-WARNING **: Theme parsing error: gtk3.css:6:30: The style property GtkWidget:focus-padding is deprecated and shouldn't be used anymore. It will be removed in a future version
(midori4:3915): Gtk-WARNING **: Theme parsing error: gtk3.css:26:20: The :insensitive pseudo-class is deprecated. Use :disabled instead.
(midori4:3915): GLib-CRITICAL **: g_file_test: assertion 'filename != NULL' failed
/usr/libexec/webkit2gtk-4.0/WebKitWebProcess: symbol lookup error: /lib64/libwebkit2gtk-4.0.so.37: undefined symbol: _ZN3JSC41DeferredStructureTransitionWatchpointFireC1ERNS_2VMEPNS_9StructureE
See journal. Let me know if you need anything else from me
I guess we need to update to the 2.20.5 bugfix version.

Suggested advisory:
========================

Updated webkit2 packages fix security vulnerabilities:

The webkit2 package has been updated to version 2.20.5, fixing several security issues and other bugs.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4261
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4262
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4263
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4264
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4265
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4266
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4267
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4270
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4272
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4273
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4278
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4284
https://webkitgtk.org/security/WSA-2018-0006.html
https://webkitgtk.org/2018/08/06/webkitgtk2.20.4-released.html
https://webkitgtk.org/2018/08/13/webkitgtk2.20.5-released.html
========================

Updated packages in core/updates_testing:
========================
webkit2-2.20.5-1.mga6
webkit2-jsc-2.20.5-1.mga6
lib(64)webkit2gtk4.0_37-2.20.5-1.mga6
lib(64)javascriptcoregtk4.0_18-2.20.5-1.mga6
lib(64)webkit2-devel-2.20.5-1.mga6
lib(64)javascriptcore-gir4.0-2.20.5-1.mga6
lib(64)webkit2gtk-gir4.0-2.20.5-1.mga6

from webkit2-2.20.5-1.mga6.src.rpm

Whiteboard: MGA6-32-OK => (none)

MGA6-32 MATE on IBM Thinkpad R50e
No installation issues.
Following procedure above, opened a pdf containing links with atril: expected behavior is OK.
Run the perl testscript provides an interactive calendar widget. All OK.

Whiteboard: (none) => MGA6-32-OK

The following 4 packages are going to be installed:
- lib64webkit2gtk-gir4.0-2.20.5-1.mga6.x86_64
- lib64webkit2gtk4.0_37-2.20.5-1.mga6.x86_64
- webkit2-2.20.5-1.mga6.x86_64
- webkit2-jsc-2.20.5-1.mga6.x86_64
240KB of additional disk space will be used.

midori failed.

Installed the development libraries and the 230MB of additional stuff
lib(64)webkit2-devel-2.20.5-1.mga6
and the following

Aug 28 21:55:40 localhost [RPM][4025]: Transaction ID 5b860b2c started
Aug 28 21:55:40 localhost [RPM][4025]: erase lib64javascriptcore-gir4.0-2.20.3-1
Aug 28 21:55:40 localhost [RPM][4025]: erase lib64javascriptcoregtk4.0_18-2.20.3
Aug 28 21:55:40 localhost [RPM][4025]: erase lib64xcursor1-1.1.14-6.1.mga6.x86_6
Aug 28 21:55:40 localhost [RPM][4025]: install lib64sqlite3-devel-3.17.0-2.2.mga
Aug 28 21:55:41 localhost [RPM][4025]: install lib64javascriptcoregtk4.0_18-2.20
Aug 28 21:55:41 localhost [RPM][4025]: install lib64javascriptcore-gir4.0-2.20.5
Aug 28 21:55:42 localhost [RPM][4025]: install lib64soup-devel-2.58.2-1.1.mga6.x
Aug 28 21:55:42 localhost [RPM][4025]: install lib64xcursor1-1.1.14-6.2.mga6.x86
Aug 28 21:55:42 localhost [RPM][4025]: install lib64xcursor-devel-1.1.14-6.2.mga
Aug 28 21:55:45 localhost [RPM][4025]: install lib64gtk+3.0-devel-3.22.16-1.mga6
Aug 28 21:55:45 localhost [RPM][4025]: install lib64jpeg-devel-1:1.5.1-1.2.mga6.
Aug 28 21:55:45 localhost [RPM][4025]: install lib64tasn1-devel-4.13-1.mga6.x86_
Aug 28 21:55:45 localhost [RPM][4025]: install lib64webkit2-devel-2.20.5-1.mga6.
Aug 28 21:55:47 localhost [RPM][4025]: install pango-doc-1.40.6-1.1.mga6.noarch:
Aug 28 21:55:47 localhost [RPM][4025]: erase lib64javascriptcore-gir4.0-2.20.3-1
Aug 28 21:55:47 localhost [RPM][4025]: erase lib64javascriptcoregtk4.0_18-2.20.3
Aug 28 21:55:47 localhost [RPM][4025]: erase lib64xcursor1-1.1.14-6.1.mga6.x86_6
Aug 28 21:55:53 localhost [RPM][4025]: install lib64sqlite3-devel-3.17.0-2.2.mga
Aug 28 21:55:53 localhost [RPM][4025]: install lib64javascriptcoregtk4.0_18-2.20
Aug 28 21:55:53 localhost [RPM][4025]: install lib64javascriptcore-gir4.0-2.20.5
Aug 28 21:55:53 localhost [RPM][4025]: install lib64soup-devel-2.58.2-1.1.mga6.x
Aug 28 21:55:53 localhost [RPM][4025]: install lib64xcursor1-1.1.14-6.2.mga6.x86
Aug 28 21:55:53 localhost [RPM][4025]: install lib64xcursor-devel-1.1.14-6.2.mga
Aug 28 21:55:53 localhost [RPM][4025]: install lib64gtk+3.0-devel-3.22.16-1.mga6
Aug 28 21:55:53 localhost [RPM][4025]: install lib64jpeg-devel-1:1.5.1-1.2.mga6.
Aug 28 21:55:53 localhost [RPM][4025]: install lib64tasn1-devel-4.13-1.mga6.x86_
Aug 28 21:55:53 localhost [RPM][4025]: install lib64webkit2-devel-2.20.5-1.mga6.
Aug 28 21:55:53 localhost [RPM][4025]: install pango-doc-1.40.6-1.1.mga6.noarch:
Aug 28 21:55:53 localhost [RPM][4025]: Transaction ID 5b860b2c finished: 0

behold - it works now.

MGa6-64 works - we just need to note midori needs the dev libraries.

Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK

(In reply to Brian Rockwell from comment #7)
> MGa6-64 works - we just need to note midori needs the dev libraries.

It shouldn't. What's with that? Packaging error?

(In reply to David Walser from comment #8)
> (In reply to Brian Rockwell from comment #7)
> > MGa6-64 works - we just need to note midori needs the dev libraries.
>
> It shouldn't. What's with that? Packaging error?

The dev libraries are not needed. What is needed is lib(64)javascriptcoregtk4.0_18 and lib(64)javascriptcore-gir4.0 packages in the same version as webkit2. In comment 7, it seems that those packages have not been updated at the same time as the other packages. I made that mistake myself once and, now, I do not forget anymore :-)

By installing the devel package, the two forgotten packages are forced to be updated.

Best regards,

Nico.

Has anyone fixed the dependency noted by Nicolas?

It's not a dependency issue, it's user error. When you QA test packages, make sure *all* of the relevant packages built from that SRPM (listed in Comment 5 in this case) get updated.

Keywords: feedback => (none)

Sounds to me like this is good to go, then.

Validating. Suggested advisory in Comment 5.

Keywords: (none) => validated_update

David - fine. Why didn't Midori request the package?

Midori does require the package, that's why it was already installed.
Dave Hodgins
2018-09-21 16:58:08 CEST
Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0382.html

Status: ASSIGNED => RESOLVED
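
The check the thread converges on (every binary package built from one SRPM has to be at the same version, otherwise WebKitWebProcess fails with the symbol lookup error shown earlier), as an added example that is not part of the original bug report. The helper name `srpm_skew` and the sample lines are constructed for illustration; the function reads the output of `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE} %{SOURCERPM}\n'` and reports source packages whose installed subpackages are at mixed versions.

```shell
#!/bin/sh
# Added example: flag source packages whose installed binary subpackages
# are at different version-release strings (a partial update).
# Live use (standard rpm query tags):
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE} %{SOURCERPM}\n' | srpm_skew

# srpm_skew is a hypothetical helper name; it reads "name evr sourcerpm" lines.
srpm_skew() {
    awk '
    NF == 3 {
        src = $3
        sub(/\.src\.rpm$/, "", src)       # webkit2-2.20.5-1.mga6
        sub(/-[^-]+-[^-]+$/, "", src)     # strip version-release: webkit2
        key = src SUBSEP $2
        if (!(key in seen)) { seen[key] = 1; nver[src]++ }
        pkgs[src] = pkgs[src] "  " $1 " " $2 "\n"
    }
    END {
        for (s in nver)
            if (nver[s] > 1) { printf "SKEW %s\n%s", s, pkgs[s]; bad = 1 }
        exit bad + 0
    }'
}

# Constructed sample modelled on the state reported in the thread:
# webkit2 and libwebkit2gtk updated, libjavascriptcoregtk left at 2.20.3.
SAMPLE='webkit2 2.20.5-1.mga6 webkit2-2.20.5-1.mga6.src.rpm
lib64webkit2gtk4.0_37 2.20.5-1.mga6 webkit2-2.20.5-1.mga6.src.rpm
lib64javascriptcoregtk4.0_18 2.20.3-1.mga6 webkit2-2.20.3-1.mga6.src.rpm
midori 0.5.11-4.mga6 midori-0.5.11-4.mga6.src.rpm
lib64midori-core1 0.5.11-4.mga6 midori-0.5.11-4.mga6.src.rpm'

printf '%s\n' "$SAMPLE" | srpm_skew ||
    echo "partial update: install every package built from the SRPM above"
```

Grouping is by source package name rather than the full SOURCERPM string, because after a partial update the stale subpackage still records the old SRPM file name.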