Upstream has issued an advisory today (November 4):
https://webkitgtk.org/security/WSA-2016-0006.html

The issues are all fixed in 2.14.0 (Cauldron has 2.14.1).

We should update both to 2.14.2:
https://webkitgtk.org/2016/11/03/webkitgtk2.14.2-released.html
Source RPM: (none) => webkit2-2.12.4-1.mga5.src.rpm
Assigning to the registered maintainer, but CC'ing all packagers collectively, because the maintainer seems unavailable.
CC: (none) => marja11, pkg-bugs
Assignee: bugsquad => fundawang
Ubuntu has issued an advisory for this on January 10: http://www.ubuntu.com/usn/usn-3166-1
URL: (none) => https://lwn.net/Vulnerabilities/711330/
Upstream has issued an advisory on January 17:
https://www.webkitgtk.org/security/WSA-2017-0001.html

Several of the issues are fixed in 2.14.3:
https://www.webkitgtk.org/2017/01/17/webkitgtk2.14.3-released.html

LWN reference:
https://lwn.net/Vulnerabilities/711945/
Summary: webkit2 security issues fixed upstream (WSA-2016-0006) => webkit2 security issues fixed upstream (WSA-2016-0006 and WSA-2017-0001)
To find the packages that use webkit2, you can see at:
https://bugs.mageia.org/show_bug.cgi?id=18597#c1

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

WebKit in Apple iOS before 10, Safari before 10, and tvOS before 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, a different vulnerability than CVE-2016-4730, CVE-2016-4733, CVE-2016-4734, and CVE-2016-4735. (CVE-2016-4611)

Processing maliciously crafted web content may result in the disclosure of user information. Description: An input validation issue was addressed through improved state management. (CVE-2016-4613)

WebKit in Apple iOS before 9.3.5 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site. (CVE-2016-4657)

Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed through improved memory handling. (CVE-2016-4666)

CFNetwork in Apple iOS before 10 and OS X before 10.12 mishandles Local Storage deletion, which allows local users to discover the visited web sites of arbitrary users via unspecified vectors. (CVE-2016-4707)

WebKit in Apple iOS before 10, tvOS before 10, iTunes before 12.5.1 on Windows, and Safari before 10 mishandles error prototypes, which allows remote attackers to execute arbitrary code via a crafted web site. (CVE-2016-4728)

WebKit in Apple iOS before 10 and Safari before 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, a different vulnerability than CVE-2016-4731. (CVE-2016-4729)

WebKit in Apple iOS before 10, Safari before 10, and tvOS before 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, a different vulnerability than CVE-2016-4611, CVE-2016-4733, CVE-2016-4734, and CVE-2016-4735. (CVE-2016-4730)

WebKit in Apple iOS before 10 and Safari before 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, a different vulnerability than CVE-2016-4729. (CVE-2016-4731)

WebKit in Apple iOS before 10, Safari before 10, and tvOS before 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, a different vulnerability than CVE-2016-4611, CVE-2016-4730, CVE-2016-4734, and CVE-2016-4735. (CVE-2016-4733)

WebKit in Apple iOS before 10, Safari before 10, and tvOS before 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, a different vulnerability than CVE-2016-4611, CVE-2016-4730, CVE-2016-4733, and CVE-2016-4735. (CVE-2016-4734)

WebKit in Apple iOS before 10, Safari before 10, and tvOS before 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, a different vulnerability than CVE-2016-4611, CVE-2016-4730, CVE-2016-4733, and CVE-2016-4734. (CVE-2016-4735)

WebKit in Apple iOS before 10, iTunes before 12.5.1 on Windows, and Safari before 10 does not properly restrict access to the location variable, which allows remote attackers to obtain sensitive information via a crafted web site. (CVE-2016-4758)

WebKit in Apple iOS before 10, tvOS before 10, iTunes before 12.5.1 on Windows, and Safari before 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, a different vulnerability than CVE-2016-4765, CVE-2016-4766, CVE-2016-4767, and CVE-2016-4768. (CVE-2016-4759)

WebKit in Apple iOS before 10, iTunes before 12.5.1 on Windows, and Safari before 10 allows remote attackers to conduct DNS rebinding attacks against non-HTTP Safari sessions by leveraging HTTP/0.9 support. (CVE-2016-4760)

An use-after-free vulnerability allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors. (CVE-2016-4761)

WebKit in Apple iOS before 10, iTunes before 12.5.1 on Windows, iCloud before 6.0 on Windows, and Safari before 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site. (CVE-2016-4762)

Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed through improved state management. (CVE-2016-4764)

WebKit in Apple iOS before 10, tvOS before 10, iTunes before 12.5.1 on Windows, and Safari before 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, a different vulnerability than CVE-2016-4759, CVE-2016-4766, CVE-2016-4767, and CVE-2016-4768. (CVE-2016-4765)

WebKit in Apple iOS before 10, tvOS before 10, iTunes before 12.5.1 on Windows, and Safari before 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, a different vulnerability than CVE-2016-4759, CVE-2016-4765, CVE-2016-4767, and CVE-2016-4768. (CVE-2016-4766)

WebKit in Apple iOS before 10, tvOS before 10, iTunes before 12.5.1 on Windows, and Safari before 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, a different vulnerability than CVE-2016-4759, CVE-2016-4765, CVE-2016-4766, and CVE-2016-4768. (CVE-2016-4767)

WebKit in Apple iOS before 10, tvOS before 10, iTunes before 12.5.1 on Windows, and Safari before 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, a different vulnerability than CVE-2016-4759, CVE-2016-4765, CVE-2016-4766, and CVE-2016-4767. (CVE-2016-4768)

WebKit in Apple iTunes before 12.5.1 on Windows and Safari before 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site. (CVE-2016-4769)

Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed through improved memory handling. (CVE-2016-7578)

Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed through improved memory handling. (CVE-2016-4692)

Processing maliciously crafted web content may result in the disclosure of process memory. Description: A memory corruption issue was addressed through improved input validation. (CVE-2016-4743)

Processing maliciously crafted web content may result in the disclosure of user information. Description: A validation issue was addressed through improved state management. (CVE-2016-7586)

Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed through improved state management. (CVE-2016-7587)

Processing maliciously crafted web content may lead to arbitrary code execution. Description: A memory corruption issue was addressed through improved state management. (CVE-2016-7589)

Processing maliciously crafted web content may compromise user information. Description: An issue existed in handling of JavaScript prompts. This was addressed through improved state management. (CVE-2016-7592)

Processing maliciously crafted web content may result in the disclosure of process memory. Description: An uninitialized memory access issue was addressed through improved memory initialization. (CVE-2016-7598)

Processing maliciously crafted web content may result in the disclosure of user information. Description: An issue existed in the handling of HTTP redirects. This issue was addressed through improved cross origin validation. (CVE-2016-7599)

Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed through improved state management. (CVE-2016-7610)

Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed through improved state management. (CVE-2016-7611)

Visiting a maliciously crafted website may compromise user information. Description: An issue existed in the handling of blob URLs. This issue was addressed through improved URL handling. (CVE-2016-7623)

Visiting a maliciously crafted webpage may lead to an unexpected application termination or arbitrary code execution. Description: A memory corruption issue was addressed through improved state management. (CVE-2016-7632)

Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed through improved memory handling. (CVE-2016-7635)

Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed through improved state management. (CVE-2016-7639)

Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed through improved state management. (CVE-2016-7640)

Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed through improved state management. (CVE-2016-7641)

Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed through improved state management. (CVE-2016-7642)

Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed through improved state management. (CVE-2016-7645)

Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed through improved state management. (CVE-2016-7646)

Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed through improved state management. (CVE-2016-7648)

Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed through improved state management. (CVE-2016-7649)

Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed through improved memory handling. (CVE-2016-7652)

Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed through improved state management. (CVE-2016-7654)

Processing maliciously crafted web content may lead to arbitrary code execution. Description: A memory corruption issue was addressed through improved state management. (CVE-2016-7656)

References:
https://webkitgtk.org/security/WSA-2016-0006.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4611
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4613
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4657
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4666
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4707
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4728
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4729
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4730
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4731
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4733
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4734
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4735
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4758
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4759
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4760
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4761
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4762
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4764
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4765
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4766
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4767
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4768
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4769
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7578
https://www.webkitgtk.org/security/WSA-2017-0001.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4692
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4743
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7586
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7587
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7589
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7592
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7598
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7599
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7610
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7611
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7623
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7632
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7635
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7639
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7640
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7641
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7642
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7645
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7646
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7648
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7649
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7652
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7654
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7656
https://webkitgtk.org/2016/11/03/webkitgtk2.14.2-released.html
https://www.webkitgtk.org/2017/01/17/webkitgtk2.14.3-released.html
========================

Updated packages in core/updates_testing:
========================
webkit2-2.14.3-1.mga5
webkit2-jsc-2.14.3-1.mga5
lib(64)webkit2gtk4.0_37-2.14.3-1.mga5
lib(64)javascriptcoregtk4.0_18-2.14.3-1.mga5
lib(64)webkit2-devel-2.14.3-1.mga5
lib(64)javascriptcore-gir4.0-2.14.3-1.mga5
lib(64)webkit2gtk-gir4.0-2.14.3-1.mga5

from SRPMS:
webkit2-2.14.3-1.mga5.src.rpm
Status: NEW => ASSIGNED
CC: (none) => nicolas.salguero
Assignee: fundawang => qa-bugs
Abbreviated list of dependent software, from:
$ urpmq --whatrequires-recursive webkit2 | sort | uniq

anjuta
areca-backup
cbi-plugins
devhelp
eclipse-*
epiphany
gitg
glade3
gtkpod
gthumb
jetty-httpservice
jfreechart-swt
[many libs, mostly related to the other programs]
shotwell
tuxguitar
tycho [relates to eclipse]
vuze

epiphany (alias Web I think), gthumb & shotwell look the easiest applications.
CC: (none) => lewyssmith
Testing M5 x64 real hardware

AFTER update:
lib64javascriptcore-gir4.0-2.14.3-1.mga5
lib64javascriptcoregtk4.0_18-2.14.3-1.mga5
lib64webkit2gtk4.0_37-2.14.3-1.mga5
lib64webkit2gtk-gir4.0-2.14.3-1.mga5
webkit2-2.14.3-1.mga5

Used Web/Epiphany on several sites, using it for this report.
Played with gThumb & Shotwell (which curiously does not accept .gif) with different image formats.
No problems perceived, deeming the update OK.
Will tackle the enormous Advisory in Comment 4.
Whiteboard: (none) => MGA5-64-OK
Whiteboard: MGA5-64-OK => MGA5-64-OK advisory
Upstream has issued an advisory on February 10:
https://webkitgtk.org/security/WSA-2017-0002.html

The issues are fixed in 2.14.4:
https://www.webkitgtk.org/2017/02/10/webkitgtk2.14.4-released.html

I have committed it to SVN for Cauldron and Mageia 5 and asked for a freeze push.

When we re-do this update for Mageia 5, the advisory doesn't need to have individual CVE descriptions, since for webkit2 they provide no useful information. See the previous webkit2 update for an example of a generic advisory we can use.
CC: pkg-bugs => qa-bugs
Assignee: qa-bugs => pkg-bugs
Summary: webkit2 security issues fixed upstream (WSA-2016-0006 and WSA-2017-0001) => webkit2 security issues fixed upstream (WSA-2016-0006, WSA-2017-0001, and WSA-2017-0002)
Whiteboard: MGA5-64-OK advisory => (none)
Updated packages uploaded for Mageia 5 and Cauldron. Advisory in SVN updated.
CC: qa-bugs => (none)
Assignee: pkg-bugs => qa-bugs
CC: (none) => davidwhodgins
Whiteboard: (none) => advisory
LWN reference for WSA-2017-0002: https://lwn.net/Vulnerabilities/714424/
I have committed version 2.14.5 (which corrects the problem with HiDPI displays) to SVN for Cauldron and Mageia 5 and asked for a freeze push.
Re-testing M5_64 real hardware

lib64javascriptcoregtk4.0_18-2.14.5-1.mga5
lib64javascriptcore-gir4.0-2.14.5-1.mga5
lib64webkit2gtk4.0_37-2.14.5-1.mga5
lib64webkit2gtk-gir4.0-2.14.5-1.mga5
webkit2-2.14.5-1.mga5

As per comments 5 & 6, used Web=Epiphany, gThumb (which is baffling; what is its supposed usefulness?), Shotwell.
Web could not show all videos, & there was no sound. (I doubt that I tried that before).
gThumb behaved sensibly with previously ingested images, imported some more, rotated some but not all formats OK.
Shotwell looked fine except for the few image types it does not handle.

From a simple point of view, this is OK. I shall update the advisory to the new SRPM version.
Whiteboard: advisory => advisory MGA5-64-OK
Missing reference added to SVN advisory.
32-bit

The following 5 packages are going to be installed:

- libjavascriptcore-gir4.0-2.14.5-1.mga5.i586
- libjavascriptcoregtk4.0_18-2.14.5-1.mga5.i586
- libwebkit2gtk-gir4.0-2.14.5-1.mga5.i586
- libwebkit2gtk4.0_37-2.14.5-1.mga5.i586
- webkit2-2.14.5-1.mga5.i586

5.7MB of additional disk space will be used.
24MB of packages will be retrieved.
Is it ok to continue?
--------------------

Using epiphany some. Still working after updates and reboot.

Brian
CC: (none) => brtians1
Whiteboard: advisory MGA5-64-OK => advisory MGA5-64-OK mga5-32-ok
Both arch are validated, I think we can validate this advisory.
CC: (none) => mageia
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0069.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED