Bug 19721 - webkit2 security issues fixed upstream (WSA-2016-0006, WSA-2017-0001, and WSA-2017-0002)
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: https://lwn.net/Vulnerabilities/711330/
Whiteboard: advisory MGA5-64-OK mga5-32-ok
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2016-11-04 20:34 CET by David Walser
Modified: 2017-03-02 16:11 CET (History)
7 users

See Also:
Source RPM: webkit2-2.12.4-1.mga5.src.rpm
CVE:
Status comment:



Description David Walser 2016-11-04 20:34:00 CET
Upstream has issued an advisory today (November 4):
https://webkitgtk.org/security/WSA-2016-0006.html

The issues are all fixed in 2.14.0 (Cauldron has 2.14.1).

We should update both to 2.14.2:
https://webkitgtk.org/2016/11/03/webkitgtk2.14.2-released.html
David Walser 2016-11-04 20:34:11 CET

Source RPM: (none) => webkit2-2.12.4-1.mga5.src.rpm

Comment 1 Marja Van Waes 2016-11-04 23:37:30 CET
Assigning to the registered maintainer, but CC'ing all packagers collectively, because the maintainer seems unavailable.

CC: (none) => marja11, pkg-bugs
Assignee: bugsquad => fundawang

Comment 2 David Walser 2017-01-12 01:40:35 CET
Ubuntu has issued an advisory for this on January 10:
http://www.ubuntu.com/usn/usn-3166-1

URL: (none) => https://lwn.net/Vulnerabilities/711330/

Comment 3 David Walser 2017-01-18 21:47:35 CET
Upstream has issued an advisory on January 17:
https://www.webkitgtk.org/security/WSA-2017-0001.html

Several of the issues are fixed in 2.14.3:
https://www.webkitgtk.org/2017/01/17/webkitgtk2.14.3-released.html

LWN reference:
https://lwn.net/Vulnerabilities/711945/

Summary: webkit2 security issues fixed upstream (WSA-2016-0006) => webkit2 security issues fixed upstream (WSA-2016-0006 and WSA-2017-0001)

Comment 4 Nicolas Salguero 2017-02-10 15:49:03 CET
To find the packages that use webkit2, you can look at: https://bugs.mageia.org/show_bug.cgi?id=18597#c1

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

WebKit in Apple iOS before 10, Safari before 10, and tvOS before 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, a different vulnerability than CVE-2016-4730, CVE-2016-4733, CVE-2016-4734, and CVE-2016-4735. (CVE-2016-4611)

Processing maliciously crafted web content may result in the disclosure of user information. Description: An input validation issue was addressed through improved state management. (CVE-2016-4613)

WebKit in Apple iOS before 9.3.5 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site. (CVE-2016-4657)

Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed through improved memory handling. (CVE-2016-4666)

CFNetwork in Apple iOS before 10 and OS X before 10.12 mishandles Local Storage deletion, which allows local users to discover the visited web sites of arbitrary users via unspecified vectors. (CVE-2016-4707)

WebKit in Apple iOS before 10, tvOS before 10, iTunes before 12.5.1 on Windows, and Safari before 10 mishandles error prototypes, which allows remote attackers to execute arbitrary code via a crafted web site. (CVE-2016-4728)

WebKit in Apple iOS before 10 and Safari before 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, a different vulnerability than CVE-2016-4731. (CVE-2016-4729)

WebKit in Apple iOS before 10, Safari before 10, and tvOS before 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, a different vulnerability than CVE-2016-4611, CVE-2016-4733, CVE-2016-4734, and CVE-2016-4735. (CVE-2016-4730)

WebKit in Apple iOS before 10 and Safari before 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, a different vulnerability than CVE-2016-4729. (CVE-2016-4731)

WebKit in Apple iOS before 10, Safari before 10, and tvOS before 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, a different vulnerability than CVE-2016-4611, CVE-2016-4730, CVE-2016-4734, and CVE-2016-4735. (CVE-2016-4733)

WebKit in Apple iOS before 10, Safari before 10, and tvOS before 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, a different vulnerability than CVE-2016-4611, CVE-2016-4730, CVE-2016-4733, and CVE-2016-4735. (CVE-2016-4734)

WebKit in Apple iOS before 10, Safari before 10, and tvOS before 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, a different vulnerability than CVE-2016-4611, CVE-2016-4730, CVE-2016-4733, and CVE-2016-4734. (CVE-2016-4735)

WebKit in Apple iOS before 10, iTunes before 12.5.1 on Windows, and Safari before 10 does not properly restrict access to the location variable, which allows remote attackers to obtain sensitive information via a crafted web site. (CVE-2016-4758)

WebKit in Apple iOS before 10, tvOS before 10, iTunes before 12.5.1 on Windows, and Safari before 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, a different vulnerability than CVE-2016-4765, CVE-2016-4766, CVE-2016-4767, and CVE-2016-4768. (CVE-2016-4759)

WebKit in Apple iOS before 10, iTunes before 12.5.1 on Windows, and Safari before 10 allows remote attackers to conduct DNS rebinding attacks against non-HTTP Safari sessions by leveraging HTTP/0.9 support. (CVE-2016-4760)

A use-after-free vulnerability allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors. (CVE-2016-4761)

WebKit in Apple iOS before 10, iTunes before 12.5.1 on Windows, iCloud before 6.0 on Windows, and Safari before 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site. (CVE-2016-4762)

Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed through improved state management. (CVE-2016-4764)

WebKit in Apple iOS before 10, tvOS before 10, iTunes before 12.5.1 on Windows, and Safari before 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, a different vulnerability than CVE-2016-4759, CVE-2016-4766, CVE-2016-4767, and CVE-2016-4768. (CVE-2016-4765)

WebKit in Apple iOS before 10, tvOS before 10, iTunes before 12.5.1 on Windows, and Safari before 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, a different vulnerability than CVE-2016-4759, CVE-2016-4765, CVE-2016-4767, and CVE-2016-4768. (CVE-2016-4766)

WebKit in Apple iOS before 10, tvOS before 10, iTunes before 12.5.1 on Windows, and Safari before 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, a different vulnerability than CVE-2016-4759, CVE-2016-4765, CVE-2016-4766, and CVE-2016-4768. (CVE-2016-4767)

WebKit in Apple iOS before 10, tvOS before 10, iTunes before 12.5.1 on Windows, and Safari before 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, a different vulnerability than CVE-2016-4759, CVE-2016-4765, CVE-2016-4766, and CVE-2016-4767. (CVE-2016-4768)

WebKit in Apple iTunes before 12.5.1 on Windows and Safari before 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site. (CVE-2016-4769)

Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed through improved memory handling. (CVE-2016-7578)

Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed through improved memory handling. (CVE-2016-4692)

Processing maliciously crafted web content may result in the disclosure of process memory. Description: A memory corruption issue was addressed through improved input validation. (CVE-2016-4743)

Processing maliciously crafted web content may result in the disclosure of user information. Description: A validation issue was addressed through improved state management. (CVE-2016-7586)

Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed through improved state management. (CVE-2016-7587)

Processing maliciously crafted web content may lead to arbitrary code execution. Description: A memory corruption issue was addressed through improved state management. (CVE-2016-7589)

Processing maliciously crafted web content may compromise user information. Description: An issue existed in handling of JavaScript prompts. This was addressed through improved state management. (CVE-2016-7592)

Processing maliciously crafted web content may result in the disclosure of process memory. Description: An uninitialized memory access issue was addressed through improved memory initialization. (CVE-2016-7598)

Processing maliciously crafted web content may result in the disclosure of user information. Description: An issue existed in the handling of HTTP redirects. This issue was addressed through improved cross origin validation. (CVE-2016-7599)

Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed through improved state management. (CVE-2016-7610)

Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed through improved state management. (CVE-2016-7611)

Visiting a maliciously crafted website may compromise user information. Description: An issue existed in the handling of blob URLs. This issue was addressed through improved URL handling. (CVE-2016-7623)

Visiting a maliciously crafted webpage may lead to an unexpected application termination or arbitrary code execution. Description: A memory corruption issue was addressed through improved state management. (CVE-2016-7632)

Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed through improved memory handling. (CVE-2016-7635)

Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed through improved state management. (CVE-2016-7639)

Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed through improved state management. (CVE-2016-7640)

Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed through improved state management. (CVE-2016-7641)

Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed through improved state management. (CVE-2016-7642)

Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed through improved state management. (CVE-2016-7645)

Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed through improved state management. (CVE-2016-7646)

Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed through improved state management. (CVE-2016-7648)

Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed through improved state management. (CVE-2016-7649)

Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed through improved memory handling. (CVE-2016-7652)

Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed through improved state management. (CVE-2016-7654)

Processing maliciously crafted web content may lead to arbitrary code execution. Description: A memory corruption issue was addressed through improved state management. (CVE-2016-7656)

References:
https://webkitgtk.org/security/WSA-2016-0006.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4611
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4613
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4657
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4666
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4707
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4728
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4729
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4730
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4731
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4733
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4734
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4735
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4758
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4759
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4760
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4761
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4762
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4764
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4765
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4766
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4767
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4768
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4769
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7578
https://www.webkitgtk.org/security/WSA-2017-0001.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4692
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4743
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7586
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7587
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7589
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7592
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7598
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7599
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7610
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7611
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7623
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7632
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7635
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7639
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7640
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7641
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7642
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7645
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7646
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7648
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7649
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7652
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7654
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7656
https://webkitgtk.org/2016/11/03/webkitgtk2.14.2-released.html
https://www.webkitgtk.org/2017/01/17/webkitgtk2.14.3-released.html
========================

Updated packages in core/updates_testing:
========================
webkit2-2.14.3-1.mga5
webkit2-jsc-2.14.3-1.mga5
lib(64)webkit2gtk4.0_37-2.14.3-1.mga5
lib(64)javascriptcoregtk4.0_18-2.14.3-1.mga5
lib(64)webkit2-devel-2.14.3-1.mga5
lib(64)javascriptcore-gir4.0-2.14.3-1.mga5
lib(64)webkit2gtk-gir4.0-2.14.3-1.mga5


from SRPMS:
webkit2-2.14.3-1.mga5.src.rpm

Status: NEW => ASSIGNED
CC: (none) => nicolas.salguero
Assignee: fundawang => qa-bugs
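As an added example (not part of this bug report, and not Mageia's own tooling), here is a small Python checker for the "Suggested advisory" layout used above: it extracts the CVE ids described in the body, the ones that have a MITRE URL in the References section, and reports any mismatch in either direction, then can append the missing MITRE lines. The advisory text embedded in it is a constructed, abbreviated sample with one reference deliberately left out; the function names (`check_advisory`, `add_missing_references`) are my own.

```python
import re

# Constructed sample in the same layout as the suggested advisory above:
# description paragraphs ending in "(CVE-YYYY-NNNN)", then a References
# section.  The MITRE line for CVE-2016-7599 is deliberately omitted so the
# checker has something to report.
SAMPLE_ADVISORY = """\
The updated packages fix security vulnerabilities:

Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed through improved memory handling. (CVE-2016-4692)

Processing maliciously crafted web content may result in the disclosure of user information. Description: An issue existed in the handling of HTTP redirects. This issue was addressed through improved cross origin validation. (CVE-2016-7599)

References:
https://webkitgtk.org/security/WSA-2016-0006.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4692
https://www.webkitgtk.org/2017/01/17/webkitgtk2.14.3-released.html
========================
"""

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
MITRE_URL = "https://cve.mitre.org/cgi-bin/cvename.cgi?name={}"


def split_advisory(text):
    """Split the advisory into (description, references) at the 'References:' line."""
    head, sep, tail = text.partition("\nReferences:")
    if not sep:
        raise ValueError("advisory has no References: section")
    return head, tail


def described_cves(text):
    """CVE ids the advisory actually describes.

    Only the parenthesised id that closes each paragraph counts; ids quoted
    inside a description ("a different vulnerability than CVE-...") are
    cross-references, not entries of this advisory.
    """
    body, _ = split_advisory(text)
    return set(re.findall(r"\((CVE-\d{4}-\d{4,})\)", body))


def referenced_cves(text):
    """CVE ids that have a MITRE cvename.cgi URL in the References section."""
    _, refs = split_advisory(text)
    found = set()
    for line in refs.splitlines():
        line = line.strip()
        if line.startswith("http") and "cvename.cgi?name=" in line:
            match = CVE_RE.search(line.split("name=", 1)[1])
            if match:
                found.add(match.group(0))
    return found


def check_advisory(text):
    """Report described-but-unreferenced and referenced-but-undescribed CVE ids."""
    described = described_cves(text)
    referenced = referenced_cves(text)
    return {
        "missing_refs": sorted(described - referenced),
        "orphan_refs": sorted(referenced - described),
    }


def add_missing_references(text):
    """Return the advisory with a MITRE URL line added for every missing CVE.

    New lines go directly after the last existing cvename.cgi line so the
    release-notes URLs at the end of the section stay last; if there is no
    MITRE line yet, they go right after the 'References:' header.
    """
    missing = check_advisory(text)["missing_refs"]
    if not missing:
        return text
    lines = text.splitlines()
    cve_lines = [i for i, line in enumerate(lines) if "cvename.cgi?name=" in line]
    if cve_lines:
        idx = cve_lines[-1]
    else:
        idx = next(i for i, line in enumerate(lines) if line.strip() == "References:")
    lines[idx + 1:idx + 1] = [MITRE_URL.format(cve) for cve in missing]
    return "\n".join(lines) + ("\n" if text.endswith("\n") else "")


if __name__ == "__main__":
    print(check_advisory(SAMPLE_ADVISORY))
    print(add_missing_references(SAMPLE_ADVISORY))
```

Run it against a real advisory by reading the text from a file instead of `SAMPLE_ADVISORY`; the "orphan_refs" list is the one to watch when an advisory is trimmed to a generic description, as Comment 7 proposes, because the References section is then easy to leave over-long.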

Comment 5 Lewis Smith 2017-02-11 10:24:28 CET
Abbreviated list of dependant software, from:
 $ urpmq --whatrequires-recursive webkit2 | sort | uniq
anjuta
areca-backup
cbi-plugins
devhelp
eclipse-*
epiphany
gitg
glade3
gtkpod
gthumb
jetty-httpservice
jfreechart-swt
[many libs, mostly related to the other programs]
shotwell
tuxguitar
tycho [relates to eclipse]
vuze

epiphany (alias Web I think), gthumb & shotwell look the easiest applications.

CC: (none) => lewyssmith

Comment 6 Lewis Smith 2017-02-11 11:10:42 CET
Testing M5 x64 real hardware

AFTER update:
 lib64javascriptcore-gir4.0-2.14.3-1.mga5
 lib64javascriptcoregtk4.0_18-2.14.3-1.mga5
 lib64webkit2gtk4.0_37-2.14.3-1.mga5
 lib64webkit2gtk-gir4.0-2.14.3-1.mga5
 webkit2-2.14.3-1.mga5

Used Web/Epiphany on several sites, using it for this report.
Played with gThumb & Shotwell (which curiously does not accept .gif) with different image formats. No problems perceived, deeming the update OK.

Will tackle the enormous Advisory in Comment 4.

Whiteboard: (none) => MGA5-64-OK

Lewis Smith 2017-02-11 11:44:47 CET

Whiteboard: MGA5-64-OK => MGA5-64-OK advisory

Comment 7 David Walser 2017-02-12 17:13:24 CET
Upstream has issued an advisory on February 10:
https://webkitgtk.org/security/WSA-2017-0002.html

The issues are fixed in 2.14.4:
https://www.webkitgtk.org/2017/02/10/webkitgtk2.14.4-released.html

I have committed it to SVN for Cauldron and Mageia 5 and asked for a freeze push.

When we re-do this update for Mageia 5, the advisory doesn't need to have individual CVE descriptions, since for webkit2 they provide no useful information. See the previous webkit2 update for an example of a generic advisory we can use.

CC: pkg-bugs => qa-bugs
Assignee: qa-bugs => pkg-bugs
Summary: webkit2 security issues fixed upstream (WSA-2016-0006 and WSA-2017-0001) => webkit2 security issues fixed upstream (WSA-2016-0006, WSA-2017-0001, and WSA-2017-0002)
Whiteboard: MGA5-64-OK advisory => (none)

Comment 8 David Walser 2017-02-12 18:20:29 CET
Updated packages uploaded for Mageia 5 and Cauldron.  Advisory in SVN updated.

CC: qa-bugs => (none)
Assignee: pkg-bugs => qa-bugs

Dave Hodgins 2017-02-13 21:16:08 CET

CC: (none) => davidwhodgins
Whiteboard: (none) => advisory

Comment 9 David Walser 2017-02-13 23:35:43 CET
LWN reference for WSA-2017-0002:
https://lwn.net/Vulnerabilities/714424/

Comment 10 Nicolas Salguero 2017-02-15 17:19:57 CET
I have committed version 2.14.5 (which corrects the problem with HiDPI displays) to SVN for Cauldron and Mageia 5 and asked for a freeze push.

Comment 11 Lewis Smith 2017-02-21 21:08:06 CET
Re-testing M5_64 real hardware

 lib64javascriptcoregtk4.0_18-2.14.5-1.mga5
 lib64javascriptcore-gir4.0-2.14.5-1.mga5
 lib64webkit2gtk4.0_37-2.14.5-1.mga5
 lib64webkit2gtk-gir4.0-2.14.5-1.mga5
 webkit2-2.14.5-1.mga5

As per comments 5 & 6, used Web=Epiphany, gThumb (which is baffling; what is its supposed usefulness?), Shotwell. Web could not show all videos, & there was no sound. (I doubt that I tried that before). gThumb behaved sensibly with previously ingested images, imported some more, rotated some but not all formats OK. Shotwell looked fine except for the few image types it does not handle.
From a simple point of view, this is OK.
I shall update the advisory to the new SRPM version.

Whiteboard: advisory => advisory MGA5-64-OK

Comment 12 David Walser 2017-02-25 17:57:00 CET
Missing reference added to SVN advisory.

Comment 13 Brian Rockwell 2017-02-28 21:33:34 CET
32-bit

The following 5 packages are going to be installed:

- libjavascriptcore-gir4.0-2.14.5-1.mga5.i586
- libjavascriptcoregtk4.0_18-2.14.5-1.mga5.i586
- libwebkit2gtk-gir4.0-2.14.5-1.mga5.i586
- libwebkit2gtk4.0_37-2.14.5-1.mga5.i586
- webkit2-2.14.5-1.mga5.i586

5.7MB of additional disk space will be used.

24MB of packages will be retrieved.

Is it ok to continue?


--------------------

Using epiphany some. Still working after updates and reboot.

Brian

CC: (none) => brtians1
Whiteboard: advisory MGA5-64-OK => advisory MGA5-64-OK mga5-32-ok

Comment 14 Nicolas Lécureuil 2017-03-01 11:11:27 CET
Both arches are validated; I think we can validate this advisory.

CC: (none) => mageia

Lewis Smith 2017-03-02 08:14:06 CET

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 15 Mageia Robot 2017-03-02 16:11:51 CET
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0069.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED