Upstream has issued an advisory today (October 18): https://webkitgtk.org/security/WSA-2017-0008.html Most of the issues are fixed in 2.18.0. Coincidentally, 2.18.1 has also been released today: https://webkitgtk.org/2017/10/18/webkitgtk2.18.1-released.html
Assigning to all packagers collectively, since there is no registered maintainer for this package. Also CC'ing some committers.
CC: (none) => cjw, mageia, marja11, nicolas.salguero, olav, pterjan, rverschelde, shlomif, thierry.vignaudAssignee: bugsquad => pkg-bugs
Ubuntu has issued an advisory for this on October 23: https://usn.ubuntu.com/usn/usn-3460-1/
Hi, Version 2.18.2 was released the halloween day. I am working on it. Best regards, Nico.
Suggested advisory: ======================== Updated webkit2 packages fix security vulnerabilities: The webkit2 package has been updated to version 2.18.2, fixing several security issues and other bugs. References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7081 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7087 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7089 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7090 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7091 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7092 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7093 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7094 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7095 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7096 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7098 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7099 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7100 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7102 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7104 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7107 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7109 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7111 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7117 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7120 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7142 https://webkitgtk.org/security/WSA-2017-0008.html https://webkitgtk.org/2017/10/18/webkitgtk2.18.1-released.html https://webkitgtk.org/2017/10/27/webkitgtk2.18.2-released.html ======================== Updated packages in core/updates_testing: ======================== webkit2-2.18.2-1.mga6 webkit2-jsc-2.18.2-1.mga6 lib(64)webkit2gtk4.0_37-2.18.2-1.mga6 lib(64)javascriptcoregtk4.0_18-2.18.2-1.mga6 lib(64)webkit2-devel-2.18.2-1.mga6 lib(64)javascriptcore-gir4.0-2.18.2-1.mga6 lib(64)webkit2gtk-gir4.0-2.18.2-1.mga6 from SRPMS: webkit2-2.18.2-1.mga6.src.rpm
Status: NEW => ASSIGNEDAssignee: pkg-bugs => qa-bugs
Keywords: (none) => advisory
$ urpmq --whatrequires-recursive webkit2 | sort | uniq | grep -v ^lib shows a host of applications that ultimately use webkit2.
CC: (none) => lewyssmith
CC: lewyssmith => (none)
Upstream has issued an advisory today (November 10): https://webkitgtk.org/security/WSA-2017-0009.html A few more security issues were fixed in 2.18.3, and more that were fixed in 2.18.1 have been announced. Suggested advisory: ======================== Updated webkit2 packages fix security vulnerabilities: The webkit2 package has been updated to version 2.18.3, fixing several security issues and other bugs. References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7081 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7087 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7089 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7090 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7091 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7092 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7093 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7094 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7095 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7096 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7098 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7099 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7100 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7102 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7104 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7107 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7109 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7111 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7117 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7120 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7142 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13783 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13784 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13785 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13788 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13791 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13792 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13793 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13794 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13795 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13796 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13798 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13802 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13803 https://webkitgtk.org/security/WSA-2017-0008.html https://webkitgtk.org/security/WSA-2017-0009.html https://webkitgtk.org/2017/10/18/webkitgtk2.18.1-released.html https://webkitgtk.org/2017/10/27/webkitgtk2.18.2-released.html https://webkitgtk.org/2017/11/10/webkitgtk2.18.3-released.html ======================== Updated packages in core/updates_testing: ======================== webkit2-2.18.3-1.mga6 webkit2-jsc-2.18.3-1.mga6 libwebkit2gtk4.0_37-2.18.3-1.mga6 libjavascriptcoregtk4.0_18-2.18.3-1.mga6 libwebkit2-devel-2.18.3-1.mga6 libjavascriptcore-gir4.0-2.18.3-1.mga6 libwebkit2gtk-gir4.0-2.18.3-1.mga6 from webkit2-2.18.3-1.mga6.src.rpm
Summary: webkit2 security issues fixed upstream (WSA-2017-0008) => webkit2 security issues fixed upstream (WSA-2017-0008 and WSA-2017-0009)
About to try M6/64, updating the following to: - lib64javascriptcore-gir4.0-2.18.3-1.mga6.x86_64 - lib64javascriptcoregtk4.0_18-2.18.3-1.mga6.x86_64 - lib64webkit2gtk-gir4.0-2.18.3-1.mga6.x86_64 - lib64webkit2gtk4.0_37-2.18.3-1.mga6.x86_64 - webkit2-2.18.3-1.mga6.x86_64 Will try Gnome, Nautilus, Cinnamon, XFCE, Thunar and hope they invoke one of the libraries.
Testing M6/64 AFTER the update Stracing a number of available applications given by: $ urpmq --whatrequires-recursive webkit2 | sort | uniq | grep -v ^lib in the manner: $ strace <application> 2>1 | grep webkit many gave no sign of calling webkit; e.g. epiphany=web, files, caja, thunar. Nor did GDM display manager; Cinnamon, Gnome Xfce desktops. But all these things worked - I tried those that I had installed with a 6-desktop system. A few did show more +ve use: $ strace atril 2>&1 | grep webkit open("/lib64/libwebkit2gtk-4.0.so.37", O_RDONLY|O_CLOEXEC) = 3 read(14, "libwebkit2gtk-4.0.so.37.24.6\n7fc"..., 1024) = 1024 $ strace evolution 2>&1 | grep webkit open("/usr/lib64/evolution/libwebkit2gtk-4.0.so.37", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) open("/lib64/libwebkit2gtk-4.0.so.37", O_RDONLY|O_CLOEXEC) = 3 stat("/usr/lib64/evolution/modules/module-webkit-editor.so", {st_mode=S_IFREG|0755, st_size=105320, ...}) = 0 open("/usr/lib64/evolution/modules/module-webkit-editor.so", O_RDONLY|O_CLOEXEC) = 19 stat("/usr/lib64/evolution/modules/module-webkit-inspector.so", {st_mode=S_IFREG|0755, st_size=11256, ...}) = 0 open("/usr/lib64/evolution/modules/module-webkit-inspector.so", O_RDONLY|O_CLOEXEC) = 19 open("/run/user/1001/webkitgtk-wayland-compositor-4a836554-8156-4d9b-aa04-262c594ad6a8.lock", O_RDONLY|O_CREAT|O_CLOEXEC, 0660) = 36 stat("/run/user/1001/webkitgtk-wayland-compositor-4a836554-8156-4d9b-aa04-262c594ad6a8", 0x7fff7ba0db00) = -1 ENOENT (No such file or directory) bind(37, {sa_family=AF_UNIX, sun_path="/run/user/1001/webkitgtk-wayland-compositor-4a836554-8156-4d9b-aa04-262c594ad6a8"}, 82) = 0 $ strace zenity --title="Select a file to remove" --file-selection 2>&1 | grep webkit open("/lib64/libwebkit2gtk-4.0.so.37", O_RDONLY|O_CLOEXEC) = 3 Seeing no sign of trouble, this warrant OK. In our pressed situation, am validating it also. The advisory to be updated re comment 6.
Keywords: (none) => validated_updateWhiteboard: (none) => MGA6-64-OKCC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2017-0425.html
Resolution: (none) => FIXEDStatus: ASSIGNED => RESOLVED