Upstream has issued an advisory on January 24: https://webkitgtk.org/security/WSA-2018-0002.html The issues are fixed upstream in 2.18.6: https://webkitgtk.org/2018/01/24/webkitgtk2.18.6-released.html
Source RPM: (none) => webkit2-2.18.5-1.mga6.src.rpmWhiteboard: (none) => MGA6TOO
Assigning to all packagers collectively, since there is no registered maintainer for this package.
Assignee: bugsquad => pkg-bugsCC: (none) => marja11
Suggested advisory: ======================== Updated webkit2 packages fix security vulnerabilities: The webkit2 package has been updated to version 2.18.6, fixing several security issues and other bugs. References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4088 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4089 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4096 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7153 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7160 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7161 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7165 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13884 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13885 https://webkitgtk.org/security/WSA-2018-0002.html https://webkitgtk.org/2018/01/24/webkitgtk2.18.6-released.html http://openwall.com/lists/oss-security/2018/01/24/6 ======================== Updated packages in core/updates_testing: ======================== webkit2-2.18.6-1.mga6 webkit2-jsc-2.18.6-1.mga6 lib(64)webkit2gtk4.0_37-2.18.6-1.mga6 lib(64)javascriptcoregtk4.0_18-2.18.6-1.mga6 lib(64)webkit2-devel-2.18.6-1.mga6 lib(64)javascriptcore-gir4.0-2.18.6-1.mga6 lib(64)webkit2gtk-gir4.0-2.18.6-1.mga6 from SRPMS: webkit2-2.18.6-1.mga6.src.rpm
Whiteboard: MGA6TOO => (none)Assignee: pkg-bugs => qa-bugsStatus: NEW => ASSIGNEDVersion: Cauldron => 6
Advisory done. Wanted to test, but it is not yet in my mirror. https://bugs.mageia.org/show_bug.cgi?id=22245#c3 has relevant application pointers. Test under Gnome might help.
Keywords: (none) => advisory
Testing M6/64 under Gnome. I could not find any test cases in the many CVEs. BEFORE update: all pkgs at 2.18.5-1 Atril with a long sophisticated PDF, good: $ strace atril 2>&1 | grep webkit2 open("/lib64/libwebkit2gtk-4.0.so.37", O_RDONLY|O_CLOEXEC) = 3 read(14, "libwebkit2gtk-4.0.so.37.24.8\n7f7"..., 1024) = 1024 Evolution $ strace evolution 2>&1 | grep webkit2 open("/usr/lib64/evolution/libwebkit2gtk-4.0.so.37", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) open("/lib64/libwebkit2gtk-4.0.so.37", O_RDONLY|O_CLOEXEC) = 3 Not OK: it seized up after a few random clicks. But it may have been OK - see post-update test. Zenity; good. $ strace zenity --title="Select a file to remove" --file-selection 2>&1 | grep webkit2 open("/lib64/libwebkit2gtk-4.0.so.37", O_RDONLY|O_CLOEXEC) = 3 ---------------- AFTER update to: lib64javascriptcoregtk4.0_18-2.18.6-1.mga6 lib64javascriptcore-gir4.0-2.18.6-1.mga6 lib64webkit2gtk4.0_37-2.18.6-1.mga6 lib64webkit2gtk-gir4.0-2.18.6-1.mga6 webkit2-2.18.6-1.mga6 Atril on different PDFs: $ strace atril 2>&1 | grep webkit2 open("/lib64/libwebkit2gtk-4.0.so.37", O_RDONLY|O_CLOEXEC) = 3 read(14, "libwebkit2gtk-4.0.so.37.24.9\n7f2"..., 1024) = 1024 Note version updated. Result good. Zenity: same as before, good. Evolution: $ strace evolution 2>&1 | grep webkit2open("/usr/lib64/evolution/libwebkit2gtk-4.0.so.37", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) open("/lib64/libwebkit2gtk-4.0.so.37", O_RDONLY|O_CLOEXEC) = 3 Once again this seized up. Clicking hopefully here & there, it eventually caught up on the buffered clicks (shown in its own window heading), and then reacted sensibly. OKing the update; validating.
CC: (none) => sysadmin-bugsKeywords: (none) => validated_updateWhiteboard: (none) => MGA6-64-OK
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0102.html
Resolution: (none) => FIXEDStatus: ASSIGNED => RESOLVED