Bug 23004 - webkit2 security issues fixed upstream (WSA-2018-0004)
Summary: webkit2 security issues fixed upstream (WSA-2018-0004)
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, has_procedure, validated_update
Depends on:
Blocks:
 
Reported: 2018-05-08 16:06 CEST by David Walser
Modified: 2018-05-29 21:42 CEST

See Also:
Source RPM: webkit2-2.20.1-1.mga6.src.rpm
CVE: CVE-2018-4200
Status comment:


Attachments
Interactive calendar widget script for zenity (188 bytes, application/x-perl)
2018-05-23 19:00 CEST, Len Lawrence

Description David Walser 2018-05-08 16:06:23 CEST
Upstream has issued an advisory on May 7:
https://webkitgtk.org/security/WSA-2018-0004.html

CVE-2018-4200 was fixed in 2.20.2 on May 7:
https://webkitgtk.org/2018/05/07/webkitgtk2.20.2-released.html

Mageia 6 is also affected.

David Walser 2018-05-08 16:06:31 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2018-05-09 08:37:06 CEST
Assigning to all packagers collectively, since there is no registered maintainer for this package.

CC'ing some committers.

CC: (none) => marja11, mrambo, nicolas.salguero, olav
Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2018-05-09 11:12:36 CEST
Suggested advisory:
========================

Updated webkit2 packages fix security vulnerabilities:

The webkit2 package has been updated to version 2.20.2, fixing several
security issues and other bugs.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4200
https://www.webkitgtk.org/security/WSA-2018-0004.html
https://www.webkitgtk.org/2018/05/07/webkitgtk2.20.2-released.html
========================

Updated packages in core/updates_testing:
========================
webkit2-2.20.2-1.mga6
webkit2-jsc-2.20.2-1.mga6
lib(64)webkit2gtk4.0_37-2.20.2-1.mga6
lib(64)javascriptcoregtk4.0_18-2.20.2-1.mga6
lib(64)webkit2-devel-2.20.2-1.mga6
lib(64)javascriptcore-gir4.0-2.20.2-1.mga6
lib(64)webkit2gtk-gir4.0-2.20.2-1.mga6

from SRPMS:
webkit2-2.20.2-1.mga6.src.rpm

CVE: (none) => CVE-2018-4200
Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6
Assignee: pkg-bugs => qa-bugs
Status: NEW => ASSIGNED

Comment 3 claire robinson 2018-05-19 04:16:01 CEST
Procedure in bug 22876 comment 4

Keywords: (none) => has_procedure

Comment 4 Len Lawrence 2018-05-23 18:54:24 CEST
Mageia 6, x86_64

Found no reproducers for the security flaws and bugs.
Updated the packages, adding webkit2-jsc and lib64webkit2-devel.

Referred to previous bug 22876 for procedure.

Used atril to look at the TurboPrint manual as a PDF.  It worked perfectly including following hyperlinks and weblinks.

Ran shotwell on a small image collection.  That worked fine and it also launched a video in the same directory.

Called zenity with the calendar dialogue.
This displayed an interactive calendar widget and returned a selected date as a string in the terminal.
$ zenity --calendar calendar.pl
Gtk-Message: GtkDialog mapped without a transient parent. This is discouraged.
22/06/17

Hoping that these functionality tests are sufficient for an OK.

Whiteboard: (none) => MGA6-64-OK
CC: (none) => tarazed25

Comment 5 Len Lawrence 2018-05-23 19:00:01 CEST
Created attachment 10184
Interactive calendar widget script for zenity

Downloaded from
https://help.gnome.org/users/zenity/3.24/calendar.html.en

$ zenity --calendar calendar.pl

Comment 6 Thomas Andrews 2018-05-24 15:38:19 CEST
Len, your tests were deemed sufficient to validate this the last time, so they should be this time, too.

Validating. Suggested advisory in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2018-05-29 20:55:39 CEST

Keywords: (none) => advisory
CC: (none) => tmb

Comment 7 Mageia Robot 2018-05-29 21:42:29 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0258.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

