Bug 23408 - webkit2 security issues fixed upstream (WSA-2018-0006)
Summary: webkit2 security issues fixed upstream (WSA-2018-0006)
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-32-OK MGA6-64-OK
Keywords: advisory, has_procedure, validated_update
Depends on:
Blocks:
 
Reported: 2018-08-08 13:16 CEST by David Walser
Modified: 2018-09-21 18:27 CEST
CC List: 6 users

See Also:
Source RPM: webkit2-2.20.3-1.mga6.src.rpm
CVE:
Status comment:


Attachments
journalctl for Aug25th. midori webkit issues (91.23 KB, text/plain)
2018-08-25 19:00 CEST, Brian Rockwell

Description David Walser 2018-08-08 13:16:40 CEST
Upstream has issued an advisory on August 7:
https://webkitgtk.org/security/WSA-2018-0006.html

The issues have been fixed in 2.20.4, released on August 6:
https://webkitgtk.org/2018/08/06/webkitgtk2.20.4-released.html

Mageia 6 is also affected.

It's building in Cauldron now and Mageia 6 now.

Testing procedure in bug 22876 comment 4

Suggested advisory:
========================

Updated webkit2 packages fix security vulnerabilities:

The webkit2 package has been updated to version 2.20.4, fixing several
security issues and other bugs.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4261
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4262
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4263
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4264
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4265
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4266
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4267
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4270
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4272
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4273
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4278
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4284
https://webkitgtk.org/security/WSA-2018-0006.html
https://webkitgtk.org/2018/08/06/webkitgtk2.20.4-released.html
========================

Updated packages in core/updates_testing:
========================
webkit2-2.20.4-1.mga6
webkit2-jsc-2.20.4-1.mga6
lib(64)webkit2gtk4.0_37-2.20.4-1.mga6
lib(64)javascriptcoregtk4.0_18-2.20.4-1.mga6
lib(64)webkit2-devel-2.20.4-1.mga6
lib(64)javascriptcore-gir4.0-2.20.4-1.mga6
lib(64)webkit2gtk-gir4.0-2.20.4-1.mga6

from webkit2-2.20.4-1.mga6.src.rpm

David Walser 2018-08-08 13:16:52 CEST

Keywords: (none) => has_procedure

Comment 1 Herman Viaene 2018-08-11 10:56:22 CEST
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues.
Following procedure above, opened a PDF containing links with atril: expected behavior is OK.
Running the Perl test script provides an interactive calendar widget.
All OK.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA6-32-OK

Comment 2 Brian Rockwell 2018-08-25 18:56:34 CEST
mga6-64

$ uname -a
Linux localhost 4.14.65-desktop-1.mga6 #1 SMP Sat Aug 18 14:50:29 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux



This breaks midori browser so this is a no go.

I'll attach journal.

Let me know if you need anything else

Keywords: (none) => feedback
CC: (none) => brtians1

Comment 3 Brian Rockwell 2018-08-25 19:00:40 CEST
Created attachment 10336
journalctl for Aug25th.  midori webkit issues

Xfce platform running in VirtualBox

I installed midori:

The following 3 packages are going to be installed:

- lib64midori-core1-0.5.11-4.mga6.x86_64
- lib64zeitgeist2.0_0-1.0-1.mga6.x86_64
- midori-0.5.11-4.mga6.x86_64

5MB of additional disk space will be used.

1.1MB of packages will be retrieved.


I tested it and it accessed the Mageia and Slashdot web sites.

Then upgraded webkit.

Afterwards midori was no longer functional.

When I run from terminal I see the following:

$ midori

(midori4:3915): Gtk-WARNING **: Theme parsing error: gtk3.css:2:31: The style property GtkButton:default-border is deprecated and shouldn't be used anymore. It will be removed in a future version

(midori4:3915): Gtk-WARNING **: Theme parsing error: gtk3.css:3:39: The style property GtkButton:default-outside-border is deprecated and shouldn't be used anymore. It will be removed in a future version

(midori4:3915): Gtk-WARNING **: Theme parsing error: gtk3.css:4:29: The style property GtkButton:inner-border is deprecated and shouldn't be used anymore. It will be removed in a future version

(midori4:3915): Gtk-WARNING **: Theme parsing error: gtk3.css:5:33: The style property GtkWidget:focus-line-width is deprecated and shouldn't be used anymore. It will be removed in a future version

(midori4:3915): Gtk-WARNING **: Theme parsing error: gtk3.css:6:30: The style property GtkWidget:focus-padding is deprecated and shouldn't be used anymore. It will be removed in a future version

(midori4:3915): Gtk-WARNING **: Theme parsing error: gtk3.css:26:20: The :insensitive pseudo-class is deprecated. Use :disabled instead.

(midori4:3915): GLib-CRITICAL **: g_file_test: assertion 'filename != NULL' failed
/usr/libexec/webkit2gtk-4.0/WebKitWebProcess: symbol lookup error: /lib64/libwebkit2gtk-4.0.so.37: undefined symbol: _ZN3JSC41DeferredStructureTransitionWatchpointFireC1ERNS_2VMEPNS_9StructureE


See journal.  Let me know if you need anything else from me

Comment 4 David Walser 2018-08-25 21:52:32 CEST
I guess we need to update to the 2.20.5 bugfix version.

Comment 5 Nicolas Salguero 2018-08-28 11:31:01 CEST
Suggested advisory:
========================

Updated webkit2 packages fix security vulnerabilities:

The webkit2 package has been updated to version 2.20.5, fixing several
security issues and other bugs.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4261
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4262
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4263
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4264
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4265
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4266
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4267
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4270
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4272
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4273
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4278
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4284
https://webkitgtk.org/security/WSA-2018-0006.html
https://webkitgtk.org/2018/08/06/webkitgtk2.20.4-released.html
https://webkitgtk.org/2018/08/13/webkitgtk2.20.5-released.html
========================

Updated packages in core/updates_testing:
========================
webkit2-2.20.5-1.mga6
webkit2-jsc-2.20.5-1.mga6
lib(64)webkit2gtk4.0_37-2.20.5-1.mga6
lib(64)javascriptcoregtk4.0_18-2.20.5-1.mga6
lib(64)webkit2-devel-2.20.5-1.mga6
lib(64)javascriptcore-gir4.0-2.20.5-1.mga6
lib(64)webkit2gtk-gir4.0-2.20.5-1.mga6

from webkit2-2.20.5-1.mga6.src.rpm

Keywords: feedback => (none)
Whiteboard: MGA6-32-OK => (none)
CC: (none) => nicolas.salguero
Status: NEW => ASSIGNED

Comment 6 Herman Viaene 2018-08-28 16:16:42 CEST
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues.
Following procedure above, opened a PDF containing links with atril: expected behavior is OK.
Running the Perl test script provides an interactive calendar widget.
All OK.

Whiteboard: (none) => MGA6-32-OK

Comment 7 Brian Rockwell 2018-08-29 00:06:47 CEST
The following 4 packages are going to be installed:

- lib64webkit2gtk-gir4.0-2.20.5-1.mga6.x86_64
- lib64webkit2gtk4.0_37-2.20.5-1.mga6.x86_64
- webkit2-2.20.5-1.mga6.x86_64
- webkit2-jsc-2.20.5-1.mga6.x86_64

240KB of additional disk space will be used.


midori failed.

Installed the development libraries and the 230MB of additional stuff 

lib(64)webkit2-devel-2.20.5-1.mga6
and the following

Aug 28 21:55:40 localhost [RPM][4025]: Transaction ID 5b860b2c started
Aug 28 21:55:40 localhost [RPM][4025]: erase lib64javascriptcore-gir4.0-2.20.3-1
Aug 28 21:55:40 localhost [RPM][4025]: erase lib64javascriptcoregtk4.0_18-2.20.3
Aug 28 21:55:40 localhost [RPM][4025]: erase lib64xcursor1-1.1.14-6.1.mga6.x86_6
Aug 28 21:55:40 localhost [RPM][4025]: install lib64sqlite3-devel-3.17.0-2.2.mga
Aug 28 21:55:41 localhost [RPM][4025]: install lib64javascriptcoregtk4.0_18-2.20
Aug 28 21:55:41 localhost [RPM][4025]: install lib64javascriptcore-gir4.0-2.20.5
Aug 28 21:55:42 localhost [RPM][4025]: install lib64soup-devel-2.58.2-1.1.mga6.x
Aug 28 21:55:42 localhost [RPM][4025]: install lib64xcursor1-1.1.14-6.2.mga6.x86
Aug 28 21:55:42 localhost [RPM][4025]: install lib64xcursor-devel-1.1.14-6.2.mga
Aug 28 21:55:45 localhost [RPM][4025]: install lib64gtk+3.0-devel-3.22.16-1.mga6
Aug 28 21:55:45 localhost [RPM][4025]: install lib64jpeg-devel-1:1.5.1-1.2.mga6.
Aug 28 21:55:45 localhost [RPM][4025]: install lib64tasn1-devel-4.13-1.mga6.x86_
Aug 28 21:55:45 localhost [RPM][4025]: install lib64webkit2-devel-2.20.5-1.mga6.
Aug 28 21:55:47 localhost [RPM][4025]: install pango-doc-1.40.6-1.1.mga6.noarch:
Aug 28 21:55:47 localhost [RPM][4025]: erase lib64javascriptcore-gir4.0-2.20.3-1
Aug 28 21:55:47 localhost [RPM][4025]: erase lib64javascriptcoregtk4.0_18-2.20.3
Aug 28 21:55:47 localhost [RPM][4025]: erase lib64xcursor1-1.1.14-6.1.mga6.x86_6
Aug 28 21:55:53 localhost [RPM][4025]: install lib64sqlite3-devel-3.17.0-2.2.mga
Aug 28 21:55:53 localhost [RPM][4025]: install lib64javascriptcoregtk4.0_18-2.20
Aug 28 21:55:53 localhost [RPM][4025]: install lib64javascriptcore-gir4.0-2.20.5
Aug 28 21:55:53 localhost [RPM][4025]: install lib64soup-devel-2.58.2-1.1.mga6.x
Aug 28 21:55:53 localhost [RPM][4025]: install lib64xcursor1-1.1.14-6.2.mga6.x86
Aug 28 21:55:53 localhost [RPM][4025]: install lib64xcursor-devel-1.1.14-6.2.mga
Aug 28 21:55:53 localhost [RPM][4025]: install lib64gtk+3.0-devel-3.22.16-1.mga6
Aug 28 21:55:53 localhost [RPM][4025]: install lib64jpeg-devel-1:1.5.1-1.2.mga6.
Aug 28 21:55:53 localhost [RPM][4025]: install lib64tasn1-devel-4.13-1.mga6.x86_
Aug 28 21:55:53 localhost [RPM][4025]: install lib64webkit2-devel-2.20.5-1.mga6.
Aug 28 21:55:53 localhost [RPM][4025]: install pango-doc-1.40.6-1.1.mga6.noarch:
Aug 28 21:55:53 localhost [RPM][4025]: Transaction ID 5b860b2c finished: 0


behold - it works now.

MGa6-64 works - we just need to note midori needs the dev libraries.

Keywords: (none) => feedback
Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK

Comment 8 David Walser 2018-08-29 00:24:43 CEST
(In reply to Brian Rockwell from comment #7)
> MGa6-64 works - we just need to note midori needs the dev libraries.

It shouldn't.  What's with that?  Packaging error?

Comment 9 Nicolas Salguero 2018-08-29 09:13:14 CEST
(In reply to David Walser from comment #8)
> (In reply to Brian Rockwell from comment #7)
> > MGa6-64 works - we just need to note midori needs the dev libraries.
> 
> It shouldn't.  What's with that?  Packaging error?

The dev libraries are not needed.  What is needed is lib(64)javascriptcoregtk4.0_18 and lib(64)javascriptcore-gir4.0 packages in the same version as webkit2.

In comment 7, it seems that those packages have not been updated at the same time as the other packages.  I made that mistake myself once and, now, I do not forget anymore :-)

By installing the devel package, the two forgotten packages are forced to be updated.

Best regards,

Nico.

Comment 10 Brian Rockwell 2018-09-19 03:25:59 CEST
Has anyone fixed the dependency noted by Nicolas?

Comment 11 David Walser 2018-09-19 12:04:40 CEST
It's not a dependency issue, it's user error.  When you QA test packages, make sure *all* of the relevant packages built from that SRPM (listed in Comment 5 in this case) get updated.

Keywords: feedback => (none)
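
Added example (not part of the original bug thread, and not Mageia QA tooling): a shell check for the partial update diagnosed in comments 9 and 11, where some binary packages built from the webkit2 SRPM stayed at 2.20.3 while the rest moved to 2.20.5. The function names and the sample package list are hypothetical and constructed from the package names on this page; the midori source RPM name is an assumption.

```shell
#!/bin/sh
# Added example: detect a partially applied update of packages built from one SRPM.
# Input on stdin: "NAME VERSION-RELEASE SOURCERPM" per line, e.g. from
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE} %{SOURCERPM}\n'

# Print "VERSION-RELEASE NAME" for each package whose source package is $1.
srpm_versions() {
    awk -v src="$1" '{
        s = $3
        sub(/\.src\.rpm$/, "", s)      # strip the file suffix
        sub(/-[^-]+-[^-]+$/, "", s)    # strip -VERSION-RELEASE, leaving the source name
        if (s == src) print $2, $1
    }' | sort
}

# Exit status: 0 = one version-release, 1 = mixed versions, 2 = nothing matched.
check_srpm_consistent() {
    list=$(srpm_versions "$1")
    [ -n "$list" ] || return 2
    n=$(printf '%s\n' "$list" | cut -d' ' -f1 | sort -u | wc -l | tr -d ' ')
    [ "$n" -eq 1 ]
}

# Constructed sample: the state after the first install in comment 7.
sample_partial() {
    cat <<'EOF'
webkit2 2.20.5-1.mga6 webkit2-2.20.5-1.mga6.src.rpm
webkit2-jsc 2.20.5-1.mga6 webkit2-2.20.5-1.mga6.src.rpm
lib64webkit2gtk4.0_37 2.20.5-1.mga6 webkit2-2.20.5-1.mga6.src.rpm
lib64webkit2gtk-gir4.0 2.20.5-1.mga6 webkit2-2.20.5-1.mga6.src.rpm
lib64javascriptcoregtk4.0_18 2.20.3-1.mga6 webkit2-2.20.3-1.mga6.src.rpm
lib64javascriptcore-gir4.0 2.20.3-1.mga6 webkit2-2.20.3-1.mga6.src.rpm
midori 0.5.11-4.mga6 midori-0.5.11-4.mga6.src.rpm
EOF
}

# Constructed sample: the same system once every webkit2 subpackage is updated.
sample_full() { sample_partial | sed 's/2\.20\.3/2.20.5/g'; }

if ! sample_partial | check_srpm_consistent webkit2; then
    echo "webkit2: mixed versions installed"
    sample_partial | srpm_versions webkit2
fi
```

On a test machine, pipe the `rpm -qa` query from the header comment into `check_srpm_consistent webkit2` before recording an OK on the whiteboard.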

Comment 12 Thomas Andrews 2018-09-19 14:01:04 CEST
Sounds to me like this is good to go, then. Validating. Suggested advisory in Comment 5.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 13 Brian Rockwell 2018-09-20 03:01:55 CEST
David - fine.  Why didn't Midori request the package?

Comment 14 David Walser 2018-09-20 04:48:27 CEST
Midori does require the package, that's why it was already installed.

Dave Hodgins 2018-09-21 16:58:08 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 15 Mageia Robot 2018-09-21 18:27:40 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0382.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

