Bug 30262 - webkit2 security issues fixed upstream (WSA-2022-0004)
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-04-08 18:51 CEST by David Walser
Modified: 2022-04-13 18:07 CEST

See Also:
Source RPM: webkit2-2.34.6-1.mga8.src.rpm
CVE:
Status comment:



Description David Walser 2022-04-08 18:51:09 CEST
Upstream has issued an advisory today (April 8):
https://webkitgtk.org/security/WSA-2022-0004.html

The issues are fixed upstream in 2.36.0:
https://webkitgtk.org/2022/03/21/webkitgtk2.36.0-released.html
David Walser 2022-04-08 18:51:23 CEST

Status comment: (none) => Fixed upstream in 2.36.0

Comment 1 Lewis Smith 2022-04-08 21:41:08 CEST
We already (just) have version 2.36.0 in Cauldron thanks to ns80, so it seems sensible to assign this update to you.

Assignee: bugsquad => nicolas.salguero

Comment 2 Nicolas Salguero 2022-04-11 12:08:07 CEST
Suggested advisory:
========================

Updated webkit2 packages fix security vulnerabilities:

The webkit2 package has been updated to version 2.36.0, fixing several security issues and other bugs.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22624
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22628
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22629
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22637
https://webkitgtk.org/security/WSA-2022-0004.html
https://webkitgtk.org/2022/03/21/webkitgtk2.36.0-released.html
========================

Updated packages in core/updates_testing:
========================
webkit2-2.36.0-1.mga8
webkit2-jsc-2.36.0-1.mga8
lib(64)webkit2gtk-gir4.0-2.36.0-1.mga8
lib(64)javascriptcore-gir4.0-2.36.0-1.mga8
lib(64)javascriptcoregtk4.0_18-2.36.0-1.mga8
lib(64)webkit2gtk4.0_37-2.36.0-1.mga8
lib(64)webkit2-devel-2.36.0-1.mga8

from SRPM:
webkit2-2.36.0-1.mga8.src.rpm

Status comment: Fixed upstream in 2.36.0 => (none)
Assignee: nicolas.salguero => qa-bugs
Status: NEW => ASSIGNED

Nicolas Salguero 2022-04-11 12:08:19 CEST

CC: (none) => nicolas.salguero

Comment 3 Thomas Andrews 2022-04-12 20:38:45 CEST
Tested in a Gnome Vbox guest. No installation issues.

Referred to bug 30018 and Bug 30064 for tests:

$ zenity --calendar

Used the mouse to select a date, which was reported back to the command line.

Ran Atril and loaded a PDF, looked OK

Ran Evolution and Epiphany, both GUIs came up normally.

Looks OK in Gnome.

CC: (none) => andrewsfarm

Comment 4 Thomas Andrews 2022-04-12 20:51:35 CEST
Tested with a Plasma install on real 64-bit hardware. No installation issues.

This install does not include Evolution or Epiphany, but the zenity calendar and Atril both work OK.

Giving this a 64-bit OK, and validating. Advisory in Comment 2.

CC: (none) => sysadmin-bugs
Whiteboard: (none) => MGA8-64-OK
Keywords: (none) => validated_update

Dave Hodgins 2022-04-12 21:05:28 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 5 Mageia Robot 2022-04-13 18:07:17 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0139.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

