openSUSE Security Update: Security update for webkit2gtk3
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:3473-1
Rating: moderate
References: #1075775 #1077535 #1079512 #1088182 #1088932
#1092278 #1092279 #1092280 #1095611 #1096060
#1096061 #1097693 #1101999 #1102530 #1104169

Cross-References: CVE-2017-13884 CVE-2017-13885 CVE-2017-7153
CVE-2017-7160 CVE-2017-7161 CVE-2017-7165
CVE-2018-11646 CVE-2018-11712 CVE-2018-11713
CVE-2018-12911 CVE-2018-4088 CVE-2018-4096
CVE-2018-4101 CVE-2018-4113 CVE-2018-4114
CVE-2018-4117 CVE-2018-4118 CVE-2018-4119
CVE-2018-4120 CVE-2018-4121 CVE-2018-4122
CVE-2018-4125 CVE-2018-4127 CVE-2018-4128
CVE-2018-4129 CVE-2018-4133 CVE-2018-4146
CVE-2018-4161 CVE-2018-4162 CVE-2018-4163
CVE-2018-4165 CVE-2018-4190 CVE-2018-4199
CVE-2018-4200 CVE-2018-4204 CVE-2018-4218
CVE-2018-4222 CVE-2018-4232 CVE-2018-4233
CVE-2018-4246
Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________

An update that fixes 40 vulnerabilities is now available.

Description:

This update for webkit2gtk3 to version 2.20.3 fixes the issues:

The following security vulnerabilities were addressed:

– CVE-2018-12911: Fixed an off-by-one error in xdg_mime_get_simple_globs
(boo#1101999)
– CVE-2017-13884: An unspecified issue allowed remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and
application crash) via a crafted web site (bsc#1075775).
– CVE-2017-13885: An unspecified issue allowed remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and
application crash) via a crafted web site (bsc#1075775).
– CVE-2017-7153: An unspecified issue allowed remote attackers to spoof
user-interface information (about whether the entire content is derived
from a valid TLS session) via a crafted web site that sends a 401
Unauthorized redirect (bsc#1077535).
– CVE-2017-7160: An unspecified issue allowed remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and
application crash) via a crafted web site (bsc#1075775).
– CVE-2017-7161: An unspecified issue allowed remote attackers to execute
arbitrary code via special characters that trigger command injection
(bsc#1075775, bsc#1077535).
– CVE-2017-7165: An unspecified issue allowed remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and
application crash) via a crafted web site (bsc#1075775).
– CVE-2018-4088: An unspecified issue allowed remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and
application crash) via a crafted web site (bsc#1075775).
– CVE-2018-4096: An unspecified issue allowed remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and
application crash) via a crafted web site (bsc#1075775).
– CVE-2018-4200: An unspecified issue allowed remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and
application crash) via a crafted web site that triggers a
WebCore::jsElementScrollHeightGetter use-after-free (bsc#1092280).
– CVE-2018-4204: An unspecified issue allowed remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and
application crash) via a crafted web site (bsc#1092279).
– CVE-2018-4101: An unspecified issue allowed remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and
application crash) via a crafted web site (bsc#1088182).
– CVE-2018-4113: An issue in the JavaScriptCore function in the “WebKit”
component allowed attackers to trigger an assertion failure by
leveraging improper array indexing (bsc#1088182)
– CVE-2018-4114: An unspecified issue allowed remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and
application crash) via a crafted web site (bsc#1088182)
– CVE-2018-4117: An unspecified issue allowed remote attackers to bypass
the Same Origin Policy and obtain sensitive information via a crafted
web site (bsc#1088182, bsc#1102530).
– CVE-2018-4118: An unspecified issue allowed remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and
application crash) via a crafted web site (bsc#1088182)
– CVE-2018-4119: An unspecified issue allowed remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and
application crash) via a crafted web site (bsc#1088182)
– CVE-2018-4120: An unspecified issue allowed remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and
application crash) via a crafted web site (bsc#1088182).
– CVE-2018-4121: An unspecified issue allowed remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and
application crash) via a crafted web site (bsc#1092278).
– CVE-2018-4122: An unspecified issue allowed remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and
application crash) via a crafted web site (bsc#1088182).
– CVE-2018-4125: An unspecified issue allowed remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and
application crash) via a crafted web site (bsc#1088182).
– CVE-2018-4127: An unspecified issue allowed remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and
application crash) via a crafted web site (bsc#1088182).
– CVE-2018-4128: An unspecified issue allowed remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and
application crash) via a crafted web site (bsc#1088182).
– CVE-2018-4129: An unspecified issue allowed remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and
application crash) via a crafted web site (bsc#1088182).
– CVE-2018-4146: An unspecified issue allowed attackers to cause a denial
of service (memory corruption) via a crafted web site (bsc#1088182).
– CVE-2018-4161: An unspecified issue allowed remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and
application crash) via a crafted web site (bsc#1088182).
– CVE-2018-4162: An unspecified issue allowed remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and
application crash) via a crafted web site (bsc#1088182).
– CVE-2018-4163: An unspecified issue allowed remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and
application crash) via a crafted web site (bsc#1088182).
– CVE-2018-4165: An unspecified issue allowed remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and
application crash) via a crafted web site (bsc#1088182).
– CVE-2018-4190: An unspecified issue allowed remote attackers to obtain
sensitive credential information that is transmitted during a CSS
mask-image fetch (bsc#1097693)
– CVE-2018-4199: An unspecified issue allowed remote attackers to execute
arbitrary code or cause a denial of service (buffer overflow and
application crash) via a crafted web site (bsc#1097693)
– CVE-2018-4218: An unspecified issue allowed remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and
application crash) via a crafted web site that triggers an
@generatorState use-after-free (bsc#1097693)
– CVE-2018-4222: An unspecified issue allowed remote attackers to execute
arbitrary code via a crafted web site that leverages a
getWasmBufferFromValue
out-of-bounds read during WebAssembly compilation (bsc#1097693)
– CVE-2018-4232: An unspecified issue allowed remote attackers to
overwrite cookies via a crafted web site (bsc#1097693)
– CVE-2018-4233: An unspecified issue allowed remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and
application crash) via a crafted web site (bsc#1097693)
– CVE-2018-4246: An unspecified issue allowed remote attackers to execute
arbitrary code via a crafted web site that leverages type confusion
(bsc#1104169)
– CVE-2018-11646: webkitFaviconDatabaseSetIconForPageURL and
webkitFaviconDatabaseSetIconURLForPageURL mishandled an unset pageURL,
leading to an application crash (bsc#1095611)
– CVE-2018-4133: A Safari cross-site scripting (XSS) vulnerability allowed
remote attackers to inject arbitrary web script or HTML via a crafted
URL (bsc#1088182).
– CVE-2018-11713: The libsoup network backend of WebKit unexpectedly
failed to use system proxy settings for WebSocket connections. As a
result, users could be deanonymized by crafted web sites via a WebSocket
connection (bsc#1096060).
– CVE-2018-11712: The libsoup network backend of WebKit failed to perform
TLS certificate verification for WebSocket connections (bsc#1096061).

This update for webkit2gtk3 fixes the following issues:

– Fixed a crash when atk_object_ref_state_set is called on an AtkObject
that’s being destroyed (bsc#1088932).
– Fixed crash when using Wayland with QXL/virtio (bsc#1079512)
– Disable Gigacage if mmap fails to allocate in Linux.
– Add user agent quirk for paypal website.
– Properly detect compiler flags, needed libs, and fallbacks for usage of
64-bit atomic operations.
– Fix a network process crash when trying to get cookies of about:blank
page.
– Fix UI process crash when closing the window under Wayland.
– Fix several crashes and rendering issues.
– Do TLS error checking on GTlsConnection::accept-certificate to finish
the load earlier in case of errors.
– Properly close the connection to the nested wayland compositor in the
Web Process.
– Avoid painting backing stores for zero-opacity layers.
– Fix downloads started by context menu failing in some websites due to
missing user agent HTTP header.
– Fix video unpause when GStreamerGL is disabled.
– Fix several GObject introspection annotations.
– Update user agent quiks to fix Outlook.com and Chase.com.
– Fix several crashes and rendering issues.
– Improve error message when Gigacage cannot allocate virtual memory.
– Add missing WebKitWebProcessEnumTypes.h to webkit-web-extension.h.
– Improve web process memory monitor thresholds.
– Fix a web process crash when the web view is created and destroyed
quickly.
– Fix a network process crash when load is cancelled while searching for
stored HTTP auth credentials.
– Fix the build when ENABLE_VIDEO, ENABLE_WEB_AUDIO and ENABLE_XSLT are
disabled.
– New API to retrieve and delete cookies with WebKitCookieManager.
– New web process API to detect when form is submitted via JavaScript.
– Several improvements and fixes in the touch/gestures support.
– Support for the “system” CSS font family.
– Complex text rendering improvements and fixes.
– More complete and spec compliant WebDriver implementation.
– Ensure DNS prefetching cannot be re-enabled if disabled by settings.
– Fix seek sometimes not working.
– Fix rendering of emojis that were using the wrong scale factor in some
cases.
– Fix rendering of combining enclosed keycap.
– Fix rendering scale of some layers in HiDPI.
– Fix a crash in Wayland when closing the web view.
– Fix crashes upower crashes when running inside a chroot or on systems
with broken dbus/upower.
– Fix memory leaks in GStreamer media backend when using GStreamer 1.14.
– Fix several crashes and rendering issues.
– Add ENABLE_ADDRESS_SANITIZER to make it easier to build with asan
support.
– Fix a crash a under Wayland when using mesa software rasterization.
– Make fullscreen video work again.
– Fix handling of missing GStreamer elements.
– Fix rendering when webm video is played twice.
– Fix kinetic scrolling sometimes jumping around.
– Fix build with ICU configured without collation support.
– WebSockets use system proxy settings now (requires libsoup 2.61.90).
– Show the context menu on long-press gesture.
– Add support for Shift + mouse scroll to scroll horizontally.
– Fix zoom gesture to actually zoom instead of changing the page scale.
– Implement support for Graphics ARIA roles.
– Make sleep inhibitors work under Flatpak.
– Add get element CSS value command to WebDriver.
– Fix a crash aftter a swipe gesture.
– Fix several crashes and rendering issues.
– Fix crashes due to duplicated symbols in libjavascriptcoregtk and
libwebkit2gtk.
– Fix parsing of timeout values in WebDriver.
– Implement get timeouts command in WebDriver.
– Fix deadlock in GStreamer video sink during shutdown when accelerated
compositing is disabled.
– Fix several crashes and rendering issues.
– Add web process API to detect when form is submitted via JavaScript.
– Add new API to replace webkit_form_submission_request_get_text_fields()
that is now deprecated.
– Add WebKitWebView::web-process-terminated signal and deprecate
web-process-crashed.
– Fix rendering issues when editing text areas.
– Use FastMalloc based GstAllocator for GStreamer.
– Fix web process crash at startup in bmalloc.
– Fix several memory leaks in GStreamer media backend.
– WebKitWebDriver process no longer links to libjavascriptcoregtk.
– Fix several crashes and rendering issues.
– Add new API to add, retrieve and delete cookies via WebKitCookieManager.
– Add functions to WebSettings to convert font sizes between points and
pixels.
– Ensure cookie operations take effect when they happen before a web
process has been spawned.
– Automatically adjust font size when GtkSettings:gtk-xft-dpi changes.
– Add initial resource load statistics support.
– Add API to expose availability of certain editing commands in
WebKitEditorState.
– Add API to query whether a WebKitNavigationAction is a redirect
or not.
– Improve complex text rendering.
– Add support for the “system” CSS font family.
– Disable USE_GSTREAMER_GL

This update was imported from the SUSE:SLE-12-SP2:Update update project.

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or “zypper patch”.

Alternatively you can run the command listed for your product:

– openSUSE Leap 42.3:

zypper in -t patch openSUSE-2018-1288=1

Package List:

– openSUSE Leap 42.3 (i586 x86_64):

libjavascriptcoregtk-4_0-18-2.20.3-11.1
libjavascriptcoregtk-4_0-18-debuginfo-2.20.3-11.1
libwebkit2gtk-4_0-37-2.20.3-11.1
libwebkit2gtk-4_0-37-debuginfo-2.20.3-11.1
typelib-1_0-JavaScriptCore-4_0-2.20.3-11.1
typelib-1_0-WebKit2-4_0-2.20.3-11.1
typelib-1_0-WebKit2WebExtension-4_0-2.20.3-11.1
webkit-jsc-4-2.20.3-11.1
webkit-jsc-4-debuginfo-2.20.3-11.1
webkit2gtk-4_0-injected-bundles-2.20.3-11.1
webkit2gtk-4_0-injected-bundles-debuginfo-2.20.3-11.1
webkit2gtk3-debugsource-2.20.3-11.1
webkit2gtk3-devel-2.20.3-11.1
webkit2gtk3-plugin-process-gtk2-2.20.3-11.1
webkit2gtk3-plugin-process-gtk2-debuginfo-2.20.3-11.1

– openSUSE Leap 42.3 (noarch):

libwebkit2gtk3-lang-2.20.3-11.1

– openSUSE Leap 42.3 (x86_64):

libjavascriptcoregtk-4_0-18-32bit-2.20.3-11.1
libjavascriptcoregtk-4_0-18-debuginfo-32bit-2.20.3-11.1
libwebkit2gtk-4_0-37-32bit-2.20.3-11.1
libwebkit2gtk-4_0-37-debuginfo-32bit-2.20.3-11.1

References:

https://www.suse.com/security/cve/CVE-2017-13884.html
https://www.suse.com/security/cve/CVE-2017-13885.html
https://www.suse.com/security/cve/CVE-2017-7153.html
https://www.suse.com/security/cve/CVE-2017-7160.html
https://www.suse.com/security/cve/CVE-2017-7161.html
https://www.suse.com/security/cve/CVE-2017-7165.html
https://www.suse.com/security/cve/CVE-2018-11646.html
https://www.suse.com/security/cve/CVE-2018-11712.html
https://www.suse.com/security/cve/CVE-2018-11713.html
https://www.suse.com/security/cve/CVE-2018-12911.html
https://www.suse.com/security/cve/CVE-2018-4088.html
https://www.suse.com/security/cve/CVE-2018-4096.html
https://www.suse.com/security/cve/CVE-2018-4101.html
https://www.suse.com/security/cve/CVE-2018-4113.html
https://www.suse.com/security/cve/CVE-2018-4114.html
https://www.suse.com/security/cve/CVE-2018-4117.html
https://www.suse.com/security/cve/CVE-2018-4118.html
https://www.suse.com/security/cve/CVE-2018-4119.html
https://www.suse.com/security/cve/CVE-2018-4120.html
https://www.suse.com/security/cve/CVE-2018-4121.html
https://www.suse.com/security/cve/CVE-2018-4122.html
https://www.suse.com/security/cve/CVE-2018-4125.html
https://www.suse.com/security/cve/CVE-2018-4127.html
https://www.suse.com/security/cve/CVE-2018-4128.html
https://www.suse.com/security/cve/CVE-2018-4129.html
https://www.suse.com/security/cve/CVE-2018-4133.html
https://www.suse.com/security/cve/CVE-2018-4146.html
https://www.suse.com/security/cve/CVE-2018-4161.html
https://www.suse.com/security/cve/CVE-2018-4162.html
https://www.suse.com/security/cve/CVE-2018-4163.html
https://www.suse.com/security/cve/CVE-2018-4165.html
https://www.suse.com/security/cve/CVE-2018-4190.html
https://www.suse.com/security/cve/CVE-2018-4199.html
https://www.suse.com/security/cve/CVE-2018-4200.html
https://www.suse.com/security/cve/CVE-2018-4204.html
https://www.suse.com/security/cve/CVE-2018-4218.html
https://www.suse.com/security/cve/CVE-2018-4222.html
https://www.suse.com/security/cve/CVE-2018-4232.html
https://www.suse.com/security/cve/CVE-2018-4233.html
https://www.suse.com/security/cve/CVE-2018-4246.html
https://bugzilla.suse.com/1075775
https://bugzilla.suse.com/1077535
https://bugzilla.suse.com/1079512
https://bugzilla.suse.com/1088182
https://bugzilla.suse.com/1088932
https://bugzilla.suse.com/1092278
https://bugzilla.suse.com/1092279
https://bugzilla.suse.com/1092280
https://bugzilla.suse.com/1095611
https://bugzilla.suse.com/1096060
https://bugzilla.suse.com/1096061
https://bugzilla.suse.com/1097693
https://bugzilla.suse.com/1101999
https://bugzilla.suse.com/1102530
https://bugzilla.suse.com/1104169

—
To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security-announce+help@opensuse.org