Gentoo Archives: gentoo-announce

From: Aaron Bauman <bman@g.o>
To: gentoo-announce@l.g.o
Subject: [gentoo-announce] [ GLSA 201801-09 ] WebkitGTK+: Multiple vulnerabilities
Date: Mon, 08 Jan 2018 00:00:28
Message-Id: 2888654.iBRd33jdSF@localhost.localdomain
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 201801-09
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
    Title: WebkitGTK+: Multiple vulnerabilities
     Date: January 07, 2018
     Bugs: #641752
       ID: 201801-09

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in WebKitGTK+, the worst of
which may lead to arbitrary code execution.

Background
==========

WebKitGTK+ is a full-featured port of the WebKit rendering engine.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  net-libs/webkit-gtk        < 2.18.4:4                 >= 2.18.4:4

Description
===========

Multiple vulnerabilities have been discovered in WebKitGTK+. Please
review the referenced CVE Identifiers for details.

Impact
======

An attacker, by enticing a user to visit maliciously crafted web
content, may be able to execute arbitrary code or cause memory
corruption.

Workaround
==========

There are no known workarounds at this time.

Resolution
==========

All WebKitGTK+ users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-libs/webkit-gtk-2.18.4:4"

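To check an inventory against the range in the "Affected packages" table before or after upgrading, the following added example (not part of the GLSA or of Portage) classifies package atoms. It assumes atoms are written as category/name-version[-rN]:slot; the function names and the sample inventory are constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of the GLSA): classify package atoms against the
# "Affected packages" range of GLSA 201801-09.
# Assumption: each atom is written as category/name-version[-rN]:slot.

PACKAGE="net-libs/webkit-gtk"
FIXED_VERSION="2.18.4"   # advisory: >= 2.18.4:4 is unaffected
AFFECTED_SLOT="4"        # advisory range is limited to slot 4

# version_lt A B: true when A orders strictly before B. GNU "sort -V" is an
# approximation of Portage ordering, adequate for plain dotted versions.
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# glsa_status ATOM: prints vulnerable, unaffected, or not-covered.
glsa_status() {
    atom=$1
    case $atom in
        "$PACKAGE"-[0-9]*:*) ;;
        *) echo "not-covered"; return 0 ;;
    esac
    slot=${atom##*:}
    slot=${slot%%/*}            # drop a sub-slot such as 4/37
    ver=${atom#"$PACKAGE"-}
    ver=${ver%%:*}
    ver=${ver%-r[0-9]*}         # a -rN revision never lowers the version
    if [ "$slot" != "$AFFECTED_SLOT" ]; then
        echo "not-covered"      # other slots are outside this advisory
    elif version_lt "$ver" "$FIXED_VERSION"; then
        echo "vulnerable"
    else
        echo "unaffected"
    fi
}

# Constructed sample inventory, not taken from a real host.
for a in net-libs/webkit-gtk-2.18.3:4 net-libs/webkit-gtk-2.8.5-r1:4 \
         net-libs/webkit-gtk-2.18.4-r1:4 net-libs/webkit-gtk-2.4.11-r1:3; do
    printf '%-36s %s\n' "$a" "$(glsa_status "$a")"
done
```

A "not-covered" result means only that this advisory's range does not apply to that atom, not that the package is free of other issues.
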
References
==========

[ 1 ] CVE-2017-13856
      https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-13856
[ 2 ] CVE-2017-13866
      https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-13866
[ 3 ] CVE-2017-13870
      https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-13870
[ 4 ] CVE-2017-7156
      https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7156
[ 5 ] CVE-2017-7157
      https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7157

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201801-09

Concerns?
=========

Attachments

File name MIME type
signature.asc application/pgp-signature