Security update for webkit2gtk3 SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2018:2285-1 Final 1 1 2018-08-09T20:45:50Z current 2018-08-09T20:45:50Z 2018-08-09T20:45:50Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for webkit2gtk3 This update for webkit2gtk3 to version 2.20.3 fixes the following issues: These security issues were fixed: - CVE-2018-4190: An unspecified issue allowed remote attackers to obtain sensitive credential information that is transmitted during a CSS mask-image fetch (bsc#1097693). - CVE-2018-4199: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) via a crafted web site (bsc#1097693) - CVE-2018-4218: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site that triggers an @generatorState use-after-free (bsc#1097693) - CVE-2018-4222: An unspecified issue allowed remote attackers to execute arbitrary code via a crafted web site that leverages a getWasmBufferFromValue out-of-bounds read during WebAssembly compilation (bsc#1097693) - CVE-2018-4232: An unspecified issue allowed remote attackers to overwrite cookies via a crafted web site (bsc#1097693) - CVE-2018-4233: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site (bsc#1097693) - CVE-2018-11646: webkitFaviconDatabaseSetIconForPageURL and webkitFaviconDatabaseSetIconURLForPageURL mishandle an unset pageURL, leading to an application crash (bsc#1095611). These non-security issues were fixed: - Disable Gigacage if mmap fails to allocate in Linux. - Add user agent quirk for paypal website. - Fix a network process crash when trying to get cookies of about:blank page. - Fix UI process crash when closing the window under Wayland. - Fix several crashes and rendering issues. This update was imported from the SUSE:SLE-15:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) http://lists.opensuse.org/opensuse-security-announce/2018-08/msg00031.html E-Mail link for openSUSE-SU-2018:2285-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 15.0 libjavascriptcoregtk-4_0-18-2.20.3-lp150.2.3.1 libjavascriptcoregtk-4_0-18-32bit-2.20.3-lp150.2.3.1 libwebkit2gtk-4_0-37-2.20.3-lp150.2.3.1 libwebkit2gtk-4_0-37-32bit-2.20.3-lp150.2.3.1 libwebkit2gtk3-lang-2.20.3-lp150.2.3.1 typelib-1_0-JavaScriptCore-4_0-2.20.3-lp150.2.3.1 typelib-1_0-WebKit2-4_0-2.20.3-lp150.2.3.1 typelib-1_0-WebKit2WebExtension-4_0-2.20.3-lp150.2.3.1 webkit-jsc-4-2.20.3-lp150.2.3.1 webkit2gtk-4_0-injected-bundles-2.20.3-lp150.2.3.1 webkit2gtk3-2.20.3-lp150.2.3.1 webkit2gtk3-devel-2.20.3-lp150.2.3.1 webkit2gtk3-plugin-process-gtk2-2.20.3-lp150.2.3.1 libjavascriptcoregtk-4_0-18-2.20.3-lp150.2.3.1 as a component of openSUSE Leap 15.0 libjavascriptcoregtk-4_0-18-32bit-2.20.3-lp150.2.3.1 as a component of openSUSE Leap 15.0 libwebkit2gtk-4_0-37-2.20.3-lp150.2.3.1 as a component of openSUSE Leap 15.0 libwebkit2gtk-4_0-37-32bit-2.20.3-lp150.2.3.1 as a component of openSUSE Leap 15.0 libwebkit2gtk3-lang-2.20.3-lp150.2.3.1 as a component of openSUSE Leap 15.0 typelib-1_0-JavaScriptCore-4_0-2.20.3-lp150.2.3.1 as a component of openSUSE Leap 15.0 typelib-1_0-WebKit2-4_0-2.20.3-lp150.2.3.1 as a component of openSUSE Leap 15.0 typelib-1_0-WebKit2WebExtension-4_0-2.20.3-lp150.2.3.1 as a component of openSUSE Leap 15.0 webkit-jsc-4-2.20.3-lp150.2.3.1 as a component of openSUSE Leap 15.0 webkit2gtk-4_0-injected-bundles-2.20.3-lp150.2.3.1 as a component of openSUSE Leap 15.0 webkit2gtk3-2.20.3-lp150.2.3.1 as a component of openSUSE Leap 15.0 webkit2gtk3-devel-2.20.3-lp150.2.3.1 as a component of openSUSE Leap 15.0 webkit2gtk3-plugin-process-gtk2-2.20.3-lp150.2.3.1 as a component of openSUSE Leap 15.0 webkitFaviconDatabaseSetIconForPageURL and webkitFaviconDatabaseSetIconURLForPageURL in UIProcess/API/glib/WebKitFaviconDatabase.cpp in WebKit, as used in WebKitGTK+ through 2.21.3, mishandle an unset pageURL, leading to an application crash. CVE-2018-11646 openSUSE Leap 15.0:libjavascriptcoregtk-4_0-18-2.20.3-lp150.2.3.1 openSUSE Leap 15.0:libjavascriptcoregtk-4_0-18-32bit-2.20.3-lp150.2.3.1 openSUSE Leap 15.0:libwebkit2gtk-4_0-37-2.20.3-lp150.2.3.1 openSUSE Leap 15.0:libwebkit2gtk-4_0-37-32bit-2.20.3-lp150.2.3.1 openSUSE Leap 15.0:libwebkit2gtk3-lang-2.20.3-lp150.2.3.1 openSUSE Leap 15.0:typelib-1_0-JavaScriptCore-4_0-2.20.3-lp150.2.3.1 openSUSE Leap 15.0:typelib-1_0-WebKit2-4_0-2.20.3-lp150.2.3.1 openSUSE Leap 15.0:typelib-1_0-WebKit2WebExtension-4_0-2.20.3-lp150.2.3.1 openSUSE Leap 15.0:webkit-jsc-4-2.20.3-lp150.2.3.1 openSUSE Leap 15.0:webkit2gtk-4_0-injected-bundles-2.20.3-lp150.2.3.1 openSUSE Leap 15.0:webkit2gtk3-2.20.3-lp150.2.3.1 openSUSE Leap 15.0:webkit2gtk3-devel-2.20.3-lp150.2.3.1 openSUSE Leap 15.0:webkit2gtk3-plugin-process-gtk2-2.20.3-lp150.2.3.1 moderate Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2018-08/msg00031.html https://www.suse.com/security/cve/CVE-2018-11646.html CVE-2018-11646 https://bugzilla.suse.com/1095611 SUSE Bug 1095611 https://bugzilla.suse.com/1097693 SUSE Bug 1097693 An issue was discovered in certain Apple products. iOS before 11.4 is affected. Safari before 11.1.1 is affected. iCloud before 7.5 on Windows is affected. iTunes before 12.7.5 on Windows is affected. tvOS before 11.4 is affected. The issue involves the "WebKit" component. It allows remote attackers to obtain sensitive credential information that is transmitted during a CSS mask-image fetch. CVE-2018-4190 openSUSE Leap 15.0:libjavascriptcoregtk-4_0-18-2.20.3-lp150.2.3.1 openSUSE Leap 15.0:libjavascriptcoregtk-4_0-18-32bit-2.20.3-lp150.2.3.1 openSUSE Leap 15.0:libwebkit2gtk-4_0-37-2.20.3-lp150.2.3.1 openSUSE Leap 15.0:libwebkit2gtk-4_0-37-32bit-2.20.3-lp150.2.3.1 openSUSE Leap 15.0:libwebkit2gtk3-lang-2.20.3-lp150.2.3.1 openSUSE Leap 15.0:typelib-1_0-JavaScriptCore-4_0-2.20.3-lp150.2.3.1 openSUSE Leap 15.0:typelib-1_0-WebKit2-4_0-2.20.3-lp150.2.3.1 openSUSE Leap 15.0:typelib-1_0-WebKit2WebExtension-4_0-2.20.3-lp150.2.3.1 openSUSE Leap 15.0:webkit-jsc-4-2.20.3-lp150.2.3.1 openSUSE Leap 15.0:webkit2gtk-4_0-injected-bundles-2.20.3-lp150.2.3.1 openSUSE Leap 15.0:webkit2gtk3-2.20.3-lp150.2.3.1 openSUSE Leap 15.0:webkit2gtk3-devel-2.20.3-lp150.2.3.1 openSUSE Leap 15.0:webkit2gtk3-plugin-process-gtk2-2.20.3-lp150.2.3.1 important Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2018-08/msg00031.html https://www.suse.com/security/cve/CVE-2018-4190.html CVE-2018-4190 https://bugzilla.suse.com/1097693 SUSE Bug 1097693 An issue was discovered in certain Apple products. iOS before 11.4 is affected. Safari before 11.1.1 is affected. iCloud before 7.5 on Windows is affected. iTunes before 12.7.5 on Windows is affected. tvOS before 11.4 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) via a crafted web site. CVE-2018-4199 openSUSE Leap 15.0:libjavascriptcoregtk-4_0-18-2.20.3-lp150.2.3.1 openSUSE Leap 15.0:libjavascriptcoregtk-4_0-18-32bit-2.20.3-lp150.2.3.1 openSUSE Leap 15.0:libwebkit2gtk-4_0-37-2.20.3-lp150.2.3.1 openSUSE Leap 15.0:libwebkit2gtk-4_0-37-32bit-2.20.3-lp150.2.3.1 openSUSE Leap 15.0:libwebkit2gtk3-lang-2.20.3-lp150.2.3.1 openSUSE Leap 15.0:typelib-1_0-JavaScriptCore-4_0-2.20.3-lp150.2.3.1 openSUSE Leap 15.0:typelib-1_0-WebKit2-4_0-2.20.3-lp150.2.3.1 openSUSE Leap 15.0:typelib-1_0-WebKit2WebExtension-4_0-2.20.3-lp150.2.3.1 openSUSE Leap 15.0:webkit-jsc-4-2.20.3-lp150.2.3.1 openSUSE Leap 15.0:webkit2gtk-4_0-injected-bundles-2.20.3-lp150.2.3.1 openSUSE Leap 15.0:webkit2gtk3-2.20.3-lp150.2.3.1 openSUSE Leap 15.0:webkit2gtk3-devel-2.20.3-lp150.2.3.1 openSUSE Leap 15.0:webkit2gtk3-plugin-process-gtk2-2.20.3-lp150.2.3.1 important Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2018-08/msg00031.html https://www.suse.com/security/cve/CVE-2018-4199.html CVE-2018-4199 https://bugzilla.suse.com/1097693 SUSE Bug 1097693 An issue was discovered in certain Apple products. iOS before 11.4 is affected. Safari before 11.1.1 is affected. iCloud before 7.5 on Windows is affected. iTunes before 12.7.5 on Windows is affected. tvOS before 11.4 is affected. watchOS before 4.3.1 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site that triggers an @generatorState use-after-free. CVE-2018-4218 openSUSE Leap 15.0:libjavascriptcoregtk-4_0-18-2.20.3-lp150.2.3.1 openSUSE Leap 15.0:libjavascriptcoregtk-4_0-18-32bit-2.20.3-lp150.2.3.1 openSUSE Leap 15.0:libwebkit2gtk-4_0-37-2.20.3-lp150.2.3.1 openSUSE Leap 15.0:libwebkit2gtk-4_0-37-32bit-2.20.3-lp150.2.3.1 openSUSE Leap 15.0:libwebkit2gtk3-lang-2.20.3-lp150.2.3.1 openSUSE Leap 15.0:typelib-1_0-JavaScriptCore-4_0-2.20.3-lp150.2.3.1 openSUSE Leap 15.0:typelib-1_0-WebKit2-4_0-2.20.3-lp150.2.3.1 openSUSE Leap 15.0:typelib-1_0-WebKit2WebExtension-4_0-2.20.3-lp150.2.3.1 openSUSE Leap 15.0:webkit-jsc-4-2.20.3-lp150.2.3.1 openSUSE Leap 15.0:webkit2gtk-4_0-injected-bundles-2.20.3-lp150.2.3.1 openSUSE Leap 15.0:webkit2gtk3-2.20.3-lp150.2.3.1 openSUSE Leap 15.0:webkit2gtk3-devel-2.20.3-lp150.2.3.1 openSUSE Leap 15.0:webkit2gtk3-plugin-process-gtk2-2.20.3-lp150.2.3.1 moderate Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2018-08/msg00031.html https://www.suse.com/security/cve/CVE-2018-4218.html CVE-2018-4218 https://bugzilla.suse.com/1097693 SUSE Bug 1097693 An issue was discovered in certain Apple products. iOS before 11.4 is affected. Safari before 11.1.1 is affected. iCloud before 7.5 on Windows is affected. iTunes before 12.7.5 on Windows is affected. tvOS before 11.4 is affected. watchOS before 4.3.1 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code via a crafted web site that leverages a getWasmBufferFromValue out-of-bounds read during WebAssembly compilation. CVE-2018-4222 openSUSE Leap 15.0:libjavascriptcoregtk-4_0-18-2.20.3-lp150.2.3.1 openSUSE Leap 15.0:libjavascriptcoregtk-4_0-18-32bit-2.20.3-lp150.2.3.1 openSUSE Leap 15.0:libwebkit2gtk-4_0-37-2.20.3-lp150.2.3.1 openSUSE Leap 15.0:libwebkit2gtk-4_0-37-32bit-2.20.3-lp150.2.3.1 openSUSE Leap 15.0:libwebkit2gtk3-lang-2.20.3-lp150.2.3.1 openSUSE Leap 15.0:typelib-1_0-JavaScriptCore-4_0-2.20.3-lp150.2.3.1 openSUSE Leap 15.0:typelib-1_0-WebKit2-4_0-2.20.3-lp150.2.3.1 openSUSE Leap 15.0:typelib-1_0-WebKit2WebExtension-4_0-2.20.3-lp150.2.3.1 openSUSE Leap 15.0:webkit-jsc-4-2.20.3-lp150.2.3.1 openSUSE Leap 15.0:webkit2gtk-4_0-injected-bundles-2.20.3-lp150.2.3.1 openSUSE Leap 15.0:webkit2gtk3-2.20.3-lp150.2.3.1 openSUSE Leap 15.0:webkit2gtk3-devel-2.20.3-lp150.2.3.1 openSUSE Leap 15.0:webkit2gtk3-plugin-process-gtk2-2.20.3-lp150.2.3.1 moderate Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2018-08/msg00031.html https://www.suse.com/security/cve/CVE-2018-4222.html CVE-2018-4222 https://bugzilla.suse.com/1097693 SUSE Bug 1097693 An issue was discovered in certain Apple products. iOS before 11.4 is affected. Safari before 11.1.1 is affected. iCloud before 7.5 on Windows is affected. iTunes before 12.7.5 on Windows is affected. tvOS before 11.4 is affected. The issue involves the "WebKit" component. It allows remote attackers to overwrite cookies via a crafted web site. CVE-2018-4232 openSUSE Leap 15.0:libjavascriptcoregtk-4_0-18-2.20.3-lp150.2.3.1 openSUSE Leap 15.0:libjavascriptcoregtk-4_0-18-32bit-2.20.3-lp150.2.3.1 openSUSE Leap 15.0:libwebkit2gtk-4_0-37-2.20.3-lp150.2.3.1 openSUSE Leap 15.0:libwebkit2gtk-4_0-37-32bit-2.20.3-lp150.2.3.1 openSUSE Leap 15.0:libwebkit2gtk3-lang-2.20.3-lp150.2.3.1 openSUSE Leap 15.0:typelib-1_0-JavaScriptCore-4_0-2.20.3-lp150.2.3.1 openSUSE Leap 15.0:typelib-1_0-WebKit2-4_0-2.20.3-lp150.2.3.1 openSUSE Leap 15.0:typelib-1_0-WebKit2WebExtension-4_0-2.20.3-lp150.2.3.1 openSUSE Leap 15.0:webkit-jsc-4-2.20.3-lp150.2.3.1 openSUSE Leap 15.0:webkit2gtk-4_0-injected-bundles-2.20.3-lp150.2.3.1 openSUSE Leap 15.0:webkit2gtk3-2.20.3-lp150.2.3.1 openSUSE Leap 15.0:webkit2gtk3-devel-2.20.3-lp150.2.3.1 openSUSE Leap 15.0:webkit2gtk3-plugin-process-gtk2-2.20.3-lp150.2.3.1 moderate Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2018-08/msg00031.html https://www.suse.com/security/cve/CVE-2018-4232.html CVE-2018-4232 https://bugzilla.suse.com/1097693 SUSE Bug 1097693 An issue was discovered in certain Apple products. iOS before 11.4 is affected. Safari before 11.1.1 is affected. iCloud before 7.5 on Windows is affected. iTunes before 12.7.5 on Windows is affected. tvOS before 11.4 is affected. watchOS before 4.3.1 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site. CVE-2018-4233 openSUSE Leap 15.0:libjavascriptcoregtk-4_0-18-2.20.3-lp150.2.3.1 openSUSE Leap 15.0:libjavascriptcoregtk-4_0-18-32bit-2.20.3-lp150.2.3.1 openSUSE Leap 15.0:libwebkit2gtk-4_0-37-2.20.3-lp150.2.3.1 openSUSE Leap 15.0:libwebkit2gtk-4_0-37-32bit-2.20.3-lp150.2.3.1 openSUSE Leap 15.0:libwebkit2gtk3-lang-2.20.3-lp150.2.3.1 openSUSE Leap 15.0:typelib-1_0-JavaScriptCore-4_0-2.20.3-lp150.2.3.1 openSUSE Leap 15.0:typelib-1_0-WebKit2-4_0-2.20.3-lp150.2.3.1 openSUSE Leap 15.0:typelib-1_0-WebKit2WebExtension-4_0-2.20.3-lp150.2.3.1 openSUSE Leap 15.0:webkit-jsc-4-2.20.3-lp150.2.3.1 openSUSE Leap 15.0:webkit2gtk-4_0-injected-bundles-2.20.3-lp150.2.3.1 openSUSE Leap 15.0:webkit2gtk3-2.20.3-lp150.2.3.1 openSUSE Leap 15.0:webkit2gtk3-devel-2.20.3-lp150.2.3.1 openSUSE Leap 15.0:webkit2gtk3-plugin-process-gtk2-2.20.3-lp150.2.3.1 moderate Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2018-08/msg00031.html https://www.suse.com/security/cve/CVE-2018-4233.html CVE-2018-4233 https://bugzilla.suse.com/1097693 SUSE Bug 1097693