Security update for webkit2gtk3 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2018:2075-1 Final 1 1 2018-07-26T14:34:55Z current 2018-07-26T14:34:55Z 2018-07-26T14:34:55Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for webkit2gtk3 This update for webkit2gtk3 to version 2.20.3 fixes the following issues: These security issues were fixed: - CVE-2018-4190: An unspecified issue allowed remote attackers to obtain sensitive credential information that is transmitted during a CSS mask-image fetch (bsc#1097693). - CVE-2018-4199: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) via a crafted web site (bsc#1097693) - CVE-2018-4218: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site that triggers an @generatorState use-after-free (bsc#1097693) - CVE-2018-4222: An unspecified issue allowed remote attackers to execute arbitrary code via a crafted web site that leverages a getWasmBufferFromValue out-of-bounds read during WebAssembly compilation (bsc#1097693) - CVE-2018-4232: An unspecified issue allowed remote attackers to overwrite cookies via a crafted web site (bsc#1097693) - CVE-2018-4233: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site (bsc#1097693) - CVE-2018-11646: webkitFaviconDatabaseSetIconForPageURL and webkitFaviconDatabaseSetIconURLForPageURL mishandle an unset pageURL, leading to an application crash (bsc#1095611). These non-security issues were fixed: - Disable Gigacage if mmap fails to allocate in Linux. - Add user agent quirk for paypal website. - Fix a network process crash when trying to get cookies of about:blank page. - Fix UI process crash when closing the window under Wayland. - Fix several crashes and rendering issues. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-SLE-Module-Basesystem-15-2018-1401,SUSE-SLE-Module-Desktop-Applications-15-2018-1401 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2018/suse-su-20182075-1/ Link for SUSE-SU-2018:2075-1 https://lists.suse.com/pipermail/sle-security-updates/2018-July/004321.html E-Mail link for SUSE-SU-2018:2075-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1095611 SUSE Bug 1095611 https://bugzilla.suse.com/1097693 SUSE Bug 1097693 https://www.suse.com/security/cve/CVE-2018-11646/ SUSE CVE CVE-2018-11646 page https://www.suse.com/security/cve/CVE-2018-4190/ SUSE CVE CVE-2018-4190 page https://www.suse.com/security/cve/CVE-2018-4199/ SUSE CVE CVE-2018-4199 page https://www.suse.com/security/cve/CVE-2018-4218/ SUSE CVE CVE-2018-4218 page https://www.suse.com/security/cve/CVE-2018-4222/ SUSE CVE CVE-2018-4222 page https://www.suse.com/security/cve/CVE-2018-4232/ SUSE CVE CVE-2018-4232 page https://www.suse.com/security/cve/CVE-2018-4233/ SUSE CVE CVE-2018-4233 page SUSE Linux Enterprise Module for Basesystem 15 SUSE Linux Enterprise Module for Desktop Applications 15 libjavascriptcoregtk-4_0-18-2.20.3-3.3.1 libwebkit2gtk-4_0-37-2.20.3-3.3.1 libwebkit2gtk3-lang-2.20.3-3.3.1 webkit2gtk-4_0-injected-bundles-2.20.3-3.3.1 typelib-1_0-JavaScriptCore-4_0-2.20.3-3.3.1 typelib-1_0-WebKit2-4_0-2.20.3-3.3.1 typelib-1_0-WebKit2WebExtension-4_0-2.20.3-3.3.1 webkit2gtk3-devel-2.20.3-3.3.1 libjavascriptcoregtk-4_0-18-2.20.3-3.3.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 libwebkit2gtk-4_0-37-2.20.3-3.3.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 libwebkit2gtk3-lang-2.20.3-3.3.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 webkit2gtk-4_0-injected-bundles-2.20.3-3.3.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 typelib-1_0-JavaScriptCore-4_0-2.20.3-3.3.1 as a component of SUSE Linux Enterprise Module for Desktop Applications 15 typelib-1_0-WebKit2-4_0-2.20.3-3.3.1 as a component of SUSE Linux Enterprise Module for Desktop Applications 15 typelib-1_0-WebKit2WebExtension-4_0-2.20.3-3.3.1 as a component of SUSE Linux Enterprise Module for Desktop Applications 15 webkit2gtk3-devel-2.20.3-3.3.1 as a component of SUSE Linux Enterprise Module for Desktop Applications 15 webkitFaviconDatabaseSetIconForPageURL and webkitFaviconDatabaseSetIconURLForPageURL in UIProcess/API/glib/WebKitFaviconDatabase.cpp in WebKit, as used in WebKitGTK+ through 2.21.3, mishandle an unset pageURL, leading to an application crash. CVE-2018-11646 SUSE Linux Enterprise Module for Basesystem 15:libjavascriptcoregtk-4_0-18-2.20.3-3.3.1 SUSE Linux Enterprise Module for Basesystem 15:libwebkit2gtk-4_0-37-2.20.3-3.3.1 SUSE Linux Enterprise Module for Basesystem 15:libwebkit2gtk3-lang-2.20.3-3.3.1 SUSE Linux Enterprise Module for Basesystem 15:webkit2gtk-4_0-injected-bundles-2.20.3-3.3.1 SUSE Linux Enterprise Module for Desktop Applications 15:typelib-1_0-JavaScriptCore-4_0-2.20.3-3.3.1 SUSE Linux Enterprise Module for Desktop Applications 15:typelib-1_0-WebKit2-4_0-2.20.3-3.3.1 SUSE Linux Enterprise Module for Desktop Applications 15:typelib-1_0-WebKit2WebExtension-4_0-2.20.3-3.3.1 SUSE Linux Enterprise Module for Desktop Applications 15:webkit2gtk3-devel-2.20.3-3.3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2018/suse-su-20182075-1/ https://www.suse.com/security/cve/CVE-2018-11646.html CVE-2018-11646 https://bugzilla.suse.com/1095611 SUSE Bug 1095611 https://bugzilla.suse.com/1097693 SUSE Bug 1097693 An issue was discovered in certain Apple products. iOS before 11.4 is affected. Safari before 11.1.1 is affected. iCloud before 7.5 on Windows is affected. iTunes before 12.7.5 on Windows is affected. tvOS before 11.4 is affected. The issue involves the "WebKit" component. It allows remote attackers to obtain sensitive credential information that is transmitted during a CSS mask-image fetch. CVE-2018-4190 SUSE Linux Enterprise Module for Basesystem 15:libjavascriptcoregtk-4_0-18-2.20.3-3.3.1 SUSE Linux Enterprise Module for Basesystem 15:libwebkit2gtk-4_0-37-2.20.3-3.3.1 SUSE Linux Enterprise Module for Basesystem 15:libwebkit2gtk3-lang-2.20.3-3.3.1 SUSE Linux Enterprise Module for Basesystem 15:webkit2gtk-4_0-injected-bundles-2.20.3-3.3.1 SUSE Linux Enterprise Module for Desktop Applications 15:typelib-1_0-JavaScriptCore-4_0-2.20.3-3.3.1 SUSE Linux Enterprise Module for Desktop Applications 15:typelib-1_0-WebKit2-4_0-2.20.3-3.3.1 SUSE Linux Enterprise Module for Desktop Applications 15:typelib-1_0-WebKit2WebExtension-4_0-2.20.3-3.3.1 SUSE Linux Enterprise Module for Desktop Applications 15:webkit2gtk3-devel-2.20.3-3.3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2018/suse-su-20182075-1/ https://www.suse.com/security/cve/CVE-2018-4190.html CVE-2018-4190 https://bugzilla.suse.com/1097693 SUSE Bug 1097693 An issue was discovered in certain Apple products. iOS before 11.4 is affected. Safari before 11.1.1 is affected. iCloud before 7.5 on Windows is affected. iTunes before 12.7.5 on Windows is affected. tvOS before 11.4 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) via a crafted web site. CVE-2018-4199 SUSE Linux Enterprise Module for Basesystem 15:libjavascriptcoregtk-4_0-18-2.20.3-3.3.1 SUSE Linux Enterprise Module for Basesystem 15:libwebkit2gtk-4_0-37-2.20.3-3.3.1 SUSE Linux Enterprise Module for Basesystem 15:libwebkit2gtk3-lang-2.20.3-3.3.1 SUSE Linux Enterprise Module for Basesystem 15:webkit2gtk-4_0-injected-bundles-2.20.3-3.3.1 SUSE Linux Enterprise Module for Desktop Applications 15:typelib-1_0-JavaScriptCore-4_0-2.20.3-3.3.1 SUSE Linux Enterprise Module for Desktop Applications 15:typelib-1_0-WebKit2-4_0-2.20.3-3.3.1 SUSE Linux Enterprise Module for Desktop Applications 15:typelib-1_0-WebKit2WebExtension-4_0-2.20.3-3.3.1 SUSE Linux Enterprise Module for Desktop Applications 15:webkit2gtk3-devel-2.20.3-3.3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2018/suse-su-20182075-1/ https://www.suse.com/security/cve/CVE-2018-4199.html CVE-2018-4199 https://bugzilla.suse.com/1097693 SUSE Bug 1097693 An issue was discovered in certain Apple products. iOS before 11.4 is affected. Safari before 11.1.1 is affected. iCloud before 7.5 on Windows is affected. iTunes before 12.7.5 on Windows is affected. tvOS before 11.4 is affected. watchOS before 4.3.1 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site that triggers an @generatorState use-after-free. CVE-2018-4218 SUSE Linux Enterprise Module for Basesystem 15:libjavascriptcoregtk-4_0-18-2.20.3-3.3.1 SUSE Linux Enterprise Module for Basesystem 15:libwebkit2gtk-4_0-37-2.20.3-3.3.1 SUSE Linux Enterprise Module for Basesystem 15:libwebkit2gtk3-lang-2.20.3-3.3.1 SUSE Linux Enterprise Module for Basesystem 15:webkit2gtk-4_0-injected-bundles-2.20.3-3.3.1 SUSE Linux Enterprise Module for Desktop Applications 15:typelib-1_0-JavaScriptCore-4_0-2.20.3-3.3.1 SUSE Linux Enterprise Module for Desktop Applications 15:typelib-1_0-WebKit2-4_0-2.20.3-3.3.1 SUSE Linux Enterprise Module for Desktop Applications 15:typelib-1_0-WebKit2WebExtension-4_0-2.20.3-3.3.1 SUSE Linux Enterprise Module for Desktop Applications 15:webkit2gtk3-devel-2.20.3-3.3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2018/suse-su-20182075-1/ https://www.suse.com/security/cve/CVE-2018-4218.html CVE-2018-4218 https://bugzilla.suse.com/1097693 SUSE Bug 1097693 An issue was discovered in certain Apple products. iOS before 11.4 is affected. Safari before 11.1.1 is affected. iCloud before 7.5 on Windows is affected. iTunes before 12.7.5 on Windows is affected. tvOS before 11.4 is affected. watchOS before 4.3.1 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code via a crafted web site that leverages a getWasmBufferFromValue out-of-bounds read during WebAssembly compilation. CVE-2018-4222 SUSE Linux Enterprise Module for Basesystem 15:libjavascriptcoregtk-4_0-18-2.20.3-3.3.1 SUSE Linux Enterprise Module for Basesystem 15:libwebkit2gtk-4_0-37-2.20.3-3.3.1 SUSE Linux Enterprise Module for Basesystem 15:libwebkit2gtk3-lang-2.20.3-3.3.1 SUSE Linux Enterprise Module for Basesystem 15:webkit2gtk-4_0-injected-bundles-2.20.3-3.3.1 SUSE Linux Enterprise Module for Desktop Applications 15:typelib-1_0-JavaScriptCore-4_0-2.20.3-3.3.1 SUSE Linux Enterprise Module for Desktop Applications 15:typelib-1_0-WebKit2-4_0-2.20.3-3.3.1 SUSE Linux Enterprise Module for Desktop Applications 15:typelib-1_0-WebKit2WebExtension-4_0-2.20.3-3.3.1 SUSE Linux Enterprise Module for Desktop Applications 15:webkit2gtk3-devel-2.20.3-3.3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2018/suse-su-20182075-1/ https://www.suse.com/security/cve/CVE-2018-4222.html CVE-2018-4222 https://bugzilla.suse.com/1097693 SUSE Bug 1097693 An issue was discovered in certain Apple products. iOS before 11.4 is affected. Safari before 11.1.1 is affected. iCloud before 7.5 on Windows is affected. iTunes before 12.7.5 on Windows is affected. tvOS before 11.4 is affected. The issue involves the "WebKit" component. It allows remote attackers to overwrite cookies via a crafted web site. CVE-2018-4232 SUSE Linux Enterprise Module for Basesystem 15:libjavascriptcoregtk-4_0-18-2.20.3-3.3.1 SUSE Linux Enterprise Module for Basesystem 15:libwebkit2gtk-4_0-37-2.20.3-3.3.1 SUSE Linux Enterprise Module for Basesystem 15:libwebkit2gtk3-lang-2.20.3-3.3.1 SUSE Linux Enterprise Module for Basesystem 15:webkit2gtk-4_0-injected-bundles-2.20.3-3.3.1 SUSE Linux Enterprise Module for Desktop Applications 15:typelib-1_0-JavaScriptCore-4_0-2.20.3-3.3.1 SUSE Linux Enterprise Module for Desktop Applications 15:typelib-1_0-WebKit2-4_0-2.20.3-3.3.1 SUSE Linux Enterprise Module for Desktop Applications 15:typelib-1_0-WebKit2WebExtension-4_0-2.20.3-3.3.1 SUSE Linux Enterprise Module for Desktop Applications 15:webkit2gtk3-devel-2.20.3-3.3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2018/suse-su-20182075-1/ https://www.suse.com/security/cve/CVE-2018-4232.html CVE-2018-4232 https://bugzilla.suse.com/1097693 SUSE Bug 1097693 An issue was discovered in certain Apple products. iOS before 11.4 is affected. Safari before 11.1.1 is affected. iCloud before 7.5 on Windows is affected. iTunes before 12.7.5 on Windows is affected. tvOS before 11.4 is affected. watchOS before 4.3.1 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site. CVE-2018-4233 SUSE Linux Enterprise Module for Basesystem 15:libjavascriptcoregtk-4_0-18-2.20.3-3.3.1 SUSE Linux Enterprise Module for Basesystem 15:libwebkit2gtk-4_0-37-2.20.3-3.3.1 SUSE Linux Enterprise Module for Basesystem 15:libwebkit2gtk3-lang-2.20.3-3.3.1 SUSE Linux Enterprise Module for Basesystem 15:webkit2gtk-4_0-injected-bundles-2.20.3-3.3.1 SUSE Linux Enterprise Module for Desktop Applications 15:typelib-1_0-JavaScriptCore-4_0-2.20.3-3.3.1 SUSE Linux Enterprise Module for Desktop Applications 15:typelib-1_0-WebKit2-4_0-2.20.3-3.3.1 SUSE Linux Enterprise Module for Desktop Applications 15:typelib-1_0-WebKit2WebExtension-4_0-2.20.3-3.3.1 SUSE Linux Enterprise Module for Desktop Applications 15:webkit2gtk3-devel-2.20.3-3.3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2018/suse-su-20182075-1/ https://www.suse.com/security/cve/CVE-2018-4233.html CVE-2018-4233 https://bugzilla.suse.com/1097693 SUSE Bug 1097693