Overview

File _patchinfo of Package patchinfo.7831

<patchinfo incident="7831">
  <issue id="1095611" tracker="bnc">VUL-0: CVE-2018-11646: webkit2gtk3: unset pageURL leads to an application crash</issue>
  <issue id="1097693" tracker="bnc">VUL-0: webkit2gtk3: multiple security issues WSA-2018-0005</issue>
  <issue id="2018-11646" tracker="cve" />
  <issue id="2018-4190" tracker="cve" />
  <issue id="2018-4199" tracker="cve" />
  <issue id="2018-4218" tracker="cve" />
  <issue id="2018-4222" tracker="cve" />
  <issue id="2018-4232" tracker="cve" />
  <issue id="2018-4233" tracker="cve" />
  <category>security</category>
  <rating>moderate</rating>
  <packager>mgorse</packager>
  <description>This update for webkit2gtk3 to version 2.20.3 fixes the following issues:

These security issues were fixed:

- CVE-2018-4190: An unspecified issue allowed remote attackers to obtain
  sensitive credential information that is transmitted during a CSS mask-image
  fetch (bsc#1097693).
- CVE-2018-4199: An unspecified issue allowed remote attackers to execute
  arbitrary code or cause a denial of service (buffer overflow and application
  crash) via a crafted web site (bsc#1097693) 
- CVE-2018-4218: An unspecified issue allowed remote attackers to execute
  arbitrary code or cause a denial of service (memory corruption and application
  crash) via a crafted web site that triggers an @generatorState use-after-free
  (bsc#1097693) 
- CVE-2018-4222: An unspecified issue allowed remote attackers to execute
  arbitrary code via a crafted web site that leverages a getWasmBufferFromValue
  out-of-bounds read during WebAssembly compilation (bsc#1097693) 
- CVE-2018-4232: An unspecified issue allowed remote attackers to overwrite
  cookies via a crafted web site (bsc#1097693) 
- CVE-2018-4233: An unspecified issue allowed remote attackers to execute
  arbitrary code or cause a denial of service (memory corruption and application
  crash) via a crafted web site (bsc#1097693) 
- CVE-2018-11646: webkitFaviconDatabaseSetIconForPageURL and
  webkitFaviconDatabaseSetIconURLForPageURL mishandle an unset pageURL, leading
  to an application crash (bsc#1095611).

These non-security issues were fixed:

- Disable Gigacage if mmap fails to allocate in Linux.
- Add user agent quirk for paypal website.
- Fix a network process crash when trying to get cookies of about:blank page.
- Fix UI process crash when closing the window under Wayland.
- Fix several crashes and rendering issues.
  </description>
  <summary>Security update for webkit2gtk3</summary>
</patchinfo>
openSUSE Build Service is sponsored by
Places