Bug 1161719 - VUL-0: CVE-2019-8835, CVE-2019-8844, CVE-2019-8846: webkitgtk, webkit2gtk3: Security Advisory WSA-2020-0001
VUL-0: CVE-2019-8835, CVE-2019-8844, CVE-2019-8846: webkitgtk, webkit2gtk3: S...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/251595/
CVSSv3.1:SUSE:CVE-2019-8835:7.1:(AV:...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2020-01-23 17:42 UTC by Wolfgang Frisch
Modified: 2020-06-30 07:45 UTC (History)
2 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Wolfgang Frisch 2020-01-23 17:42:08 UTC
Via oss-security:

------------------------------------------------------------------------
WebKitGTK and WPE WebKit Security Advisory                 WSA-2020-0001
------------------------------------------------------------------------

Date reported           : January 23, 2020
Advisory ID             : WSA-2020-0001
WebKitGTK Advisory URL  : https://webkitgtk.org/security/WSA-2020-0001.html
WPE WebKit Advisory URL : https://wpewebkit.org/security/WSA-2020-0001.html
CVE identifiers         : CVE-2019-8835, CVE-2019-8844, CVE-2019-8846.

Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.

CVE-2019-8835
    Versions affected: WebKitGTK before 2.26.3 and WPE WebKit before
    2.26.3.
    Credit to Anonymous working with Trend Micro's Zero Day Initiative,
    Mike Zhang of Pangu Team.
    Impact: Processing maliciously crafted web content may lead to
    arbitrary code execution. Description: Multiple memory corruption
    issues were addressed with improved memory handling.

CVE-2019-8844
    Versions affected: WebKitGTK before 2.26.3 and WPE WebKit before
    2.26.3.
    Credit to William Bowling (@wcbowling).
    Impact: Processing maliciously crafted web content may lead to
    arbitrary code execution. Description: Multiple memory corruption
    issues were addressed with improved memory handling.

CVE-2019-8846
    Versions affected: WebKitGTK before 2.26.3 and WPE WebKit before
    2.26.3.
    Credit to Marcin Towalski of Cisco Talos.
    Impact: Processing maliciously crafted web content may lead to
    arbitrary code execution. Description: A use after free issue was
    addressed with improved memory management.
Comment 3 Swamp Workflow Management 2020-02-25 14:22:34 UTC
SUSE-SU-2020:0468-1: An update that fixes 8 vulnerabilities is now available.

Category: security (important)
Bug References: 1159329,1161719,1163809
CVE References: CVE-2019-8835,CVE-2019-8844,CVE-2019-8846,CVE-2020-3862,CVE-2020-3864,CVE-2020-3865,CVE-2020-3867,CVE-2020-3868
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src):    webkit2gtk3-2.26.4-3.43.1
SUSE Linux Enterprise Server 15-LTSS (src):    webkit2gtk3-2.26.4-3.43.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    webkit2gtk3-2.26.4-3.43.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    webkit2gtk3-2.26.4-3.43.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (src):    webkit2gtk3-2.26.4-3.43.1
SUSE Linux Enterprise Module for Desktop Applications 15 (src):    webkit2gtk3-2.26.4-3.43.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    webkit2gtk3-2.26.4-3.43.1
SUSE Linux Enterprise Module for Basesystem 15 (src):    webkit2gtk3-2.26.4-3.43.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    webkit2gtk3-2.26.4-3.43.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    webkit2gtk3-2.26.4-3.43.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 4 Swamp Workflow Management 2020-03-02 05:11:54 UTC
openSUSE-SU-2020:0278-1: An update that fixes 8 vulnerabilities is now available.

Category: security (important)
Bug References: 1159329,1161719,1163809
CVE References: CVE-2019-8835,CVE-2019-8844,CVE-2019-8846,CVE-2020-3862,CVE-2020-3864,CVE-2020-3865,CVE-2020-3867,CVE-2020-3868
Sources used:
openSUSE Leap 15.1 (src):    webkit2gtk3-2.26.4-lp151.2.12.1
Comment 7 Swamp Workflow Management 2020-04-29 10:17:33 UTC
SUSE-SU-2020:1135-1: An update that fixes 30 vulnerabilities is now available.

Category: security (important)
Bug References: 1155321,1156318,1159329,1161719,1163809,1165528,1169658
CVE References: CVE-2019-8625,CVE-2019-8710,CVE-2019-8720,CVE-2019-8743,CVE-2019-8764,CVE-2019-8766,CVE-2019-8769,CVE-2019-8771,CVE-2019-8782,CVE-2019-8783,CVE-2019-8808,CVE-2019-8811,CVE-2019-8812,CVE-2019-8813,CVE-2019-8814,CVE-2019-8815,CVE-2019-8816,CVE-2019-8819,CVE-2019-8820,CVE-2019-8823,CVE-2019-8835,CVE-2019-8844,CVE-2019-8846,CVE-2020-10018,CVE-2020-11793,CVE-2020-3862,CVE-2020-3864,CVE-2020-3865,CVE-2020-3867,CVE-2020-3868
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    webkit2gtk3-2.28.1-2.50.3
SUSE OpenStack Cloud 8 (src):    webkit2gtk3-2.28.1-2.50.3
SUSE OpenStack Cloud 7 (src):    webkit2gtk3-2.28.1-2.50.3
SUSE Linux Enterprise Workstation Extension 12-SP4 (src):    webkit2gtk3-2.28.1-2.50.3
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    webkit2gtk3-2.28.1-2.50.3
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    webkit2gtk3-2.28.1-2.50.3
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    webkit2gtk3-2.28.1-2.50.3
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    webkit2gtk3-2.28.1-2.50.3
SUSE Linux Enterprise Server 12-SP5 (src):    webkit2gtk3-2.28.1-2.50.3
SUSE Linux Enterprise Server 12-SP4 (src):    webkit2gtk3-2.28.1-2.50.3
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    webkit2gtk3-2.28.1-2.50.3
SUSE Linux Enterprise Server 12-SP3-BCL (src):    webkit2gtk3-2.28.1-2.50.3
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    webkit2gtk3-2.28.1-2.50.3
SUSE Linux Enterprise Server 12-SP2-BCL (src):    webkit2gtk3-2.28.1-2.50.3
SUSE Enterprise Storage 5 (src):    webkit2gtk3-2.28.1-2.50.3
HPE Helion Openstack 8 (src):    webkit2gtk3-2.28.1-2.50.3

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Alexandros Toptsoglou 2020-06-30 07:45:58 UTC
Done