Bug 879607 - (CVE-2013-2875) VUL-0: webkit: tracker-bug for multiple CVEs
VUL-0: webkit: tracker-bug for multiple CVEs
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Federico Mena Quintero
Security Team bot
Depends on: 1069669
  Show dependency treegraph
Reported: 2014-05-23 08:44 UTC by Johannes Segitz
Modified: 2019-07-24 06:54 UTC (History)
2 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Johannes Segitz 2014-05-23 08:44:54 UTC
Safari 6.1.4 and Safari 7.0.4 are now available and address the

Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.3
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in WebKit. These issues were addressed through improved memory handling.
- CVE-2013-2875 : miaubiz
- CVE-2013-2927 : cloudfuzzer
- CVE-2014-1323 : banty
- CVE-2014-1324 : Google Chrome Security Team
- CVE-2014-1326 : Apple
- CVE-2014-1327 : Google Chrome Security Team, Apple
- CVE-2014-1329 : Google Chrome Security Team
- CVE-2014-1330 : Google Chrome Security Team
- CVE-2014-1331 : cloudfuzzer
- CVE-2014-1333 : Google Chrome Security Team
- CVE-2014-1334 : Apple
- CVE-2014-1335 : Google Chrome Security Team
- CVE-2014-1336 : Apple
- CVE-2014-1337 : Apple
- CVE-2014-1338 : Google Chrome Security Team
- CVE-2014-1339 : Atte Kettunen of OUSPG
- CVE-2014-1341 : Google Chrome Security Team
- CVE-2014-1342 : Apple
- CVE-2014-1343 : Google Chrome Security Team
- CVE-2014-1344 : Ian Beer of Google Project Zero
- CVE-2014-1731 : an anonymous member of the Blink development community

Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.3
Impact: A malicious site can send messages to a connected frame or window in a way that might circumvent the receiver's origin check
Description: An encoding issue existed in the handling of unicode characters in URLs. A maliciously crafted URL could have led to sending an incorrect postMessage origin. This issue was addressed through improved encoding/decoding.
- CVE-2014-1346 : Erling Ellingsen of Facebook
Comment 1 Mu Lei 2014-05-23 11:28:26 UTC
This is duplicated with bnc#871792, no?
Comment 2 Johannes Segitz 2014-05-23 11:50:09 UTC
no, those are the issues discovered and fixed since then. They look similar but don't share CVEs.
Comment 3 Swamp Workflow Management 2014-05-23 22:00:12 UTC
bugbot adjusting priority
Comment 4 Swamp Workflow Management 2014-06-05 12:44:56 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2014-06-19.
When done, reassign the bug to security-team@suse.de.
Comment 5 SMASH SMASH 2014-06-05 12:45:19 UTC
Affected packages:

SLE-11-SP3: webkit-sharp, libwebkit, libQtWebKit-devel
Comment 19 Federico Mena Quintero 2015-01-17 02:08:58 UTC
OK, these are fixed in webkitgtk-2.4.8.  I'm making a package right now.
Comment 20 Federico Mena Quintero 2015-01-23 21:57:46 UTC
I've submitted webkitgtk 2.4.8 to SUSE:SLE-11:Update, with id 49176.  This is the same package that is now in GNOME:Factory (openSUSE:Factory).
Comment 22 Swamp Workflow Management 2015-04-08 16:05:29 UTC
SUSE-SU-2015:0688-1: An update that fixes 9 vulnerabilities is now available.

Category: security (moderate)
Bug References: 866728,871792,879607,883026
CVE References: CVE-2014-1344,CVE-2014-1384,CVE-2014-1385,CVE-2014-1386,CVE-2014-1387,CVE-2014-1388,CVE-2014-1389,CVE-2014-1390,CVE-2015-2330
Sources used:
SUSE Linux Enterprise Workstation Extension 12 (src):    webkitgtk-2.4.8-16.2, webkitgtk3-2.4.8-16.2
SUSE Linux Enterprise Software Development Kit 12 (src):    webkitgtk-2.4.8-16.2, webkitgtk3-2.4.8-16.2
SUSE Linux Enterprise Server 12 (src):    webkitgtk3-2.4.8-16.2
SUSE Linux Enterprise Desktop 12 (src):    webkitgtk-2.4.8-16.2, webkitgtk3-2.4.8-16.2
Comment 23 Swamp Workflow Management 2015-05-28 08:05:43 UTC
openSUSE-RU-2015:0957-1: An update that fixes 8 vulnerabilities is now available.

Category: recommended (moderate)
Bug References: 871792,879607,905667,927357
CVE References: CVE-2014-1344,CVE-2014-1384,CVE-2014-1385,CVE-2014-1386,CVE-2014-1387,CVE-2014-1388,CVE-2014-1389,CVE-2014-1390
Sources used:
openSUSE 13.2 (src):    brasero-3.12.1-8.5, clutter-1.20.2-7.4, empathy-3.12.9-7.6, gedit-code-assistance-3.14.3-2.12.1, gnome-bluetooth-3.14.1-3.2, gnome-control-center-3.14.5-18.1, gnome-documents-3.14.3-7.1, gnome-online-accounts-3.14.4-11.1, gnome-online-miners-3.14.3-7.1, gnome-photos-3.14.3-7.3, gnome-settings-daemon-3.14.4-10.1, gnonlin-1.4.0-2.3.1, goobox-3.4.0-2.7.2, gsettings-desktop-schemas-3.14.2-3.1, gstreamer-editing-services-1.4.0-2.3.1, gthumb-3.4.0-2.4.4, gtk2-2.24.28-4.11.2, gtk2-branding-SLED-13.2-11.3, gtk2-branding-openSUSE-13.2-11.3, gtk2-engines-2.20.2-18.11.2, gtk3-3.14.13-18.1, gtk3-branding-SLED-13.2-17.3, gtk3-branding-openSUSE-13.2-17.3, libgsf-1.14.33-2.7.1, libgweather-3.14.4-7.1, pitivi-0.94-2.3.1, rygel-0.24.4-7.1, totem-3.14.3-11.2, webkit2gtk3-2.6.6-7.2, webkitgtk-2.4.8-7.2, webkitgtk3-2.4.8-7.2, yelp-3.14.2-3.1
Comment 26 Marcus Meissner 2019-07-24 06:54:53 UTC
unfixable sadly