Security update for webkit2gtk3 SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2020:0278-1 Final 1 1 2020-03-01T23:15:29Z current 2020-03-01T23:15:29Z 2020-03-01T23:15:29Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for webkit2gtk3 This update for webkit2gtk3 to version 2.26.4 fixes the following issues: Security issues fixed: - CVE-2019-8835: Fixed multiple memory corruption issues (bsc#1161719). - CVE-2019-8844: Fixed multiple memory corruption issues (bsc#1161719). - CVE-2019-8846: Fixed a use-after-free issue (bsc#1161719). - CVE-2020-3862: Fixed a memory handling issue (bsc#1163809). - CVE-2020-3864: Fixed a logic issue in the DOM object context handling (bsc#1163809). - CVE-2020-3865: Fixed a logic issue in the DOM object context handling (bsc#1163809). - CVE-2020-3867: Fixed an XSS issue (bsc#1163809). - CVE-2020-3868: Fixed multiple memory corruption issues that could have lead to arbitrary code execution (bsc#1163809). Non-security issues fixed: - Fixed issues while trying to play a video on NextCloud. - Fixed vertical alignment of text containing arabic diacritics. - Fixed build with icu 65.1. - Fixed page loading errors with websites using HSTS. - Fixed web process crash when displaying a KaTeX formula. - Fixed several crashes and rendering issues. - Switched to a single web process for Evolution and geary (bsc#1159329 glgo#GNOME/evolution#587). This update was imported from the SUSE:SLE-15:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2020-278 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VOF6TVHJ47XHC6EPRQMZJI47W7QNTVVH/ E-Mail link for openSUSE-SU-2020:0278-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1159329 SUSE Bug 1159329 https://bugzilla.suse.com/1161719 SUSE Bug 1161719 https://bugzilla.suse.com/1163809 SUSE Bug 1163809 https://www.suse.com/security/cve/CVE-2019-8835/ SUSE CVE CVE-2019-8835 page https://www.suse.com/security/cve/CVE-2019-8844/ SUSE CVE CVE-2019-8844 page https://www.suse.com/security/cve/CVE-2019-8846/ SUSE CVE CVE-2019-8846 page https://www.suse.com/security/cve/CVE-2020-3862/ SUSE CVE CVE-2020-3862 page https://www.suse.com/security/cve/CVE-2020-3864/ SUSE CVE CVE-2020-3864 page https://www.suse.com/security/cve/CVE-2020-3865/ SUSE CVE CVE-2020-3865 page https://www.suse.com/security/cve/CVE-2020-3867/ SUSE CVE CVE-2020-3867 page https://www.suse.com/security/cve/CVE-2020-3868/ SUSE CVE CVE-2020-3868 page openSUSE Leap 15.1 libjavascriptcoregtk-4_0-18-2.26.4-lp151.2.12.1 libjavascriptcoregtk-4_0-18-32bit-2.26.4-lp151.2.12.1 libwebkit2gtk-4_0-37-2.26.4-lp151.2.12.1 libwebkit2gtk-4_0-37-32bit-2.26.4-lp151.2.12.1 libwebkit2gtk3-lang-2.26.4-lp151.2.12.1 typelib-1_0-JavaScriptCore-4_0-2.26.4-lp151.2.12.1 typelib-1_0-WebKit2-4_0-2.26.4-lp151.2.12.1 typelib-1_0-WebKit2WebExtension-4_0-2.26.4-lp151.2.12.1 webkit-jsc-4-2.26.4-lp151.2.12.1 webkit2gtk-4_0-injected-bundles-2.26.4-lp151.2.12.1 webkit2gtk3-devel-2.26.4-lp151.2.12.1 webkit2gtk3-minibrowser-2.26.4-lp151.2.12.1 libjavascriptcoregtk-4_0-18-2.26.4-lp151.2.12.1 as a component of openSUSE Leap 15.1 libjavascriptcoregtk-4_0-18-32bit-2.26.4-lp151.2.12.1 as a component of openSUSE Leap 15.1 libwebkit2gtk-4_0-37-2.26.4-lp151.2.12.1 as a component of openSUSE Leap 15.1 libwebkit2gtk-4_0-37-32bit-2.26.4-lp151.2.12.1 as a component of openSUSE Leap 15.1 libwebkit2gtk3-lang-2.26.4-lp151.2.12.1 as a component of openSUSE Leap 15.1 typelib-1_0-JavaScriptCore-4_0-2.26.4-lp151.2.12.1 as a component of openSUSE Leap 15.1 typelib-1_0-WebKit2-4_0-2.26.4-lp151.2.12.1 as a component of openSUSE Leap 15.1 typelib-1_0-WebKit2WebExtension-4_0-2.26.4-lp151.2.12.1 as a component of openSUSE Leap 15.1 webkit-jsc-4-2.26.4-lp151.2.12.1 as a component of openSUSE Leap 15.1 webkit2gtk-4_0-injected-bundles-2.26.4-lp151.2.12.1 as a component of openSUSE Leap 15.1 webkit2gtk3-devel-2.26.4-lp151.2.12.1 as a component of openSUSE Leap 15.1 webkit2gtk3-minibrowser-2.26.4-lp151.2.12.1 as a component of openSUSE Leap 15.1 Multiple memory corruption issues were addressed with improved memory handling. This issue is fixed in tvOS 13.3, iCloud for Windows 10.9, iOS 13.3 and iPadOS 13.3, Safari 13.0.4, iTunes 12.10.3 for Windows, iCloud for Windows 7.16. Processing maliciously crafted web content may lead to arbitrary code execution. CVE-2019-8835 openSUSE Leap 15.1:libjavascriptcoregtk-4_0-18-2.26.4-lp151.2.12.1 openSUSE Leap 15.1:libjavascriptcoregtk-4_0-18-32bit-2.26.4-lp151.2.12.1 openSUSE Leap 15.1:libwebkit2gtk-4_0-37-2.26.4-lp151.2.12.1 openSUSE Leap 15.1:libwebkit2gtk-4_0-37-32bit-2.26.4-lp151.2.12.1 openSUSE Leap 15.1:libwebkit2gtk3-lang-2.26.4-lp151.2.12.1 openSUSE Leap 15.1:typelib-1_0-JavaScriptCore-4_0-2.26.4-lp151.2.12.1 openSUSE Leap 15.1:typelib-1_0-WebKit2-4_0-2.26.4-lp151.2.12.1 openSUSE Leap 15.1:typelib-1_0-WebKit2WebExtension-4_0-2.26.4-lp151.2.12.1 openSUSE Leap 15.1:webkit-jsc-4-2.26.4-lp151.2.12.1 openSUSE Leap 15.1:webkit2gtk-4_0-injected-bundles-2.26.4-lp151.2.12.1 openSUSE Leap 15.1:webkit2gtk3-devel-2.26.4-lp151.2.12.1 openSUSE Leap 15.1:webkit2gtk3-minibrowser-2.26.4-lp151.2.12.1 important 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VOF6TVHJ47XHC6EPRQMZJI47W7QNTVVH/ https://www.suse.com/security/cve/CVE-2019-8835.html CVE-2019-8835 https://bugzilla.suse.com/1161719 SUSE Bug 1161719 Multiple memory corruption issues were addressed with improved memory handling. This issue is fixed in tvOS 13.3, watchOS 6.1.1, iCloud for Windows 10.9, iOS 13.3 and iPadOS 13.3, Safari 13.0.4, iTunes 12.10.3 for Windows, iCloud for Windows 7.16. Processing maliciously crafted web content may lead to arbitrary code execution. CVE-2019-8844 openSUSE Leap 15.1:libjavascriptcoregtk-4_0-18-2.26.4-lp151.2.12.1 openSUSE Leap 15.1:libjavascriptcoregtk-4_0-18-32bit-2.26.4-lp151.2.12.1 openSUSE Leap 15.1:libwebkit2gtk-4_0-37-2.26.4-lp151.2.12.1 openSUSE Leap 15.1:libwebkit2gtk-4_0-37-32bit-2.26.4-lp151.2.12.1 openSUSE Leap 15.1:libwebkit2gtk3-lang-2.26.4-lp151.2.12.1 openSUSE Leap 15.1:typelib-1_0-JavaScriptCore-4_0-2.26.4-lp151.2.12.1 openSUSE Leap 15.1:typelib-1_0-WebKit2-4_0-2.26.4-lp151.2.12.1 openSUSE Leap 15.1:typelib-1_0-WebKit2WebExtension-4_0-2.26.4-lp151.2.12.1 openSUSE Leap 15.1:webkit-jsc-4-2.26.4-lp151.2.12.1 openSUSE Leap 15.1:webkit2gtk-4_0-injected-bundles-2.26.4-lp151.2.12.1 openSUSE Leap 15.1:webkit2gtk3-devel-2.26.4-lp151.2.12.1 openSUSE Leap 15.1:webkit2gtk3-minibrowser-2.26.4-lp151.2.12.1 important 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VOF6TVHJ47XHC6EPRQMZJI47W7QNTVVH/ https://www.suse.com/security/cve/CVE-2019-8844.html CVE-2019-8844 https://bugzilla.suse.com/1161719 SUSE Bug 1161719 A use after free issue was addressed with improved memory management. This issue is fixed in tvOS 13.3, iCloud for Windows 10.9, iOS 13.3 and iPadOS 13.3, Safari 13.0.4, iTunes 12.10.3 for Windows, iCloud for Windows 7.16. Processing maliciously crafted web content may lead to arbitrary code execution. CVE-2019-8846 openSUSE Leap 15.1:libjavascriptcoregtk-4_0-18-2.26.4-lp151.2.12.1 openSUSE Leap 15.1:libjavascriptcoregtk-4_0-18-32bit-2.26.4-lp151.2.12.1 openSUSE Leap 15.1:libwebkit2gtk-4_0-37-2.26.4-lp151.2.12.1 openSUSE Leap 15.1:libwebkit2gtk-4_0-37-32bit-2.26.4-lp151.2.12.1 openSUSE Leap 15.1:libwebkit2gtk3-lang-2.26.4-lp151.2.12.1 openSUSE Leap 15.1:typelib-1_0-JavaScriptCore-4_0-2.26.4-lp151.2.12.1 openSUSE Leap 15.1:typelib-1_0-WebKit2-4_0-2.26.4-lp151.2.12.1 openSUSE Leap 15.1:typelib-1_0-WebKit2WebExtension-4_0-2.26.4-lp151.2.12.1 openSUSE Leap 15.1:webkit-jsc-4-2.26.4-lp151.2.12.1 openSUSE Leap 15.1:webkit2gtk-4_0-injected-bundles-2.26.4-lp151.2.12.1 openSUSE Leap 15.1:webkit2gtk3-devel-2.26.4-lp151.2.12.1 openSUSE Leap 15.1:webkit2gtk3-minibrowser-2.26.4-lp151.2.12.1 important 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VOF6TVHJ47XHC6EPRQMZJI47W7QNTVVH/ https://www.suse.com/security/cve/CVE-2019-8846.html CVE-2019-8846 https://bugzilla.suse.com/1161719 SUSE Bug 1161719 A denial of service issue was addressed with improved memory handling. This issue is fixed in iOS 13.3.1 and iPadOS 13.3.1, tvOS 13.3.1, Safari 13.0.5, iTunes for Windows 12.10.4, iCloud for Windows 11.0, iCloud for Windows 7.17. A malicious website may be able to cause a denial of service. CVE-2020-3862 openSUSE Leap 15.1:libjavascriptcoregtk-4_0-18-2.26.4-lp151.2.12.1 openSUSE Leap 15.1:libjavascriptcoregtk-4_0-18-32bit-2.26.4-lp151.2.12.1 openSUSE Leap 15.1:libwebkit2gtk-4_0-37-2.26.4-lp151.2.12.1 openSUSE Leap 15.1:libwebkit2gtk-4_0-37-32bit-2.26.4-lp151.2.12.1 openSUSE Leap 15.1:libwebkit2gtk3-lang-2.26.4-lp151.2.12.1 openSUSE Leap 15.1:typelib-1_0-JavaScriptCore-4_0-2.26.4-lp151.2.12.1 openSUSE Leap 15.1:typelib-1_0-WebKit2-4_0-2.26.4-lp151.2.12.1 openSUSE Leap 15.1:typelib-1_0-WebKit2WebExtension-4_0-2.26.4-lp151.2.12.1 openSUSE Leap 15.1:webkit-jsc-4-2.26.4-lp151.2.12.1 openSUSE Leap 15.1:webkit2gtk-4_0-injected-bundles-2.26.4-lp151.2.12.1 openSUSE Leap 15.1:webkit2gtk3-devel-2.26.4-lp151.2.12.1 openSUSE Leap 15.1:webkit2gtk3-minibrowser-2.26.4-lp151.2.12.1 important 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VOF6TVHJ47XHC6EPRQMZJI47W7QNTVVH/ https://www.suse.com/security/cve/CVE-2020-3862.html CVE-2020-3862 https://bugzilla.suse.com/1163809 SUSE Bug 1163809 A logic issue was addressed with improved validation. This issue is fixed in iCloud for Windows 7.17, iTunes 12.10.4 for Windows, iCloud for Windows 10.9.2, tvOS 13.3.1, Safari 13.0.5, iOS 13.3.1 and iPadOS 13.3.1. A DOM object context may not have had a unique security origin. CVE-2020-3864 openSUSE Leap 15.1:libjavascriptcoregtk-4_0-18-2.26.4-lp151.2.12.1 openSUSE Leap 15.1:libjavascriptcoregtk-4_0-18-32bit-2.26.4-lp151.2.12.1 openSUSE Leap 15.1:libwebkit2gtk-4_0-37-2.26.4-lp151.2.12.1 openSUSE Leap 15.1:libwebkit2gtk-4_0-37-32bit-2.26.4-lp151.2.12.1 openSUSE Leap 15.1:libwebkit2gtk3-lang-2.26.4-lp151.2.12.1 openSUSE Leap 15.1:typelib-1_0-JavaScriptCore-4_0-2.26.4-lp151.2.12.1 openSUSE Leap 15.1:typelib-1_0-WebKit2-4_0-2.26.4-lp151.2.12.1 openSUSE Leap 15.1:typelib-1_0-WebKit2WebExtension-4_0-2.26.4-lp151.2.12.1 openSUSE Leap 15.1:webkit-jsc-4-2.26.4-lp151.2.12.1 openSUSE Leap 15.1:webkit2gtk-4_0-injected-bundles-2.26.4-lp151.2.12.1 openSUSE Leap 15.1:webkit2gtk3-devel-2.26.4-lp151.2.12.1 openSUSE Leap 15.1:webkit2gtk3-minibrowser-2.26.4-lp151.2.12.1 important 7.2 AV:L/AC:L/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VOF6TVHJ47XHC6EPRQMZJI47W7QNTVVH/ https://www.suse.com/security/cve/CVE-2020-3864.html CVE-2020-3864 https://bugzilla.suse.com/1163809 SUSE Bug 1163809 Multiple memory corruption issues were addressed with improved memory handling. This issue is fixed in iOS 13.3.1 and iPadOS 13.3.1, tvOS 13.3.1, Safari 13.0.5, iTunes for Windows 12.10.4, iCloud for Windows 11.0, iCloud for Windows 7.17. Processing maliciously crafted web content may lead to arbitrary code execution. CVE-2020-3865 openSUSE Leap 15.1:libjavascriptcoregtk-4_0-18-2.26.4-lp151.2.12.1 openSUSE Leap 15.1:libjavascriptcoregtk-4_0-18-32bit-2.26.4-lp151.2.12.1 openSUSE Leap 15.1:libwebkit2gtk-4_0-37-2.26.4-lp151.2.12.1 openSUSE Leap 15.1:libwebkit2gtk-4_0-37-32bit-2.26.4-lp151.2.12.1 openSUSE Leap 15.1:libwebkit2gtk3-lang-2.26.4-lp151.2.12.1 openSUSE Leap 15.1:typelib-1_0-JavaScriptCore-4_0-2.26.4-lp151.2.12.1 openSUSE Leap 15.1:typelib-1_0-WebKit2-4_0-2.26.4-lp151.2.12.1 openSUSE Leap 15.1:typelib-1_0-WebKit2WebExtension-4_0-2.26.4-lp151.2.12.1 openSUSE Leap 15.1:webkit-jsc-4-2.26.4-lp151.2.12.1 openSUSE Leap 15.1:webkit2gtk-4_0-injected-bundles-2.26.4-lp151.2.12.1 openSUSE Leap 15.1:webkit2gtk3-devel-2.26.4-lp151.2.12.1 openSUSE Leap 15.1:webkit2gtk3-minibrowser-2.26.4-lp151.2.12.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VOF6TVHJ47XHC6EPRQMZJI47W7QNTVVH/ https://www.suse.com/security/cve/CVE-2020-3865.html CVE-2020-3865 https://bugzilla.suse.com/1163809 SUSE Bug 1163809 A logic issue was addressed with improved state management. This issue is fixed in iOS 13.3.1 and iPadOS 13.3.1, tvOS 13.3.1, Safari 13.0.5, iTunes for Windows 12.10.4, iCloud for Windows 11.0, iCloud for Windows 7.17. Processing maliciously crafted web content may lead to universal cross site scripting. CVE-2020-3867 openSUSE Leap 15.1:libjavascriptcoregtk-4_0-18-2.26.4-lp151.2.12.1 openSUSE Leap 15.1:libjavascriptcoregtk-4_0-18-32bit-2.26.4-lp151.2.12.1 openSUSE Leap 15.1:libwebkit2gtk-4_0-37-2.26.4-lp151.2.12.1 openSUSE Leap 15.1:libwebkit2gtk-4_0-37-32bit-2.26.4-lp151.2.12.1 openSUSE Leap 15.1:libwebkit2gtk3-lang-2.26.4-lp151.2.12.1 openSUSE Leap 15.1:typelib-1_0-JavaScriptCore-4_0-2.26.4-lp151.2.12.1 openSUSE Leap 15.1:typelib-1_0-WebKit2-4_0-2.26.4-lp151.2.12.1 openSUSE Leap 15.1:typelib-1_0-WebKit2WebExtension-4_0-2.26.4-lp151.2.12.1 openSUSE Leap 15.1:webkit-jsc-4-2.26.4-lp151.2.12.1 openSUSE Leap 15.1:webkit2gtk-4_0-injected-bundles-2.26.4-lp151.2.12.1 openSUSE Leap 15.1:webkit2gtk3-devel-2.26.4-lp151.2.12.1 openSUSE Leap 15.1:webkit2gtk3-minibrowser-2.26.4-lp151.2.12.1 important 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VOF6TVHJ47XHC6EPRQMZJI47W7QNTVVH/ https://www.suse.com/security/cve/CVE-2020-3867.html CVE-2020-3867 https://bugzilla.suse.com/1163809 SUSE Bug 1163809 Multiple memory corruption issues were addressed with improved memory handling. This issue is fixed in iOS 13.3.1 and iPadOS 13.3.1, tvOS 13.3.1, Safari 13.0.5, iTunes for Windows 12.10.4, iCloud for Windows 11.0, iCloud for Windows 7.17. Processing maliciously crafted web content may lead to arbitrary code execution. CVE-2020-3868 openSUSE Leap 15.1:libjavascriptcoregtk-4_0-18-2.26.4-lp151.2.12.1 openSUSE Leap 15.1:libjavascriptcoregtk-4_0-18-32bit-2.26.4-lp151.2.12.1 openSUSE Leap 15.1:libwebkit2gtk-4_0-37-2.26.4-lp151.2.12.1 openSUSE Leap 15.1:libwebkit2gtk-4_0-37-32bit-2.26.4-lp151.2.12.1 openSUSE Leap 15.1:libwebkit2gtk3-lang-2.26.4-lp151.2.12.1 openSUSE Leap 15.1:typelib-1_0-JavaScriptCore-4_0-2.26.4-lp151.2.12.1 openSUSE Leap 15.1:typelib-1_0-WebKit2-4_0-2.26.4-lp151.2.12.1 openSUSE Leap 15.1:typelib-1_0-WebKit2WebExtension-4_0-2.26.4-lp151.2.12.1 openSUSE Leap 15.1:webkit-jsc-4-2.26.4-lp151.2.12.1 openSUSE Leap 15.1:webkit2gtk-4_0-injected-bundles-2.26.4-lp151.2.12.1 openSUSE Leap 15.1:webkit2gtk3-devel-2.26.4-lp151.2.12.1 openSUSE Leap 15.1:webkit2gtk3-minibrowser-2.26.4-lp151.2.12.1 important 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VOF6TVHJ47XHC6EPRQMZJI47W7QNTVVH/ https://www.suse.com/security/cve/CVE-2020-3868.html CVE-2020-3868 https://bugzilla.suse.com/1163809 SUSE Bug 1163809