Security update for webkit2gtk3 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2019:0890-1 Final 1 1 2019-04-05T11:31:34Z current 2019-04-05T11:31:34Z 2019-04-05T11:31:34Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for webkit2gtk3 This update for webkit2gtk3 to version 2.24.0 fixes the following issue: Security issue fixed: - CVE-2019-8375: Fixed an issue in UIProcess subsystem which could allow the script dialog size to exceed the web view size leading to Buffer Overflow or other unspecified impact (bsc#1126768). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2019-890,SUSE-SLE-Module-Basesystem-15-2019-890,SUSE-SLE-Module-Desktop-Applications-15-2019-890,SUSE-SLE-Module-Development-Tools-OBS-15-2019-890 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2019/suse-su-20190890-1/ Link for SUSE-SU-2019:0890-1 https://lists.suse.com/pipermail/sle-security-updates/2019-April/005306.html E-Mail link for SUSE-SU-2019:0890-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1126768 SUSE Bug 1126768 https://www.suse.com/security/cve/CVE-2019-8375/ SUSE CVE CVE-2019-8375 page SUSE Linux Enterprise Module for Basesystem 15 SUSE Linux Enterprise Module for Desktop Applications 15 libjavascriptcoregtk-4_0-18-2.24.0-3.21.1 libjavascriptcoregtk-4_0-18-32bit-2.24.0-3.21.1 libjavascriptcoregtk-4_0-18-64bit-2.24.0-3.21.1 libwebkit2gtk-4_0-37-2.24.0-3.21.1 libwebkit2gtk-4_0-37-32bit-2.24.0-3.21.1 libwebkit2gtk-4_0-37-64bit-2.24.0-3.21.1 libwebkit2gtk3-lang-2.24.0-3.21.1 typelib-1_0-JavaScriptCore-4_0-2.24.0-3.21.1 typelib-1_0-WebKit2-4_0-2.24.0-3.21.1 typelib-1_0-WebKit2WebExtension-4_0-2.24.0-3.21.1 webkit-jsc-4-2.24.0-3.21.1 webkit2gtk-4_0-injected-bundles-2.24.0-3.21.1 webkit2gtk3-devel-2.24.0-3.21.1 webkit2gtk3-minibrowser-2.24.0-3.21.1 libjavascriptcoregtk-4_0-18-2.24.0-3.21.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 libwebkit2gtk-4_0-37-2.24.0-3.21.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 libwebkit2gtk3-lang-2.24.0-3.21.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 webkit2gtk-4_0-injected-bundles-2.24.0-3.21.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 typelib-1_0-JavaScriptCore-4_0-2.24.0-3.21.1 as a component of SUSE Linux Enterprise Module for Desktop Applications 15 typelib-1_0-WebKit2-4_0-2.24.0-3.21.1 as a component of SUSE Linux Enterprise Module for Desktop Applications 15 typelib-1_0-WebKit2WebExtension-4_0-2.24.0-3.21.1 as a component of SUSE Linux Enterprise Module for Desktop Applications 15 webkit2gtk3-devel-2.24.0-3.21.1 as a component of SUSE Linux Enterprise Module for Desktop Applications 15 The UIProcess subsystem in WebKit, as used in WebKitGTK through 2.23.90 and WebKitGTK+ through 2.22.6 and other products, does not prevent the script dialog size from exceeding the web view size, which allows remote attackers to cause a denial of service (Buffer Overflow) or possibly have unspecified other impact, related to UIProcess/API/gtk/WebKitScriptDialogGtk.cpp, UIProcess/API/gtk/WebKitScriptDialogImpl.cpp, and UIProcess/API/gtk/WebKitWebViewGtk.cpp, as demonstrated by GNOME Web (aka Epiphany). CVE-2019-8375 SUSE Linux Enterprise Module for Basesystem 15:libjavascriptcoregtk-4_0-18-2.24.0-3.21.1 SUSE Linux Enterprise Module for Basesystem 15:libwebkit2gtk-4_0-37-2.24.0-3.21.1 SUSE Linux Enterprise Module for Basesystem 15:libwebkit2gtk3-lang-2.24.0-3.21.1 SUSE Linux Enterprise Module for Basesystem 15:webkit2gtk-4_0-injected-bundles-2.24.0-3.21.1 SUSE Linux Enterprise Module for Desktop Applications 15:typelib-1_0-JavaScriptCore-4_0-2.24.0-3.21.1 SUSE Linux Enterprise Module for Desktop Applications 15:typelib-1_0-WebKit2-4_0-2.24.0-3.21.1 SUSE Linux Enterprise Module for Desktop Applications 15:typelib-1_0-WebKit2WebExtension-4_0-2.24.0-3.21.1 SUSE Linux Enterprise Module for Desktop Applications 15:webkit2gtk3-devel-2.24.0-3.21.1 moderate 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2019/suse-su-20190890-1/ https://www.suse.com/security/cve/CVE-2019-8375.html CVE-2019-8375 https://bugzilla.suse.com/1126768 SUSE Bug 1126768