Security update for webkit2gtk3 (moderate)

This update for webkit2gtk3 to version 2.20.3 fixes the issues:

The following security vulnerabilities were addressed:

• CVE-2018-12911: Fixed an off-by-one error in xdg_mime_get_simple_globs
  (boo#1101999)
• CVE-2017-13884: An unspecified issue allowed remote attackers to execute
  arbitrary code or cause a denial of service (memory corruption and
  application crash) via a crafted web site (bsc#1075775).
• CVE-2017-13885: An unspecified issue allowed remote attackers to execute
  arbitrary code or cause a denial of service (memory corruption and
  application crash) via a crafted web site (bsc#1075775).
• CVE-2017-7153: An unspecified issue allowed remote attackers to spoof
  user-interface information (about whether the entire content is derived
  from a valid TLS session) via a crafted web site that sends a 401
  Unauthorized redirect (bsc#1077535).
• CVE-2017-7160: An unspecified issue allowed remote attackers to execute
  arbitrary code or cause a denial of service (memory corruption and
  application crash) via a crafted web site (bsc#1075775).
• CVE-2017-7161: An unspecified issue allowed remote attackers to execute
  arbitrary code via special characters that trigger command injection
  (bsc#1075775, bsc#1077535).
• CVE-2017-7165: An unspecified issue allowed remote attackers to execute
  arbitrary code or cause a denial of service (memory corruption and
  application crash) via a crafted web site (bsc#1075775).
• CVE-2018-4088: An unspecified issue allowed remote attackers to execute
  arbitrary code or cause a denial of service (memory corruption and
  application crash) via a crafted web site (bsc#1075775).
• CVE-2018-4096: An unspecified issue allowed remote attackers to execute
  arbitrary code or cause a denial of service (memory corruption and
  application crash) via a crafted web site (bsc#1075775).
• CVE-2018-4200: An unspecified issue allowed remote attackers to execute
  arbitrary code or cause a denial of service (memory corruption and
  application crash) via a crafted web site that triggers a
  WebCore::jsElementScrollHeightGetter use-after-free (bsc#1092280).
• CVE-2018-4204: An unspecified issue allowed remote attackers to execute
  arbitrary code or cause a denial of service (memory corruption and
  application crash) via a crafted web site (bsc#1092279).
• CVE-2018-4101: An unspecified issue allowed remote attackers to execute
  arbitrary code or cause a denial of service (memory corruption and
  application crash) via a crafted web site (bsc#1088182).
• CVE-2018-4113: An issue in the JavaScriptCore function in the "WebKit"
  component allowed attackers to trigger an assertion failure by
  leveraging improper array indexing (bsc#1088182)
• CVE-2018-4114: An unspecified issue allowed remote attackers to execute
  arbitrary code or cause a denial of service (memory corruption and
  application crash) via a crafted web site (bsc#1088182)
• CVE-2018-4117: An unspecified issue allowed remote attackers to bypass
  the Same Origin Policy and obtain sensitive information via a crafted
  web site (bsc#1088182, bsc#1102530).
• CVE-2018-4118: An unspecified issue allowed remote attackers to execute
  arbitrary code or cause a denial of service (memory corruption and
  application crash) via a crafted web site (bsc#1088182)
• CVE-2018-4119: An unspecified issue allowed remote attackers to execute
  arbitrary code or cause a denial of service (memory corruption and
  application crash) via a crafted web site (bsc#1088182)
• CVE-2018-4120: An unspecified issue allowed remote attackers to execute
  arbitrary code or cause a denial of service (memory corruption and
  application crash) via a crafted web site (bsc#1088182).
• CVE-2018-4121: An unspecified issue allowed remote attackers to execute
  arbitrary code or cause a denial of service (memory corruption and
  application crash) via a crafted web site (bsc#1092278).
• CVE-2018-4122: An unspecified issue allowed remote attackers to execute
  arbitrary code or cause a denial of service (memory corruption and
  application crash) via a crafted web site (bsc#1088182).
• CVE-2018-4125: An unspecified issue allowed remote attackers to execute
  arbitrary code or cause a denial of service (memory corruption and
  application crash) via a crafted web site (bsc#1088182).
• CVE-2018-4127: An unspecified issue allowed remote attackers to execute
  arbitrary code or cause a denial of service (memory corruption and
  application crash) via a crafted web site (bsc#1088182).
• CVE-2018-4128: An unspecified issue allowed remote attackers to execute
  arbitrary code or cause a denial of service (memory corruption and
  application crash) via a crafted web site (bsc#1088182).
• CVE-2018-4129: An unspecified issue allowed remote attackers to execute
  arbitrary code or cause a denial of service (memory corruption and
  application crash) via a crafted web site (bsc#1088182).
• CVE-2018-4146: An unspecified issue allowed attackers to cause a denial
  of service (memory corruption) via a crafted web site (bsc#1088182).
• CVE-2018-4161: An unspecified issue allowed remote attackers to execute
  arbitrary code or cause a denial of service (memory corruption and
  application crash) via a crafted web site (bsc#1088182).
• CVE-2018-4162: An unspecified issue allowed remote attackers to execute
  arbitrary code or cause a denial of service (memory corruption and
  application crash) via a crafted web site (bsc#1088182).
• CVE-2018-4163: An unspecified issue allowed remote attackers to execute
  arbitrary code or cause a denial of service (memory corruption and
  application crash) via a crafted web site (bsc#1088182).
• CVE-2018-4165: An unspecified issue allowed remote attackers to execute
  arbitrary code or cause a denial of service (memory corruption and
  application crash) via a crafted web site (bsc#1088182).
• CVE-2018-4190: An unspecified issue allowed remote attackers to obtain
  sensitive credential information that is transmitted during a CSS
  mask-image fetch (bsc#1097693)
• CVE-2018-4199: An unspecified issue allowed remote attackers to execute
  arbitrary code or cause a denial of service (buffer overflow and
  application crash) via a crafted web site (bsc#1097693)
• CVE-2018-4218: An unspecified issue allowed remote attackers to execute
  arbitrary code or cause a denial of service (memory corruption and
  application crash) via a crafted web site that triggers an
  @generatorState use-after-free (bsc#1097693)
• CVE-2018-4222: An unspecified issue allowed remote attackers to execute
  arbitrary code via a crafted web site that leverages a
  getWasmBufferFromValue
  out-of-bounds read during WebAssembly compilation (bsc#1097693)
• CVE-2018-4232: An unspecified issue allowed remote attackers to
  overwrite cookies via a crafted web site (bsc#1097693)
• CVE-2018-4233: An unspecified issue allowed remote attackers to execute
  arbitrary code or cause a denial of service (memory corruption and
  application crash) via a crafted web site (bsc#1097693)
• CVE-2018-4246: An unspecified issue allowed remote attackers to execute
  arbitrary code via a crafted web site that leverages type confusion
  (bsc#1104169)
• CVE-2018-11646: webkitFaviconDatabaseSetIconForPageURL and
  webkitFaviconDatabaseSetIconURLForPageURL mishandled an unset pageURL,
  leading to an application crash (bsc#1095611)
• CVE-2018-4133: A Safari cross-site scripting (XSS) vulnerability allowed
  remote attackers to inject arbitrary web script or HTML via a crafted
  URL (bsc#1088182).
• CVE-2018-11713: The libsoup network backend of WebKit unexpectedly
  failed to use system proxy settings for WebSocket connections. As a
  result, users could be deanonymized by crafted web sites via a WebSocket
  connection (bsc#1096060).
• CVE-2018-11712: The libsoup network backend of WebKit failed to perform
  TLS certificate verification for WebSocket connections (bsc#1096061).

This update for webkit2gtk3 fixes the following issues:

• Fixed a crash when atk_object_ref_state_set is called on an AtkObject
  that’s being destroyed (bsc#1088932).
• Fixed crash when using Wayland with QXL/virtio (bsc#1079512)
• Disable Gigacage if mmap fails to allocate in Linux.
• Add user agent quirk for paypal website.
• Properly detect compiler flags, needed libs, and fallbacks for usage of
  64-bit atomic operations.
• Fix a network process crash when trying to get cookies of about:blank
  page.
• Fix UI process crash when closing the window under Wayland.
• Fix several crashes and rendering issues.
• Do TLS error checking on GTlsConnection::accept-certificate to finish
  the load earlier in case of errors.
• Properly close the connection to the nested wayland compositor in the
  Web Process.
• Avoid painting backing stores for zero-opacity layers.
• Fix downloads started by context menu failing in some websites due to
  missing user agent HTTP header.
• Fix video unpause when GStreamerGL is disabled.
• Fix several GObject introspection annotations.
• Update user agent quiks to fix Outlook.com and Chase.com.
• Fix several crashes and rendering issues.
• Improve error message when Gigacage cannot allocate virtual memory.
• Add missing WebKitWebProcessEnumTypes.h to webkit-web-extension.h.
• Improve web process memory monitor thresholds.
• Fix a web process crash when the web view is created and destroyed
  quickly.
• Fix a network process crash when load is cancelled while searching for
  stored HTTP auth credentials.
• Fix the build when ENABLE_VIDEO, ENABLE_WEB_AUDIO and ENABLE_XSLT are
  disabled.
• New API to retrieve and delete cookies with WebKitCookieManager.
• New web process API to detect when form is submitted via JavaScript.
• Several improvements and fixes in the touch/gestures support.
• Support for the “system” CSS font family.
• Complex text rendering improvements and fixes.
• More complete and spec compliant WebDriver implementation.
• Ensure DNS prefetching cannot be re-enabled if disabled by settings.
• Fix seek sometimes not working.
• Fix rendering of emojis that were using the wrong scale factor in some
  cases.
• Fix rendering of combining enclosed keycap.
• Fix rendering scale of some layers in HiDPI.
• Fix a crash in Wayland when closing the web view.
• Fix crashes upower crashes when running inside a chroot or on systems
  with broken dbus/upower.
• Fix memory leaks in GStreamer media backend when using GStreamer 1.14.
• Fix several crashes and rendering issues.
• Add ENABLE_ADDRESS_SANITIZER to make it easier to build with asan
  support.
• Fix a crash a under Wayland when using mesa software rasterization.
• Make fullscreen video work again.
• Fix handling of missing GStreamer elements.
• Fix rendering when webm video is played twice.
• Fix kinetic scrolling sometimes jumping around.
• Fix build with ICU configured without collation support.
• WebSockets use system proxy settings now (requires libsoup 2.61.90).
• Show the context menu on long-press gesture.
• Add support for Shift + mouse scroll to scroll horizontally.
• Fix zoom gesture to actually zoom instead of changing the page scale.
• Implement support for Graphics ARIA roles.
• Make sleep inhibitors work under Flatpak.
• Add get element CSS value command to WebDriver.
• Fix a crash aftter a swipe gesture.
• Fix several crashes and rendering issues.
• Fix crashes due to duplicated symbols in libjavascriptcoregtk and
  libwebkit2gtk.
• Fix parsing of timeout values in WebDriver.
• Implement get timeouts command in WebDriver.
• Fix deadlock in GStreamer video sink during shutdown when accelerated
  compositing is disabled.
• Fix several crashes and rendering issues.
• Add web process API to detect when form is submitted via JavaScript.
• Add new API to replace webkit_form_submission_request_get_text_fields()
  that is now deprecated.
• Add WebKitWebView::web-process-terminated signal and deprecate
  web-process-crashed.
• Fix rendering issues when editing text areas.
• Use FastMalloc based GstAllocator for GStreamer.
• Fix web process crash at startup in bmalloc.
• Fix several memory leaks in GStreamer media backend.
• WebKitWebDriver process no longer links to libjavascriptcoregtk.
• Fix several crashes and rendering issues.
• Add new API to add, retrieve and delete cookies via WebKitCookieManager.
• Add functions to WebSettings to convert font sizes between points and
  pixels.
• Ensure cookie operations take effect when they happen before a web
  process has been spawned.
• Automatically adjust font size when GtkSettings:gtk-xft-dpi changes.
• Add initial resource load statistics support.
• Add API to expose availability of certain editing commands in
  WebKitEditorState.
• Add API to query whether a WebKitNavigationAction is a redirect
  or not.
• Improve complex text rendering.
• Add support for the "system" CSS font family.
• Disable USE_GSTREAMER_GL

This update was imported from the SUSE:SLE-12-SP2:Update update project.