Bug 951739 (CVE-2024-44192, CVE-2024-54467, CVE-2025-24201) - net-libs/webkit-gtk: multiple vulnerabilities
Summary: net-libs/webkit-gtk: multiple vulnerabilities
Status: CONFIRMED
Alias: CVE-2024-44192, CVE-2024-54467, CVE-2025-24201
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://webkitgtk.org/security/WSA-20...
Whiteboard: A2 [ebuild]
Reported: 2025-03-22 00:11 UTC by Christopher Fore
Modified: 2025-03-27 11:11 UTC

Runtime testing required: ---


Attachments
net-libs/webkit-gtk-2.48.0 version bump (webkitgtk-2.48.0.patch,27.40 KB, patch)
2025-03-27 11:05 UTC, zyxhere

Description Christopher Fore 2025-03-22 00:11:53 UTC
CVE-2024-44192:

Processing maliciously crafted web content may lead to an unexpected process crash.


CVE-2024-54467:

A malicious website may exfiltrate data cross-origin.


CVE-2025-24201:

Maliciously crafted web content may be able to break out of Web Content sandbox. This is a supplementary fix for an attack that was blocked in iOS 17.2. (Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 17.2.)



The above are fixed in 2.48.0.
Comment 1 zyxhere 2025-03-27 11:05:09 UTC
Created attachment 922991
net-libs/webkit-gtk-2.48.0 version bump
Comment 2 zyxhere 2025-03-27 11:11:13 UTC
Plz ignore my patch, it's not working (forgot to remove the icu patch)