CVE-2021-1788 Versions affected: WebKitGTK before 2.32.0 and WPE WebKit before 2.32.0. Credit to Francisco Alonso (@revskills). Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: A use after free issue was addressed with improved memory management. CVE-2021-1844 Versions affected: WebKitGTK before 2.32.0 and WPE WebKit before 2.32.0. Credit to Clément Lecigne of Google’s Threat Analysis Group, Alison Huffman of Microsoft Browser Vulnerability Research. Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: A memory corruption issue was addressed with improved validation. CVE-2021-1871 Versions affected: WebKitGTK before 2.32.0 and WPE WebKit before 2.32.0. Credit to an anonymous researcher. Impact: A remote attacker may be able to cause arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited. Description: A logic issue was addressed with improved restrictions. Please bump.
net-libs/webkit-gtk-2.32.0 works on armv7, should be okay to push to upstream "stable".
(In reply to Steve Arnold from comment #1) > net-libs/webkit-gtk-2.32.0 works on armv7, should be okay to push to > upstream "stable". Um, what are you talking about? No such version exists in ::gentoo.
I had to make one from net-libs/webkit-gtk-2.30.5 due to arm compile error and 2.32.0 is listed as "stable" upstream with the CVE fix...
"net-libs/webkit-gtk-2.32.1" wants ">=dev-libs/glib-2.67.1:2" but `ebuild webkit-gtk-2.32.1.ebuild merge` completes and appears to run without error on amd64 with "dev-libs/glib-2.66.7"
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1f2d5eb9782f51dff1cb6a485292601a24a39049 commit 1f2d5eb9782f51dff1cb6a485292601a24a39049 Author: Matt Turner <mattst88@gentoo.org> AuthorDate: 2021-05-30 23:56:25 +0000 Commit: Matt Turner <mattst88@gentoo.org> CommitDate: 2021-05-31 01:58:21 +0000 net-libs/webkit-gtk: Drop old versions Bug: https://bugs.gentoo.org/779175 Signed-off-by: Matt Turner <mattst88@gentoo.org> net-libs/webkit-gtk/Manifest | 1 - .../webkit-gtk/files/2.28.2-non-jumbo-fix.patch | 34 --- .../webkit-gtk/files/2.28.4-non-jumbo-fix2.patch | 31 --- .../webkit-gtk/files/2.30.3-fix-noGL-build.patch | 27 -- .../webkit-gtk-2.24.4-eglmesaext-include.patch | 10 - net-libs/webkit-gtk/webkit-gtk-2.30.6.ebuild | 300 --------------------- 6 files changed, 403 deletions(-)
Thanks!
I have ebuilds for 2.33.1 and 2.33.2 in my personal overlay: https://github.com/jjakob/gentoo-overlay/tree/master/net-libs/webkit-gtk What's the process for getting them merged into the official repo? Become a proxy maintainer and submit PRs?
2.33.x are early unstable development versions and do not belong in the tree in ~arch. Not sure what this has to do with the security ticket here though.
(In reply to Mart Raudsepp from comment #8) > 2.33.x are early unstable development versions and do not belong in the tree > in ~arch. Not sure what this has to do with the security ticket here though. I apologise, I missed that 2.32.1 was already stable in the tree, since the bug is still marked as in progress.
Package list is empty or all packages have requested keywords.
GLSA request filed.
commit d2418b0a913a694a55e21440268b44301931867c Author: John Helmert III <ajak@gentoo.org> Date: Mon Jan 31 21:31:04 2022 -0600 [ GLSA 202202-01 ] WebkitGTK+: Multiple vulnerabilities Signed-off-by: John Helmert III <ajak@gentoo.org> All done!
