Several vulnerabilities were discovered in WebKitGTK and WPE WebKit. CVE-2023-42916 Versions affected: WebKitGTK and WPE WebKit before 2.42.3. Credit to Clément Lecigne of Google's Threat Analysis Group. Impact: Processing web content may disclose sensitive information. Apple is aware of a report that this issue may have been actively exploited. Description: An out-of-bounds read was addressed with improved input validation. WebKit Bugzilla: 265041 CVE-2023-42917 Versions affected: WebKitGTK and WPE WebKit before 2.42.3. Credit to Clément Lecigne of Google's Threat Analysis Group. Impact: Processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited. Description: A memory corruption vulnerability was addressed with improved locking. WebKit Bugzilla: 265067 And the usual change log (WARNING: the first one looks important): What’s new in the WebKitGTK 2.43.2 release? Remove the X11 and WPE renderers. Release unused buffers when the view is hidden. Fix flickering while playing videos with DMA-BUF sink. Do not special case the “sans” font family name. Fix webkit_web_context_allow_tls_certificate_for_host() for IPv6 URIs produced by SoupURI. Fix several crashes and rendering issues.
The summary (title) for the bug should only contain fixed versions in tree.
*** Bug 919327 has been marked as a duplicate of this bug. ***
It was politely pointed out that I can't read. Here are the correct release notes that look unproblematic: What’s new in the WebKitGTK 2.42.3 release? Fix flickering while playing videos with DMA-BUF sink. Fix color picker being triggered in the inspector when typing “tan”. Do not special case the “sans” font family name. Fix build failure with libxml2 version 2.12.0 due to an API change. Fix several crashes and rendering issues.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c8c55c4a144a719cece728ebf9293ba3ff029657 commit c8c55c4a144a719cece728ebf9293ba3ff029657 Author: Branko Grubic <bitlord0xff@gmail.com> AuthorDate: 2023-12-05 23:37:16 +0000 Commit: Michael Orlitzky <mjo@gentoo.org> CommitDate: 2023-12-07 13:26:39 +0000 net-libs/webkit-gtk: Version bump to 2.42.3 Bug: https://bugs.gentoo.org/919290 Closes: https://github.com/gentoo/gentoo/pull/34137 Signed-off-by: Branko Grubic <bitlord0xff@gmail.com> Signed-off-by: Michael Orlitzky <mjo@gentoo.org> net-libs/webkit-gtk/Manifest | 1 + net-libs/webkit-gtk/webkit-gtk-2.42.3-r410.ebuild | 262 ++++++++++++++++++++++ net-libs/webkit-gtk/webkit-gtk-2.42.3-r600.ebuild | 255 +++++++++++++++++++++ net-libs/webkit-gtk/webkit-gtk-2.42.3.ebuild | 252 +++++++++++++++++++++ 4 files changed, 770 insertions(+)
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ba49d7c8bf7ef3433a36fbe3e23ff871c2bbcd77 commit ba49d7c8bf7ef3433a36fbe3e23ff871c2bbcd77 Author: Mart Raudsepp <leio@gentoo.org> AuthorDate: 2023-12-24 15:07:00 +0000 Commit: Mart Raudsepp <leio@gentoo.org> CommitDate: 2023-12-24 15:54:27 +0000 net-libs/webkit-gtk: security cleanup Bug: https://bugs.gentoo.org/918667 Bug: https://bugs.gentoo.org/919290 Signed-off-by: Mart Raudsepp <leio@gentoo.org> net-libs/webkit-gtk/Manifest | 3 - ...ailure-when-gstreamer-support-is-disabled.patch | 33 --- net-libs/webkit-gtk/webkit-gtk-2.40.5-r410.ebuild | 264 --------------------- net-libs/webkit-gtk/webkit-gtk-2.40.5-r600.ebuild | 257 -------------------- net-libs/webkit-gtk/webkit-gtk-2.40.5.ebuild | 254 -------------------- net-libs/webkit-gtk/webkit-gtk-2.42.1-r410.ebuild | 262 -------------------- net-libs/webkit-gtk/webkit-gtk-2.42.1-r600.ebuild | 255 -------------------- net-libs/webkit-gtk/webkit-gtk-2.42.1.ebuild | 252 -------------------- net-libs/webkit-gtk/webkit-gtk-2.42.2-r410.ebuild | 262 -------------------- net-libs/webkit-gtk/webkit-gtk-2.42.2-r600.ebuild | 255 -------------------- net-libs/webkit-gtk/webkit-gtk-2.42.2.ebuild | 252 -------------------- 11 files changed, 2349 deletions(-)
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/data/glsa.git/commit/?id=a3a0841120687c62c97e02dfd392564da420eec4 commit a3a0841120687c62c97e02dfd392564da420eec4 Author: GLSAMaker <glsamaker@gentoo.org> AuthorDate: 2024-01-05 13:00:45 +0000 Commit: Hans de Graaff <graaff@gentoo.org> CommitDate: 2024-01-05 13:01:13 +0000 [ GLSA 202401-04 ] WebKitGTK+: Multiple Vulnerabilities Bug: https://bugs.gentoo.org/907818 Bug: https://bugs.gentoo.org/909663 Bug: https://bugs.gentoo.org/910656 Bug: https://bugs.gentoo.org/918087 Bug: https://bugs.gentoo.org/918099 Bug: https://bugs.gentoo.org/919290 Signed-off-by: GLSAMaker <glsamaker@gentoo.org> Signed-off-by: Hans de Graaff <graaff@gentoo.org> glsa-202401-04.xml | 68 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 68 insertions(+)
