Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 941276 (CVE-2024-40857, CVE-2024-40866, CVE-2024-44185, CVE-2024-44187, CVE-2024-44244, CVE-2024-44296) - <net-libs/webkit-gtk-2.46.3{,-r410,-r600}: multiple vulnerabilities
Summary: <net-libs/webkit-gtk-2.46.3{,-r410,-r600}: multiple vulnerabilities
Status: CONFIRMED
Alias: CVE-2024-40857, CVE-2024-40866, CVE-2024-44185, CVE-2024-44187, CVE-2024-44244, CVE-2024-44296
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL: https://webkitgtk.org/security/WSA-20...
Whiteboard: A4 [stable?]
Keywords:
Depends on: 943636 941277
Blocks:
  Show dependency tree
 
Reported: 2024-10-11 13:23 UTC by Michael Orlitzky
Modified: 2024-11-16 15:24 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Michael Orlitzky gentoo-dev 2024-10-11 13:23:36 UTC
CVE-2024-40857
    Versions affected: WebKitGTK and WPE WebKit before 2.46.0.
    Credit to Ron Masas.
    Impact: Processing maliciously crafted web content may lead to
    universal cross site scripting. Description: This issue was
    addressed through improved state management.
    WebKit Bugzilla: 268724

CVE-2024-40866
    Versions affected: WebKitGTK and WPE WebKit before 2.46.0.
    Credit to Hafiizh and YoKo Kho (@yokoacc) of HakTrak.
    Impact: Visiting a malicious website may lead to address bar
    spoofing. Description: The issue was addressed with improved UI.
    WebKit Bugzilla: 279451

CVE-2024-44187
    Versions affected: WebKitGTK and WPE WebKit before 2.46.0.
    Credit to Narendra Bhati, Manager of Cyber Security at Suma Soft Pvt. Ltd,
    Pune (India).
    Impact: A malicious website may exfiltrate data cross-origin.
    Description: A cross-origin issue existed with "iframe" elements.
    This was addressed with improved tracking of security origins.
    WebKit Bugzilla: 279452
Comment 1 Michael Orlitzky gentoo-dev 2024-10-31 18:52:13 UTC
https://webkitgtk.org/security/WSA-2024-0006.html

* CVE-2024-44185
  Versions affected: WebKitGTK and WPE WebKit before 2.46.0.
  Credit to Gary Kwong.
  Impact: Processing maliciously crafted web content may lead to an unexpected
  process crash Description: The issue was addressed with improved checks.
  WebKit Bugzilla: 276097

* CVE-2024-44244
  Versions affected: WebKitGTK and WPE WebKit before 2.46.3.
  Credit to an anonymous researcher, Q1IQ (@q1iqF) and P1umer (@p1umer).
  Impact: Processing maliciously crafted web content may lead to an unexpected process crash   Description: A memory corruption issue was addressed with improved input validation.
  WebKit Bugzilla: 279780


* CVE-2024-44296
  Versions affected: WebKitGTK and WPE WebKit before 2.46.3.
  Credit to Narendra Bhati, Manager of Cyber Security at Suma Soft Pvt. Ltd, Pune (India).
  Impact: Processing maliciously crafted web content may prevent Content Security Policy from
  being enforced Description: The issue was addressed with improved checks.
  WebKit Bugzilla: 278765