
Bug 779175 (CVE-2021-1788, CVE-2021-1844, CVE-2021-1871)

Summary: <net-libs/webkit-gtk-2.32.1: multiple vulnerabilities (CVE-2021-{1788,1844,1871})
Product: Gentoo Security
Reporter: John Helmert III <ajak>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: lethbridgejason
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://webkitgtk.org/security/WSA-2021-0003.html
Whiteboard: A2 [glsa+]
Package list:
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-03-29 21:48:51 UTC
    CVE-2021-1788
        Versions affected: WebKitGTK before 2.32.0 and WPE WebKit before 2.32.0.
        Credit to Francisco Alonso (@revskills).
        Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: A use after free issue was addressed with improved memory management.

    CVE-2021-1844
        Versions affected: WebKitGTK before 2.32.0 and WPE WebKit before 2.32.0.
        Credit to Clément Lecigne of Google’s Threat Analysis Group, Alison Huffman of Microsoft Browser Vulnerability Research.
        Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: A memory corruption issue was addressed with improved validation.

    CVE-2021-1871
        Versions affected: WebKitGTK before 2.32.0 and WPE WebKit before 2.32.0.
        Credit to an anonymous researcher.
        Impact: A remote attacker may be able to cause arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited. Description: A logic issue was addressed with improved restrictions.


Please bump.
Comment 1 Steve Arnold archtester gentoo-dev 2021-04-21 18:26:43 UTC
net-libs/webkit-gtk-2.32.0 works on armv7, should be okay to push to upstream "stable".
Comment 2 Matt Turner gentoo-dev 2021-04-21 19:06:06 UTC
(In reply to Steve Arnold from comment #1)
> net-libs/webkit-gtk-2.32.0 works on armv7, should be okay to push to
> upstream "stable".

Um, what are you talking about? No such version exists in ::gentoo.
Comment 3 Steve Arnold archtester gentoo-dev 2021-04-25 23:32:20 UTC
I had to make one from net-libs/webkit-gtk-2.30.5 due to arm compile error and 2.32.0 is listed as "stable" upstream with the CVE fix...
Comment 4 Jason Lethbridge 2021-05-16 23:41:26 UTC
"net-libs/webkit-gtk-2.32.1" wants ">=dev-libs/glib-2.67.1:2" but `ebuild webkit-gtk-2.32.1.ebuild merge` completes and appears to run without error on amd64 with "dev-libs/glib-2.66.7"
Comment 5 Larry the Git Cow gentoo-dev 2021-05-31 01:59:59 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1f2d5eb9782f51dff1cb6a485292601a24a39049

commit 1f2d5eb9782f51dff1cb6a485292601a24a39049
Author:     Matt Turner <mattst88@gentoo.org>
AuthorDate: 2021-05-30 23:56:25 +0000
Commit:     Matt Turner <mattst88@gentoo.org>
CommitDate: 2021-05-31 01:58:21 +0000

    net-libs/webkit-gtk: Drop old versions
    
    Bug: https://bugs.gentoo.org/779175
    Signed-off-by: Matt Turner <mattst88@gentoo.org>

 net-libs/webkit-gtk/Manifest                       |   1 -
 .../webkit-gtk/files/2.28.2-non-jumbo-fix.patch    |  34 ---
 .../webkit-gtk/files/2.28.4-non-jumbo-fix2.patch   |  31 ---
 .../webkit-gtk/files/2.30.3-fix-noGL-build.patch   |  27 --
 .../webkit-gtk-2.24.4-eglmesaext-include.patch     |  10 -
 net-libs/webkit-gtk/webkit-gtk-2.30.6.ebuild       | 300 ---------------------
 6 files changed, 403 deletions(-)
Comment 6 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-05-31 16:49:46 UTC
Thanks!
Comment 7 Jernej Jakob 2021-06-24 11:26:01 UTC
I have ebuilds for 2.33.1 and 2.33.2 in my personal overlay: https://github.com/jjakob/gentoo-overlay/tree/master/net-libs/webkit-gtk
What's the process for getting them merged into the official repo? Become a proxy maintainer and submit PRs?
Comment 8 Mart Raudsepp gentoo-dev 2021-06-24 12:03:22 UTC
2.33.x are early unstable development versions and do not belong in the tree in ~arch. Not sure what this has to do with the security ticket here though.
Comment 9 Jernej Jakob 2021-06-24 12:39:25 UTC
(In reply to Mart Raudsepp from comment #8)
> 2.33.x are early unstable development versions and do not belong in the tree
> in ~arch. Not sure what this has to do with the security ticket here though.

I apologise, I missed that 2.32.1 was already stable in the tree, since the bug is still marked as in progress.
Comment 15 NATTkA bot gentoo-dev 2021-07-29 18:12:06 UTC
Package list is empty or all packages have requested keywords.
Comment 16 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-08-07 00:10:17 UTC
GLSA request filed.
Comment 17 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-02-01 03:39:30 UTC
commit d2418b0a913a694a55e21440268b44301931867c
Author: John Helmert III <ajak@gentoo.org>
Date:   Mon Jan 31 21:31:04 2022 -0600

    [ GLSA 202202-01 ] WebkitGTK+: Multiple vulnerabilities

    Signed-off-by: John Helmert III <ajak@gentoo.org>

All done!