Bug 801400 (CVE-2021-1817, CVE-2021-1820, CVE-2021-1825, CVE-2021-1826, CVE-2021-21775, CVE-2021-21779, CVE-2021-21806, CVE-2021-30661, CVE-2021-30663, CVE-2021-30665, CVE-2021-30666, CVE-2021-30682, CVE-2021-30689, CVE-2021-30720, CVE-2021-30734, CVE-2021-30744, CVE-2021-30749, CVE-2021-30758, CVE-2021-30761, CVE-2021-30762, CVE-2021-30795, CVE-2021-30797, CVE-2021-30799, WSA-2021-0004)

Summary: <net-libs/webkit-gtk-2.32.3: multiple vulnerabilities (CVE-2021-{1817,1820,1825,1826,21775,21779,21806,30661,30663,30665,30666,30682,30689,30720,30734,30744,30749,30758,30761,30762,30795,30797,30799})
Product: Gentoo Security
Reporter: John Helmert III <ajak>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: IN_PROGRESS ---
Severity: major
CC: joakim.tjernlund
Priority: Normal
Flags: nattka: sanity-check-
Version: unspecified
Hardware: All
OS: Linux
URL: https://webkitgtk.org/security/WSA-2021-0004.html
Whiteboard: A2 [glsa cve]
Package list: net-libs/webkit-gtk-2.32.3
Runtime testing required: ---

Description John Helmert III gentoo-dev Security 2021-07-09 21:14:17 UTC
From URL (2.32.2 release announcement):

Fix several crashes and rendering issues.


Please bump.
Comment 1 Larry the Git Cow gentoo-dev 2021-07-23 01:11:22 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=63ff9992d1901baf5a3bb65c01f1885381522a48

commit 63ff9992d1901baf5a3bb65c01f1885381522a48
Author:     Matt Turner <mattst88@gentoo.org>
AuthorDate: 2021-07-23 00:45:36 +0000
Commit:     Matt Turner <mattst88@gentoo.org>
CommitDate: 2021-07-23 01:10:58 +0000

    net-libs/webkit-gtk: Version bump to 2.32.2
    
    Closes: https://bugs.gentoo.org/801400
    Signed-off-by: Matt Turner <mattst88@gentoo.org>

 net-libs/webkit-gtk/Manifest                 |   1 +
 net-libs/webkit-gtk/webkit-gtk-2.32.2.ebuild | 300 +++++++++++++++++++++++++++
 2 files changed, 301 insertions(+)
Comment 2 John Helmert III gentoo-dev Security 2021-07-23 15:30:55 UTC
Advisory finally released:

    CVE-2021-1817
        Versions affected: WebKitGTK and WPE WebKit before 2.30.0.
        Credit to zhunki.
        Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: A memory corruption issue was addressed with improved state management.
    CVE-2021-1820
        Versions affected: WebKitGTK and WPE WebKit before 2.30.0.
        Credit to André Bargull.
        Impact: Processing maliciously crafted web content may result in the disclosure of process memory. Description: A memory initialization issue was addressed with improved memory handling.
    CVE-2021-1825
        Versions affected: WebKitGTK and WPE WebKit before 2.30.0.
        Credit to Alex Camboe of Aon’s Cyber Solutions.
        Impact: Processing maliciously crafted web content may lead to a cross site scripting attack. Description: An input validation issue was addressed with improved input validation.
    CVE-2021-1826
        Versions affected: WebKitGTK and WPE WebKit before 2.30.0.
        Credit to an anonymous researcher.
        Impact: Processing maliciously crafted web content may lead to universal cross site scripting. Description: A logic issue was addressed with improved restrictions.
    CVE-2021-21775
        Versions affected: WebKitGTK and WPE WebKit before 2.32.3.
        Credit to Marcin Towalski of Cisco Talos.
        A use-after-free vulnerability exists in the way certain events are processed for ImageLoader objects of WebKit. A specially crafted web page can lead to a potential information leak and further memory corruption. In order to trigger the vulnerability, a victim must be tricked into visiting a malicious webpage.
    CVE-2021-21779
        Versions affected: WebKitGTK and WPE WebKit before 2.32.3.
        Credit to Marcin Towalski of Cisco Talos.
        A use-after-free vulnerability exists in the way that WebKit GraphicsContext handles certain events. A specially crafted web page can lead to a potential information leak and further memory corruption. A victim must be tricked into visiting a malicious web page to trigger this vulnerability.
    CVE-2021-21806
        Versions affected: WebKitGTK and WPE WebKit before 2.30.6.
        Credit to Marcin ‘Icewall’ Noga of Cisco Talos.
        An exploitable use-after-free vulnerability exists in WebKit. A specially crafted HTML web page can cause a use-after-free condition, resulting in remote code execution. The victim needs to visit a malicious web site to trigger the vulnerability.
    CVE-2021-30661
        Versions affected: WebKitGTK and WPE WebKit before 2.30.0.
        Credit to yangkang(@dnpushme) of 360 ATA.
        Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited. Description: A use after free issue was addressed with improved memory management.
    CVE-2021-30663
        Versions affected: WebKitGTK and WPE WebKit before 2.32.3.
        Credit to an anonymous researcher.
        Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: An integer overflow was addressed with improved input validation.
    CVE-2021-30665
        Versions affected: WebKitGTK and WPE WebKit before 2.32.3.
        Credit to yangkang (@dnpushme)&zerokeeper&bianliang of 360 ATA.
        Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited. Description: A memory corruption issue was addressed with improved state management.
    CVE-2021-30666
        Versions affected: WebKitGTK and WPE WebKit before 2.26.0.
        Credit to yangkang (@dnpushme)&zerokeeper&bianliang of 360 ATA.
        Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited. Description: A buffer overflow issue was addressed with improved memory handling.
    CVE-2021-30682
        Versions affected: WebKitGTK and WPE WebKit before 2.32.0.
        Credit to an anonymous researcher and 1lastBr3ath.
        Impact: A malicious application may be able to leak sensitive user information. Description: A logic issue was addressed with improved restrictions.
    CVE-2021-30689
        Versions affected: WebKitGTK and WPE WebKit before 2.32.3.
        Credit to an anonymous researcher.
        Impact: Processing maliciously crafted web content may lead to universal cross site scripting. Description: A logic issue was addressed with improved state management.
    CVE-2021-30720
        Versions affected: WebKitGTK and WPE WebKit before 2.32.3.
        Credit to David Schütz (@xdavidhu).
        Impact: A malicious website may be able to access restricted ports on arbitrary servers. Description: A logic issue was addressed with improved restrictions.
    CVE-2021-30734
        Versions affected: WebKitGTK and WPE WebKit before 2.32.3.
        Credit to Jack Dates of RET2 Systems, Inc. (@ret2systems) working with Trend Micro Zero Day Initiative.
        Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed with improved memory handling.
    CVE-2021-30744
        Versions affected: WebKitGTK and WPE WebKit before 2.32.3.
        Credit to Dan Hite of jsontop.
        Impact: Processing maliciously crafted web content may lead to universal cross site scripting. Description: A cross-origin issue with iframe elements was addressed with improved tracking of security origins.
    CVE-2021-30749
        Versions affected: WebKitGTK and WPE WebKit before 2.32.3.
        Credit to an anonymous researcher and mipu94 of SEFCOM lab, ASU. working with Trend Micro Zero Day Initiative.
        Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed with improved memory handling.
    CVE-2021-30758
        Versions affected: WebKitGTK and WPE WebKit before 2.32.2.
        Credit to Christoph Guttandin of Media Codings.
        Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: A type confusion issue was addressed with improved state handling.
    CVE-2021-30761
        Versions affected: WebKitGTK and WPE WebKit before 2.26.0.
        Credit to an anonymous researcher.
        Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited. Description: A memory corruption issue was addressed with improved state management.
    CVE-2021-30762
        Versions affected: WebKitGTK and WPE WebKit before 2.28.0.
        Credit to an anonymous researcher.
        Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited. Description: A use after free issue was addressed with improved memory management.
    CVE-2021-30795
        Versions affected: WebKitGTK and WPE WebKit before 2.32.3.
        Credit to Sergei Glazunov of Google Project Zero.
        Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: A use after free issue was addressed with improved memory management.
    CVE-2021-30797
        Versions affected: WebKitGTK and WPE WebKit before 2.32.3.
        Credit to Ivan Fratric of Google Project Zero.
        Impact: Processing maliciously crafted web content may lead to code execution. Description: This issue was addressed with improved checks.
    CVE-2021-30799
        Versions affected: WebKitGTK and WPE WebKit before 2.32.3.
        Credit to Sergei Glazunov of Google Project Zero.
        Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed with improved memory handling.


Please bump to 2.32.3.
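
Added example (not part of the bug thread or of Gentoo's tooling): a small parser for the advisory layout quoted in Comment 2 that reports which CVEs remain unfixed for a given installed version, showing why the earlier 2.32.2 bump did not resolve this bug. `ADVISORY_EXCERPT` holds five entries copied from the comment, the function names are hypothetical, and plain dotted versions are assumed (no Gentoo `-rN` revision suffix).

```python
import re

# Five entries excerpted from the advisory text in Comment 2 (credit and
# impact lines omitted; the parser ignores lines it does not recognise).
ADVISORY_EXCERPT = """\
CVE-2021-21806
    Versions affected: WebKitGTK and WPE WebKit before 2.30.6.
CVE-2021-30666
    Versions affected: WebKitGTK and WPE WebKit before 2.26.0.
CVE-2021-30682
    Versions affected: WebKitGTK and WPE WebKit before 2.32.0.
CVE-2021-30758
    Versions affected: WebKitGTK and WPE WebKit before 2.32.2.
CVE-2021-30795
    Versions affected: WebKitGTK and WPE WebKit before 2.32.3.
"""

CVE_RE = re.compile(r"^\s*(CVE-\d{4}-\d{4,})\s*$")
FIXED_RE = re.compile(r"Versions affected:.*\bbefore (\d+(?:\.\d+)*)\.?\s*$")

def parse_version(text):
    """Turn '2.32.3' into (2, 32, 3) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))

def parse_advisory(text):
    """Map each CVE id to the first fixed version on its 'Versions affected' line."""
    fixed, current = {}, None
    for line in text.splitlines():
        m = CVE_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = FIXED_RE.search(line)
        if m and current:
            fixed[current] = parse_version(m.group(1))
            current = None
    return fixed

def open_cves(installed, fixed):
    """Return the CVE ids whose first fixed version is newer than `installed`."""
    have = parse_version(installed)
    return sorted(cve for cve, first_fixed in fixed.items() if have < first_fixed)

if __name__ == "__main__":
    table = parse_advisory(ADVISORY_EXCERPT)
    for version in ("2.32.1", "2.32.2", "2.32.3"):
        print(version, open_cves(version, table))
```
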
Comment 3 NATTkA bot gentoo-dev 2021-07-23 15:32:20 UTC Comment hidden (obsolete)
Comment 4 Matt Turner gentoo-dev 2021-07-23 20:11:25 UTC
2.32.3 in tree.
Comment 5 Sam James archtester gentoo-dev Security 2021-07-23 21:10:25 UTC
Let us know when ready to stable, thanks!
Comment 6 Matt Turner gentoo-dev 2021-07-26 19:12:33 UTC
Let's do it.
Comment 7 Agostino Sarubbo gentoo-dev 2021-07-28 06:42:16 UTC
amd64 stable
Comment 8 Sam James archtester gentoo-dev Security 2021-07-28 16:43:46 UTC
arm64 done
Comment 9 Agostino Sarubbo gentoo-dev 2021-07-30 15:18:02 UTC
ppc64 stable
Comment 10 Sam James archtester gentoo-dev Security 2021-07-30 22:35:46 UTC
x86 done
Comment 11 Sam James archtester gentoo-dev Security 2021-07-30 22:35:54 UTC
arm done

all arches done
Comment 12 Larry the Git Cow gentoo-dev 2021-08-04 22:36:17 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=682fc608631b55c0247b14599b024a7b3aa8ef09

commit 682fc608631b55c0247b14599b024a7b3aa8ef09
Author:     Matt Turner <mattst88@gentoo.org>
AuthorDate: 2021-08-04 22:34:01 +0000
Commit:     Matt Turner <mattst88@gentoo.org>
CommitDate: 2021-08-04 22:36:04 +0000

    net-libs/webkit-gtk: Drop old versions
    
    Bug: https://bugs.gentoo.org/801400
    Signed-off-by: Matt Turner <mattst88@gentoo.org>

 net-libs/webkit-gtk/Manifest                       |   2 -
 ...e-CompletionHandler-when-USE_OPENGL_OR_ES.patch |  36 ---
 net-libs/webkit-gtk/webkit-gtk-2.32.1.ebuild       | 301 ---------------------
 net-libs/webkit-gtk/webkit-gtk-2.32.2.ebuild       | 300 --------------------
 4 files changed, 639 deletions(-)
Comment 13 John Helmert III gentoo-dev Security 2021-08-06 22:01:21 UTC
Thanks Matt!
Comment 14 John Helmert III gentoo-dev Security 2021-08-07 00:10:18 UTC
GLSA request filed.
Comment 15 NATTkA bot gentoo-dev 2021-10-09 10:20:35 UTC
Unable to check for sanity:

> no match for package: net-libs/webkit-gtk-2.32.3