Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 813489 (CVE-2021-30809, CVE-2021-30836, CVE-2021-30858, CVE-2021-45482, WSA-2021-0005)

Summary: <net-libs/webkit-gtk-2.32.4: remote code execution
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: gnome
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://mail.gnome.org/archives/gnome-announce-list/2021-September/msg00003.html
Whiteboard: A2 [glsa+]
Package list:
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-09-17 21:25:51 UTC 
From URL:

"Fix several crashes and rendering issues."

Please bump.
Comment 1 Larry the Git Cow gentoo-dev 2021-09-18 15:24:41 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=abde07959df441fb48875abfb78b8277efe2d31f

commit abde07959df441fb48875abfb78b8277efe2d31f
Author:     Mart Raudsepp <leio@gentoo.org>
AuthorDate: 2021-09-18 14:12:24 +0000
Commit:     Mart Raudsepp <leio@gentoo.org>
CommitDate: 2021-09-18 15:23:14 +0000

    net-libs/webkit-gtk: bump to 2.32.4
    
    Bug: https://bugs.gentoo.org/813489
    Package-Manager: Portage-3.0.20, Repoman-3.0.2
    Signed-off-by: Mart Raudsepp <leio@gentoo.org>

 net-libs/webkit-gtk/Manifest                 |   1 +
 net-libs/webkit-gtk/webkit-gtk-2.32.4.ebuild | 300 +++++++++++++++++++++++++++
 2 files changed, 301 insertions(+)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-09-18 15:29:01 UTC 
Thanks leio!
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-10-07 14:26:33 UTC 
Please cleanup
Comment 4 Larry the Git Cow gentoo-dev 2021-10-09 10:17:28 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=92f9219e6d599be43705104cd0ec092a8baae2fa

commit 92f9219e6d599be43705104cd0ec092a8baae2fa
Author:     Mart Raudsepp <leio@gentoo.org>
AuthorDate: 2021-10-09 10:16:38 +0000
Commit:     Mart Raudsepp <leio@gentoo.org>
CommitDate: 2021-10-09 10:16:38 +0000

    net-libs/webkit-gtk: security cleanup
    
    Bug: https://bugs.gentoo.org/813489
    Package-Manager: Portage-3.0.20, Repoman-3.0.2
    Signed-off-by: Mart Raudsepp <leio@gentoo.org>

 net-libs/webkit-gtk/Manifest                 |   1 -
 net-libs/webkit-gtk/webkit-gtk-2.32.3.ebuild | 300 ---------------------------
 2 files changed, 301 deletions(-)
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-12-20 19:55:26 UTC 
More from https://webkitgtk.org/security/WSA-2021-0007.html:

CVE-2021-30809
    Versions affected: WebKitGTK and WPE WebKit before 2.32.4.
    Credit to an anonymous researcher.
    Impact: Processing maliciously crafted web content may lead to
    arbitrary code execution. Description: A use after free issue was
    addressed with improved memory management.

CVE-2021-30836
    Versions affected: WebKitGTK and WPE WebKit before 2.32.4.
    Credit to Peter Nguyen Vu Hoang of STAR Labs.
    Impact: Processing a maliciously crafted audio file may disclose
    restricted memory. Description: An out-of-bounds read was addressed
    with improved input validation.
Comment 6 Mart Raudsepp gentoo-dev 2022-01-04 13:10:42 UTC 
I don't see any blockers here with 2.32.4 stable for like 3 months by now.
Comment 7 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-02-01 03:39:30 UTC 
commit d2418b0a913a694a55e21440268b44301931867c
Author: John Helmert III <ajak@gentoo.org>
Date:   Mon Jan 31 21:31:04 2022 -0600

    [ GLSA 202202-01 ] WebkitGTK+: Multiple vulnerabilities

    Signed-off-by: John Helmert III <ajak@gentoo.org>

All done!