Summary: | <net-libs/webkit-gtk-2.34.1: Multiple vulnerabilities | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Sam James <sam> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | major | CC: | gnome, it |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | A2 [glsa+] | ||
Package list: | Runtime testing required: | --- | |
Bug Depends on: | 819384, 820437, 820440, 820443, 822696, 829723, 830597 | ||
Bug Blocks: | 819522 |
Description
Sam James
2021-10-27 03:51:38 UTC
Note that CVE-2021-30858 was in bug 813489 and CVE-2021-42762 was in bug 819522. More from https://webkitgtk.org/security/WSA-2021-0007.html. CVE-2021-30818 Versions affected: WebKitGTK and WPE WebKit before 2.34.0. Credit to Amar Menezes (@amarekano) of Zon8Research. Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: A type confusion issue was addressed with improved state handling. CVE-2021-30823 Versions affected: WebKitGTK and WPE WebKit before 2.34.0. Credit to David Gullasch of Recurity Labs. Impact: An attacker in a privileged network position may be able to bypass HSTS. Description: A logic issue was addressed with improved restrictions. CVE-2021-30884 Versions affected: WebKitGTK and WPE WebKit before 2.34.0. Credit to an anonymous researcher. Impact: Visiting a maliciously crafted website may reveal a user's browsing history. Description: The issue was resolved with additional restrictions on CSS compositing. CVE-2021-30888 Versions affected: WebKitGTK and WPE WebKit before 2.34.0. Credit to Prakash (@1lastBr3ath). Impact: A malicious website using Content Security Policy reports may be able to leak information via redirect behavior. Description: An information leakage issue was addressed. CVE-2021-30889 Versions affected: WebKitGTK and WPE WebKit before 2.34.0. Credit to Chijin Zhou of ShuiMuYuLin Ltd and Tsinghua wingtecher lab. Impact: Processing maliciously crafted web content may lead to arbitrary code execution, Description: A buffer overflow issue was addressed with improved memory handling. CVE-2021-30897 Versions affected: WebKitGTK and WPE WebKit before 2.34.0. Credit to an anonymous researcher. Impact: A malicious website may exfiltrate data cross-origin. Description: An issue existed in the specification for the resource timing API. The specification was updated and the updated specification was implemented. commit d2418b0a913a694a55e21440268b44301931867c Author: John Helmert III <ajak@gentoo.org> Date: Mon Jan 31 21:31:04 2022 -0600 [ GLSA 202202-01 ] WebkitGTK+: Multiple vulnerabilities Signed-off-by: John Helmert III <ajak@gentoo.org> All done! |