Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 831739 (CVE-2021-30934, CVE-2021-30936, CVE-2021-30951, CVE-2021-30952, CVE-2021-30953, CVE-2021-30954, CVE-2021-30984)

Summary: <net-libs/webkit-gtk-2.34.4: multiple vulnerabilites (including IndexedDB leaks)
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major CC: gnome, mjo
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://webkitgtk.org/security/WSA-2022-0001.html
Whiteboard: A2 [glsa+]
Package list:
Runtime testing required: ---
Attachments:
Description Flags
Bump commit none

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-01-21 15:58:24 UTC
https://discourse.gnome.org/t/webkitgtk-2-34-4-fixes-safari-leaks-vulnerability/8692
https://safarileaks.com/

Changelog says "Fix several crashes and rendering issues." but Discourse post says 2.34.4 fixes "Safari leaks" vulnerability which can leak website data to other websites. Seemingly no CVEs.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-01-21 18:41:24 UTC
Advisory released but apparently no CVE for the Safari leaks issue yet
Comment 2 Mart Raudsepp gentoo-dev 2022-01-21 21:57:36 UTC
Created attachment 763084 [details, diff]
Bump commit

I have the bump build-testing, but off to bed before it completes.
If someone wants to take the commit with git-am, build test and push it in if all good, I'd be fine with that. Otherwise I'll get to it in the morning.
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-01-22 00:43:07 UTC
*** Bug 831761 has been marked as a duplicate of this bug. ***
Comment 4 Larry the Git Cow gentoo-dev 2022-01-22 01:17:52 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f5bad592e6fceebff1ebf5a0d488c9d732f49e42

commit f5bad592e6fceebff1ebf5a0d488c9d732f49e42
Author:     Mart Raudsepp <leio@gentoo.org>
AuthorDate: 2022-01-21 21:54:49 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-01-22 01:17:09 +0000

    net-libs/webkit-gtk: security bump to 2.34.4
    
    Bug: https://bugs.gentoo.org/831739
    Package-Manager: Portage-3.0.20, Repoman-3.0.2
    Signed-off-by: Mart Raudsepp <leio@gentoo.org>
    Signed-off-by: Sam James <sam@gentoo.org>

 net-libs/webkit-gtk/Manifest                 |   1 +
 net-libs/webkit-gtk/webkit-gtk-2.34.4.ebuild | 272 +++++++++++++++++++++++++++
 2 files changed, 273 insertions(+)
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-02-01 03:40:04 UTC
commit d2418b0a913a694a55e21440268b44301931867c
Author: John Helmert III <ajak@gentoo.org>
Date:   Mon Jan 31 21:31:04 2022 -0600

    [ GLSA 202202-01 ] WebkitGTK+: Multiple vulnerabilities

    Signed-off-by: John Helmert III <ajak@gentoo.org>
Comment 6 Larry the Git Cow gentoo-dev 2022-03-18 19:24:44 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d5526c1acd16c113397ef0c689aadc00fe88ab94

commit d5526c1acd16c113397ef0c689aadc00fe88ab94
Author:     Matt Turner <mattst88@gentoo.org>
AuthorDate: 2022-03-18 19:18:08 +0000
Commit:     Matt Turner <mattst88@gentoo.org>
CommitDate: 2022-03-18 19:23:32 +0000

    net-libs/webkit-gtk: Drop old versions
    
    Bug: https://bugs.gentoo.org/831739
    Bug: https://bugs.gentoo.org/832990
    Signed-off-by: Matt Turner <mattst88@gentoo.org>

 net-libs/webkit-gtk/Manifest                 |   2 -
 net-libs/webkit-gtk/webkit-gtk-2.34.3.ebuild | 272 ---------------------------
 net-libs/webkit-gtk/webkit-gtk-2.34.4.ebuild | 272 ---------------------------
 3 files changed, 546 deletions(-)
Comment 7 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-03-19 05:52:59 UTC
All done, thanks!