
Bug 832990 (CVE-2022-22589, CVE-2022-22590, CVE-2022-22592, WSA-2022-0002)

Summary: <net-libs/webkit-gtk-2.34.5: multiple vulnerabilities
Product: Gentoo Security
Reporter: John Helmert III <ajak>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: marduk
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://webkitgtk.org/security/WSA-2022-0002.html
Whiteboard: A2 [glsa+]
Package list:
Runtime testing required: ---
Bug Depends on: 833254    
Bug Blocks:    

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-02-09 15:22:27 UTC
CVE-2022-22589:

Versions affected: WebKitGTK and WPE WebKit before 2.34.5.
Credit to Heige of KnownSec 404 Team (knownsec.com) and Bo Qu of Palo Alto Networks (paloaltonetworks.com).
Impact: Processing a maliciously crafted mail message may lead to running arbitrary javascript.
Description: A validation issue was addressed with improved input sanitization.

CVE-2022-22590:

Versions affected: WebKitGTK and WPE WebKit before 2.34.5.
Credit to Toan Pham from Team Orca of Sea Security (security.sea.com).
Impact: Processing maliciously crafted web content may lead to arbitrary code execution.
Description: A use after free issue was addressed with improved memory management.

CVE-2022-22592:

Versions affected: WebKitGTK and WPE WebKit before 2.34.5.
Credit to Prakash (@1lastBr3ath).
Impact: Processing maliciously crafted web content may prevent Content Security Policy from being enforced.
Description: A logic issue was addressed with improved state management.

Please bump to 2.34.5.
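
The following is an added example, not part of the bug report or of Gentoo's tooling: a shell check that lists every installed net-libs/webkit-gtk (the package can be installed in several slots at once) and flags those older than the fixed 2.34.5 named above. It assumes Portage's default installed-package database at /var/db/pkg, GNU `sort -V`, and plain numeric versions with an optional `-rN` revision; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: flag installed net-libs/webkit-gtk older than the fixed release.
FIXED_VERSION="2.34.5"   # first fixed version, taken from this bug

# version_lt A B: succeed when version A sorts strictly before version B.
# Assumes GNU `sort -V` and purely numeric dotted versions.
version_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# vulnerable_webkit_gtk [VDB_ROOT]
# Prints "<version-revision> vulnerable|fixed" for each installed copy.
# Returns 1 if any installed copy predates FIXED_VERSION, 0 otherwise.
# VDB_ROOT defaults to /var/db/pkg (assumed default Portage location).
vulnerable_webkit_gtk() {
    vdb="${1:-/var/db/pkg}"
    status=0
    for dir in "$vdb"/net-libs/webkit-gtk-[0-9]*; do
        # An unmatched glob stays literal; skip it and anything not a directory.
        [ -d "$dir" ] || continue
        pvr="${dir##*/webkit-gtk-}"
        # Drop the ebuild revision: 2.34.5-r1 carries upstream 2.34.5.
        pv="$(printf '%s' "$pvr" | sed 's/-r[0-9][0-9]*$//')"
        if version_lt "$pv" "$FIXED_VERSION"; then
            echo "$pvr vulnerable"
            status=1
        else
            echo "$pvr fixed"
        fi
    done
    return "$status"
}
```

Calling `vulnerable_webkit_gtk` with no argument checks the live system; a non-zero return means at least one slot still needs the update.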
Comment 1 Larry the Git Cow gentoo-dev 2022-02-09 19:12:53 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=873bf3aa31ec4bd58ad472ede5020b734f90f31d

commit 873bf3aa31ec4bd58ad472ede5020b734f90f31d
Author:     Matt Turner <mattst88@gentoo.org>
AuthorDate: 2022-02-09 19:11:03 +0000
Commit:     Matt Turner <mattst88@gentoo.org>
CommitDate: 2022-02-09 19:12:37 +0000

    net-libs/webkit-gtk: Version bump to 2.34.5
    
    Bug: https://bugs.gentoo.org/832990
    Closes: https://bugs.gentoo.org/832894
    Signed-off-by: Matt Turner <mattst88@gentoo.org>

 net-libs/webkit-gtk/Manifest                 |   1 +
 net-libs/webkit-gtk/webkit-gtk-2.34.5.ebuild | 273 +++++++++++++++++++++++++++
 2 files changed, 274 insertions(+)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-02-09 20:34:43 UTC
Thanks! Please stabilize when ready.
Comment 3 Albert W. Hopkins 2022-02-09 22:52:17 UTC
For 2.34.5 I'm getting

```
>>> Configuring source in /var/tmp/portage/net-libs/webkit-gtk-2.34.5/work/webkitgtk-2.34.5 ...
 * ERROR: net-libs/webkit-gtk-2.34.5::gentoo failed (configure phase):
 *   USE Flag 'test' not in IUSE for net-libs/webkit-gtk-2.34.5
 * 
 * Call stack:
 *          ebuild.sh, line  127:  Called src_configure
 *        environment, line 4053:  Called usex 'test'
 *   phase-helpers.sh, line  213:  Called use 'test'
 *   phase-helpers.sh, line  252:  Called die
 * The specific snippet of code:
 *   				die "USE Flag '${u}' not in IUSE for ${CATEGORY}/${PF}"
 * 
 * If you need support, post the output of `emerge --info '=net-libs/webkit-gtk-2.34.5::gentoo'`,
 * the complete build log and the output of `emerge -pqv '=net-libs/webkit-gtk-2.34.5::gentoo'`.
 * The complete build log is located at '/var/tmp/portage/net-libs/webkit-gtk-2.34.5/temp/build.log'.
 * The ebuild environment file is located at '/var/tmp/portage/net-libs/webkit-gtk-2.34.5/temp/environment'.
 * Working directory: '/var/tmp/portage/net-libs/webkit-gtk-2.34.5/work/webkitgtk-2.34.5'
 * S: '/var/tmp/portage/net-libs/webkit-gtk-2.34.5/work/webkitgtk-2.34.5'
 * Messages for package net-libs/webkit-gtk-2.34.5:
 * ERROR: net-libs/webkit-gtk-2.34.5::gentoo failed (configure phase):
 *   USE Flag 'test' not in IUSE for net-libs/webkit-gtk-2.34.5
 * 
 * Call stack:
 *          ebuild.sh, line  127:  Called src_configure
 *        environment, line 4053:  Called usex 'test'
 *   phase-helpers.sh, line  213:  Called use 'test'
 *   phase-helpers.sh, line  252:  Called die
 * The specific snippet of code:
 *   				die "USE Flag '${u}' not in IUSE for ${CATEGORY}/${PF}"
```

Should I file this under another bug?
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-02-10 00:16:04 UTC
(In reply to Albert W. Hopkins from comment #3)
> For 2.34.5 I'm getting
> 
> ```
> >>> Configuring source in /var/tmp/portage/net-libs/webkit-gtk-2.34.5/work/webkitgtk-2.34.5 ...
>  * ERROR: net-libs/webkit-gtk-2.34.5::gentoo failed (configure phase):
>  *   USE Flag 'test' not in IUSE for net-libs/webkit-gtk-2.34.5
>  * 
>  * Call stack:
>  *          ebuild.sh, line  127:  Called src_configure
>  *        environment, line 4053:  Called usex 'test'
>  *   phase-helpers.sh, line  213:  Called use 'test'
>  *   phase-helpers.sh, line  252:  Called die
>  * The specific snippet of code:
>  *   				die "USE Flag '${u}' not in IUSE for ${CATEGORY}/${PF}"
>  * 
>  * If you need support, post the output of `emerge --info
> '=net-libs/webkit-gtk-2.34.5::gentoo'`,
>  * the complete build log and the output of `emerge -pqv
> '=net-libs/webkit-gtk-2.34.5::gentoo'`.
>  * The complete build log is located at
> '/var/tmp/portage/net-libs/webkit-gtk-2.34.5/temp/build.log'.
>  * The ebuild environment file is located at
> '/var/tmp/portage/net-libs/webkit-gtk-2.34.5/temp/environment'.
>  * Working directory:
> '/var/tmp/portage/net-libs/webkit-gtk-2.34.5/work/webkitgtk-2.34.5'
>  * S: '/var/tmp/portage/net-libs/webkit-gtk-2.34.5/work/webkitgtk-2.34.5'
>  * Messages for package net-libs/webkit-gtk-2.34.5:
>  * ERROR: net-libs/webkit-gtk-2.34.5::gentoo failed (configure phase):
>  *   USE Flag 'test' not in IUSE for net-libs/webkit-gtk-2.34.5
>  * 
>  * Call stack:
>  *          ebuild.sh, line  127:  Called src_configure
>  *        environment, line 4053:  Called usex 'test'
>  *   phase-helpers.sh, line  213:  Called use 'test'
>  *   phase-helpers.sh, line  252:  Called die
>  * The specific snippet of code:
>  *   				die "USE Flag '${u}' not in IUSE for ${CATEGORY}/${PF}"
> ```
> 
> Should I file this under another bug?

Should be fixed by https://github.com/gentoo/gentoo/commit/9cbf4a0dc3a6b6412acadc9558d4d068f5af860e
Comment 5 Albert W. Hopkins 2022-02-12 01:20:37 UTC
> Should be fixed by
> https://github.com/gentoo/gentoo/commit/9cbf4a0dc3a6b6412acadc9558d4d068f5af860e

Thanks!
Comment 6 Larry the Git Cow gentoo-dev 2022-03-18 19:24:45 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d5526c1acd16c113397ef0c689aadc00fe88ab94

commit d5526c1acd16c113397ef0c689aadc00fe88ab94
Author:     Matt Turner <mattst88@gentoo.org>
AuthorDate: 2022-03-18 19:18:08 +0000
Commit:     Matt Turner <mattst88@gentoo.org>
CommitDate: 2022-03-18 19:23:32 +0000

    net-libs/webkit-gtk: Drop old versions
    
    Bug: https://bugs.gentoo.org/831739
    Bug: https://bugs.gentoo.org/832990
    Signed-off-by: Matt Turner <mattst88@gentoo.org>

 net-libs/webkit-gtk/Manifest                 |   2 -
 net-libs/webkit-gtk/webkit-gtk-2.34.3.ebuild | 272 ---------------------------
 net-libs/webkit-gtk/webkit-gtk-2.34.4.ebuild | 272 ---------------------------
 3 files changed, 546 deletions(-)
Comment 7 Larry the Git Cow gentoo-dev 2022-08-31 23:57:20 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=1d278bb93fbf8fdb34ef9c125c5f4536e11c15d7

commit 1d278bb93fbf8fdb34ef9c125c5f4536e11c15d7
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-08-31 23:54:04 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-08-31 23:56:59 +0000

    [ GLSA 202208-39 ] WebKitGTK+: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/832990
    Bug: https://bugs.gentoo.org/833568
    Bug: https://bugs.gentoo.org/837305
    Bug: https://bugs.gentoo.org/839984
    Bug: https://bugs.gentoo.org/845252
    Bug: https://bugs.gentoo.org/856445
    Bug: https://bugs.gentoo.org/861740
    Bug: https://bugs.gentoo.org/864427
    Bug: https://bugs.gentoo.org/866494
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202208-39.xml | 74 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 74 insertions(+)