Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 871732 (CVE-2022-32886, CVE-2022-32891, WSA-2022-0009)

Summary: <net-libs/webkit-gtk-2.36.8: multiple vulnerabilities
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: IN_PROGRESS ---    
Severity: major CC: gnome
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://webkitgtk.org/security/WSA-2022-0009.html
Whiteboard: A2 [glsa?]
Package list:
Runtime testing required: ---
Bug Depends on: 879809    
Bug Blocks:    

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-19 16:03:04 UTC
"
    CVE-2022-32886
        Versions affected: WebKitGTK and WPE WebKit before 2.36.8.
        Credit to P1umer, afang5472, xmzyshypnc.
        Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: A buffer overflow issue was addressed with improved memory handling.
    CVE-2022-32891
        Versions affected: WebKitGTK and WPE WebKit before 2.36.5.
        Credit to @real_as3617, an anonymous researcher.
        Impact: Visiting a website that frames malicious content may lead to UI spoofing. Description: The issue was addressed with improved UI handling.
    CVE-2022-32912
        Versions affected: WebKitGTK and WPE WebKit before 2.36.8.
        Credit to Jeonghoon Shin (@singi21a) at Theori working with Trend Micro Zero Day Initiative.
        Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: An out-of-bounds read was addressed with improved bounds checking.
"

Please bump to 2.36.8.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-19 16:03:47 UTC
Sorry, already in tree, so please stabilize (and thanks for the quick bump!)
Comment 2 Mart Raudsepp gentoo-dev 2022-09-20 13:18:33 UTC
CVE-2022-32912 has been told to not be affecting Linux: https://mail.gnome.org/archives/distributor-list/2022-September/msg00001.html
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-20 14:26:19 UTC
(In reply to Mart Raudsepp from comment #2)
> CVE-2022-32912 has been told to not be affecting Linux:
> https://mail.gnome.org/archives/distributor-list/2022-September/msg00001.html

Feel free to change alias as necessary in these kinds of situations
Comment 4 Larry the Git Cow gentoo-dev 2022-12-19 21:11:46 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5f2ad6c822d2d64da4ebcb1f90b23c9f78bbbd91

commit 5f2ad6c822d2d64da4ebcb1f90b23c9f78bbbd91
Author:     Matt Turner <mattst88@gentoo.org>
AuthorDate: 2022-12-19 19:59:48 +0000
Commit:     Matt Turner <mattst88@gentoo.org>
CommitDate: 2022-12-19 21:11:40 +0000

    net-libs/webkit-gtk: Drop old versions
    
    Bug: https://bugs.gentoo.org/871732
    Bug: https://bugs.gentoo.org/879571
    Signed-off-by: Matt Turner <mattst88@gentoo.org>

 net-libs/webkit-gtk/Manifest                 |   1 -
 net-libs/webkit-gtk/webkit-gtk-2.36.7.ebuild | 250 ---------------------------
 2 files changed, 251 deletions(-)
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-12-19 22:16:24 UTC
Thanks!