Bug 871732 (CVE-2022-32886, CVE-2022-32891, CVE-2023-25358, CVE-2023-25360, CVE-2023-25361, CVE-2023-25362, CVE-2023-25363, WSA-2022-0009)

Summary: <net-libs/webkit-gtk-2.36.8: multiple vulnerabilities
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: Vulnerabilities Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major    
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://webkitgtk.org/security/WSA-2022-0009.html
Whiteboard: A2 [glsa+]
Package list:
Runtime testing required: ---
Bug Depends on: 879809    
Bug Blocks:    

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-19 16:03:04 UTC
"
    CVE-2022-32886
        Versions affected: WebKitGTK and WPE WebKit before 2.36.8.
        Credit to P1umer, afang5472, xmzyshypnc.
        Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: A buffer overflow issue was addressed with improved memory handling.
    CVE-2022-32891
        Versions affected: WebKitGTK and WPE WebKit before 2.36.5.
        Credit to @real_as3617, an anonymous researcher.
        Impact: Visiting a website that frames malicious content may lead to UI spoofing. Description: The issue was addressed with improved UI handling.
    CVE-2022-32912
        Versions affected: WebKitGTK and WPE WebKit before 2.36.8.
        Credit to Jeonghoon Shin (@singi21a) at Theori working with Trend Micro Zero Day Initiative.
        Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: An out-of-bounds read was addressed with improved bounds checking.
"

Please bump to 2.36.8.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-19 16:03:47 UTC
Sorry, already in tree, so please stabilize (and thanks for the quick bump!)
Comment 2 Mart Raudsepp gentoo-dev 2022-09-20 13:18:33 UTC
CVE-2022-32912 has been told to not be affecting Linux: https://mail.gnome.org/archives/distributor-list/2022-September/msg00001.html
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-20 14:26:19 UTC
(In reply to Mart Raudsepp from comment #2)
> CVE-2022-32912 has been told to not be affecting Linux:
> https://mail.gnome.org/archives/distributor-list/2022-September/msg00001.html

Feel free to change alias as necessary in these kinds of situations
Comment 4 Larry the Git Cow gentoo-dev 2022-12-19 21:11:46 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5f2ad6c822d2d64da4ebcb1f90b23c9f78bbbd91

commit 5f2ad6c822d2d64da4ebcb1f90b23c9f78bbbd91
Author:     Matt Turner <mattst88@gentoo.org>
AuthorDate: 2022-12-19 19:59:48 +0000
Commit:     Matt Turner <mattst88@gentoo.org>
CommitDate: 2022-12-19 21:11:40 +0000

    net-libs/webkit-gtk: Drop old versions
    
    Bug: https://bugs.gentoo.org/871732
    Bug: https://bugs.gentoo.org/879571
    Signed-off-by: Matt Turner <mattst88@gentoo.org>

 net-libs/webkit-gtk/Manifest                 |   1 -
 net-libs/webkit-gtk/webkit-gtk-2.36.7.ebuild | 250 ---------------------------
 2 files changed, 251 deletions(-)
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-12-19 22:16:24 UTC
Thanks!
Comment 6 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-04-29 23:24:53 UTC
From WSA-2023-0003 (https://webkitgtk.org/security/WSA-2023-0003.html):

CVE-2023-25358
    Versions affected: WebKitGTK and WPE WebKit before 2.36.8.
    Credit to Chijin Zhou of ShuiMuYuLin Ltd and Tsinghua wingtecher
    lab.
    A use-after-free vulnerability exists in WebCore::RenderLayer. This
    issue allows remote attackers to execute arbitrary code or cause a
    denial of service (memory corruption and application crash) via a
    crafted web site. This is the same issue as CVE-2023-25360,
    CVE-2023-25361, CVE-2023-25362 and CVE-2023-25363.
Comment 7 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-05-29 04:35:31 UTC
GLSA request filed.
Comment 8 Larry the Git Cow gentoo-dev 2023-05-30 03:05:37 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=a8dea8203b3b4b4cca0bdebe02a9a8ea505ae935

commit a8dea8203b3b4b4cca0bdebe02a9a8ea505ae935
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-05-30 03:01:57 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2023-05-30 03:05:03 +0000

    [ GLSA 202305-32 ] WebKitGTK+: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/871732
    Bug: https://bugs.gentoo.org/879571
    Bug: https://bugs.gentoo.org/888563
    Bug: https://bugs.gentoo.org/905346
    Bug: https://bugs.gentoo.org/905349
    Bug: https://bugs.gentoo.org/905351
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202305-32.xml | 80 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 80 insertions(+)
Comment 9 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-05-30 03:08:05 UTC
GLSA released, all done!