
Bug 897936 (CVE-2023-26081)

Summary: <www-client/epiphany-44.0: password exfiltration via autofill
Product: Gentoo Security
Reporter: John Helmert III <ajak>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: gnome
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B4 [noglsa]
Package list:
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-02-26 17:52:58 UTC
CVE-2023-26081 (https://gitlab.gnome.org/GNOME/epiphany/-/merge_requests/1275):
https://github.com/google/security-research/security/advisories/GHSA-mhhf-w9xw-pp9x

In Epiphany (aka GNOME Web) through 43.0, untrusted web content can trick users into exfiltrating passwords, because autofill occurs in sandboxed contexts.

Patches are at the above merge request; they don't appear to be in any release.
Comment 1 Pacho Ramos gentoo-dev 2023-07-29 09:22:11 UTC
This is solved in all 44.x versions, as they include
https://gitlab.gnome.org/GNOME/epiphany/-/commit/53363c3c8178bf9193dad9fa3516f4e10cff0ffd
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-08-16 05:47:02 UTC
Great, thanks! We've been cleaned up for this for a while now, then. All done!