Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 918667 (CVE-2023-32359, CVE-2023-41983, CVE-2023-42852)

Summary: <net-libs/webkit-gtk-2.42.2: multiple vulnerabilities
Product: Gentoo Security Reporter: Christopher Fore <csfore>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: gnome
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: A2 [glsa+]
Package list:
Runtime testing required: ---
Bug Depends on: 919979    
Bug Blocks: 920664    

Description Christopher Fore 2023-11-27 18:35:33 UTC 
CVE-2023-32359 (https://wpewebkit.org/security/WSA-2023-0010.html#CVE-2023-32359):

This issue was addressed with improved redaction of sensitive information. This issue is fixed in iOS 16.7.2 and iPadOS 16.7.2. A user's password may be read aloud by VoiceOver. 

CVE-2023-41983 (https://wpewebkit.org/security/WSA-2023-0010.html#CVE-2023-41983):

The issue was addressed with improved memory handling. This issue is fixed in macOS Sonoma 14.1, Safari 17.1, iOS 16.7.2 and iPadOS 16.7.2, iOS 17.1 and iPadOS 17.1. Processing web content may lead to a denial-of-service. 

CVE-2023-42852 (https://wpewebkit.org/security/WSA-2023-0010.html#CVE-2023-42852):

A logic issue was addressed with improved checks. This issue is fixed in iOS 17.1 and iPadOS 17.1, watchOS 10.1, iOS 16.7.2 and iPadOS 16.7.2, macOS Sonoma 14.1, Safari 17.1, tvOS 17.1. Processing web content may lead to arbitrary code execution.
Comment 1 Larry the Git Cow gentoo-dev 2023-12-24 15:54:45 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ba49d7c8bf7ef3433a36fbe3e23ff871c2bbcd77

commit ba49d7c8bf7ef3433a36fbe3e23ff871c2bbcd77
Author:     Mart Raudsepp <leio@gentoo.org>
AuthorDate: 2023-12-24 15:07:00 +0000
Commit:     Mart Raudsepp <leio@gentoo.org>
CommitDate: 2023-12-24 15:54:27 +0000

    net-libs/webkit-gtk: security cleanup
    
    Bug: https://bugs.gentoo.org/918667
    Bug: https://bugs.gentoo.org/919290
    Signed-off-by: Mart Raudsepp <leio@gentoo.org>

 net-libs/webkit-gtk/Manifest                       |   3 -
 ...ailure-when-gstreamer-support-is-disabled.patch |  33 ---
 net-libs/webkit-gtk/webkit-gtk-2.40.5-r410.ebuild  | 264 ---------------------
 net-libs/webkit-gtk/webkit-gtk-2.40.5-r600.ebuild  | 257 --------------------
 net-libs/webkit-gtk/webkit-gtk-2.40.5.ebuild       | 254 --------------------
 net-libs/webkit-gtk/webkit-gtk-2.42.1-r410.ebuild  | 262 --------------------
 net-libs/webkit-gtk/webkit-gtk-2.42.1-r600.ebuild  | 255 --------------------
 net-libs/webkit-gtk/webkit-gtk-2.42.1.ebuild       | 252 --------------------
 net-libs/webkit-gtk/webkit-gtk-2.42.2-r410.ebuild  | 262 --------------------
 net-libs/webkit-gtk/webkit-gtk-2.42.2-r600.ebuild  | 255 --------------------
 net-libs/webkit-gtk/webkit-gtk-2.42.2.ebuild       | 252 --------------------
 11 files changed, 2349 deletions(-)
Comment 2 Larry the Git Cow gentoo-dev 2024-01-31 14:30:17 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=4a07754d6de45c14716438f4a3e32fda6124b30f

commit 4a07754d6de45c14716438f4a3e32fda6124b30f
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-01-31 14:29:39 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-01-31 14:30:12 +0000

    [ GLSA 202401-33 ] WebKitGTK+: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/915222
    Bug: https://bugs.gentoo.org/918667
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202401-33.xml | 57 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 57 insertions(+)