
Bug 941276 (CVE-2024-40857, CVE-2024-40866, CVE-2024-44185, CVE-2024-44187, CVE-2024-44244, CVE-2024-44296)

Summary: <net-libs/webkit-gtk-2.46.3{,-r410,-r600}: multiple vulnerabilities
Product: Gentoo Security
Reporter: Michael Orlitzky <mjo>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: CONFIRMED ---
Severity: normal
CC: gnome, mjo
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://webkitgtk.org/security/WSA-2024-0005.html
Whiteboard: A4 [stable?]
Package list:
Runtime testing required: ---
Bug Depends on: 943636, 941277    
Bug Blocks:    

Description Michael Orlitzky gentoo-dev 2024-10-11 13:23:36 UTC
CVE-2024-40857
    Versions affected: WebKitGTK and WPE WebKit before 2.46.0.
    Credit to Ron Masas.
    Impact: Processing maliciously crafted web content may lead to
    universal cross site scripting. Description: This issue was
    addressed through improved state management.
    WebKit Bugzilla: 268724

CVE-2024-40866
    Versions affected: WebKitGTK and WPE WebKit before 2.46.0.
    Credit to Hafiizh and YoKo Kho (@yokoacc) of HakTrak.
    Impact: Visiting a malicious website may lead to address bar
    spoofing. Description: The issue was addressed with improved UI.
    WebKit Bugzilla: 279451

CVE-2024-44187
    Versions affected: WebKitGTK and WPE WebKit before 2.46.0.
    Credit to Narendra Bhati, Manager of Cyber Security at Suma Soft Pvt. Ltd,
    Pune (India).
    Impact: A malicious website may exfiltrate data cross-origin.
    Description: A cross-origin issue existed with "iframe" elements.
    This was addressed with improved tracking of security origins.
    WebKit Bugzilla: 279452

Comment 1 Michael Orlitzky gentoo-dev 2024-10-31 18:52:13 UTC
https://webkitgtk.org/security/WSA-2024-0006.html

* CVE-2024-44185
  Versions affected: WebKitGTK and WPE WebKit before 2.46.0.
  Credit to Gary Kwong.
  Impact: Processing maliciously crafted web content may lead to an unexpected
  process crash. Description: The issue was addressed with improved checks.
  WebKit Bugzilla: 276097

* CVE-2024-44244
  Versions affected: WebKitGTK and WPE WebKit before 2.46.3.
  Credit to an anonymous researcher, Q1IQ (@q1iqF) and P1umer (@p1umer).
  Impact: Processing maliciously crafted web content may lead to an unexpected
  process crash. Description: A memory corruption issue was addressed with
  improved input validation.
  WebKit Bugzilla: 279780


* CVE-2024-44296
  Versions affected: WebKitGTK and WPE WebKit before 2.46.3.
  Credit to Narendra Bhati, Manager of Cyber Security at Suma Soft Pvt. Ltd, Pune (India).
  Impact: Processing maliciously crafted web content may prevent Content Security Policy from
  being enforced. Description: The issue was addressed with improved checks.
  WebKit Bugzilla: 278765