
Bug 951739 (CVE-2024-44192, CVE-2024-54467, CVE-2024-54551, CVE-2025-24201, CVE-2025-24208, CVE-2025-24209, CVE-2025-24213, CVE-2025-24216, CVE-2025-24264, CVE-2025-30427, WSA-2025-0002, WSA-2025-0003)

Summary: <net-libs/webkit-gtk-2.48.3: multiple vulnerabilities
Product: Gentoo Security
Reporter: Christopher Fore <csfore>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: CONFIRMED
Severity: normal
CC: gnome, theodor
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
See Also: https://bugs.gentoo.org/show_bug.cgi?id=951155
Whiteboard: A2 [stable?]
Package list:
Runtime testing required: ---
Bug Depends on: 955769    
Bug Blocks:    
Attachments: net-libs/webkit-gtk-2.48.0 version bump (flags: none)

Description Christopher Fore 2025-03-22 00:11:53 UTC
CVE-2024-44192:

Processing maliciously crafted web content may lead to an unexpected process crash.


CVE-2024-54467:

A malicious website may exfiltrate data cross-origin.


CVE-2025-24201:

Maliciously crafted web content may be able to break out of Web Content sandbox. This is a supplementary fix for an attack that was blocked in iOS 17.2. (Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 17.2.)



The above are fixed in 2.48.0.
Comment 1 zyxhere 2025-03-27 11:05:09 UTC
Created attachment 922991
net-libs/webkit-gtk-2.48.0 version bump
Comment 2 zyxhere 2025-03-27 11:11:13 UTC
Please ignore my patch, it's not working (forgot to remove the icu patch)
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2025-04-21 06:01:33 UTC
*** Bug 954111 has been marked as a duplicate of this bug. ***
Comment 5 zyxhere 2025-05-12 15:46:13 UTC
Depends on https://bugs.gentoo.org/955769