Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 770793 (CVE-2020-13558, WSA-2021-0001) - <net-libs/webkit-gtk-2.30.5: code execution via crafted web content (CVE-2020-13558)
Summary: <net-libs/webkit-gtk-2.30.5: code execution via crafted web content (CVE-2020...
Status: RESOLVED FIXED
Alias: CVE-2020-13558, WSA-2021-0001
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal critical (vote)
Assignee: Gentoo Security
URL: https://webkitgtk.org/security/WSA-20...
Whiteboard: A1 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2021-02-15 15:56 UTC by John Helmert III
Modified: 2021-05-01 00:01 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III gentoo-dev Security 2021-02-15 15:56:00 UTC
CVE-2020-13558:

Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: An use after free issue in the AudioSourceProviderGStreamer class was addressed with improved memory management.


Fixed in 2.30.5, please bump.
Comment 1 Larry the Git Cow gentoo-dev 2021-02-18 22:53:40 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fbec848dd4cee78c72e9702952e82229d0a0440c

commit fbec848dd4cee78c72e9702952e82229d0a0440c
Author:     Mart Raudsepp <leio@gentoo.org>
AuthorDate: 2021-02-18 22:44:40 +0000
Commit:     Mart Raudsepp <leio@gentoo.org>
CommitDate: 2021-02-18 22:44:40 +0000

    net-libs/webkit-gtk: security bump to 2.30.5
    
    Bug: https://bugs.gentoo.org/770793
    Package-Manager: Portage-3.0.12, Repoman-3.0.2
    Signed-off-by: Mart Raudsepp <leio@gentoo.org>

 net-libs/webkit-gtk/Manifest                 |   1 +
 net-libs/webkit-gtk/webkit-gtk-2.30.5.ebuild | 300 +++++++++++++++++++++++++++
 2 files changed, 301 insertions(+)
Comment 2 Thomas Deutschmann gentoo-dev Security 2021-02-19 01:14:13 UTC
x86 stable
Comment 3 Sam James archtester gentoo-dev Security 2021-02-19 03:00:55 UTC
ppc64 done
Comment 4 Sam James archtester gentoo-dev Security 2021-02-19 12:02:29 UTC
arm64 done
Comment 5 Sam James archtester gentoo-dev Security 2021-02-19 16:16:53 UTC
arm done
Comment 6 Sam James archtester gentoo-dev Security 2021-02-20 01:26:13 UTC
amd64 done

all arches done
Comment 7 John Helmert III gentoo-dev Security 2021-02-20 01:29:54 UTC
Please cleanup
Comment 8 Larry the Git Cow gentoo-dev 2021-02-20 09:44:57 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3d357471062a5ed1dacf0662ac581bb79388ff92

commit 3d357471062a5ed1dacf0662ac581bb79388ff92
Author:     Mart Raudsepp <leio@gentoo.org>
AuthorDate: 2021-02-20 09:44:50 +0000
Commit:     Mart Raudsepp <leio@gentoo.org>
CommitDate: 2021-02-20 09:44:50 +0000

    net-libs/webkit-gtk: security cleanup
    
    Bug: https://bugs.gentoo.org/770793
    Package-Manager: Portage-3.0.12, Repoman-3.0.2
    Signed-off-by: Mart Raudsepp <leio@gentoo.org>

 net-libs/webkit-gtk/Manifest                    |   2 -
 net-libs/webkit-gtk/files/2.30.3-icu68.patch    | 179 --------------
 net-libs/webkit-gtk/webkit-gtk-2.30.3.ebuild    | 297 -----------------------
 net-libs/webkit-gtk/webkit-gtk-2.30.4-r1.ebuild | 300 ------------------------
 net-libs/webkit-gtk/webkit-gtk-2.30.4.ebuild    | 296 -----------------------
 5 files changed, 1074 deletions(-)
Comment 9 Thomas Deutschmann gentoo-dev Security 2021-04-30 22:07:30 UTC
Added to an existing GLSA.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2021-05-01 00:01:29 UTC
This issue was resolved and addressed in
 GLSA 202104-03 at https://security.gentoo.org/glsa/202104-03
by GLSA coordinator Thomas Deutschmann (whissi).