Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 773193 (CVE-2020-27918, CVE-2020-29623, CVE-2020-9947, CVE-2021-1765, CVE-2021-1789, CVE-2021-1799, CVE-2021-1801, CVE-2021-1870, WSA-2021-0002) - <net-libs/webkit-gtk-2.30.6: multiple vulnerabilities (CVE-2020-{9947,27918,29623}, CVE-2021-{1765,1789,1799,1801,1870})
Summary: <net-libs/webkit-gtk-2.30.6: multiple vulnerabilities (CVE-2020-{9947,27918,2...
Status: RESOLVED FIXED
Alias: CVE-2020-27918, CVE-2020-29623, CVE-2020-9947, CVE-2021-1765, CVE-2021-1789, CVE-2021-1799, CVE-2021-1801, CVE-2021-1870, WSA-2021-0002
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL: https://webkitgtk.org/security/WSA-20...
Whiteboard: A2 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2021-02-27 00:12 UTC by John Helmert III
Modified: 2021-05-01 00:01 UTC (History)
1 user (show)

See Also:
Package list:
net-libs/webkit-gtk-2.30.6
Runtime testing required: ---
nattka: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III gentoo-dev Security 2021-02-27 00:12:29 UTC
From 2.31.90 release notes:

  - Fix several crashes and rendering issues.


Please bump.
Comment 1 Mart Raudsepp gentoo-dev 2021-02-27 09:53:43 UTC
No, I'm not bumping to alpha/beta releases.
Comment 2 John Helmert III gentoo-dev Security 2021-02-27 21:09:20 UTC
(In reply to Mart Raudsepp from comment #1)
> No, I'm not bumping to alpha/beta releases.

Ok, didn't realize! We'll wait.
Comment 3 John Helmert III gentoo-dev Security 2021-03-18 23:06:17 UTC
I suppose 2.30.6 is suitable for packaging in Gentoo? Same changelog message here.


https://mail.gnome.org/archives/gnome-announce-list/2021-March/msg00005.html
Comment 4 John Helmert III gentoo-dev Security 2021-03-22 20:01:12 UTC
A proper advisory for <2.30.6 was released, with several code execution bugs:

CVE-2020-27918
    Versions affected: WebKitGTK before 2.30.6 and WPE WebKit before 2.30.6.
    Credit to Liu Long of Ant Security Light-Year Lab.
    Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: A use after free issue was addressed with improved memory management.

CVE-2020-29623
    Versions affected: WebKitGTK before 2.30.6 and WPE WebKit before 2.30.6.
    Credit to Simon Hunt of OvalTwo LTD.
    Impact: A user may be unable to fully delete browsing history. Description: “Clear History and Website Data” did not clear the history in some circumstances. The issue was addressed with improved data deletion.

CVE-2020-9947
    Versions affected: WebKitGTK before 2.30.0 and WPE WebKit before 2.30.0.
    Credit to cc working with Trend Micro Zero Day Initiative.
    Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: A use after free issue was addressed with improved memory management.

CVE-2021-1765
    Versions affected: WebKitGTK before 2.30.6 and WPE WebKit before 2.30.6.
    Credit to Eliya Stein of Confiant.
    Impact: Maliciously crafted web content may violate iframe sandboxing policy. Description: This issue was addressed with improved iframe sandbox enforcement.

CVE-2021-1789
    Versions affected: WebKitGTK before 2.30.6 and WPE WebKit before 2.30.6.
    Credit to @S0rryMybad of 360 Vulcan Team.
    Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: A type confusion issue was addressed with improved state handling.

CVE-2021-1799
    Versions affected: WebKitGTK before 2.30.6 and WPE WebKit before 2.30.6.
    Credit to Gregory Vishnepolsky & Ben Seri of Armis Security, and Samy Kamkar.
    Impact: A malicious website may be able to access restricted ports on arbitrary servers, Description: A port redirection issue was addressed with additional port validation.

CVE-2021-1801
    Versions affected: WebKitGTK before 2.30.6 and WPE WebKit before 2.30.6.
    Credit to Eliya Stein of Confiant.
    Impact: Maliciously crafted web content may violate iframe sandboxing policy. Description: This issue was addressed with improved iframe sandbox enforcement.

CVE-2021-1870
    Versions affected: WebKitGTK before 2.30.6 and WPE WebKit before 2.30.6.
    Credit to an anonymous researcher.
    Impact: A remote attacker may be able to cause arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited. Description: A logic issue was addressed with improved restrictions.
Comment 5 Larry the Git Cow gentoo-dev 2021-04-23 10:18:09 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f5e8511b02c9fb2006d34ce299af13f2069ca8d7

commit f5e8511b02c9fb2006d34ce299af13f2069ca8d7
Author:     Mart Raudsepp <leio@gentoo.org>
AuthorDate: 2021-04-23 10:17:18 +0000
Commit:     Mart Raudsepp <leio@gentoo.org>
CommitDate: 2021-04-23 10:17:28 +0000

    net-libs/webkit-gtk: security bump to 2.30.6
    
    Bug: https://bugs.gentoo.org/773193
    Package-Manager: Portage-3.0.12, Repoman-3.0.2
    Signed-off-by: Mart Raudsepp <leio@gentoo.org>

 net-libs/webkit-gtk/Manifest                 |   1 +
 net-libs/webkit-gtk/webkit-gtk-2.30.6.ebuild | 300 +++++++++++++++++++++++++++
 2 files changed, 301 insertions(+)
Comment 6 Sam James archtester gentoo-dev Security 2021-04-25 05:14:58 UTC
arm64 done
Comment 7 Sam James archtester gentoo-dev Security 2021-04-25 06:19:33 UTC
amd64 done
Comment 8 Sam James archtester gentoo-dev Security 2021-04-25 09:27:28 UTC
arm done
Comment 9 Sam James archtester gentoo-dev Security 2021-04-25 09:29:15 UTC
arm done
Comment 10 Sam James archtester gentoo-dev Security 2021-04-25 17:40:24 UTC
x86 done
Comment 11 Sam James archtester gentoo-dev Security 2021-04-26 19:17:02 UTC
ppc64 done

all arches done
Comment 12 John Helmert III gentoo-dev Security 2021-04-26 23:44:43 UTC
Please cleanup.
Comment 13 Larry the Git Cow gentoo-dev 2021-04-30 22:06:17 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7a8d3a6ed37d6d4870c91ba9691286e671092089

commit 7a8d3a6ed37d6d4870c91ba9691286e671092089
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2021-04-30 22:05:44 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2021-04-30 22:06:14 +0000

    net-libs/webkit-gtk: security cleanup
    
    Bug: https://bugs.gentoo.org/773193
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 net-libs/webkit-gtk/Manifest                 |   1 -
 net-libs/webkit-gtk/webkit-gtk-2.30.5.ebuild | 300 ---------------------------
 2 files changed, 301 deletions(-)
Comment 14 Thomas Deutschmann gentoo-dev Security 2021-04-30 22:07:07 UTC
New GLSA request filed.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2021-05-01 00:01:32 UTC
This issue was resolved and addressed in
 GLSA 202104-03 at https://security.gentoo.org/glsa/202104-03
by GLSA coordinator Thomas Deutschmann (whissi).