Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 920664 (CVE-2023-42883) - <net-libs/webkit-gtk-2.42.2: Denial of service in SVG handling
Summary: <net-libs/webkit-gtk-2.42.2: Denial of service in SVG handling
Alias: CVE-2023-42883
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: A3 [glsa+]
Depends on: CVE-2023-35074, CVE-2023-39434, CVE-2023-39928, CVE-2023-40451, CVE-2023-41074, CVE-2023-41993, CVE-2023-42890, WSA-2023-0009 CVE-2023-32359, CVE-2023-41983, CVE-2023-42852
  Show dependency tree
Reported: 2023-12-24 16:17 UTC by Sam James
Modified: 2024-02-12 01:18 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-12-24 16:17:30 UTC

    Versions affected: WebKitGTK and WPE WebKit before 2.42.4.
    Credit to Zoom Offensive Security Team.
    Impact: Processing a SVG image may lead to a denial-of-service. Description: The issue was addressed with improved memory handling.
    WebKit Bugzilla: 263349
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2024-01-07 05:27:21 UTC
The somewhat esoteric slotting here is apparently breaking kuroneko, dropping the slots so kuroneko's cache will hopefully continue updating.
Comment 2 Larry the Git Cow gentoo-dev 2024-02-12 01:16:19 UTC
The bug has been referenced in the following commit(s):

commit 27dbd0aa1207a04e72d0d05235473868999afb10
Author:     John Helmert III <>
AuthorDate: 2024-02-12 01:15:16 +0000
Commit:     John Helmert III <>
CommitDate: 2024-02-12 01:16:12 +0000

    [ GLSA 202401-33 ] add missed bug
    Signed-off-by: John Helmert III <>

 glsa-202401-33.xml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2024-02-12 01:17:57 UTC
The stablereq in 920667 is for 2.42.4 while >=2.42.2 is already stable for bugs 915222 and 918667, so we're fixed here once this is GLSA'd. I've just amended the last GLSA to add this.