From 2.31.90 release notes:
- Fix several crashes and rendering issues.
Please bump.
No, I'm not bumping to alpha/beta releases.
(In reply to Mart Raudsepp from comment #1)
> No, I'm not bumping to alpha/beta releases.
Ok, didn't realize! We'll wait.
I suppose 2.30.6 is suitable for packaging in Gentoo? Same changelog message here. https://mail.gnome.org/archives/gnome-announce-list/2021-March/msg00005.html
A proper advisory for <2.30.6 was released, with several code execution bugs:

CVE-2020-27918
Versions affected: WebKitGTK before 2.30.6 and WPE WebKit before 2.30.6.
Credit to Liu Long of Ant Security Light-Year Lab.
Impact: Processing maliciously crafted web content may lead to arbitrary code execution.
Description: A use after free issue was addressed with improved memory management.

CVE-2020-29623
Versions affected: WebKitGTK before 2.30.6 and WPE WebKit before 2.30.6.
Credit to Simon Hunt of OvalTwo LTD.
Impact: A user may be unable to fully delete browsing history.
Description: “Clear History and Website Data” did not clear the history in some circumstances. The issue was addressed with improved data deletion.

CVE-2020-9947
Versions affected: WebKitGTK before 2.30.0 and WPE WebKit before 2.30.0.
Credit to cc working with Trend Micro Zero Day Initiative.
Impact: Processing maliciously crafted web content may lead to arbitrary code execution.
Description: A use after free issue was addressed with improved memory management.

CVE-2021-1765
Versions affected: WebKitGTK before 2.30.6 and WPE WebKit before 2.30.6.
Credit to Eliya Stein of Confiant.
Impact: Maliciously crafted web content may violate iframe sandboxing policy.
Description: This issue was addressed with improved iframe sandbox enforcement.

CVE-2021-1789
Versions affected: WebKitGTK before 2.30.6 and WPE WebKit before 2.30.6.
Credit to @S0rryMybad of 360 Vulcan Team.
Impact: Processing maliciously crafted web content may lead to arbitrary code execution.
Description: A type confusion issue was addressed with improved state handling.

CVE-2021-1799
Versions affected: WebKitGTK before 2.30.6 and WPE WebKit before 2.30.6.
Credit to Gregory Vishnepolsky & Ben Seri of Armis Security, and Samy Kamkar.
Impact: A malicious website may be able to access restricted ports on arbitrary servers.
Description: A port redirection issue was addressed with additional port validation.

CVE-2021-1801
Versions affected: WebKitGTK before 2.30.6 and WPE WebKit before 2.30.6.
Credit to Eliya Stein of Confiant.
Impact: Maliciously crafted web content may violate iframe sandboxing policy.
Description: This issue was addressed with improved iframe sandbox enforcement.

CVE-2021-1870
Versions affected: WebKitGTK before 2.30.6 and WPE WebKit before 2.30.6.
Credit to an anonymous researcher.
Impact: A remote attacker may be able to cause arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
Description: A logic issue was addressed with improved restrictions.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f5e8511b02c9fb2006d34ce299af13f2069ca8d7

commit f5e8511b02c9fb2006d34ce299af13f2069ca8d7
Author:     Mart Raudsepp <leio@gentoo.org>
AuthorDate: 2021-04-23 10:17:18 +0000
Commit:     Mart Raudsepp <leio@gentoo.org>
CommitDate: 2021-04-23 10:17:28 +0000

    net-libs/webkit-gtk: security bump to 2.30.6

    Bug: https://bugs.gentoo.org/773193
    Package-Manager: Portage-3.0.12, Repoman-3.0.2
    Signed-off-by: Mart Raudsepp <leio@gentoo.org>

 net-libs/webkit-gtk/Manifest | 1 +
 net-libs/webkit-gtk/webkit-gtk-2.30.6.ebuild | 300 +++++++++++++++++++++++++++
 2 files changed, 301 insertions(+)
arm64 done
amd64 done
arm done
x86 done
ppc64 done
all arches done
Please cleanup.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7a8d3a6ed37d6d4870c91ba9691286e671092089

commit 7a8d3a6ed37d6d4870c91ba9691286e671092089
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2021-04-30 22:05:44 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2021-04-30 22:06:14 +0000

    net-libs/webkit-gtk: security cleanup

    Bug: https://bugs.gentoo.org/773193
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 net-libs/webkit-gtk/Manifest | 1 -
 net-libs/webkit-gtk/webkit-gtk-2.30.5.ebuild | 300 ---------------------------
 2 files changed, 301 deletions(-)
New GLSA request filed.
This issue was resolved and addressed in GLSA 202104-03 at https://security.gentoo.org/glsa/202104-03 by GLSA coordinator Thomas Deutschmann (whissi).