Advisory ID: WSA-2021-0006
CVE identifiers: CVE-2021-30846, CVE-2021-30848, CVE-2021-30849, CVE-2021-30851, CVE-2021-30858, CVE-2021-42762.

Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.

CVE-2021-30846
  Versions affected: WebKitGTK and WPE WebKit before 2.34.0.
  Credit to Sergei Glazunov of Google Project Zero.
  Impact: Processing maliciously crafted web content may lead to arbitrary code execution.
  Description: A memory corruption issue was addressed with improved memory handling.

CVE-2021-30848
  Versions affected: WebKitGTK and WPE WebKit before 2.32.4.
  Credit to Sergei Glazunov of Google Project Zero.
  Impact: Processing maliciously crafted web content may lead to code execution.
  Description: A memory corruption issue was addressed with improved memory handling.

CVE-2021-30849
  Versions affected: WebKitGTK and WPE WebKit before 2.32.4.
  Credit to Sergei Glazunov of Google Project Zero.
  Impact: Processing maliciously crafted web content may lead to arbitrary code execution.
  Description: Multiple memory corruption issues were addressed with improved memory handling.

CVE-2021-30851
  Versions affected: WebKitGTK and WPE WebKit before 2.34.0.
  Credit to Samuel Groß of Google Project Zero.
  Impact: Processing maliciously crafted web content may lead to code execution.
  Description: A memory corruption vulnerability was addressed with improved locking.

CVE-2021-30858
  Versions affected: WebKitGTK and WPE WebKit before 2.32.4.
  Credit to an anonymous researcher.
  Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
  Description: A use after free issue was addressed with improved memory management.

CVE-2021-42762
  Versions affected: WebKitGTK and WPE WebKit before 2.34.1.
  Credit to an anonymous reporter.
  BubblewrapLauncher.cpp allows a limited sandbox bypass that allows a sandboxed process to trick host processes into thinking the sandboxed process is not confined by the sandbox, by abusing VFS syscalls that manipulate its filesystem namespace. The impact is limited to host services that create UNIX sockets that WebKit mounts inside its sandbox, and the sandboxed process remains otherwise confined. NOTE: this is similar to CVE-2021-41133.
Note that CVE-2021-30858 was in bug 813489 and CVE-2021-42762 was in bug 819522.
More from https://webkitgtk.org/security/WSA-2021-0007.html.

CVE-2021-30818
  Versions affected: WebKitGTK and WPE WebKit before 2.34.0.
  Credit to Amar Menezes (@amarekano) of Zon8Research.
  Impact: Processing maliciously crafted web content may lead to arbitrary code execution.
  Description: A type confusion issue was addressed with improved state handling.

CVE-2021-30823
  Versions affected: WebKitGTK and WPE WebKit before 2.34.0.
  Credit to David Gullasch of Recurity Labs.
  Impact: An attacker in a privileged network position may be able to bypass HSTS.
  Description: A logic issue was addressed with improved restrictions.

CVE-2021-30884
  Versions affected: WebKitGTK and WPE WebKit before 2.34.0.
  Credit to an anonymous researcher.
  Impact: Visiting a maliciously crafted website may reveal a user's browsing history.
  Description: The issue was resolved with additional restrictions on CSS compositing.

CVE-2021-30888
  Versions affected: WebKitGTK and WPE WebKit before 2.34.0.
  Credit to Prakash (@1lastBr3ath).
  Impact: A malicious website using Content Security Policy reports may be able to leak information via redirect behavior.
  Description: An information leakage issue was addressed.

CVE-2021-30889
  Versions affected: WebKitGTK and WPE WebKit before 2.34.0.
  Credit to Chijin Zhou of ShuiMuYuLin Ltd and Tsinghua wingtecher lab.
  Impact: Processing maliciously crafted web content may lead to arbitrary code execution.
  Description: A buffer overflow issue was addressed with improved memory handling.

CVE-2021-30897
  Versions affected: WebKitGTK and WPE WebKit before 2.34.0.
  Credit to an anonymous researcher.
  Impact: A malicious website may exfiltrate data cross-origin.
  Description: An issue existed in the specification for the resource timing API. The specification was updated and the updated specification was implemented.
commit d2418b0a913a694a55e21440268b44301931867c
Author: John Helmert III <ajak@gentoo.org>
Date:   Mon Jan 31 21:31:04 2022 -0600

    [ GLSA 202202-01 ] WebkitGTK+: Multiple vulnerabilities

    Signed-off-by: John Helmert III <ajak@gentoo.org>

All done!