Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 819522 (CVE-2021-42762) - <net-libs/webkit-gtk-2.34.1: limited sandbox escape (CVE-2021-42762)
Summary: <net-libs/webkit-gtk-2.34.1: limited sandbox escape (CVE-2021-42762)
Status: RESOLVED FIXED
Alias: CVE-2021-42762
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://bugs.webkit.org/show_bug.cgi?...
Whiteboard: A4 [glsa+]
Keywords:
Depends on: CVE-2021-30818, CVE-2021-30823, CVE-2021-30846, CVE-2021-30848, CVE-2021-30849, CVE-2021-30851, CVE-2021-30884, CVE-2021-30888, CVE-2021-30889, CVE-2021-30897, WSA-2021-0006 CVE-2021-30887, CVE-2021-30890 830597
Blocks:
  Show dependency tree
 
Reported: 2021-10-22 20:03 UTC by John Helmert III
Modified: 2022-02-01 03:40 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-10-22 20:03:39 UTC 
CVE-2021-42762:

BubblewrapLauncher.cpp in WebKitGTK and WPE WebKit before 2.34.1 allows a limited sandbox bypass that allows a sandboxed process to trick host processes into thinking the sandboxed process is not confined by the sandbox, by abusing VFS syscalls that manipulate its filesystem namespace. The impact is limited to host services that create UNIX sockets that WebKit mounts inside its sandbox, and the sandboxed process remains otherwise confined. NOTE: this is similar to CVE-2021-41133.


Please file a stablereq when ready.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-02-01 03:40:48 UTC 
commit d2418b0a913a694a55e21440268b44301931867c
Author: John Helmert III <ajak@gentoo.org>
Date:   Mon Jan 31 21:31:04 2022 -0600

    [ GLSA 202202-01 ] WebkitGTK+: Multiple vulnerabilities

    Signed-off-by: John Helmert III <ajak@gentoo.org>

All done!