Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 861740 (CVE-2022-32784, CVE-2022-32792, WSA-2022-0007) - <net-libs/webkit-gtk-2.36.5: multiple vulnerabilities
Summary: <net-libs/webkit-gtk-2.36.5: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2022-32784, CVE-2022-32792, WSA-2022-0007
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL: https://mail.gnome.org/archives/gnome...
Whiteboard: A2 [glsa+]
Keywords:
Depends on: 865341
Blocks: CVE-2022-2294
  Show dependency tree
 
Reported: 2022-07-28 16:28 UTC by John Helmert III
Modified: 2022-09-13 21:30 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-07-28 16:28:00 UTC
"Fix several crashes and rendering issues."

We already know about three CVEs addressed in the WebKit Bugzilla thanks to Apple:

https://support.apple.com/en-us/HT213342
https://support.apple.com/en-us/HT213341

"WebKit

Available for: macOS Big Sur and macOS Catalina

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

An out-of-bounds write issue was addressed with improved input validation.

WebKit Bugzilla: 240720
CVE-2022-32792: Manfred Paul (@_manfp) working with Trend Micro Zero Day Initiative

WebRTC

Available for: macOS Big Sur and macOS Catalina

Impact: Processing maliciously crafted web content may lead to arbitrary code execution.

A memory corruption issue was addressed with improved state management.

WebKit Bugzilla: 242339
CVE-2022-2294: Jan Vojtesek of Avast Threat Intelligence team

WebKit

Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD

Impact: Visiting a website that frames malicious content may lead to UI spoofing

The issue was addressed with improved UI handling.

WebKit Bugzilla: 239316
CVE-2022-32816: Dohyun Lee (@l33d0hyun) of SSD Secure Disclosure Labs & DNSLab, Korea Univ."
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-07-28 21:13:40 UTC
The WebKit advisory is released, this time only a week after the Apple advisories: https://webkitgtk.org/security/WSA-2022-0007.html
Comment 2 Larry the Git Cow gentoo-dev 2022-07-29 02:23:51 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=17cca544e5a7e4bd8d25dedd3b9982a879ee187b

commit 17cca544e5a7e4bd8d25dedd3b9982a879ee187b
Author:     Matt Turner <mattst88@gentoo.org>
AuthorDate: 2022-07-29 02:19:34 +0000
Commit:     Matt Turner <mattst88@gentoo.org>
CommitDate: 2022-07-29 02:23:44 +0000

    net-libs/webkit-gtk: Version bump to 2.36.5
    
    Bug: https://bugs.gentoo.org/861740
    Signed-off-by: Matt Turner <mattst88@gentoo.org>

 net-libs/webkit-gtk/Manifest                 |   1 +
 net-libs/webkit-gtk/webkit-gtk-2.36.5.ebuild | 250 +++++++++++++++++++++++++++
 2 files changed, 251 insertions(+)
Comment 3 Larry the Git Cow gentoo-dev 2022-08-31 23:57:24 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=1d278bb93fbf8fdb34ef9c125c5f4536e11c15d7

commit 1d278bb93fbf8fdb34ef9c125c5f4536e11c15d7
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-08-31 23:54:04 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-08-31 23:56:59 +0000

    [ GLSA 202208-39 ] WebKitGTK+: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/832990
    Bug: https://bugs.gentoo.org/833568
    Bug: https://bugs.gentoo.org/837305
    Bug: https://bugs.gentoo.org/839984
    Bug: https://bugs.gentoo.org/845252
    Bug: https://bugs.gentoo.org/856445
    Bug: https://bugs.gentoo.org/861740
    Bug: https://bugs.gentoo.org/864427
    Bug: https://bugs.gentoo.org/866494
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202208-39.xml | 74 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 74 insertions(+)
Comment 4 Larry the Git Cow gentoo-dev 2022-09-13 17:56:18 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=30fb91bb7302f3fcc8587a46bfcb330bd530490d

commit 30fb91bb7302f3fcc8587a46bfcb330bd530490d
Author:     Matt Turner <mattst88@gentoo.org>
AuthorDate: 2022-09-13 17:54:56 +0000
Commit:     Matt Turner <mattst88@gentoo.org>
CommitDate: 2022-09-13 17:56:02 +0000

    net-libs/webkit-gtk: Drop old versions
    
    Bug: https://bugs.gentoo.org/861740
    Bug: https://bugs.gentoo.org/864427
    Bug: https://bugs.gentoo.org/866494
    Signed-off-by: Matt Turner <mattst88@gentoo.org>

 net-libs/webkit-gtk/Manifest                     |   4 -
 net-libs/webkit-gtk/files/2.36.5-fix-crash.patch |  82 --------
 net-libs/webkit-gtk/metadata.xml                 |   1 -
 net-libs/webkit-gtk/webkit-gtk-2.36.3.ebuild     | 249 ----------------------
 net-libs/webkit-gtk/webkit-gtk-2.36.4.ebuild     | 250 ----------------------
 net-libs/webkit-gtk/webkit-gtk-2.36.5-r1.ebuild  | 252 -----------------------
 net-libs/webkit-gtk/webkit-gtk-2.36.6.ebuild     | 250 ----------------------
 7 files changed, 1088 deletions(-)
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-13 21:30:21 UTC
Thanks Matt, all done!