Bug 871732 (CVE-2022-32886, CVE-2022-32891, WSA-2022-0009) - <net-libs/webkit-gtk-2.36.8: multiple vulnerabilities
Summary: <net-libs/webkit-gtk-2.36.8: multiple vulnerabilities
Status: IN_PROGRESS
Alias: CVE-2022-32886, CVE-2022-32891, WSA-2022-0009
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL: https://webkitgtk.org/security/WSA-20...
Whiteboard: A2 [stable?]
Keywords:
Depends on:
Blocks:
 
Reported: 2022-09-19 16:03 UTC by John Helmert III
Modified: 2022-09-20 14:26 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-19 16:03:04 UTC
"
    CVE-2022-32886
        Versions affected: WebKitGTK and WPE WebKit before 2.36.8.
        Credit to P1umer, afang5472, xmzyshypnc.
        Impact: Processing maliciously crafted web content may lead to arbitrary code execution.
        Description: A buffer overflow issue was addressed with improved memory handling.
    CVE-2022-32891
        Versions affected: WebKitGTK and WPE WebKit before 2.36.5.
        Credit to @real_as3617, an anonymous researcher.
        Impact: Visiting a website that frames malicious content may lead to UI spoofing.
        Description: The issue was addressed with improved UI handling.
    CVE-2022-32912
        Versions affected: WebKitGTK and WPE WebKit before 2.36.8.
        Credit to Jeonghoon Shin (@singi21a) at Theori working with Trend Micro Zero Day Initiative.
        Impact: Processing maliciously crafted web content may lead to arbitrary code execution.
        Description: An out-of-bounds read was addressed with improved bounds checking.
"

Please bump to 2.36.8.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-19 16:03:47 UTC
Sorry, already in tree, so please stabilize (and thanks for the quick bump!)
Comment 2 Mart Raudsepp gentoo-dev 2022-09-20 13:18:33 UTC
CVE-2022-32912 has been told to not be affecting Linux: https://mail.gnome.org/archives/distributor-list/2022-September/msg00001.html
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-20 14:26:19 UTC
(In reply to Mart Raudsepp from comment #2)
> CVE-2022-32912 has been told to not be affecting Linux:
> https://mail.gnome.org/archives/distributor-list/2022-September/msg00001.html

Feel free to change the alias as necessary in these kinds of situations.