Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 871732 (CVE-2022-32886, CVE-2022-32891, WSA-2022-0009) - <net-libs/webkit-gtk-2.36.8: multiple vulnerabilities
Summary: <net-libs/webkit-gtk-2.36.8: multiple vulnerabilities
Status: IN_PROGRESS
Alias: CVE-2022-32886, CVE-2022-32891, WSA-2022-0009
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL: https://webkitgtk.org/security/WSA-20...
Whiteboard: A2 [glsa?]
Keywords:
Depends on: 879809
Blocks:
  Show dependency tree
 
Reported: 2022-09-19 16:03 UTC by John Helmert III
Modified: 2022-12-19 22:16 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-19 16:03:04 UTC 
"
    CVE-2022-32886
        Versions affected: WebKitGTK and WPE WebKit before 2.36.8.
        Credit to P1umer, afang5472, xmzyshypnc.
        Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: A buffer overflow issue was addressed with improved memory handling.
    CVE-2022-32891
        Versions affected: WebKitGTK and WPE WebKit before 2.36.5.
        Credit to @real_as3617, an anonymous researcher.
        Impact: Visiting a website that frames malicious content may lead to UI spoofing. Description: The issue was addressed with improved UI handling.
    CVE-2022-32912
        Versions affected: WebKitGTK and WPE WebKit before 2.36.8.
        Credit to Jeonghoon Shin (@singi21a) at Theori working with Trend Micro Zero Day Initiative.
        Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: An out-of-bounds read was addressed with improved bounds checking.
"

Please bump to 2.36.8.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-19 16:03:47 UTC 
Sorry, already in tree, so please stabilize (and thanks for the quick bump!)
Comment 2 Mart Raudsepp gentoo-dev 2022-09-20 13:18:33 UTC 
CVE-2022-32912 has been told to not be affecting Linux: https://mail.gnome.org/archives/distributor-list/2022-September/msg00001.html
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-20 14:26:19 UTC 
(In reply to Mart Raudsepp from comment #2)
> CVE-2022-32912 has been told to not be affecting Linux:
> https://mail.gnome.org/archives/distributor-list/2022-September/msg00001.html

Feel free to change alias as necessary in these kinds of situations
Comment 4 Larry the Git Cow gentoo-dev 2022-12-19 21:11:46 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5f2ad6c822d2d64da4ebcb1f90b23c9f78bbbd91

commit 5f2ad6c822d2d64da4ebcb1f90b23c9f78bbbd91
Author:     Matt Turner <mattst88@gentoo.org>
AuthorDate: 2022-12-19 19:59:48 +0000
Commit:     Matt Turner <mattst88@gentoo.org>
CommitDate: 2022-12-19 21:11:40 +0000

    net-libs/webkit-gtk: Drop old versions
    
    Bug: https://bugs.gentoo.org/871732
    Bug: https://bugs.gentoo.org/879571
    Signed-off-by: Matt Turner <mattst88@gentoo.org>

 net-libs/webkit-gtk/Manifest                 |   1 -
 net-libs/webkit-gtk/webkit-gtk-2.36.7.ebuild | 250 ---------------------------
 2 files changed, 251 deletions(-)
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-12-19 22:16:24 UTC 
Thanks!