Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 920664 (CVE-2023-42883) - <net-libs/webkit-gtk-2.42.2: Denial of service in SVG handling
Summary: <net-libs/webkit-gtk-2.42.2: Denial of service in SVG handling
Status: RESOLVED FIXED
Alias: CVE-2023-42883
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://webkitgtk.org/security/WSA-20...
Whiteboard: A3 [glsa+]
Keywords:
Depends on: CVE-2023-35074, CVE-2023-39434, CVE-2023-39928, CVE-2023-40451, CVE-2023-41074, CVE-2023-41993, CVE-2023-42890, WSA-2023-0009 CVE-2023-32359, CVE-2023-41983, CVE-2023-42852
Blocks:
  Show dependency tree
 
Reported: 2023-12-24 16:17 UTC by Sam James
Modified: 2024-02-12 01:18 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-12-24 16:17:30 UTC 
CVE-2023-42883

    Versions affected: WebKitGTK and WPE WebKit before 2.42.4.
    Credit to Zoom Offensive Security Team.
    Impact: Processing a SVG image may lead to a denial-of-service. Description: The issue was addressed with improved memory handling.
    WebKit Bugzilla: 263349
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2024-01-07 05:27:21 UTC 
The somewhat esoteric slotting here is apparently breaking kuroneko, dropping the slots so kuroneko's cache will hopefully continue updating.
Comment 2 Larry the Git Cow gentoo-dev 2024-02-12 01:16:19 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=27dbd0aa1207a04e72d0d05235473868999afb10

commit 27dbd0aa1207a04e72d0d05235473868999afb10
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2024-02-12 01:15:16 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2024-02-12 01:16:12 +0000

    [ GLSA 202401-33 ] add missed bug
    
    Bug: https://bugs.gentoo.org/920664
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202401-33.xml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2024-02-12 01:17:57 UTC 
The stablereq in 920667 is for 2.42.4 while >=2.42.2 is already stable for bugs 915222 and 918667, so we're fixed here once this is GLSA'd. I've just amended the last GLSA to add this.