[gentoo-announce] [ GLSA 202104-03 ] WebkitGTK+: Multiple vulnerabilities - gentoo-announce

From:	Thomas Deutschmann <whissi@g.o>
To:	gentoo-announce@l.g.o
Subject:	[gentoo-announce] [ GLSA 202104-03 ] WebkitGTK+: Multiple vulnerabilities
Date:	Sat, 01 May 2021 00:04:27
Message-Id:	`bc567884-2409-da7e-fd0f-6b1772336cd5@gentoo.org`

1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

2

Gentoo Linux Security Advisory                           GLSA 202104-03

3

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

4

                                            https://security.gentoo.org/

5

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

6

7

  Severity: Normal

8

     Title: WebkitGTK+: Multiple vulnerabilities

9

      Date: April 30, 2021

10

      Bugs: #770793, #773193

11

        ID: 202104-03

12

13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

14

15

Synopsis

16

========

17

18

Multiple vulnerabilities have been found in WebkitGTK+, the worst of

19

which could result in the arbitrary execution of code.

20

21

Background

22

==========

23

24

WebKitGTK+ is a full-featured port of the WebKit rendering engine,

25

suitable for projects requiring any kind of web integration, from

26

hybrid HTML/CSS applications to full-fledged web browsers.

27

28

Affected packages

29

=================

30

31

     -------------------------------------------------------------------

32

      Package              /     Vulnerable     /            Unaffected

33

     -------------------------------------------------------------------

34

   1  net-libs/webkit-gtk          < 2.30.6                  >= 2.30.6

35

36

Description

37

===========

38

39

Multiple vulnerabilities have been discovered in WebkitGTK+. Please

40

review the CVE identifiers referenced below for details.

41

42

Impact

43

======

44

45

An attacker, by enticing a user to visit maliciously crafted web

46

content, may be able to execute arbitrary code, violate iframe

47

sandboxing policy, access restricted ports on arbitrary servers, cause

48

memory corruption, or could cause a Denial of Service condition.

49

50

Workaround

51

==========

52

53

There is no known workaround at this time.

54

55

Resolution

56

==========

57

58

All WebkitGTK+ users should upgrade to the latest version:

59

60

   # emerge --sync

61

   # emerge --ask --oneshot --verbose ">=net-libs/webkit-gtk-2.30.6"

62

63

References

64

==========

65

66

[  1 ] CVE-2020-13558

67

        https://nvd.nist.gov/vuln/detail/CVE-2020-13558

68

[  2 ] CVE-2020-27918

69

        https://nvd.nist.gov/vuln/detail/CVE-2020-27918

70

[  3 ] CVE-2020-29623

71

        https://nvd.nist.gov/vuln/detail/CVE-2020-29623

72

[  4 ] CVE-2020-9947

73

        https://nvd.nist.gov/vuln/detail/CVE-2020-9947

74

[  5 ] CVE-2021-1765

75

        https://nvd.nist.gov/vuln/detail/CVE-2021-1765

76

[  6 ] CVE-2021-1789

77

        https://nvd.nist.gov/vuln/detail/CVE-2021-1789

78

[  7 ] CVE-2021-1799

79

        https://nvd.nist.gov/vuln/detail/CVE-2021-1799

80

[  8 ] CVE-2021-1801

81

        https://nvd.nist.gov/vuln/detail/CVE-2021-1801

82

[  9 ] CVE-2021-1870

83

        https://nvd.nist.gov/vuln/detail/CVE-2021-1870

84

[ 10 ] WSA-2021-0001

85

        https://webkitgtk.org/security/WSA-2021-0001.html

86

[ 11 ] WSA-2021-0002

87

        https://webkitgtk.org/security/WSA-2021-0002.html

88

89

Availability

90

============

91

92

This GLSA and any updates to it are available for viewing at

93

the Gentoo Security Website:

94

95

  https://security.gentoo.org/glsa/202104-03

96

97

Concerns?

98

=========

99

100

Security is a primary focus of Gentoo Linux and ensuring the

101

confidentiality and security of our users' machines is of utmost

102

importance to us. Any security concerns should be addressed to

103

security@g.o or alternatively, you may file a bug at

104

https://bugs.gentoo.org.

105

106

License

107

=======

108

109

Copyright 2021 Gentoo Foundation, Inc; referenced text

110

belongs to its owner(s).

111

112

The contents of this document are licensed under the

113

Creative Commons - Attribution / Share Alike license.

114

115

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Archives: gentoo-announce

Attachments

1	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2	Gentoo Linux Security Advisory GLSA 202104-03
3	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4	https://security.gentoo.org/
5	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7	Severity: Normal
8	Title: WebkitGTK+: Multiple vulnerabilities
9	Date: April 30, 2021
10	Bugs: #770793, #773193
11	ID: 202104-03
12
13	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15	Synopsis
16	========
17
18	Multiple vulnerabilities have been found in WebkitGTK+, the worst of
19	which could result in the arbitrary execution of code.
20
21	Background
22	==========
23
24	WebKitGTK+ is a full-featured port of the WebKit rendering engine,
25	suitable for projects requiring any kind of web integration, from
26	hybrid HTML/CSS applications to full-fledged web browsers.
27
28	Affected packages
29	=================
30
31	-------------------------------------------------------------------
32	Package / Vulnerable / Unaffected
33	-------------------------------------------------------------------
34	1 net-libs/webkit-gtk < 2.30.6 >= 2.30.6
35
36	Description
37	===========
38
39	Multiple vulnerabilities have been discovered in WebkitGTK+. Please
40	review the CVE identifiers referenced below for details.
41
42	Impact
43	======
44
45	An attacker, by enticing a user to visit maliciously crafted web
46	content, may be able to execute arbitrary code, violate iframe
47	sandboxing policy, access restricted ports on arbitrary servers, cause
48	memory corruption, or could cause a Denial of Service condition.
49
50	Workaround
51	==========
52
53	There is no known workaround at this time.
54
55	Resolution
56	==========
57
58	All WebkitGTK+ users should upgrade to the latest version:
59
60	# emerge --sync
61	# emerge --ask --oneshot --verbose ">=net-libs/webkit-gtk-2.30.6"
62
63	References
64	==========
65
66	[ 1 ] CVE-2020-13558
67	https://nvd.nist.gov/vuln/detail/CVE-2020-13558
68	[ 2 ] CVE-2020-27918
69	https://nvd.nist.gov/vuln/detail/CVE-2020-27918
70	[ 3 ] CVE-2020-29623
71	https://nvd.nist.gov/vuln/detail/CVE-2020-29623
72	[ 4 ] CVE-2020-9947
73	https://nvd.nist.gov/vuln/detail/CVE-2020-9947
74	[ 5 ] CVE-2021-1765
75	https://nvd.nist.gov/vuln/detail/CVE-2021-1765
76	[ 6 ] CVE-2021-1789
77	https://nvd.nist.gov/vuln/detail/CVE-2021-1789
78	[ 7 ] CVE-2021-1799
79	https://nvd.nist.gov/vuln/detail/CVE-2021-1799
80	[ 8 ] CVE-2021-1801
81	https://nvd.nist.gov/vuln/detail/CVE-2021-1801
82	[ 9 ] CVE-2021-1870
83	https://nvd.nist.gov/vuln/detail/CVE-2021-1870
84	[ 10 ] WSA-2021-0001
85	https://webkitgtk.org/security/WSA-2021-0001.html
86	[ 11 ] WSA-2021-0002
87	https://webkitgtk.org/security/WSA-2021-0002.html
88
89	Availability
90	============
91
92	This GLSA and any updates to it are available for viewing at
93	the Gentoo Security Website:
94
95	https://security.gentoo.org/glsa/202104-03
96
97	Concerns?
98	=========
99
100	Security is a primary focus of Gentoo Linux and ensuring the
101	confidentiality and security of our users' machines is of utmost
102	importance to us. Any security concerns should be addressed to
103	security@g.o or alternatively, you may file a bug at
104	https://bugs.gentoo.org.
105
106	License
107	=======
108
109	Copyright 2021 Gentoo Foundation, Inc; referenced text
110	belongs to its owner(s).
111
112	The contents of this document are licensed under the
113	Creative Commons - Attribution / Share Alike license.
114
115	https://creativecommons.org/licenses/by-sa/2.5