Alerts This Week
Warning Icon 1 914
Alerts This Week
Warning Icon 1 914

Red Hat 9: RHSA-2023-2256-01 Important: WebKit2GTK3 Security Update

red hat
Calendar Grey May 9, 2023
Dist Redhat Esm H88
A crucial patch for webkit2gtk3 has been released, tackling various vulnerabilities in Red Hat Enterprise Linux 9.
An update for webkit2gtk3 is now available for Red Hat Enterprise Linux 9

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Summary

WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform.
Security Fix(es):
* webkitgtk: use-after-free issue leading to arbitrary code execution (CVE-2022-42826)
* webkitgtk: memory corruption issue leading to arbitrary code execution (CVE-2023-23517)
* webkitgtk: memory corruption issue leading to arbitrary code execution (CVE-2023-23518)
* webkitgtk: buffer overflow issue was addressed with improved memory handling (CVE-2022-32886)
* webkitgtk: out-of-bounds write issue was addressed with improved bounds checking (CVE-2022-32888)
* webkitgtk: correctness issue in the JIT was addressed with improved checks (CVE-2022-32923)
* webkitgtk: issue was addressed with improved UI handling (CVE-2022-42799)
* webkitgtk: type confusion issue leading to arbitrary code execution (CVE-2022-42823)
* webkitgtk: sensitive information disclosure issue (CVE-2022-42824)
* webkitgtk: memory disclosure issue was addressed with improved memory handling (CVE-2022-42852)
* webkitgtk: memory corruption issue leading to arbitrary code execution (CVE-2022-42863)
* webkitgtk: use-after-free issue leading to arbitrary code execution (CVE-2022-42867)
* webkitgtk: memory corruption issue leading to arbitrary code execution (CVE-2022-46691)
* webkitgtk: Same Origin Policy bypass issue (CVE-2022-46692)
* webkitgtk: logic issue leading to user information disclosure (CVE-2022-46698)
* webkitgtk: memory corruption issue leading to arbitrary code execution (CVE-2022-46699)
* webkitgtk: memory corruption issue leading to arbitrary code execution (CVE-2022-46700)
* webkitgtk: heap-use-after-free in WebCore::RenderLayer::addChild() (CVE-2023-25358)
* webkitgtk: heap-use-after-free in WebCore::RenderLayer::renderer() (CVE-2023-25360)
* webkitgtk: heap-use-after-free in WebCore::RenderLayer::setNextSibling() (CVE-2023-25361)
* webkitgtk: heap-use-after-free in WebCore::RenderLayer::repaintBlockSelectionGaps() (CVE-2023-25362)
* webkitgtk: heap-use-after-free in WebCore::RenderLayer::updateDescendantDependentFlags() (CVE-2023-25363)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat Enterprise Linux 9.2 Release Notes linked from the References section.

Topics%20covered

Topics Covered

security advisory buffer overflow arbitrary code execution memory corruption Red Hat Enterprise Linux important webkit2gtk3

References

https://access.redhat.com/security/cve/CVE-2022-32886 https://access.redhat.com/security/cve/CVE-2022-32888 https://access.redhat.com/security/cve/CVE-2022-32923 https://access.redhat.com/security/cve/CVE-2022-42799 https://access.redhat.com/security/cve/CVE-2022-42823 https://access.redhat.com/security/cve/CVE-2022-42824 https://access.redhat.com/security/cve/CVE-2022-42826 https://access.redhat.com/security/cve/CVE-2022-42852 https://access.redhat.com/security/cve/CVE-2022-42863 https://access.redhat.com/security/cve/CVE-2022-42867 https://access.redhat.com/security/cve/CVE-2022-46691 https://access.redhat.com/security/cve/CVE-2022-46692 https://access.redhat.com/security/cve/CVE-2022-46698 https://access.redhat.com/security/cve/CVE-2022-46699 https://access.redhat.com/security/cve/CVE-2022-46700 https://access.redhat.com/security/cve/CVE-2023-23517 https://access.redhat.com/security/cve/CVE-2023-23518 https://access.redhat.com/security/cve/CVE-2023-25358 https://access.redhat.com/security/cve/CVE-2023-25360 https://access.redhat.com/security/cve/CVE-2023-25361 https://access.redhat.com/security/cve/CVE-2023-25362 https://access.redhat.com/security/cve/CVE-2023-25363 https://access.redhat.com/security/updates/classification#important Read the Full Advisory

Package List

Red Hat Enterprise Linux AppStream (v. 9):
Source: webkit2gtk3-2.38.5-1.el9.src.rpm
aarch64: webkit2gtk3-2.38.5-1.el9.aarch64.rpm webkit2gtk3-debuginfo-2.38.5-1.el9.aarch64.rpm webkit2gtk3-debugsource-2.38.5-1.el9.aarch64.rpm webkit2gtk3-devel-2.38.5-1.el9.aarch64.rpm webkit2gtk3-devel-debuginfo-2.38.5-1.el9.aarch64.rpm webkit2gtk3-jsc-2.38.5-1.el9.aarch64.rpm webkit2gtk3-jsc-debuginfo-2.38.5-1.el9.aarch64.rpm webkit2gtk3-jsc-devel-2.38.5-1.el9.aarch64.rpm webkit2gtk3-jsc-devel-debuginfo-2.38.5-1.el9.aarch64.rpm
ppc64le: webkit2gtk3-2.38.5-1.el9.ppc64le.rpm webkit2gtk3-debuginfo-2.38.5-1.el9.ppc64le.rpm webkit2gtk3-debugsource-2.38.5-1.el9.ppc64le.rpm webkit2gtk3-devel-2.38.5-1.el9.ppc64le.rpm webkit2gtk3-devel-debuginfo-2.38.5-1.el9.ppc64le.rpm webkit2gtk3-jsc-2.38.5-1.el9.ppc64le.rpm webkit2gtk3-jsc-debuginfo-2.38.5-1.el9.ppc64le.rpm webkit2gtk3-jsc-devel-2.38.5-1.el9.ppc64le.rpm webkit2gtk3-jsc-devel-debuginfo-2.38.5-1.el9.ppc64le.rpm
s390x: webkit2gtk3-2.38.5-1.el9.s390x.rpm webkit2gtk3-debuginfo-2.38.5-1.el9.s390x.rpm webkit2gtk3-debugsource-2.38.5-1.el9.s390x.rpm webkit2gtk3-devel-2.38.5-1.el9.s390x.rpm webkit2gtk3-devel-debuginfo-2.38.5-1.el9.s390x.rpm webkit2gtk3-jsc-2.38.5-1.el9.s390x.rpm webkit2gtk3-jsc-debuginfo-2.38.5-1.el9.s390x.rpm

Read the Full Advisory


Severity
important
Lowest
Low
Medium
High
Critical

Advisory ID: RHSA-2023:2256-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2023:2256
Issue date: 2023-05-09

Topic

An update for webkit2gtk3 is now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impactof Important. A Common Vulnerability Scoring System (CVSS) base score,which gives a detailed severity rating, is available for each vulnerabilityfrom the CVE link(s) in the References section.

Topics%20covered

Topics Covered

security advisory buffer overflow arbitrary code execution memory corruption Red Hat Enterprise Linux important webkit2gtk3

Relevant Releases Architectures

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64

Bugs Fixed

2127467 - Upgrade WebKitGTK for RHEL 9.2

2128643 - CVE-2022-32886 webkitgtk: buffer overflow issue was addressed with improved memory handling

2140501 - CVE-2022-32888 webkitgtk: out-of-bounds write issue was addressed with improved bounds checking

2140502 - CVE-2022-32923 webkitgtk: correctness issue in the JIT was addressed with improved checks

2140503 - CVE-2022-42799 webkitgtk: issue was addressed with improved UI handling

2140504 - CVE-2022-42824 webkitgtk: sensitive information disclosure issue

2140505 - CVE-2022-42823 webkitgtk: type confusion issue leading to arbitrary code execution

2156986 - CVE-2022-42852 webkitgtk: memory disclosure issue was addressed with improved memory handling

2156987 - CVE-2022-42863 webkitgtk: memory corruption issue leading to arbitrary code execution

2156989 - CVE-2022-42867 webkitgtk: use-after-free issue leading to arbitrary code execution

2156990 - CVE-2022-46691 webkitgtk: memory corruption issue leading to arbitrary code execution

2156991 - CVE-2022-46692 webkitgtk: Same Origin Policy bypass issue

2156992 - CVE-2022-46698 webkitgtk: logic issue leading to user information disclosure

2156993 - CVE-2022-46699 webkitgtk: memory corruption issue leading to arbitrary code execution

2156994 - CVE-2022-46700 webkitgtk: memory corruption issue leading to arbitrary code execution

Read the Full Advisory

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here