webkit2gtk3-2.40.5-1.el9

エラータID: AXSA:2023-6828:17

Release date: 
Monday, December 11, 2023 - 02:07
Subject: 
webkit2gtk3-2.40.5-1.el9
Affected Channels: 
MIRACLE LINUX 9 for x86_64
Severity: 
High
Description: 

WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform.

Security Fix(es):

* webkitgtk: arbitrary code execution (CVE-2023-32393)
* webkitgtk: bypass Same Origin Policy (CVE-2023-38572)
* webkitgtk: Processing web content may lead to arbitrary code execution (CVE-2023-38592)
* webkitgtk: arbitrary code execution (CVE-2023-38594)
* webkitgtk: arbitrary code execution (CVE-2023-38595)
* webkitgtk: arbitrary code execution (CVE-2023-38597)
* webkitgtk: arbitrary code execution (CVE-2023-38600)
* webkitgtk: arbitrary code execution (CVE-2023-38611)
* webkitgtk: Memory corruption issue when processing web content (CVE-2022-32885)
* webkitgtk: Same Origin Policy bypass via crafted web content (CVE-2023-27932)
* webkitgtk: Website may be able to track sensitive user information (CVE-2023-27954)
* webkitgtk: use after free vulnerability (CVE-2023-28198)
* webkitgtk: content security policy blacklist failure (CVE-2023-32370)
* webkitgtk: disclose sensitive information (CVE-2023-38133)
* webkitgtk: track sensitive user information (CVE-2023-38599)
* webkitgtk: processing web content may lead to arbitrary code execution (CVE-2023-39434)
* webkitgtk: arbitrary javascript code execution (CVE-2023-40397)
* webkitgtk: attacker with JavaScript execution may be able to execute arbitrary code (CVE-2023-40451)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the MIRACLE LINUX 9.3 Release Notes linked from the References section.

CVE-2022-32885
A memory corruption issue was addressed with improved validation. This issue is fixed in iOS 15.6 and iPadOS 15.6, macOS Monterey 12.5, Safari 15.6. Processing maliciously crafted web content may lead to arbitrary code execution
CVE-2023-27932
This issue was addressed with improved state management. This issue is fixed in macOS Ventura 13.3, Safari 16.4, iOS 16.4 and iPadOS 16.4, tvOS 16.4, watchOS 9.4. Processing maliciously crafted web content may bypass Same Origin Policy.
CVE-2023-27954
The issue was addressed by removing origin information. This issue is fixed in macOS Ventura 13.3, Safari 16.4, iOS 16.4 and iPadOS 16.4, iOS 15.7.4 and iPadOS 15.7.4, tvOS 16.4, watchOS 9.4. A website may be able to track sensitive user information.
CVE-2023-28198
A use-after-free issue was addressed with improved memory management. This issue is fixed in iOS 16.4 and iPadOS 16.4, macOS Ventura 13.3. Processing web content may lead to arbitrary code execution.
CVE-2023-32370
A logic issue was addressed with improved validation. This issue is fixed in macOS Ventura 13.3. Content Security Policy to block domains with wildcards may fail.
CVE-2023-32393
The issue was addressed with improved memory handling. This issue is fixed in watchOS 9.3, tvOS 16.3, macOS Ventura 13.2, iOS 16.3 and iPadOS 16.3. Processing web content may lead to arbitrary code execution.
CVE-2023-38133
The issue was addressed with improved checks. This issue is fixed in iOS 15.7.8 and iPadOS 15.7.8, iOS 16.6 and iPadOS 16.6, tvOS 16.6, macOS Ventura 13.5, Safari 16.6, watchOS 9.6. Processing web content may disclose sensitive information.
CVE-2023-38572
The issue was addressed with improved checks. This issue is fixed in iOS 15.7.8 and iPadOS 15.7.8, iOS 16.6 and iPadOS 16.6, tvOS 16.6, macOS Ventura 13.5, Safari 16.6, watchOS 9.6. A website may be able to bypass Same Origin Policy.
CVE-2023-38592
A logic issue was addressed with improved restrictions. This issue is fixed in iOS 16.6 and iPadOS 16.6, watchOS 9.6, tvOS 16.6, macOS Ventura 13.5. Processing web content may lead to arbitrary code execution.
CVE-2023-38594
The issue was addressed with improved checks. This issue is fixed in iOS 15.7.8 and iPadOS 15.7.8, iOS 16.6 and iPadOS 16.6, tvOS 16.6, macOS Ventura 13.5, Safari 16.6, watchOS 9.6. Processing web content may lead to arbitrary code execution.
CVE-2023-38595
The issue was addressed with improved checks. This issue is fixed in iOS 16.6 and iPadOS 16.6, tvOS 16.6, macOS Ventura 13.5, Safari 16.6, watchOS 9.6. Processing web content may lead to arbitrary code execution.
CVE-2023-38597
The issue was addressed with improved checks. This issue is fixed in iOS 15.7.8 and iPadOS 15.7.8, iOS 16.6 and iPadOS 16.6, macOS Ventura 13.5, Safari 16.6. Processing web content may lead to arbitrary code execution.
CVE-2023-38599
A logic issue was addressed with improved state management. This issue is fixed in Safari 16.6, watchOS 9.6, iOS 15.7.8 and iPadOS 15.7.8, tvOS 16.6, iOS 16.6 and iPadOS 16.6, macOS Ventura 13.5. A website may be able to track sensitive user information.
CVE-2023-38600
The issue was addressed with improved checks. This issue is fixed in iOS 16.6 and iPadOS 16.6, tvOS 16.6, macOS Ventura 13.5, Safari 16.6, watchOS 9.6. Processing web content may lead to arbitrary code execution.
CVE-2023-38611
The issue was addressed with improved memory handling. This issue is fixed in iOS 16.6 and iPadOS 16.6, tvOS 16.6, macOS Ventura 13.5, Safari 16.6, watchOS 9.6. Processing web content may lead to arbitrary code execution.
CVE-2023-39434
A use-after-free issue was addressed with improved memory management. This issue is fixed in iOS 17 and iPadOS 17, watchOS 10, macOS Sonoma 14. Processing web content may lead to arbitrary code execution.
CVE-2023-40397
The issue was addressed with improved checks. This issue is fixed in macOS Ventura 13.5. A remote attacker may be able to cause arbitrary javascript code execution.
CVE-2023-40451
This issue was addressed with improved iframe sandbox enforcement. This issue is fixed in Safari 17. An attacker with JavaScript execution may be able to execute arbitrary code.

Solution: 

Update packages.

CVEs: 
CVE-2022-32885
A memory corruption issue was addressed with improved validation. This issue is fixed in iOS 15.6 and iPadOS 15.6, macOS Monterey 12.5, Safari 15.6. Processing maliciously crafted web content may lead to arbitrary code execution
CVE-2023-27932
This issue was addressed with improved state management. This issue is fixed in macOS Ventura 13.3, Safari 16.4, iOS 16.4 and iPadOS 16.4, tvOS 16.4, watchOS 9.4. Processing maliciously crafted web content may bypass Same Origin Policy.
CVE-2023-27954
The issue was addressed by removing origin information. This issue is fixed in macOS Ventura 13.3, Safari 16.4, iOS 16.4 and iPadOS 16.4, iOS 15.7.4 and iPadOS 15.7.4, tvOS 16.4, watchOS 9.4. A website may be able to track sensitive user information.
CVE-2023-28198
A use-after-free issue was addressed with improved memory management. This issue is fixed in iOS 16.4 and iPadOS 16.4, macOS Ventura 13.3. Processing web content may lead to arbitrary code execution.
CVE-2023-32370
A logic issue was addressed with improved validation. This issue is fixed in macOS Ventura 13.3. Content Security Policy to block domains with wildcards may fail.
CVE-2023-32393
The issue was addressed with improved memory handling. This issue is fixed in watchOS 9.3, tvOS 16.3, macOS Ventura 13.2, iOS 16.3 and iPadOS 16.3. Processing web content may lead to arbitrary code execution.
CVE-2023-38133
The issue was addressed with improved checks. This issue is fixed in iOS 15.7.8 and iPadOS 15.7.8, iOS 16.6 and iPadOS 16.6, tvOS 16.6, macOS Ventura 13.5, Safari 16.6, watchOS 9.6. Processing web content may disclose sensitive information.
CVE-2023-38572
The issue was addressed with improved checks. This issue is fixed in iOS 15.7.8 and iPadOS 15.7.8, iOS 16.6 and iPadOS 16.6, tvOS 16.6, macOS Ventura 13.5, Safari 16.6, watchOS 9.6. A website may be able to bypass Same Origin Policy.
CVE-2023-38592
A logic issue was addressed with improved restrictions. This issue is fixed in iOS 16.6 and iPadOS 16.6, watchOS 9.6, tvOS 16.6, macOS Ventura 13.5. Processing web content may lead to arbitrary code execution.
CVE-2023-38594
The issue was addressed with improved checks. This issue is fixed in iOS 15.7.8 and iPadOS 15.7.8, iOS 16.6 and iPadOS 16.6, tvOS 16.6, macOS Ventura 13.5, Safari 16.6, watchOS 9.6. Processing web content may lead to arbitrary code execution.
CVE-2023-38595
The issue was addressed with improved checks. This issue is fixed in iOS 16.6 and iPadOS 16.6, tvOS 16.6, macOS Ventura 13.5, Safari 16.6, watchOS 9.6. Processing web content may lead to arbitrary code execution.
CVE-2023-38597
The issue was addressed with improved checks. This issue is fixed in iOS 15.7.8 and iPadOS 15.7.8, iOS 16.6 and iPadOS 16.6, macOS Ventura 13.5, Safari 16.6. Processing web content may lead to arbitrary code execution.
CVE-2023-38599
A logic issue was addressed with improved state management. This issue is fixed in Safari 16.6, watchOS 9.6, iOS 15.7.8 and iPadOS 15.7.8, tvOS 16.6, iOS 16.6 and iPadOS 16.6, macOS Ventura 13.5. A website may be able to track sensitive user information.
CVE-2023-38600
The issue was addressed with improved checks. This issue is fixed in iOS 16.6 and iPadOS 16.6, tvOS 16.6, macOS Ventura 13.5, Safari 16.6, watchOS 9.6. Processing web content may lead to arbitrary code execution.
CVE-2023-38611
The issue was addressed with improved memory handling. This issue is fixed in iOS 16.6 and iPadOS 16.6, tvOS 16.6, macOS Ventura 13.5, Safari 16.6, watchOS 9.6. Processing web content may lead to arbitrary code execution.
CVE-2023-39434
A use-after-free issue was addressed with improved memory management. This issue is fixed in iOS 17 and iPadOS 17, watchOS 10, macOS Sonoma 14. Processing web content may lead to arbitrary code execution.
CVE-2023-40397
The issue was addressed with improved checks. This issue is fixed in macOS Ventura 13.5. A remote attacker may be able to cause arbitrary javascript code execution.
CVE-2023-40451
This issue was addressed with improved iframe sandbox enforcement. This issue is fixed in Safari 17. An attacker with JavaScript execution may be able to execute arbitrary code.
Additional Info: 

N/A

Download: 

SRPMS
  1. webkit2gtk3-2.40.5-1.el9.src.rpm
    MD5: c9a24fe7e66041f321fc0ce78b39d45f
    SHA-256: 297e0a78af34bb9ac6780fad18f8b38e925c83a20f61ec32b3683dfeb86ba7cc
    Size: 38.24 MB

Asianux Server 9 for x86_64
  1. webkit2gtk3-2.40.5-1.el9.i686.rpm
    MD5: e588191a1dc8fac3adb86050dbc2a74d
    SHA-256: 4875b180e77fe09c19cb963dde9eec3735ced7b0e5ea42f1ebef55ec78ab935e
    Size: 20.84 MB
  2. webkit2gtk3-2.40.5-1.el9.x86_64.rpm
    MD5: 8c5172696ad82d802aa43a5d26ecb137
    SHA-256: 6bf204d4e12ce317679703017614955d3436e5ef1c1067e460b2cf93ae3d5d09
    Size: 19.88 MB
  3. webkit2gtk3-devel-2.40.5-1.el9.i686.rpm
    MD5: 48ae45399a27c9af598d52f2d1526e50
    SHA-256: 477b4cf3280c3ebdc792bfb8c4e1442b7e7e6c0a48cf93e04854fb4ba781ef1f
    Size: 318.84 kB
  4. webkit2gtk3-devel-2.40.5-1.el9.x86_64.rpm
    MD5: 81b879804a76b6a3b0c9c298ebb561ac
    SHA-256: 86e90b754fb2f84ccc4d0274f6edbcd319c3ed0188a2072c7adffc29f13edab7
    Size: 313.45 kB
  5. webkit2gtk3-jsc-2.40.5-1.el9.i686.rpm
    MD5: d8d2caef098c2df713ab17e81f1bc1b3
    SHA-256: 18d5450689d3b08b6c2f128a97957d556c7f66b31832a1ab351890d5b250dd1d
    Size: 3.38 MB
  6. webkit2gtk3-jsc-2.40.5-1.el9.x86_64.rpm
    MD5: 529c1e05ceb4929319e47be9dae1d147
    SHA-256: a487920b678dc921f84a2de6606899672aedd373c7cd4d143a50d903455f0e29
    Size: 3.37 MB
  7. webkit2gtk3-jsc-devel-2.40.5-1.el9.i686.rpm
    MD5: e5e49e4875ac5e06c0b87b6a84e31a75
    SHA-256: 311c7c958f1809b69aab81aae4853f76c2fd007931e781bea58a18e4f301ac3d
    Size: 161.08 kB
  8. webkit2gtk3-jsc-devel-2.40.5-1.el9.x86_64.rpm
    MD5: 3387fcfa108d3c29c1d12420850b4cb3
    SHA-256: 482cf9e22282e27b4bdeee1adcb2d40b7c4db38cab998e8cc301102dd7173eb6
    Size: 152.31 kB