Security Information / 2021 / Security Information -- DSA-4945-1 webkit2gtk

Debian Security Advisory

DSA-4945-1 webkit2gtk -- security update

Date Reported:

28 Jul 2021

Affected Packages:

webkit2gtk

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2021-21775, CVE-2021-21779, CVE-2021-30663, CVE-2021-30665, CVE-2021-30689, CVE-2021-30720, CVE-2021-30734, CVE-2021-30744, CVE-2021-30749, CVE-2021-30758, CVE-2021-30795, CVE-2021-30797, CVE-2021-30799.

More information:

The following vulnerabilities have been discovered in the webkit2gtk web engine:

• CVE-2021-21775

  Marcin Towalski discovered that a specially crafted web page can lead to a potential information leak and further memory corruption. In order to trigger the vulnerability, a victim must be tricked into visiting a malicious webpage.

• CVE-2021-21779

  Marcin Towalski discovered that a specially crafted web page can lead to a potential information leak and further memory corruption. In order to trigger the vulnerability, a victim must be tricked into visiting a malicious webpage.

• CVE-2021-30663

  An anonymous researcher discovered that processing maliciously crafted web content may lead to arbitrary code execution.

• CVE-2021-30665

  yangkang discovered that processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

• CVE-2021-30689

  An anonymous researcher discovered that processing maliciously crafted web content may lead to universal cross site scripting.

• CVE-2021-30720

  David Schutz discovered that a malicious website may be able to access restricted ports on arbitrary servers.

• CVE-2021-30734

  Jack Dates discovered that processing maliciously crafted web content may lead to arbitrary code execution.

• CVE-2021-30744

  Dan Hite discovered that processing maliciously crafted web content may lead to universal cross site scripting.

• CVE-2021-30749

  An anonymous researcher discovered that processing maliciously crafted web content may lead to arbitrary code execution.

• CVE-2021-30758

  Christoph Guttandin discovered that processing maliciously crafted web content may lead to arbitrary code execution.

• CVE-2021-30795

  Sergei Glazunov discovered that processing maliciously crafted web content may lead to arbitrary code execution.

• CVE-2021-30797

  Ivan Fratric discovered that processing maliciously crafted web content may lead to code execution.

• CVE-2021-30799

  Sergei Glazunov discovered that processing maliciously crafted web content may lead to arbitrary code execution.

For the stable distribution (buster), these problems have been fixed in version 2.32.3-1~deb10u1.

We recommend that you upgrade your webkit2gtk packages.

For the detailed security status of webkit2gtk please refer to its security tracker page at: https://security-tracker.debian.org/tracker/webkit2gtk