Debian Security Advisory

DSA-5308-1 webkit2gtk -- security update

Date Reported:
31 Dec 2022
Affected Packages:
webkit2gtk
Vulnerable:
Yes
Security database references:
In Mitre's CVE dictionary: CVE-2022-42852, CVE-2022-42856, CVE-2022-42867, CVE-2022-46692, CVE-2022-46698, CVE-2022-46699, CVE-2022-46700.
More information:

The following vulnerabilities have been discovered in the WebKitGTK web engine:

  • CVE-2022-42852

    hazbinhotel discovered that processing maliciously crafted web content may result in the disclosure of process memory.

  • CVE-2022-42856

    Clement Lecigne discovered that processing maliciously crafted web content may lead to arbitrary code execution.

  • CVE-2022-42867

    Maddie Stone discovered that processing maliciously crafted web content may lead to arbitrary code execution.

  • CVE-2022-46692

    KirtiKumar Anandrao Ramchandani discovered that processing maliciously crafted web content may bypass Same Origin Policy.

  • CVE-2022-46698

    Dohyun Lee and Ryan Shin discovered that processing maliciously crafted web content may disclose sensitive user information.

  • CVE-2022-46699

    Samuel Gross discovered that processing maliciously crafted web content may lead to arbitrary code execution.

  • CVE-2022-46700

    Samuel Gross discovered that processing maliciously crafted web content may lead to arbitrary code execution.

For the stable distribution (bullseye), these problems have been fixed in version 2.38.3-1~deb11u1.

We recommend that you upgrade your webkit2gtk packages.

For the detailed security status of webkit2gtk please refer to its security tracker page at: https://security-tracker.debian.org/tracker/webkit2gtk