Debian Security Advisory

DSA-5468-1 webkit2gtk -- security update

Date Reported:
05 Aug 2023
Affected Packages:
webkit2gtk
Vulnerable:
Yes
Security database references:
In Mitre's CVE dictionary: CVE-2023-38133, CVE-2023-38572, CVE-2023-38592, CVE-2023-38594, CVE-2023-38595, CVE-2023-38597, CVE-2023-38599, CVE-2023-38600, CVE-2023-38611.
More information:

The following vulnerabilities have been discovered in the WebKitGTK web engine:

  • CVE-2023-38133

    YeongHyeon Choi discovered that processing web content may disclose sensitive information.

  • CVE-2023-38572

    Narendra Bhati discovered that a website may be able to bypass the Same Origin Policy.

  • CVE-2023-38592

    Narendra Bhati, Valentino Dalla Valle, Pedro Bernardo, Marco Squarcina, and Lorenzo Veronese discovered that processing web content may lead to arbitrary code execution.

  • CVE-2023-38594

    Yuhao Hu discovered that processing web content may lead to arbitrary code execution.

  • CVE-2023-38595

    An anonymous researcher, Jiming Wang, and Jikai Ren discovered that processing web content may lead to arbitrary code execution.

  • CVE-2023-38597

    Junsung Lee discovered that processing web content may lead to arbitrary code execution.

  • CVE-2023-38599

    Hritvik Taneja, Jason Kim, Jie Jeff Xu, Stephan van Schaik, Daniel Genkin, and Yuval Yarom discovered that a website may be able to track sensitive user information.

  • CVE-2023-38600

    An anonymous researcher discovered that processing web content may lead to arbitrary code execution.

  • CVE-2023-38611

    Francisco Alonso discovered that processing web content may lead to arbitrary code execution.

For the oldstable distribution (bullseye), these problems have been fixed in version 2.40.5-1~deb11u1.

For the stable distribution (bookworm), these problems have been fixed in version 2.40.5-1~deb12u1.

We recommend that you upgrade your webkit2gtk packages.

For the detailed security status of webkit2gtk please refer to its security tracker page at: https://security-tracker.debian.org/tracker/webkit2gtk