Lucene search

K
almalinuxAlmaLinuxALSA-2022:7704
HistoryNov 08, 2022 - 12:00 a.m.

Moderate: webkit2gtk3 security and bug fix update

2022-11-0800:00:00
errata.almalinux.org
16
webkitgtk
glib
security fix
bug fix
cve-2022-22624
cve-2022-22628
cve-2022-22629
cve-2022-22662
cve-2022-26700
cve-2022-26709
cve-2022-26710
cve-2022-26716
cve-2022-26717
cve-2022-26719
cve-2022-30293
unix

CVSS2

5.1

Attack Vector

NETWORK

Attack Complexity

HIGH

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:H/Au:N/C:P/I:P/A:P

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS

0.005

Percentile

77.2%

WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform.

GLib provides the core application building blocks for libraries and applications written in C. It provides the core object system used in GNOME, the main loop implementation, and a large set of utility functions for strings and common data structures.

Security Fix(es):

  • webkitgtk: Use-after-free leading to arbitrary code execution (CVE-2022-22624)
  • webkitgtk: Use-after-free leading to arbitrary code execution (CVE-2022-22628)
  • webkitgtk: Buffer overflow leading to arbitrary code execution (CVE-2022-22629)
  • webkitgtk: Cookie management issue leading to sensitive user information disclosure (CVE-2022-22662)
  • webkitgtk: Memory corruption issue leading to arbitrary code execution (CVE-2022-26700)
  • webkitgtk: Use-after-free leading to arbitrary code execution (CVE-2022-26709)
  • webkitgtk: Use-after-free leading to arbitrary code execution (CVE-2022-26710)
  • webkitgtk: Memory corruption issue leading to arbitrary code execution (CVE-2022-26716)
  • webkitgtk: Use-after-free leading to arbitrary code execution (CVE-2022-26717)
  • webkitgtk: Memory corruption issue leading to arbitrary code execution (CVE-2022-26719)
  • webkitgtk: Heap buffer overflow in WebCore::TextureMapperLayer::setContentsLayer leading to arbitrary code execution (CVE-2022-30293)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.

References

CVSS2

5.1

Attack Vector

NETWORK

Attack Complexity

HIGH

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:H/Au:N/C:P/I:P/A:P

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS

0.005

Percentile

77.2%