Bugzilla – Bug 1190701
VUL-0: CVE-2021-30858: webkit2gtk3: webkitgtk: Maliciously crafted web content may lead to arbitrary code execution
Last modified: 2022-04-11 08:11:56 UTC
A flaw was found in webkitgtk. Processing maliciously crafted web content may lead to arbitrary code execution. References: https://www.openwall.com/lists/oss-security/2021/09/20/1 https://webkitgtk.org/security/WSA-2021-0005.html https://mail.gnome.org/archives/gnome-announce-list/2021-September/msg00003.html References: https://bugzilla.redhat.com/show_bug.cgi?id=2006099 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-30858 http://seclists.org/oss-sec/2021/q3/182 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30858 http://www.cvedetails.com/cve/CVE-2021-30858/
This issue started as an Apple Security Advisory [0] about webkit, so all the webkit packages such as libqt5-webkit could also be affected. webkit2gtk3: - SUSE:SLE-12-SP2:Update/webkit2gtk3 2.32.3 - SUSE:SLE-15-SP2:Update/webkit2gtk3 2.32.3 - SUSE:SLE-15:Update/webkit2gtk3 2.32.3 - openSUSE:Factory/webkit2gtk3 2.32.3 Upstream recommends to update to a new version (2.32.4). libqt5-webkit: - SUSE:SLE-12-SP2:Update/libqt5-qtwebkit 5.6.1 - SUSE:SLE-12-SP3:Update/libqt5-qtwebkit 5.6.2 - openSUSE:Backports:SLE-15-SP2/libqt5-qtwebkit 5.212~alpha3 - openSUSE:Backports:SLE-15-SP3/libqt5-qtwebkit 5.212~alpha3 - openSUSE:Backports:SLE-15-SP4/libqt5-qtwebkit 5.212~alpha4 - openSUSE:Factory/libqt5-qtwebkit 5.212~alpha4 [0] https://seclists.org/fulldisclosure/2021/Sep/29
SUSE-SU-2021:3282-1: An update that fixes two vulnerabilities is now available. Category: security (important) Bug References: 1188697,1190701 CVE References: CVE-2021-21806,CVE-2021-30858 JIRA References: Sources used: SUSE Linux Enterprise Server for SAP 15-SP1 (src): webkit2gtk3-2.32.4-3.82.1 SUSE Linux Enterprise Server for SAP 15 (src): webkit2gtk3-2.32.4-3.82.1 SUSE Linux Enterprise Server 15-SP1-LTSS (src): webkit2gtk3-2.32.4-3.82.1 SUSE Linux Enterprise Server 15-SP1-BCL (src): webkit2gtk3-2.32.4-3.82.1 SUSE Linux Enterprise Server 15-LTSS (src): webkit2gtk3-2.32.4-3.82.1 SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src): webkit2gtk3-2.32.4-3.82.1 SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src): webkit2gtk3-2.32.4-3.82.1 SUSE Linux Enterprise High Performance Computing 15-LTSS (src): webkit2gtk3-2.32.4-3.82.1 SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): webkit2gtk3-2.32.4-3.82.1 SUSE Enterprise Storage 6 (src): webkit2gtk3-2.32.4-3.82.1 SUSE CaaS Platform 4.0 (src): webkit2gtk3-2.32.4-3.82.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
(In reply to Gabriele Sonnu from comment #1) > libqt5-webkit: > > - SUSE:SLE-12-SP2:Update/libqt5-qtwebkit 5.6.1 > - SUSE:SLE-12-SP3:Update/libqt5-qtwebkit 5.6.2 > - openSUSE:Backports:SLE-15-SP2/libqt5-qtwebkit 5.212~alpha3 > - openSUSE:Backports:SLE-15-SP3/libqt5-qtwebkit 5.212~alpha3 > - openSUSE:Backports:SLE-15-SP4/libqt5-qtwebkit 5.212~alpha4 > - openSUSE:Factory/libqt5-qtwebkit 5.212~alpha4 > > [0] https://seclists.org/fulldisclosure/2021/Sep/29 We can't do much for libqt5-qtwebkit, the code in libqt5-qtwebkit is far far far behind from recent webkit2gtk3, there are some reasons we fails to maintain libqt5-qtwebkit then we dropped libqt5-qtwebkit started from SLE15, 1) any recent change in webkit2gtk3 causing the issue would not happen in libqt5-qtwebkit often since qtwebkit's code is quite aged, 2) it's nearly impossible to cherry-pick patch from webkit2gtk3 upstream tree, most of CVE commit doesn't mention CVE number thus they just engage users update to new version, some more explanation https://bugzilla.suse.com/show_bug.cgi?id=1050469#c5 , 3) libqt5-qtwebkit is dead since qt 5.9, qtwebkit 5.212 is a community project with community support only, it's still so far behind, been years it was alpha phase still, and IMO it's upstream isn't so active. All in all, I don't know how to handle any recent webkit2gtk3 CVEs in libqt5-qtwebkit, the *codebase* in libqt5-qtwebkit is really aged and dead, not just this one, https://bugzilla.suse.com/show_bug.cgi?id=1050469 as well, so could security team please don't add libqt5-qtwebkit if any webkit2gtk3 CVE issue by any chance? we just can not to fix such issues in libqt5-qtwebkit if webkit2gtk3 related.
SUSE-SU-2021:3296-1: An update that fixes two vulnerabilities is now available. Category: security (important) Bug References: 1188697,1190701 CVE References: CVE-2021-21806,CVE-2021-30858 JIRA References: Sources used: SUSE OpenStack Cloud Crowbar 9 (src): webkit2gtk3-2.32.4-2.71.2 SUSE OpenStack Cloud Crowbar 8 (src): webkit2gtk3-2.32.4-2.71.2 SUSE OpenStack Cloud 9 (src): webkit2gtk3-2.32.4-2.71.2 SUSE OpenStack Cloud 8 (src): webkit2gtk3-2.32.4-2.71.2 SUSE Linux Enterprise Software Development Kit 12-SP5 (src): webkit2gtk3-2.32.4-2.71.2 SUSE Linux Enterprise Server for SAP 12-SP4 (src): webkit2gtk3-2.32.4-2.71.2 SUSE Linux Enterprise Server for SAP 12-SP3 (src): webkit2gtk3-2.32.4-2.71.2 SUSE Linux Enterprise Server 12-SP5 (src): webkit2gtk3-2.32.4-2.71.2 SUSE Linux Enterprise Server 12-SP4-LTSS (src): webkit2gtk3-2.32.4-2.71.2 SUSE Linux Enterprise Server 12-SP3-LTSS (src): webkit2gtk3-2.32.4-2.71.2 SUSE Linux Enterprise Server 12-SP3-BCL (src): webkit2gtk3-2.32.4-2.71.2 SUSE Linux Enterprise Server 12-SP2-BCL (src): webkit2gtk3-2.32.4-2.71.2 HPE Helion Openstack 8 (src): webkit2gtk3-2.32.4-2.71.2 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2021:3353-1: An update that fixes two vulnerabilities is now available. Category: security (important) Bug References: 1188697,1190701 CVE References: CVE-2021-21806,CVE-2021-30858 JIRA References: Sources used: openSUSE Leap 15.3 (src): webkit2gtk3-2.32.4-12.3
SUSE-SU-2021:3353-1: An update that fixes two vulnerabilities is now available. Category: security (important) Bug References: 1188697,1190701 CVE References: CVE-2021-21806,CVE-2021-30858 JIRA References: Sources used: SUSE Linux Enterprise Module for Desktop Applications 15-SP3 (src): webkit2gtk3-2.32.4-12.3 SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (src): webkit2gtk3-2.32.4-12.3 SUSE Linux Enterprise Module for Basesystem 15-SP3 (src): webkit2gtk3-2.32.4-12.3 SUSE Linux Enterprise Module for Basesystem 15-SP2 (src): webkit2gtk3-2.32.4-12.3 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2021:1369-1: An update that fixes two vulnerabilities is now available. Category: security (important) Bug References: 1188697,1190701 CVE References: CVE-2021-21806,CVE-2021-30858 JIRA References: Sources used: openSUSE Leap 15.2 (src): webkit2gtk3-2.32.4-lp152.2.19.1
I've updated webkitgtk for this one. Re-assigning.
Done.