Bugzilla – Bug 1214253
VUL-0: CVE-2023-38597: webkitgtk: processing web content may lead to arbitrary code execution
Last modified: 2023-10-27 14:15:54 UTC
CVE-2023-38597 The following vulnerabilities have been discovered in the WebKitGTK web engine: CVE-2023-38133 YeongHyeon Choi discovered that processing web content may disclose sensitive information. CVE-2023-38572 Narendra Bhati discovered that a website may be able to bypass the Same Origin Policy. CVE-2023-38592 Narendra Bhati, Valentino Dalla Valle, Pedro Bernardo, Marco Squarcina, and Lorenzo Veronese discovered that processing web content may lead to arbitrary code execution. CVE-2023-38594 Yuhao Hu discovered that processing web content may lead to arbitrary code execution. CVE-2023-38595 An anonymous researcher, Jiming Wang, and Jikai Ren discovered that processing web content may lead to arbitrary code execution. CVE-2023-38597 Junsung Lee discovered that processing web content may lead to arbitrary code execution. CVE-2023-38599 Hritvik Taneja, Jason Kim, Jie Jeff Xu, Stephan van Schaik, Daniel Genkin, and Yuval Yarom discovered that a website may be able to track sensitive user information. CVE-2023-38600 An anonymous researcher discovered that processing web content may lead to arbitrary code execution. CVE-2023-38611 Francisco Alonso discovered that processing web content may lead to arbitrary code execution. For the oldstable distribution (bullseye), these problems have been fixed in version 2.40.5-1~deb11u1. For the stable distribution (bookworm), these problems have been fixed in version 2.40.5-1~deb12u1. We recommend that you upgrade your webkit2gtk packages. For the detailed security status of webkit2gtk please refer to its security tracker page at: \ https://security-tracker.debian.org/tracker/webkit2gtk References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-38597 https://bugzilla.redhat.com/show_bug.cgi?id=2231043 https://www.cve.org/CVERecord?id=CVE-2023-38597 https://security-tracker.debian.org/tracker/DSA-5468-1 http://www.openwall.com/lists/oss-security/2023/08/02/1 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KJ4DG5LHWG2INDOTPB7MO4JVJN6LKL3M/ https://support.apple.com/en-us/HT213841 https://support.apple.com/en-us/HT213842 https://support.apple.com/en-us/HT213843 https://support.apple.com/en-us/HT213847 https://www.debian.org/security/2023/dsa-5468
Dirk, I looked at the source of libQtWebKit4 from SLE12-SP2, the function createPageForSanitizingWebContent is not present there too. Would I be correct assuming that CVE-2023-38597 doesn't affect libQtWebKit4 from SLE12-SP2?
(In reply to Brahmajit Das from comment #4) > correct assuming that CVE-2023-38597 doesn't affect libQtWebKit4 from > SLE12-SP2? Thats correct.