Bug 1215868 (CVE-2023-39928) - VUL-0: CVE-2023-39928: libQtWebKit4,libqt5-qtwebkit,webkit2gtk3,webkitgtk: use-after-free in the MediaRecorder API of the WebKit GStreamer-based ports
Status: RESOLVED FIXED
Alias: CVE-2023-39928
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium; Severity: Major
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/380383/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-39928:8.8:(AV:...
Reported: 2023-10-02 10:16 UTC by SMASH SMASH
Modified: 2024-06-11 08:30 UTC

Found By: Security Response Team


Attachments:
yelp core dumped file (1.52 MB, application/x-xz), 2023-12-25 06:08 UTC, ming li
webkitwebproces core file (734.95 KB, application/x-xz), 2023-12-25 06:09 UTC, ming li
yelp window screenshot (8.24 KB, image/png), 2023-12-25 09:04 UTC, ming li
sle15sp1 core file (4.12 MB, application/x-compressed-tar), 2023-12-27 03:02 UTC, ming li
sle15sp5 core file (5.64 MB, application/x-compressed-tar), 2023-12-27 03:02 UTC, ming li

Description SMASH SMASH 2023-10-02 10:16:36 UTC
A specially crafted web page can abuse this vulnerability to cause memory corruption and potentially arbitrary code execution. A user would need to visit a malicious webpage to trigger this vulnerability.

CVE-2023-39928

Versions affected: WebKitGTK and WPE WebKit before 2.42.0.
Credit to Marcin ‘Icewall’ Noga of Cisco Talos.
A use-after-free vulnerability exists in the MediaRecorder API of the WebKit GStreamer-based ports (WebKitGTK and WPE WebKit). A specially crafted web page can abuse this vulnerability to cause memory corruption and potentially arbitrary code execution. A user would need to visit a malicious webpage to trigger this vulnerability. WebKit Bugzilla: 260649.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-39928
https://webkitgtk.org/security/WSA-2023-0009.html#CVE-2023-39928
Comment 1 Dirk Mueller 2023-10-05 20:28:03 UTC
https://github.com/WebKit/WebKit/commit/37bc7427407685a224044ddc3df4b81c41d6fd38

Affects the pause and resume recording function, which does not exist in libQtWebKit4 or libqt5-qtwebkit.
Comment 6 Maintenance Automation 2023-10-26 12:30:21 UTC
SUSE-SU-2023:4211-1: An update that solves eight vulnerabilities and has three security fixes can now be installed.

Category: security (important)
Bug References: 1213379, 1213581, 1213905, 1215072, 1215661, 1215866, 1215867, 1215868, 1215869, 1215870, 1216483
CVE References: CVE-2023-32393, CVE-2023-35074, CVE-2023-37450, CVE-2023-39434, CVE-2023-39928, CVE-2023-40451, CVE-2023-41074, CVE-2023-41993
Sources used:
SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): webkit2gtk3-2.42.1-150000.3.153.1
SUSE CaaS Platform 4.0 (src): webkit2gtk3-2.42.1-150000.3.153.1
SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): webkit2gtk3-2.42.1-150000.3.153.1
SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): webkit2gtk3-2.42.1-150000.3.153.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 7 Maintenance Automation 2023-10-26 12:30:29 UTC
SUSE-SU-2023:4209-1: An update that solves eight vulnerabilities and has three security fixes can now be installed.

Category: security (important)
Bug References: 1213379, 1213581, 1213905, 1215072, 1215661, 1215866, 1215867, 1215868, 1215869, 1215870, 1216483
CVE References: CVE-2023-32393, CVE-2023-35074, CVE-2023-37450, CVE-2023-39434, CVE-2023-39928, CVE-2023-40451, CVE-2023-41074, CVE-2023-41993
Sources used:
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): webkit2gtk3-2.42.1-2.155.1
SUSE Linux Enterprise Server 12 SP5 (src): webkit2gtk3-2.42.1-2.155.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): webkit2gtk3-2.42.1-2.155.1
SUSE Linux Enterprise Workstation Extension 12 12-SP5 (src): webkit2gtk3-2.42.1-2.155.1
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): webkit2gtk3-2.42.1-2.155.1

Comment 8 Maintenance Automation 2023-10-31 12:30:27 UTC
SUSE-SU-2023:4294-1: An update that solves six vulnerabilities and has five security fixes can now be installed.

Category: security (important)
Bug References: 1214093, 1214640, 1214835, 1215072, 1215661, 1215866, 1215867, 1215868, 1215869, 1215870, 1216483
CVE References: CVE-2023-35074, CVE-2023-39434, CVE-2023-39928, CVE-2023-40451, CVE-2023-41074, CVE-2023-41993
Sources used:
openSUSE Leap 15.4 (src): webkit2gtk3-soup2-2.42.1-150400.4.57.2, webkit2gtk3-2.42.1-150400.4.57.2, webkit2gtk4-2.42.1-150400.4.57.3
openSUSE Leap 15.5 (src): webkit2gtk3-soup2-2.42.1-150400.4.57.2, webkit2gtk3-2.42.1-150400.4.57.2, webkit2gtk4-2.42.1-150400.4.57.3
Basesystem Module 15-SP4 (src): webkit2gtk3-soup2-2.42.1-150400.4.57.2
Basesystem Module 15-SP5 (src): webkit2gtk3-soup2-2.42.1-150400.4.57.2
Desktop Applications Module 15-SP4 (src): webkit2gtk3-2.42.1-150400.4.57.2
Desktop Applications Module 15-SP5 (src): webkit2gtk3-2.42.1-150400.4.57.2
Development Tools Module 15-SP4 (src): webkit2gtk4-2.42.1-150400.4.57.3
Development Tools Module 15-SP5 (src): webkit2gtk4-2.42.1-150400.4.57.3

Comment 9 Maintenance Automation 2023-11-02 16:30:50 UTC
SUSE-SU-2023:4339-1: An update that solves eight vulnerabilities and has two security fixes can now be installed.

Category: security (important)
Bug References: 1213379, 1213581, 1215072, 1215661, 1215866, 1215867, 1215868, 1215869, 1215870, 1216483
CVE References: CVE-2023-32393, CVE-2023-35074, CVE-2023-37450, CVE-2023-39434, CVE-2023-39928, CVE-2023-40451, CVE-2023-41074, CVE-2023-41993
Sources used:
SUSE Enterprise Storage 7.1 (src): webkit2gtk3-2.42.1-150200.87.4
SUSE Enterprise Storage 7 (src): webkit2gtk3-2.42.1-150200.87.4
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): webkit2gtk3-2.42.1-150200.87.4
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): webkit2gtk3-2.42.1-150200.87.4
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): webkit2gtk3-2.42.1-150200.87.4
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): webkit2gtk3-2.42.1-150200.87.4
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): webkit2gtk3-2.42.1-150200.87.4
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): webkit2gtk3-2.42.1-150200.87.4
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): webkit2gtk3-2.42.1-150200.87.4
SUSE Manager Proxy 4.2 (src): webkit2gtk3-2.42.1-150200.87.4
SUSE Manager Retail Branch Server 4.2 (src): webkit2gtk3-2.42.1-150200.87.4
SUSE Manager Server 4.2 (src): webkit2gtk3-2.42.1-150200.87.4

Comment 11 ming li 2023-12-25 06:08:32 UTC
Created attachment 871546 [details]
yelp core dumped file
Comment 12 ming li 2023-12-25 06:09:36 UTC
Created attachment 871547 [details]
webkitwebproces core file
Comment 13 ming li 2023-12-25 06:13:05 UTC
I am testing the S:M:31974:316278 update. When I perform regression testing on the SLE12SP5 x86_64 system, running the yelp command generates a core file:

# yelp
libEGL warning: No hardware driver found, falling back to software rendering
function is no-op
libEGL warning: DRI3: failed to query the version
libEGL warning: DRI2: failed to authenticate

(yelp:11827): Gdk-ERROR **: The program 'yelp' received an X Window System error.
This probably reflects a bug in the program.
The error was 'BadRequest (invalid request code or no such operation)'.
  (Details: serial 177 error_code 1 request_code 155 (unknown) minor_code 1)
  (Note to programmers: normally, X errors are reported asynchronously;
   that is, you will receive the error a while after causing it.
   To debug your program, run it with the GDK_SYNCHRONIZE environment
   variable to change this behavior. You can then get a meaningful
   backtrace from your debugger if you break on the gdk_x_error() function.)
Trace/breakpoint trap (core dumped)


dmesg:
[480439.868070] traps: yelp[1914] trap int3 ip:7f6877b3fab3 sp:7ffe219da5c0 error:0 in libglib-2.0.so.0.4800.2[7f6877aed000+10f000]
[481015.192219] traps: yelp[20450] trap int3 ip:7ff7e49e6ab3 sp:7fff1fb99ad0 error:0 in libglib-2.0.so.0.4800.2[7ff7e4994000+10f000]
[485633.872319] traps: eadedCompositor[24378] trap int3 ip:7efc0c106ab3 sp:7efbbe5eb2a0 error:0 in libglib-2.0.so.0.4800.2[7efc0c0b4000+10f000]
[486093.556758] traps: yelp[27984] trap int3 ip:7f3a13eb4ab3 sp:7ffe21bc7220 error:0 in libglib-2.0.so.0.4800.2[7f3a13e62000+10f000]
[486507.976593] traps: yelp[11827] trap int3 ip:7fb0111d4ab3 sp:7ffeb07cc660 error:0 in libglib-2.0.so.0.4800.2[7fb011182000+10f000]
[486888.712835] traps: yelp[16184] trap int3 ip:7f4a5110eab3 sp:7ffdfd54ce90 error:0 in libglib-2.0.so.0.4800.2[7f4a510bc000+10f000]


I have uploaded the generated core file as an attachment; please help me check it. Thank you!
Comment 14 ming li 2023-12-25 09:03:19 UTC
The following information is displayed on SLE12SP2 and SP3, but no core file is generated. The Yelp window can be opened, but no content is displayed, as in the screenshot:

libEGL warning: DRI3: failed to query the version
libEGL warning: DRI2: failed to authenticate

(WebKitWebProcess:4330): Gdk-ERROR **: The program 'WebKitWebProcess' received an X Window System error.
This probably reflects a bug in the program.
The error was 'BadRequest (invalid request code or no such operation)'.
  (Details: serial 182 error_code 1 request_code 155 (unknown) minor_code 1)
  (Note to programmers: normally, X errors are reported asynchronously;
   that is, you will receive the error a while after causing it.
   To debug your program, run it with the GDK_SYNCHRONIZE environment
   variable to change this behavior. You can then get a meaningful
   backtrace from your debugger if you break on the gdk_x_error() function.)
Comment 15 ming li 2023-12-25 09:04:01 UTC
Created attachment 871548 [details]
yelp window screenshot
Comment 16 ming li 2023-12-27 03:01:26 UTC
The same issue exists in SLE15SP1, SP3, SP4, and SP5. I also uploaded the generated core file.
Comment 17 ming li 2023-12-27 03:02:16 UTC
Created attachment 871559 [details]
sle15sp1 core file
Comment 18 ming li 2023-12-27 03:02:55 UTC
Created attachment 871560 [details]
sle15sp5 core file
Comment 19 Liu Shukui 2023-12-27 08:12:49 UTC
BTW: the newest versions of webkit on sle12sp5 and sle15sp5 both core dump when launched through ssh. But they work well on localhost.
Comment 20 Maintenance Automation 2023-12-27 16:30:05 UTC
SUSE-SU-2023:4978-1: An update that solves five vulnerabilities can now be installed.

Category: security (important)
Bug References: 1215868, 1215869, 1215870, 1218032, 1218033
CVE References: CVE-2023-39928, CVE-2023-40451, CVE-2023-41074, CVE-2023-42883, CVE-2023-42890
Sources used:
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): webkit2gtk3-2.42.4-2.164.1
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): webkit2gtk3-2.42.4-2.164.1
SUSE Linux Enterprise Server 12 SP5 (src): webkit2gtk3-2.42.4-2.164.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): webkit2gtk3-2.42.4-2.164.1
SUSE Linux Enterprise Workstation Extension 12 12-SP5 (src): webkit2gtk3-2.42.4-2.164.1

Comment 21 Michael Gorse 2023-12-28 01:18:51 UTC
(In reply to ming li from comment #16)
> The same issue exists in SLE15SP1, SP3, SP4, and SP5. I also uploaded the
> generated core file.

To be clear, this is a regression and doesn't happen with version 2.42.3?
Comment 22 ming li 2023-12-28 01:52:06 UTC
(In reply to Michael Gorse from comment #21)
> (In reply to ming li from comment #16)
> > The same issue exists in SLE15SP1, SP3, SP4, and SP5. I also uploaded the
> > generated core file.
> 
> To be clear, this is a regression and doesn't happen with version 2.42.3?

Yes, it also happens in 2.42.3.
Comment 23 Michael Gorse 2023-12-28 14:59:59 UTC
(In reply to ming li from comment #22)
> (In reply to Michael Gorse from comment #21)
> > (In reply to ming li from comment #16)
> > > The same issue exists in SLE15SP1, SP3, SP4, and SP5. I also uploaded the
> > > generated core file.
> > 
> > To be clear, this is a regression and doesn't happen with version 2.42.3?
> 
> Yes, it also happens in 2.42.3

It is unrelated to this MR then. Given that it only happens in ssh-forwarded sessions, it sounds like it might not be a new issue. You could open a separate bug for it if you'd like.
Comment 24 ming li 2024-01-02 03:10:41 UTC
(In reply to Michael Gorse from comment #23)
> It is unrelated to this MR then. Given that it only happens in ssh-forwarded
> sessions, it sounds like it might not be a new issue. You could open a
> separate bug for it if you'd like.

Thank you Michael! I have opened a new bug: https://bugzilla.suse.com/show_bug.cgi?id=1218469
Comment 25 Maintenance Automation 2024-01-02 12:30:09 UTC
SUSE-SU-2024:0004-1: An update that solves six vulnerabilities can now be installed.

Category: security (important)
Bug References: 1215868, 1215869, 1215870, 1218032, 1218033
CVE References: CVE-2023-32359, CVE-2023-39928, CVE-2023-40451, CVE-2023-41074, CVE-2023-42883, CVE-2023-42890
Sources used:
Basesystem Module 15-SP4 (src): webkit2gtk3-soup2-2.42.4-150400.4.70.3
Basesystem Module 15-SP5 (src): webkit2gtk3-soup2-2.42.4-150400.4.70.3
Desktop Applications Module 15-SP4 (src): webkit2gtk3-2.42.4-150400.4.70.3
Desktop Applications Module 15-SP5 (src): webkit2gtk3-2.42.4-150400.4.70.3
Development Tools Module 15-SP5 (src): webkit2gtk4-2.42.4-150400.4.70.3
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src): webkit2gtk4-2.42.4-150400.4.70.3, webkit2gtk3-soup2-2.42.4-150400.4.70.3, webkit2gtk3-2.42.4-150400.4.70.3
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src): webkit2gtk4-2.42.4-150400.4.70.3, webkit2gtk3-soup2-2.42.4-150400.4.70.3, webkit2gtk3-2.42.4-150400.4.70.3
SUSE Linux Enterprise Real Time 15 SP4 (src): webkit2gtk4-2.42.4-150400.4.70.3, webkit2gtk3-soup2-2.42.4-150400.4.70.3, webkit2gtk3-2.42.4-150400.4.70.3
SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (src): webkit2gtk4-2.42.4-150400.4.70.3, webkit2gtk3-soup2-2.42.4-150400.4.70.3, webkit2gtk3-2.42.4-150400.4.70.3
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src): webkit2gtk4-2.42.4-150400.4.70.3, webkit2gtk3-soup2-2.42.4-150400.4.70.3, webkit2gtk3-2.42.4-150400.4.70.3
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src): webkit2gtk4-2.42.4-150400.4.70.3, webkit2gtk3-soup2-2.42.4-150400.4.70.3, webkit2gtk3-2.42.4-150400.4.70.3
SUSE Manager Proxy 4.3 (src): webkit2gtk3-soup2-2.42.4-150400.4.70.3
SUSE Manager Retail Branch Server 4.3 (src): webkit2gtk3-soup2-2.42.4-150400.4.70.3
SUSE Manager Server 4.3 (src): webkit2gtk3-soup2-2.42.4-150400.4.70.3
openSUSE Leap 15.4 (src): webkit2gtk4-2.42.4-150400.4.70.3, webkit2gtk3-soup2-2.42.4-150400.4.70.3, webkit2gtk3-2.42.4-150400.4.70.3
openSUSE Leap 15.5 (src): webkit2gtk4-2.42.4-150400.4.70.3, webkit2gtk3-soup2-2.42.4-150400.4.70.3, webkit2gtk3-2.42.4-150400.4.70.3

Comment 26 Maintenance Automation 2024-01-02 12:30:14 UTC
SUSE-SU-2024:0003-1: An update that solves five vulnerabilities can now be installed.

Category: security (important)
Bug References: 1215868, 1215870, 1218032, 1218033
CVE References: CVE-2023-32359, CVE-2023-39928, CVE-2023-41074, CVE-2023-42883, CVE-2023-42890
Sources used:
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): webkit2gtk3-2.42.4-150200.97.3
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): webkit2gtk3-2.42.4-150200.97.3
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): webkit2gtk3-2.42.4-150200.97.3
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): webkit2gtk3-2.42.4-150200.97.3
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): webkit2gtk3-2.42.4-150200.97.3
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): webkit2gtk3-2.42.4-150200.97.3
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): webkit2gtk3-2.42.4-150200.97.3
SUSE Enterprise Storage 7.1 (src): webkit2gtk3-2.42.4-150200.97.3

Comment 27 Maintenance Automation 2024-01-02 12:30:16 UTC
SUSE-SU-2024:0002-1: An update that solves six vulnerabilities can now be installed.

Category: security (important)
Bug References: 1215868, 1215869, 1215870, 1218032, 1218033
CVE References: CVE-2023-32359, CVE-2023-39928, CVE-2023-40451, CVE-2023-41074, CVE-2023-42883, CVE-2023-42890
Sources used:
SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): webkit2gtk3-2.42.4-150000.3.163.2
SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): webkit2gtk3-2.42.4-150000.3.163.2
SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): webkit2gtk3-2.42.4-150000.3.163.2
SUSE CaaS Platform 4.0 (src): webkit2gtk3-2.42.4-150000.3.163.2

Comment 29 Maintenance Automation 2024-06-11 08:30:57 UTC
SUSE-SU-2024:1976-1: An update that solves 10 vulnerabilities can now be installed.

Category: security (important)
Bug References: 1215868, 1215869, 1215870, 1218033, 1222905, 1225071
CVE References: CVE-2023-42843, CVE-2023-42950, CVE-2023-42956, CVE-2024-23226, CVE-2024-23252, CVE-2024-23254, CVE-2024-23263, CVE-2024-23280, CVE-2024-23284, CVE-2024-27834
Maintenance Incident: SUSE:Maintenance:34144 (https://smelt.suse.de/incident/34144/)
Sources used:
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): webkit2gtk3-2.44.2-4.7.1
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): webkit2gtk3-2.44.2-4.7.1
SUSE Linux Enterprise Server 12 SP5 (src): webkit2gtk3-2.44.2-4.7.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): webkit2gtk3-2.44.2-4.7.1
SUSE Linux Enterprise Workstation Extension 12 12-SP5 (src): webkit2gtk3-2.44.2-4.7.1
