Red Hat Security Advisory 2023-0016-01

Red Hat Security Advisory 2023-0016-01 - WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform. Issues addressed include a code execution vulnerability.

Source: Packet Storm

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================
Red Hat Security Advisory

Synopsis: Important: webkit2gtk3 security update
Advisory ID: RHSA-2023:0016-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2023:0016
Issue date: 2023-01-04
CVE Names: CVE-2022-42856
====================================================================

  1. Summary:

An update for webkit2gtk3 is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

  2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64

  3. Description:

WebKitGTK is the port of the portable web rendering engine WebKit to the
GTK platform.

Security Fix(es):

  • webkitgtk: processing maliciously crafted web content may lead to an
    arbitrary code execution (CVE-2022-42856)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

  4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

  5. Bugs fixed (https://bugzilla.redhat.com/):

2153683 - CVE-2022-42856 webkitgtk: processing maliciously crafted web content may lead to an arbitrary code execution

  6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:
webkit2gtk3-2.36.7-1.el8_7.1.src.rpm

aarch64:
webkit2gtk3-2.36.7-1.el8_7.1.aarch64.rpm
webkit2gtk3-debuginfo-2.36.7-1.el8_7.1.aarch64.rpm
webkit2gtk3-debugsource-2.36.7-1.el8_7.1.aarch64.rpm
webkit2gtk3-devel-2.36.7-1.el8_7.1.aarch64.rpm
webkit2gtk3-devel-debuginfo-2.36.7-1.el8_7.1.aarch64.rpm
webkit2gtk3-jsc-2.36.7-1.el8_7.1.aarch64.rpm
webkit2gtk3-jsc-debuginfo-2.36.7-1.el8_7.1.aarch64.rpm
webkit2gtk3-jsc-devel-2.36.7-1.el8_7.1.aarch64.rpm
webkit2gtk3-jsc-devel-debuginfo-2.36.7-1.el8_7.1.aarch64.rpm

ppc64le:
webkit2gtk3-2.36.7-1.el8_7.1.ppc64le.rpm
webkit2gtk3-debuginfo-2.36.7-1.el8_7.1.ppc64le.rpm
webkit2gtk3-debugsource-2.36.7-1.el8_7.1.ppc64le.rpm
webkit2gtk3-devel-2.36.7-1.el8_7.1.ppc64le.rpm
webkit2gtk3-devel-debuginfo-2.36.7-1.el8_7.1.ppc64le.rpm
webkit2gtk3-jsc-2.36.7-1.el8_7.1.ppc64le.rpm
webkit2gtk3-jsc-debuginfo-2.36.7-1.el8_7.1.ppc64le.rpm
webkit2gtk3-jsc-devel-2.36.7-1.el8_7.1.ppc64le.rpm
webkit2gtk3-jsc-devel-debuginfo-2.36.7-1.el8_7.1.ppc64le.rpm

s390x:
webkit2gtk3-2.36.7-1.el8_7.1.s390x.rpm
webkit2gtk3-debuginfo-2.36.7-1.el8_7.1.s390x.rpm
webkit2gtk3-debugsource-2.36.7-1.el8_7.1.s390x.rpm
webkit2gtk3-devel-2.36.7-1.el8_7.1.s390x.rpm
webkit2gtk3-devel-debuginfo-2.36.7-1.el8_7.1.s390x.rpm
webkit2gtk3-jsc-2.36.7-1.el8_7.1.s390x.rpm
webkit2gtk3-jsc-debuginfo-2.36.7-1.el8_7.1.s390x.rpm
webkit2gtk3-jsc-devel-2.36.7-1.el8_7.1.s390x.rpm
webkit2gtk3-jsc-devel-debuginfo-2.36.7-1.el8_7.1.s390x.rpm

x86_64:
webkit2gtk3-2.36.7-1.el8_7.1.i686.rpm
webkit2gtk3-2.36.7-1.el8_7.1.x86_64.rpm
webkit2gtk3-debuginfo-2.36.7-1.el8_7.1.i686.rpm
webkit2gtk3-debuginfo-2.36.7-1.el8_7.1.x86_64.rpm
webkit2gtk3-debugsource-2.36.7-1.el8_7.1.i686.rpm
webkit2gtk3-debugsource-2.36.7-1.el8_7.1.x86_64.rpm
webkit2gtk3-devel-2.36.7-1.el8_7.1.i686.rpm
webkit2gtk3-devel-2.36.7-1.el8_7.1.x86_64.rpm
webkit2gtk3-devel-debuginfo-2.36.7-1.el8_7.1.i686.rpm
webkit2gtk3-devel-debuginfo-2.36.7-1.el8_7.1.x86_64.rpm
webkit2gtk3-jsc-2.36.7-1.el8_7.1.i686.rpm
webkit2gtk3-jsc-2.36.7-1.el8_7.1.x86_64.rpm
webkit2gtk3-jsc-debuginfo-2.36.7-1.el8_7.1.i686.rpm
webkit2gtk3-jsc-debuginfo-2.36.7-1.el8_7.1.x86_64.rpm
webkit2gtk3-jsc-devel-2.36.7-1.el8_7.1.i686.rpm
webkit2gtk3-jsc-devel-2.36.7-1.el8_7.1.x86_64.rpm
webkit2gtk3-jsc-devel-debuginfo-2.36.7-1.el8_7.1.i686.rpm
webkit2gtk3-jsc-devel-debuginfo-2.36.7-1.el8_7.1.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
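The package list above is what a defender actually needs from this advisory: the fixed NEVRA (name, epoch, version, release, architecture) for each binary package, so that installed hosts can be checked for exposure to CVE-2022-42856. The check is not a plain string comparison; RPM orders versions with its own segment-wise algorithm (rpmvercmp), which is why `1.el8_7` must sort below `1.el8_7.1`. The script below is an added example, not Red Hat's tooling: it parses package names in the advisory's format, reimplements rpmvercmp (including the `~` and `^` separators), and reports installed packages whose version-release is older than the fixed one. The `SAMPLE_INSTALLED` lines are a constructed stand-in for `rpm -qa 'webkit2gtk3*'` output on a hypothetical RHEL 8 host, not real data.

```python
from typing import Dict, List, NamedTuple, Tuple

# Subset of the x86_64/aarch64 package list from RHSA-2023:0016 (copied from the advisory above).
ADVISORY_PACKAGES = """
webkit2gtk3-2.36.7-1.el8_7.1.x86_64.rpm
webkit2gtk3-jsc-2.36.7-1.el8_7.1.x86_64.rpm
webkit2gtk3-devel-2.36.7-1.el8_7.1.x86_64.rpm
webkit2gtk3-2.36.7-1.el8_7.1.aarch64.rpm
""".strip().splitlines()

# Constructed sample of `rpm -qa 'webkit2gtk3*'` output from a hypothetical host (not real output).
SAMPLE_INSTALLED = """
webkit2gtk3-2.36.7-1.el8_7.x86_64
webkit2gtk3-jsc-2.36.7-1.el8_7.1.x86_64
webkit2gtk3-devel-2.38.0-1.el8.x86_64
""".strip().splitlines()


class Nevra(NamedTuple):
    name: str
    epoch: int
    version: str
    release: str
    arch: str


def parse_nevra(pkg: str) -> Nevra:
    """Split 'name-[epoch:]version-release.arch[.rpm]' into its fields.
    Package names may contain hyphens, so split from the right."""
    s = pkg.strip()
    if s.endswith(".rpm"):
        s = s[:-4]
    s, arch = s.rsplit(".", 1)
    name, version, release = s.rsplit("-", 2)
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    return Nevra(name, epoch, version, release, arch)


def rpmvercmp(a: str, b: str) -> int:
    """RPM's version/release ordering: compare alternating numeric and alphabetic
    segments; '~' sorts before everything (pre-release), '^' sorts after the base
    version but before any other suffix. Returns -1, 0 or 1."""
    if a == b:
        return 0
    i = j = 0
    la, lb = len(a), len(b)
    while i < la or j < lb:
        # Separators other than ~ and ^ are ignored.
        while i < la and not a[i].isalnum() and a[i] not in "~^":
            i += 1
        while j < lb and not b[j].isalnum() and b[j] not in "~^":
            j += 1
        ca = a[i] if i < la else ""
        cb = b[j] if j < lb else ""
        if ca == "~" or cb == "~":
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        if ca == "^" or cb == "^":
            if not ca:
                return -1
            if not cb:
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if not (ca and cb):
            break
        # Take the next segment of the same type from both strings.
        isnum = ca.isdigit()
        kind = str.isdigit if isnum else str.isalpha
        ea, eb = i, j
        while ea < la and kind(a[ea]):
            ea += 1
        while eb < lb and kind(b[eb]):
            eb += 1
        seg_a, seg_b = a[i:ea], b[j:eb]
        if not seg_b:  # mismatched types: a numeric segment is newer than an alpha one
            return 1 if isnum else -1
        if isnum:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):  # more digits means a larger number
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
        i, j = ea, eb
    if i >= la and j >= lb:
        return 0
    return -1 if i >= la else 1  # whichever string has characters left wins


def compare_evr(x: Nevra, y: Nevra) -> int:
    """Order by epoch, then version, then release, as rpm does."""
    if x.epoch != y.epoch:
        return 1 if x.epoch > y.epoch else -1
    rc = rpmvercmp(x.version, y.version)
    return rc if rc else rpmvercmp(x.release, y.release)


def find_vulnerable(installed: List[str], advisory: List[str]) -> List[Tuple[str, str]]:
    """Return (installed package, fixed version-release) for every installed package
    that the advisory covers and that is older than the fixed build."""
    fixed: Dict[Tuple[str, str], Nevra] = {}
    for line in advisory:
        p = parse_nevra(line)
        fixed[(p.name, p.arch)] = p
    vulnerable = []
    for line in installed:
        inst = parse_nevra(line)
        fix = fixed.get((inst.name, inst.arch))
        if fix is not None and compare_evr(inst, fix) < 0:
            vulnerable.append((line.strip(), f"{fix.version}-{fix.release}"))
    return vulnerable


if __name__ == "__main__":
    for pkg, fixed_in in find_vulnerable(SAMPLE_INSTALLED, ADVISORY_PACKAGES):
        print(f"VULNERABLE {pkg} (fixed in {fixed_in})")
```

On a real host, feed the script the output of `rpm -qa 'webkit2gtk3*'` instead of the constructed sample; an installed `1.el8_7` build is reported because rpmvercmp ranks it below the advisory's `1.el8_7.1`, while a package already at the fixed release, or newer, is not. If packages are fetched by hand rather than through the subscription channel, the advisory's note about GPG signing applies: `rpm -K <file>.rpm` checks the signature against the Red Hat key imported from the page linked above before anything is installed.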

  7. References:

https://access.redhat.com/security/cve/CVE-2022-42856
https://access.redhat.com/security/updates/classification/#important

  8. Contact:

The Red Hat security contact is secalert@redhat.com. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----

RHSA-announce mailing list
rhsa-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Related news

Gentoo Linux Security Advisory 202305-32

Gentoo Linux Security Advisory 202305-32 - Multiple vulnerabilities have been found in WebkitGTK+, the worst of which could result in arbitrary code execution. Versions greater than or equal to 2.40.1 are affected.

Google reveals spyware attack on Android, iOS, and Chrome

By Habiba Rashid Google's Threat Analysis Group (TAG) labeled the spyware campaign as limited but highly targeted. This is a post from HackRead.com Read the original post: Google reveals spyware attack on Android, iOS, and Chrome

Patch Now: Apple's iOS, iPadOS, macOS, and Safari Under Attack with New Zero-Day Flaw

Apple on Monday rolled out security updates for iOS, iPadOS, macOS, and Safari to address a zero-day flaw that it said has been actively exploited in the wild. Tracked as CVE-2023-23529, the issue relates to a type confusion bug in the WebKit browser engine that could be activated when processing maliciously crafted web content, culminating in arbitrary code execution. The iPhone maker said the

Apple Issues Updates for Older Devices to Fix Actively Exploited Vulnerability

Apple has backported fixes for a recently disclosed critical security flaw affecting older devices, citing evidence of active exploitation. The issue, tracked as CVE-2022-42856, is a type confusion vulnerability in the WebKit browser engine that could result in arbitrary code execution when processing maliciously crafted web content. While it was originally addressed by the company on November

Own an older iPhone? Check you're on the latest version to avoid this bug

Malwarebytes Labs (categories: Apple, Exploits and vulnerabilities, News; tags: iOS 12.5.7, CVE-2022-42856, type confusion, WebKit): Apple has now released security content for iOS 12.5.7 which includes a patch for an actively exploited vulnerability in WebKit and many other updates.

Red Hat Security Advisory 2023-0021-01

Red Hat Security Advisory 2023-0021-01 - WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform. Issues addressed include a code execution vulnerability.

RHSA-2023:0021: Red Hat Security Advisory: webkit2gtk3 security update

An update for webkit2gtk3 is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: CVE-2022-42856: webkitgtk: processing maliciously crafted web content may lead to an arbitrary code execution

Debian Security Advisory 5309-1

Debian Linux Security Advisory 5309-1 - Vulnerabilities have been discovered in the WPE WebKit web engine. hazbinhotel discovered that processing maliciously crafted web content may result in the disclosure of process memory. KirtiKumar Anandrao Ramchandani discovered that processing maliciously crafted web content may bypass Same Origin Policy. Dohyun Lee and Ryan Shin discovered that processing maliciously crafted web content may disclose sensitive user information. Various other issues have also been addressed.

Debian Security Advisory 5308-1

Debian Linux Security Advisory 5308-1 - Vulnerabilities have been discovered in the WebKitGTK web engine. hazbinhotel discovered that processing maliciously crafted web content may result in the disclosure of process memory. Maddie Stone discovered that processing maliciously crafted web content may lead to arbitrary code execution. KirtiKumar Anandrao Ramchandani discovered that processing maliciously crafted web content may bypass Same Origin Policy. Multiple other issues were also addressed.

Apple Security Advisory 2022-12-13-9

Apple Security Advisory 2022-12-13-9 - Safari 16.2 addresses bypass, code execution, and use-after-free vulnerabilities.

Apple Security Advisory 2022-12-13-4

Apple Security Advisory 2022-12-13-4 - macOS Ventura 13.1 addresses bypass, code execution, out of bounds access, out of bounds write, spoofing, and use-after-free vulnerabilities.

Apple Security Advisory 2022-12-13-3

Apple Security Advisory 2022-12-13-3 - iOS 16.1.2 addresses a code execution vulnerability.

Apple Security Advisory 2022-12-13-2

Apple Security Advisory 2022-12-13-2 - iOS 15.7.2 and iPadOS 15.7.2 addresses bypass, code execution, integer overflow, out of bounds write, and spoofing vulnerabilities.

Update now! Apple patches active exploit vulnerability for iPhones

Malwarebytes Labs (categories: Exploits and vulnerabilities, News; tags: Apple, iOS 16.1.2, Safari 16.2, CVE-2022-42856, type confusion): Apple has released new security content for iOS 16.1.2 and Safari 16.2 to fix a zero-day security vulnerability that was actively exploited.

CVE-2022-46701: About the security content of macOS Ventura 13.1

The issue was addressed with improved bounds checks. This issue is fixed in iOS 16.2 and iPadOS 16.2, macOS Ventura 13.1, tvOS 16.2. Connecting to a malicious NFS server may lead to arbitrary code execution with kernel privileges.

New Actively Exploited Zero-Day Vulnerability Discovered in Apple Products

Apple on Tuesday rolled out security updates to iOS, iPadOS, macOS, tvOS, and Safari web browser to address a new zero-day vulnerability that could result in the execution of malicious code. Tracked as CVE-2022-42856, the issue has been described by the tech giant as a type confusion issue in the WebKit browser engine that could be triggered when processing specially crafted content, leading to
