RHSA-2020:4451: Red Hat Security Advisory: GNOME security, bug fix, and enhancement update
An update for GNOME is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

GNOME is the default desktop environment of Red Hat Enterprise Linux.

The following packages have been upgraded to a later upstream version: gnome-remote-desktop (0.1.8), pipewire (0.3.6), vte291 (0.52.4), webkit2gtk3 (2.28.4), xdg-desktop-portal (1.6.0), xdg-desktop-portal-gtk (1.6.0). (BZ#1775345, BZ#1779691, BZ#1817143, BZ#1832347, BZ#1837406)

Security Fix(es):
- webkitgtk: Multiple security issues (CVE-2019-8625, CVE-2019-8710, CVE-2019-8720, CVE-2019-8743, CVE-2019-8764, CVE-2019-8766, CVE-2019-8769, CVE-2019-8771, CVE-2019-8782, CVE-2019-8783, CVE-2019-8808, CVE-2019-8811, CVE-2019-8812, CVE-2019-8813, CVE-2019-8814, CVE-2019-8815, CVE-2019-8816, CVE-2019-8819, CVE-2019-8820, CVE-2019-8823, CVE-2019-8835, CVE-2019-8844, CVE-2019-8846, CVE-2020-3862, CVE-2020-3864, CVE-2020-3865, CVE-2020-3867, CVE-2020-3868, CVE-2020-3885, CVE-2020-3894, CVE-2020-3895, CVE-2020-3897, CVE-2020-3899, CVE-2020-3900, CVE-2020-3901, CVE-2020-3902, CVE-2020-9802, CVE-2020-9803, CVE-2020-9805, CVE-2020-9806, CVE-2020-9807, CVE-2020-9843, CVE-2020-9850, CVE-2020-9862, CVE-2020-9893, CVE-2020-9894, CVE-2020-9895, CVE-2020-9915, CVE-2020-9925, CVE-2020-10018, CVE-2020-11793)
- gnome-settings-daemon: Red Hat Customer Portal password logged and passed as command line argument when user registers through GNOME control center (CVE-2020-14391)
- LibRaw: lack of thumbnail size range check can lead to buffer overflow (CVE-2020-15503)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.3 Release Notes linked from the References section.

Related CVEs:
- CVE-2019-8625: webkitgtk: Incorrect state management leading to universal cross-site scripting
- CVE-2019-8710: webkitgtk: Multiple memory corruption issues leading to arbitrary code execution
- CVE-2019-8720: webkitgtk: Multiple memory corruption issues leading to arbitrary code execution
- CVE-2019-8743: webkitgtk: Multiple memory corruption issues leading to arbitrary code execution
- CVE-2019-8764: webkitgtk: Incorrect state management leading to universal cross-site scripting
- CVE-2019-8766: webkitgtk: Multiple memory corruption issues leading to arbitrary code execution
- CVE-2019-8769: webkitgtk: Websites could reveal browsing history
- CVE-2019-8771: webkitgtk: Violation of iframe sandboxing policy
- CVE-2019-8782: webkitgtk: Multiple memory corruption issues leading to arbitrary code execution
- CVE-2019-8783: webkitgtk: Multiple memory corruption issues leading to arbitrary code execution
- CVE-2019-8808: webkitgtk: Multiple memory corruption issues leading to arbitrary code execution
- CVE-2019-8811: webkitgtk: Multiple memory corruption issues leading to arbitrary code execution
- CVE-2019-8812: webkitgtk: Multiple memory corruption issues leading to arbitrary code execution
- CVE-2019-8813: webkitgtk: Incorrect state management leading to universal cross-site scripting
- CVE-2019-8814: webkitgtk: Multiple memory corruption issues leading to arbitrary code execution
- CVE-2019-8815: webkitgtk: Multiple memory corruption issues leading to arbitrary code execution
- CVE-2019-8816: webkitgtk: Multiple memory corruption issues leading to arbitrary code execution
- CVE-2019-8819: webkitgtk: Multiple memory corruption issues leading to arbitrary code execution
- CVE-2019-8820: webkitgtk: Multiple memory corruption issues leading to arbitrary code execution
- CVE-2019-8823: webkitgtk: Multiple memory corruption issues leading to arbitrary code execution
- CVE-2019-8835: webkitgtk: Processing maliciously crafted web content may lead to arbitrary code execution
- CVE-2019-8844: webkitgtk: Processing maliciously crafted web content may lead to arbitrary code execution
- CVE-2019-8846: webkitgtk: Use after free issue may lead to remote code execution
- CVE-2020-3862: webkitgtk: Denial of service via incorrect memory handling
- CVE-2020-3864: webkitgtk: Non-unique security origin for DOM object contexts
- CVE-2020-3865: webkitgtk: Incorrect security check for a top-level DOM object context
- CVE-2020-3867: webkitgtk: Incorrect state management leading to universal cross-site scripting
- CVE-2020-3868: webkitgtk: Multiple memory corruption issues leading to arbitrary code execution
- CVE-2020-3885: webkitgtk: Incorrect processing of file URLs
- CVE-2020-3894: webkitgtk: Race condition allows reading of restricted memory
- CVE-2020-3895: webkitgtk: Memory corruption triggered by a malicious web content
- CVE-2020-3897: webkitgtk: Type confusion leading to arbitrary code execution
- CVE-2020-3899: webkitgtk: Memory consumption issue leading to arbitrary code execution
- CVE-2020-3900: webkitgtk: Memory corruption triggered by a malicious web content
- CVE-2020-3901: webkitgtk: Type confusion leading to arbitrary code execution
- CVE-2020-3902: webkitgtk: Input validation issue leading to cross-site script attack
- CVE-2020-9802: webkitgtk: Logic issue may lead to arbitrary code execution
- CVE-2020-9803: webkitgtk: Memory corruption may lead to arbitrary code execution
- CVE-2020-9805: webkitgtk: Logic issue may lead to cross site scripting
- CVE-2020-9806: webkitgtk: Memory corruption may lead to arbitrary code execution
- CVE-2020-9807: webkitgtk: Memory corruption may lead to arbitrary code execution
- CVE-2020-9843: webkitgtk: Input validation issue may lead to cross site scripting
- CVE-2020-9850: webkitgtk: Logic issue may lead to arbitrary code execution
- CVE-2020-9862: webkitgtk: Command injection in web inspector
- CVE-2020-9893: webkitgtk: Use-after-free may lead to application termination or arbitrary code execution
- CVE-2020-9894: webkitgtk: Out-of-bounds read may lead to unexpected application termination or arbitrary code execution
- CVE-2020-9895: webkitgtk: Use-after-free may lead to application termination or arbitrary code execution
- CVE-2020-9915: webkitgtk: Access issue in content security policy
- CVE-2020-9925: webkitgtk: A logic issue may lead to cross site scripting
- CVE-2020-9952: webkitgtk: input validation issue may lead to a cross site scripting
- CVE-2020-10018: webkitgtk: Use-after-free issue in accessibility/AXObjectCache.cpp
- CVE-2020-11793: webkitgtk: use-after-free via crafted web content
- CVE-2020-14391: gnome-settings-daemon: Red Hat Customer Portal password logged and passed as command line argument when user registers through GNOME control center
- CVE-2020-15503: LibRaw: lack of thumbnail size range check can lead to buffer overflow
- CVE-2021-30666: webkitgtk: Buffer overflow leading to arbitrary code execution
- CVE-2021-30761: webkitgtk: Memory corruption leading to arbitrary code execution
- CVE-2021-30762: webkitgtk: Use-after-free leading to arbitrary code execution