Security update for webkit2gtk3 SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2020:2304-1 Final 1 1 2020-12-21T04:21:59Z current 2020-12-21T04:21:59Z 2020-12-21T04:21:59Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for webkit2gtk3 This update for webkit2gtk3 fixes the following issues: -webkit2gtk3 was updated to version 2.30.3 (bsc#1179122 bsc#1179451): - CVE-2021-13543: Fixed a use after free which could have led to arbitrary code execution. - CVE-2021-13584: Fixed a use after free which could have led to arbitrary code execution. - CVE-2021-9948: Fixed a type confusion which could have led to arbitrary code execution. - CVE-2021-9951: Fixed a use after free which could have led to arbitrary code execution. - CVE-2021-9983: Fixed an out of bounds write which could have led to arbitrary code execution. - Have the libwebkit2gtk package require libjavascriptcoregtk of the same version (bsc#1171531). - Enable c_loop on aarch64: currently needed for compilation to succeed with JIT disabled. Also disable sampling profiler, since it conflicts with c_loop (bsc#1177087). This update was imported from the SUSE:SLE-15:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2020-2304 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/7IUIQR7TXEJAY36F5QQB7QCCGHWKYG7E/ E-Mail link for openSUSE-SU-2020:2304-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1171531 SUSE Bug 1171531 https://bugzilla.suse.com/1177087 SUSE Bug 1177087 https://bugzilla.suse.com/1179122 SUSE Bug 1179122 https://bugzilla.suse.com/1179451 SUSE Bug 1179451 https://www.suse.com/security/cve/CVE-2020-13543/ SUSE CVE CVE-2020-13543 page https://www.suse.com/security/cve/CVE-2020-13584/ SUSE CVE CVE-2020-13584 page https://www.suse.com/security/cve/CVE-2020-9948/ SUSE CVE CVE-2020-9948 page https://www.suse.com/security/cve/CVE-2020-9951/ SUSE CVE CVE-2020-9951 page https://www.suse.com/security/cve/CVE-2020-9983/ SUSE CVE CVE-2020-9983 page openSUSE Leap 15.1 libjavascriptcoregtk-4_0-18-2.30.3-lp151.2.28.2 libjavascriptcoregtk-4_0-18-32bit-2.30.3-lp151.2.28.2 libwebkit2gtk-4_0-37-2.30.3-lp151.2.28.2 libwebkit2gtk-4_0-37-32bit-2.30.3-lp151.2.28.2 libwebkit2gtk3-lang-2.30.3-lp151.2.28.2 typelib-1_0-JavaScriptCore-4_0-2.30.3-lp151.2.28.2 typelib-1_0-WebKit2-4_0-2.30.3-lp151.2.28.2 typelib-1_0-WebKit2WebExtension-4_0-2.30.3-lp151.2.28.2 webkit-jsc-4-2.30.3-lp151.2.28.2 webkit2gtk-4_0-injected-bundles-2.30.3-lp151.2.28.2 webkit2gtk3-devel-2.30.3-lp151.2.28.2 webkit2gtk3-minibrowser-2.30.3-lp151.2.28.2 libjavascriptcoregtk-4_0-18-2.30.3-lp151.2.28.2 as a component of openSUSE Leap 15.1 libjavascriptcoregtk-4_0-18-32bit-2.30.3-lp151.2.28.2 as a component of openSUSE Leap 15.1 libwebkit2gtk-4_0-37-2.30.3-lp151.2.28.2 as a component of openSUSE Leap 15.1 libwebkit2gtk-4_0-37-32bit-2.30.3-lp151.2.28.2 as a component of openSUSE Leap 15.1 libwebkit2gtk3-lang-2.30.3-lp151.2.28.2 as a component of openSUSE Leap 15.1 typelib-1_0-JavaScriptCore-4_0-2.30.3-lp151.2.28.2 as a component of openSUSE Leap 15.1 typelib-1_0-WebKit2-4_0-2.30.3-lp151.2.28.2 as a component of openSUSE Leap 15.1 typelib-1_0-WebKit2WebExtension-4_0-2.30.3-lp151.2.28.2 as a component of openSUSE Leap 15.1 webkit-jsc-4-2.30.3-lp151.2.28.2 as a component of openSUSE Leap 15.1 webkit2gtk-4_0-injected-bundles-2.30.3-lp151.2.28.2 as a component of openSUSE Leap 15.1 webkit2gtk3-devel-2.30.3-lp151.2.28.2 as a component of openSUSE Leap 15.1 webkit2gtk3-minibrowser-2.30.3-lp151.2.28.2 as a component of openSUSE Leap 15.1 A code execution vulnerability exists in the WebSocket functionality of Webkit WebKitGTK 2.30.0. A specially crafted web page can trigger a use-after-free vulnerability which can lead to remote code execution. An attacker can get a user to visit a webpage to trigger this vulnerability. CVE-2020-13543 openSUSE Leap 15.1:libjavascriptcoregtk-4_0-18-2.30.3-lp151.2.28.2 openSUSE Leap 15.1:libjavascriptcoregtk-4_0-18-32bit-2.30.3-lp151.2.28.2 openSUSE Leap 15.1:libwebkit2gtk-4_0-37-2.30.3-lp151.2.28.2 openSUSE Leap 15.1:libwebkit2gtk-4_0-37-32bit-2.30.3-lp151.2.28.2 openSUSE Leap 15.1:libwebkit2gtk3-lang-2.30.3-lp151.2.28.2 openSUSE Leap 15.1:typelib-1_0-JavaScriptCore-4_0-2.30.3-lp151.2.28.2 openSUSE Leap 15.1:typelib-1_0-WebKit2-4_0-2.30.3-lp151.2.28.2 openSUSE Leap 15.1:typelib-1_0-WebKit2WebExtension-4_0-2.30.3-lp151.2.28.2 openSUSE Leap 15.1:webkit-jsc-4-2.30.3-lp151.2.28.2 openSUSE Leap 15.1:webkit2gtk-4_0-injected-bundles-2.30.3-lp151.2.28.2 openSUSE Leap 15.1:webkit2gtk3-devel-2.30.3-lp151.2.28.2 openSUSE Leap 15.1:webkit2gtk3-minibrowser-2.30.3-lp151.2.28.2 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/7IUIQR7TXEJAY36F5QQB7QCCGHWKYG7E/ https://www.suse.com/security/cve/CVE-2020-13543.html CVE-2020-13543 https://bugzilla.suse.com/1179451 SUSE Bug 1179451 An exploitable use-after-free vulnerability exists in WebKitGTK browser version 2.30.1 x64. A specially crafted HTML web page can cause a use-after-free condition, resulting in a remote code execution. The victim needs to visit a malicious web site to trigger this vulnerability. CVE-2020-13584 openSUSE Leap 15.1:libjavascriptcoregtk-4_0-18-2.30.3-lp151.2.28.2 openSUSE Leap 15.1:libjavascriptcoregtk-4_0-18-32bit-2.30.3-lp151.2.28.2 openSUSE Leap 15.1:libwebkit2gtk-4_0-37-2.30.3-lp151.2.28.2 openSUSE Leap 15.1:libwebkit2gtk-4_0-37-32bit-2.30.3-lp151.2.28.2 openSUSE Leap 15.1:libwebkit2gtk3-lang-2.30.3-lp151.2.28.2 openSUSE Leap 15.1:typelib-1_0-JavaScriptCore-4_0-2.30.3-lp151.2.28.2 openSUSE Leap 15.1:typelib-1_0-WebKit2-4_0-2.30.3-lp151.2.28.2 openSUSE Leap 15.1:typelib-1_0-WebKit2WebExtension-4_0-2.30.3-lp151.2.28.2 openSUSE Leap 15.1:webkit-jsc-4-2.30.3-lp151.2.28.2 openSUSE Leap 15.1:webkit2gtk-4_0-injected-bundles-2.30.3-lp151.2.28.2 openSUSE Leap 15.1:webkit2gtk3-devel-2.30.3-lp151.2.28.2 openSUSE Leap 15.1:webkit2gtk3-minibrowser-2.30.3-lp151.2.28.2 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/7IUIQR7TXEJAY36F5QQB7QCCGHWKYG7E/ https://www.suse.com/security/cve/CVE-2020-13584.html CVE-2020-13584 https://bugzilla.suse.com/1179122 SUSE Bug 1179122 https://bugzilla.suse.com/1179910 SUSE Bug 1179910 https://bugzilla.suse.com/1179911 SUSE Bug 1179911 https://bugzilla.suse.com/1179912 SUSE Bug 1179912 A type confusion issue was addressed with improved memory handling. This issue is fixed in Safari 14.0. Processing maliciously crafted web content may lead to arbitrary code execution. CVE-2020-9948 openSUSE Leap 15.1:libjavascriptcoregtk-4_0-18-2.30.3-lp151.2.28.2 openSUSE Leap 15.1:libjavascriptcoregtk-4_0-18-32bit-2.30.3-lp151.2.28.2 openSUSE Leap 15.1:libwebkit2gtk-4_0-37-2.30.3-lp151.2.28.2 openSUSE Leap 15.1:libwebkit2gtk-4_0-37-32bit-2.30.3-lp151.2.28.2 openSUSE Leap 15.1:libwebkit2gtk3-lang-2.30.3-lp151.2.28.2 openSUSE Leap 15.1:typelib-1_0-JavaScriptCore-4_0-2.30.3-lp151.2.28.2 openSUSE Leap 15.1:typelib-1_0-WebKit2-4_0-2.30.3-lp151.2.28.2 openSUSE Leap 15.1:typelib-1_0-WebKit2WebExtension-4_0-2.30.3-lp151.2.28.2 openSUSE Leap 15.1:webkit-jsc-4-2.30.3-lp151.2.28.2 openSUSE Leap 15.1:webkit2gtk-4_0-injected-bundles-2.30.3-lp151.2.28.2 openSUSE Leap 15.1:webkit2gtk3-devel-2.30.3-lp151.2.28.2 openSUSE Leap 15.1:webkit2gtk3-minibrowser-2.30.3-lp151.2.28.2 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/7IUIQR7TXEJAY36F5QQB7QCCGHWKYG7E/ https://www.suse.com/security/cve/CVE-2020-9948.html CVE-2020-9948 https://bugzilla.suse.com/1179122 SUSE Bug 1179122 https://bugzilla.suse.com/1179910 SUSE Bug 1179910 https://bugzilla.suse.com/1179911 SUSE Bug 1179911 https://bugzilla.suse.com/1179912 SUSE Bug 1179912 A use after free issue was addressed with improved memory management. This issue is fixed in Safari 14.0. Processing maliciously crafted web content may lead to arbitrary code execution. CVE-2020-9951 openSUSE Leap 15.1:libjavascriptcoregtk-4_0-18-2.30.3-lp151.2.28.2 openSUSE Leap 15.1:libjavascriptcoregtk-4_0-18-32bit-2.30.3-lp151.2.28.2 openSUSE Leap 15.1:libwebkit2gtk-4_0-37-2.30.3-lp151.2.28.2 openSUSE Leap 15.1:libwebkit2gtk-4_0-37-32bit-2.30.3-lp151.2.28.2 openSUSE Leap 15.1:libwebkit2gtk3-lang-2.30.3-lp151.2.28.2 openSUSE Leap 15.1:typelib-1_0-JavaScriptCore-4_0-2.30.3-lp151.2.28.2 openSUSE Leap 15.1:typelib-1_0-WebKit2-4_0-2.30.3-lp151.2.28.2 openSUSE Leap 15.1:typelib-1_0-WebKit2WebExtension-4_0-2.30.3-lp151.2.28.2 openSUSE Leap 15.1:webkit-jsc-4-2.30.3-lp151.2.28.2 openSUSE Leap 15.1:webkit2gtk-4_0-injected-bundles-2.30.3-lp151.2.28.2 openSUSE Leap 15.1:webkit2gtk3-devel-2.30.3-lp151.2.28.2 openSUSE Leap 15.1:webkit2gtk3-minibrowser-2.30.3-lp151.2.28.2 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/7IUIQR7TXEJAY36F5QQB7QCCGHWKYG7E/ https://www.suse.com/security/cve/CVE-2020-9951.html CVE-2020-9951 https://bugzilla.suse.com/1179122 SUSE Bug 1179122 https://bugzilla.suse.com/1179910 SUSE Bug 1179910 https://bugzilla.suse.com/1179911 SUSE Bug 1179911 https://bugzilla.suse.com/1179912 SUSE Bug 1179912 An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in Safari 14.0. Processing maliciously crafted web content may lead to code execution. CVE-2020-9983 openSUSE Leap 15.1:libjavascriptcoregtk-4_0-18-2.30.3-lp151.2.28.2 openSUSE Leap 15.1:libjavascriptcoregtk-4_0-18-32bit-2.30.3-lp151.2.28.2 openSUSE Leap 15.1:libwebkit2gtk-4_0-37-2.30.3-lp151.2.28.2 openSUSE Leap 15.1:libwebkit2gtk-4_0-37-32bit-2.30.3-lp151.2.28.2 openSUSE Leap 15.1:libwebkit2gtk3-lang-2.30.3-lp151.2.28.2 openSUSE Leap 15.1:typelib-1_0-JavaScriptCore-4_0-2.30.3-lp151.2.28.2 openSUSE Leap 15.1:typelib-1_0-WebKit2-4_0-2.30.3-lp151.2.28.2 openSUSE Leap 15.1:typelib-1_0-WebKit2WebExtension-4_0-2.30.3-lp151.2.28.2 openSUSE Leap 15.1:webkit-jsc-4-2.30.3-lp151.2.28.2 openSUSE Leap 15.1:webkit2gtk-4_0-injected-bundles-2.30.3-lp151.2.28.2 openSUSE Leap 15.1:webkit2gtk3-devel-2.30.3-lp151.2.28.2 openSUSE Leap 15.1:webkit2gtk3-minibrowser-2.30.3-lp151.2.28.2 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/7IUIQR7TXEJAY36F5QQB7QCCGHWKYG7E/ https://www.suse.com/security/cve/CVE-2020-9983.html CVE-2020-9983 https://bugzilla.suse.com/1179122 SUSE Bug 1179122 https://bugzilla.suse.com/1179910 SUSE Bug 1179910 https://bugzilla.suse.com/1179911 SUSE Bug 1179911 https://bugzilla.suse.com/1179912 SUSE Bug 1179912