Security update for webkit2gtk3 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2023:4978-1 Final 1 1 2023-12-27T13:33:40Z current 2023-12-27T13:33:40Z 2023-12-27T13:33:40Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for webkit2gtk3 This update for webkit2gtk3 fixes the following issues: - CVE-2023-42890: Fixed processing malicious web content may lead to arbitrary code execution (bsc#1218033). - CVE-2023-42883: Fixed processing a malicious image may lead to a denial-of-service (bsc#1218032). - CVE-2023-41074: Fixed use-after-free in the MediaRecorder API of the WebKit GStreamer-based ports (bsc#1215870). - CVE-2023-39928: Fixed use-after-free in the MediaRecorder API of the WebKit GStreamer-based ports (bsc#1215868). - CVE-2023-40451: Update to version 2.42.4 (bsc#1215869). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2023-4978,SUSE-SLE-SDK-12-SP5-2023-4978,SUSE-SLE-SERVER-12-SP5-2023-4978,SUSE-SLE-WE-12-SP5-2023-4978 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2023/suse-su-20234978-1/ Link for SUSE-SU-2023:4978-1 https://lists.suse.com/pipermail/sle-security-updates/2023-December/017565.html E-Mail link for SUSE-SU-2023:4978-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1215868 SUSE Bug 1215868 https://bugzilla.suse.com/1215869 SUSE Bug 1215869 https://bugzilla.suse.com/1215870 SUSE Bug 1215870 https://bugzilla.suse.com/1218032 SUSE Bug 1218032 https://bugzilla.suse.com/1218033 SUSE Bug 1218033 https://www.suse.com/security/cve/CVE-2023-39928/ SUSE CVE CVE-2023-39928 page https://www.suse.com/security/cve/CVE-2023-40451/ SUSE CVE CVE-2023-40451 page https://www.suse.com/security/cve/CVE-2023-41074/ SUSE CVE CVE-2023-41074 page https://www.suse.com/security/cve/CVE-2023-42883/ SUSE CVE CVE-2023-42883 page https://www.suse.com/security/cve/CVE-2023-42890/ SUSE CVE CVE-2023-42890 page SUSE Linux Enterprise Server 12 SP5 SUSE Linux Enterprise Server for SAP Applications 12 SP5 SUSE Linux Enterprise Software Development Kit 12 SP5 SUSE Linux Enterprise Workstation Extension 12 SP5 libjavascriptcoregtk-4_0-18-2.42.4-2.164.1 libjavascriptcoregtk-4_0-18-32bit-2.42.4-2.164.1 libjavascriptcoregtk-4_0-18-64bit-2.42.4-2.164.1 libwebkit2gtk-4_0-37-2.42.4-2.164.1 libwebkit2gtk-4_0-37-32bit-2.42.4-2.164.1 libwebkit2gtk-4_0-37-64bit-2.42.4-2.164.1 libwebkit2gtk3-lang-2.42.4-2.164.1 typelib-1_0-JavaScriptCore-4_0-2.42.4-2.164.1 typelib-1_0-WebKit2-4_0-2.42.4-2.164.1 typelib-1_0-WebKit2WebExtension-4_0-2.42.4-2.164.1 webkit-jsc-4-2.42.4-2.164.1 webkit2gtk-4_0-injected-bundles-2.42.4-2.164.1 webkit2gtk3-devel-2.42.4-2.164.1 webkit2gtk3-minibrowser-2.42.4-2.164.1 libjavascriptcoregtk-4_0-18-2.42.4-2.164.1 as a component of SUSE Linux Enterprise Server 12 SP5 libwebkit2gtk-4_0-37-2.42.4-2.164.1 as a component of SUSE Linux Enterprise Server 12 SP5 libwebkit2gtk3-lang-2.42.4-2.164.1 as a component of SUSE Linux Enterprise Server 12 SP5 typelib-1_0-JavaScriptCore-4_0-2.42.4-2.164.1 as a component of SUSE Linux Enterprise Server 12 SP5 typelib-1_0-WebKit2-4_0-2.42.4-2.164.1 as a component of SUSE Linux Enterprise Server 12 SP5 typelib-1_0-WebKit2WebExtension-4_0-2.42.4-2.164.1 as a component of SUSE Linux Enterprise Server 12 SP5 webkit2gtk-4_0-injected-bundles-2.42.4-2.164.1 as a component of SUSE Linux Enterprise Server 12 SP5 libjavascriptcoregtk-4_0-18-2.42.4-2.164.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP5 libwebkit2gtk-4_0-37-2.42.4-2.164.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP5 libwebkit2gtk3-lang-2.42.4-2.164.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP5 typelib-1_0-JavaScriptCore-4_0-2.42.4-2.164.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP5 typelib-1_0-WebKit2-4_0-2.42.4-2.164.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP5 typelib-1_0-WebKit2WebExtension-4_0-2.42.4-2.164.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP5 webkit2gtk-4_0-injected-bundles-2.42.4-2.164.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP5 typelib-1_0-WebKit2WebExtension-4_0-2.42.4-2.164.1 as a component of SUSE Linux Enterprise Software Development Kit 12 SP5 webkit2gtk3-devel-2.42.4-2.164.1 as a component of SUSE Linux Enterprise Software Development Kit 12 SP5 libjavascriptcoregtk-4_0-18-32bit-2.42.4-2.164.1 as a component of SUSE Linux Enterprise Workstation Extension 12 SP5 A use-after-free vulnerability exists in the MediaRecorder API of Webkit WebKitGTK 2.40.5. A specially crafted web page can abuse this vulnerability to cause memory corruption and potentially arbitrary code execution. A user would need to to visit a malicious webpage to trigger this vulnerability. CVE-2023-39928 SUSE Linux Enterprise Server 12 SP5:libjavascriptcoregtk-4_0-18-2.42.4-2.164.1 SUSE Linux Enterprise Server 12 SP5:libwebkit2gtk-4_0-37-2.42.4-2.164.1 SUSE Linux Enterprise Server 12 SP5:libwebkit2gtk3-lang-2.42.4-2.164.1 SUSE Linux Enterprise Server 12 SP5:typelib-1_0-JavaScriptCore-4_0-2.42.4-2.164.1 SUSE Linux Enterprise Server 12 SP5:typelib-1_0-WebKit2-4_0-2.42.4-2.164.1 SUSE Linux Enterprise Server 12 SP5:typelib-1_0-WebKit2WebExtension-4_0-2.42.4-2.164.1 SUSE Linux Enterprise Server 12 SP5:webkit2gtk-4_0-injected-bundles-2.42.4-2.164.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:libjavascriptcoregtk-4_0-18-2.42.4-2.164.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:libwebkit2gtk-4_0-37-2.42.4-2.164.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:libwebkit2gtk3-lang-2.42.4-2.164.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:typelib-1_0-JavaScriptCore-4_0-2.42.4-2.164.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:typelib-1_0-WebKit2-4_0-2.42.4-2.164.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:typelib-1_0-WebKit2WebExtension-4_0-2.42.4-2.164.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:webkit2gtk-4_0-injected-bundles-2.42.4-2.164.1 SUSE Linux Enterprise Software Development Kit 12 SP5:typelib-1_0-WebKit2WebExtension-4_0-2.42.4-2.164.1 SUSE Linux Enterprise Software Development Kit 12 SP5:webkit2gtk3-devel-2.42.4-2.164.1 SUSE Linux Enterprise Workstation Extension 12 SP5:libjavascriptcoregtk-4_0-18-32bit-2.42.4-2.164.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2023/suse-su-20234978-1/ https://www.suse.com/security/cve/CVE-2023-39928.html CVE-2023-39928 https://bugzilla.suse.com/1215868 SUSE Bug 1215868 https://bugzilla.suse.com/1217568 SUSE Bug 1217568 This issue was addressed with improved iframe sandbox enforcement. This issue is fixed in Safari 17. An attacker with JavaScript execution may be able to execute arbitrary code. CVE-2023-40451 SUSE Linux Enterprise Server 12 SP5:libjavascriptcoregtk-4_0-18-2.42.4-2.164.1 SUSE Linux Enterprise Server 12 SP5:libwebkit2gtk-4_0-37-2.42.4-2.164.1 SUSE Linux Enterprise Server 12 SP5:libwebkit2gtk3-lang-2.42.4-2.164.1 SUSE Linux Enterprise Server 12 SP5:typelib-1_0-JavaScriptCore-4_0-2.42.4-2.164.1 SUSE Linux Enterprise Server 12 SP5:typelib-1_0-WebKit2-4_0-2.42.4-2.164.1 SUSE Linux Enterprise Server 12 SP5:typelib-1_0-WebKit2WebExtension-4_0-2.42.4-2.164.1 SUSE Linux Enterprise Server 12 SP5:webkit2gtk-4_0-injected-bundles-2.42.4-2.164.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:libjavascriptcoregtk-4_0-18-2.42.4-2.164.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:libwebkit2gtk-4_0-37-2.42.4-2.164.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:libwebkit2gtk3-lang-2.42.4-2.164.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:typelib-1_0-JavaScriptCore-4_0-2.42.4-2.164.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:typelib-1_0-WebKit2-4_0-2.42.4-2.164.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:typelib-1_0-WebKit2WebExtension-4_0-2.42.4-2.164.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:webkit2gtk-4_0-injected-bundles-2.42.4-2.164.1 SUSE Linux Enterprise Software Development Kit 12 SP5:typelib-1_0-WebKit2WebExtension-4_0-2.42.4-2.164.1 SUSE Linux Enterprise Software Development Kit 12 SP5:webkit2gtk3-devel-2.42.4-2.164.1 SUSE Linux Enterprise Workstation Extension 12 SP5:libjavascriptcoregtk-4_0-18-32bit-2.42.4-2.164.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2023/suse-su-20234978-1/ https://www.suse.com/security/cve/CVE-2023-40451.html CVE-2023-40451 https://bugzilla.suse.com/1215869 SUSE Bug 1215869 https://bugzilla.suse.com/1217568 SUSE Bug 1217568 The issue was addressed with improved checks. This issue is fixed in tvOS 17, Safari 17, watchOS 10, iOS 17 and iPadOS 17, macOS Sonoma 14. Processing web content may lead to arbitrary code execution. CVE-2023-41074 SUSE Linux Enterprise Server 12 SP5:libjavascriptcoregtk-4_0-18-2.42.4-2.164.1 SUSE Linux Enterprise Server 12 SP5:libwebkit2gtk-4_0-37-2.42.4-2.164.1 SUSE Linux Enterprise Server 12 SP5:libwebkit2gtk3-lang-2.42.4-2.164.1 SUSE Linux Enterprise Server 12 SP5:typelib-1_0-JavaScriptCore-4_0-2.42.4-2.164.1 SUSE Linux Enterprise Server 12 SP5:typelib-1_0-WebKit2-4_0-2.42.4-2.164.1 SUSE Linux Enterprise Server 12 SP5:typelib-1_0-WebKit2WebExtension-4_0-2.42.4-2.164.1 SUSE Linux Enterprise Server 12 SP5:webkit2gtk-4_0-injected-bundles-2.42.4-2.164.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:libjavascriptcoregtk-4_0-18-2.42.4-2.164.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:libwebkit2gtk-4_0-37-2.42.4-2.164.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:libwebkit2gtk3-lang-2.42.4-2.164.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:typelib-1_0-JavaScriptCore-4_0-2.42.4-2.164.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:typelib-1_0-WebKit2-4_0-2.42.4-2.164.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:typelib-1_0-WebKit2WebExtension-4_0-2.42.4-2.164.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:webkit2gtk-4_0-injected-bundles-2.42.4-2.164.1 SUSE Linux Enterprise Software Development Kit 12 SP5:typelib-1_0-WebKit2WebExtension-4_0-2.42.4-2.164.1 SUSE Linux Enterprise Software Development Kit 12 SP5:webkit2gtk3-devel-2.42.4-2.164.1 SUSE Linux Enterprise Workstation Extension 12 SP5:libjavascriptcoregtk-4_0-18-32bit-2.42.4-2.164.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2023/suse-su-20234978-1/ https://www.suse.com/security/cve/CVE-2023-41074.html CVE-2023-41074 https://bugzilla.suse.com/1215870 SUSE Bug 1215870 https://bugzilla.suse.com/1217568 SUSE Bug 1217568 The issue was addressed with improved memory handling. This issue is fixed in Safari 17.2, macOS Sonoma 14.2, iOS 17.2 and iPadOS 17.2, watchOS 10.2, tvOS 17.2, iOS 16.7.3 and iPadOS 16.7.3. Processing an image may lead to a denial-of-service. CVE-2023-42883 SUSE Linux Enterprise Server 12 SP5:libjavascriptcoregtk-4_0-18-2.42.4-2.164.1 SUSE Linux Enterprise Server 12 SP5:libwebkit2gtk-4_0-37-2.42.4-2.164.1 SUSE Linux Enterprise Server 12 SP5:libwebkit2gtk3-lang-2.42.4-2.164.1 SUSE Linux Enterprise Server 12 SP5:typelib-1_0-JavaScriptCore-4_0-2.42.4-2.164.1 SUSE Linux Enterprise Server 12 SP5:typelib-1_0-WebKit2-4_0-2.42.4-2.164.1 SUSE Linux Enterprise Server 12 SP5:typelib-1_0-WebKit2WebExtension-4_0-2.42.4-2.164.1 SUSE Linux Enterprise Server 12 SP5:webkit2gtk-4_0-injected-bundles-2.42.4-2.164.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:libjavascriptcoregtk-4_0-18-2.42.4-2.164.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:libwebkit2gtk-4_0-37-2.42.4-2.164.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:libwebkit2gtk3-lang-2.42.4-2.164.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:typelib-1_0-JavaScriptCore-4_0-2.42.4-2.164.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:typelib-1_0-WebKit2-4_0-2.42.4-2.164.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:typelib-1_0-WebKit2WebExtension-4_0-2.42.4-2.164.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:webkit2gtk-4_0-injected-bundles-2.42.4-2.164.1 SUSE Linux Enterprise Software Development Kit 12 SP5:typelib-1_0-WebKit2WebExtension-4_0-2.42.4-2.164.1 SUSE Linux Enterprise Software Development Kit 12 SP5:webkit2gtk3-devel-2.42.4-2.164.1 SUSE Linux Enterprise Workstation Extension 12 SP5:libjavascriptcoregtk-4_0-18-32bit-2.42.4-2.164.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2023/suse-su-20234978-1/ https://www.suse.com/security/cve/CVE-2023-42883.html CVE-2023-42883 https://bugzilla.suse.com/1218032 SUSE Bug 1218032 The issue was addressed with improved memory handling. This issue is fixed in Safari 17.2, macOS Sonoma 14.2, watchOS 10.2, iOS 17.2 and iPadOS 17.2, tvOS 17.2. Processing web content may lead to arbitrary code execution. CVE-2023-42890 SUSE Linux Enterprise Server 12 SP5:libjavascriptcoregtk-4_0-18-2.42.4-2.164.1 SUSE Linux Enterprise Server 12 SP5:libwebkit2gtk-4_0-37-2.42.4-2.164.1 SUSE Linux Enterprise Server 12 SP5:libwebkit2gtk3-lang-2.42.4-2.164.1 SUSE Linux Enterprise Server 12 SP5:typelib-1_0-JavaScriptCore-4_0-2.42.4-2.164.1 SUSE Linux Enterprise Server 12 SP5:typelib-1_0-WebKit2-4_0-2.42.4-2.164.1 SUSE Linux Enterprise Server 12 SP5:typelib-1_0-WebKit2WebExtension-4_0-2.42.4-2.164.1 SUSE Linux Enterprise Server 12 SP5:webkit2gtk-4_0-injected-bundles-2.42.4-2.164.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:libjavascriptcoregtk-4_0-18-2.42.4-2.164.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:libwebkit2gtk-4_0-37-2.42.4-2.164.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:libwebkit2gtk3-lang-2.42.4-2.164.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:typelib-1_0-JavaScriptCore-4_0-2.42.4-2.164.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:typelib-1_0-WebKit2-4_0-2.42.4-2.164.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:typelib-1_0-WebKit2WebExtension-4_0-2.42.4-2.164.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:webkit2gtk-4_0-injected-bundles-2.42.4-2.164.1 SUSE Linux Enterprise Software Development Kit 12 SP5:typelib-1_0-WebKit2WebExtension-4_0-2.42.4-2.164.1 SUSE Linux Enterprise Software Development Kit 12 SP5:webkit2gtk3-devel-2.42.4-2.164.1 SUSE Linux Enterprise Workstation Extension 12 SP5:libjavascriptcoregtk-4_0-18-32bit-2.42.4-2.164.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2023/suse-su-20234978-1/ https://www.suse.com/security/cve/CVE-2023-42890.html CVE-2023-42890 https://bugzilla.suse.com/1218033 SUSE Bug 1218033 https://bugzilla.suse.com/1218407 SUSE Bug 1218407