Bug 2016673 (CVE-2021-42762)

Summary: CVE-2021-42762 webkitgtk: limited sandbox escape via VFS syscalls
Product: [Other] Security Response
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: unspecified
CC: gnome-sig, mcatanza, tpopela
Target Milestone: ---
Target Release: ---
Keywords: Security
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2022-05-17 13:45:59 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 2016674, 2017709
Bug Blocks: 2016675

Description Guilherme de Almeida Suckevicz 2021-10-22 16:15:53 UTC
BubblewrapLauncher.cpp in WebKitGTK and WPE WebKit before 2.34.1 allows a limited sandbox bypass that allows a sandboxed process to trick host processes into thinking the sandboxed process is not confined by the sandbox, by abusing VFS syscalls that manipulate its filesystem namespace. The impact is limited to host services that create UNIX sockets that WebKit mounts inside its sandbox, and the sandboxed process remains otherwise confined. NOTE: this is similar to CVE-2021-41133.

References:
https://bugs.webkit.org/show_bug.cgi?id=231479
https://github.com/flatpak/flatpak/security/advisories/GHSA-67h7-w3jq-vh4q
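
Added example, not code from WebKit, Flatpak or this bug: the mitigation I assume for this class of issue is the one the linked Flatpak advisory takes, extending the sandbox's seccomp filter so the confined process can no longer rearrange its own mount namespace. The block below builds such a denylist in raw seccomp-bpf (C, no libseccomp): mount, umount2, pivot_root, chroot and the fd-based mount API (open_tree, move_mount, fsopen, fsconfig, fsmount, fspick, mount_setattr) are refused with EPERM, everything else passes, and a foreign-ABI syscall kills the process. The syscall list, the EPERM choice, the NATIVE_AUDIT_ARCH mapping and the small evaluator used to check the filter without installing it are all mine; WebKit's actual rules live in BubblewrapLauncher.cpp and are not reproduced here.

```c
/* Added example, not WebKit's BubblewrapLauncher.cpp: a seccomp-bpf denylist for
 * the syscalls that rearrange a process's mount namespace, in raw BPF (no libseccomp). */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#ifndef __NR_open_tree /* 5.2 mount API; these numbers are the same on every arch */
#define __NR_open_tree 428
#define __NR_move_mount 429
#define __NR_fsopen 430
#define __NR_fsconfig 431
#define __NR_fsmount 432
#define __NR_fspick 433
#endif
#ifndef __NR_mount_setattr /* added in 5.12 */
#define __NR_mount_setattr 442
#endif
#if defined(__x86_64__)
#define NATIVE_AUDIT_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define NATIVE_AUDIT_ARCH AUDIT_ARCH_AARCH64
#endif /* other ABIs: add their AUDIT_ARCH_* value here */

/* Classic mount syscalls plus the fd-based mount API (assumed list, see lead-in). */
static const uint32_t vfs_denied[] = {
    __NR_mount, __NR_umount2, __NR_pivot_root, __NR_chroot, __NR_open_tree,
    __NR_move_mount, __NR_fsopen, __NR_fsconfig, __NR_fsmount, __NR_fspick,
    __NR_mount_setattr,
};
#define N_DENIED (sizeof vfs_denied / sizeof vfs_denied[0])
#define INS(...) (struct sock_filter)__VA_ARGS__ /* BPF_STMT/BPF_JUMP as an rvalue */

/* Emit the filter into out; returns the instruction count, or 0 if cap is too small. */
static size_t build_vfs_denylist(struct sock_filter *out, size_t cap)
{
    size_t n = 0;
    if (cap < N_DENIED + 6) return 0;
    /* Check the ABI first: the same number is a different syscall on another arch. */
    out[n++] = INS(BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)));
    out[n++] = INS(BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NATIVE_AUDIT_ARCH, 1, 0));
    out[n++] = INS(BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL));
    out[n++] = INS(BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)));
    /* A match jumps past the remaining comparisons and the ALLOW to the ERRNO return. */
    for (size_t i = 0; i < N_DENIED; i++)
        out[n++] = INS(BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, vfs_denied[i], (uint8_t)(N_DENIED - i), 0));
    out[n++] = INS(BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW));
    out[n++] = INS(BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)));
    return n;
}

/* Minimal interpreter for the three instruction forms used above, so the filter's
 * decisions can be checked without installing it. It is not a general BPF VM. */
static uint32_t eval_filter(const struct sock_filter *f, size_t n, const struct seccomp_data *d)
{
    uint32_t acc = 0;
    for (size_t pc = 0; pc < n; pc++) {
        if (f[pc].code == (BPF_LD | BPF_W | BPF_ABS)) /* this filter only loads nr and arch */
            acc = f[pc].k == offsetof(struct seccomp_data, nr) ? (uint32_t)d->nr : d->arch;
        else if (f[pc].code == (BPF_JMP | BPF_JEQ | BPF_K))
            pc += (acc == f[pc].k) ? f[pc].jt : f[pc].jf;
        else if (f[pc].code == (BPF_RET | BPF_K))
            return f[pc].k;
        else
            return SECCOMP_RET_KILL; /* opcode this interpreter does not model */
    }
    return SECCOMP_RET_KILL; /* ran off the end of the program */
}

/* The action the kernel would take for syscall nr arriving via ABI arch. */
static uint32_t decide(uint32_t nr, uint32_t arch)
{
    struct sock_filter insns[32];
    struct seccomp_data d = { .nr = (int)nr, .arch = arch };
    size_t n = build_vfs_denylist(insns, sizeof insns / sizeof insns[0]);
    return n ? eval_filter(insns, n, &d) : SECCOMP_RET_KILL;
}

int main(void)
{
    struct sock_filter insns[32];
    struct sock_fprog prog = { .filter = insns };
    prog.len = (unsigned short)build_vfs_denylist(insns, sizeof insns / sizeof insns[0]);
    /* NO_NEW_PRIVS is what lets an unprivileged process load a filter. */
    if (prog.len == 0 || prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0 ||
        prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0) {
        perror("seccomp");
        return 1;
    }
    /* open_tree("/") without OPEN_TREE_CLONE is an unprivileged O_PATH open and
     * succeeds on 5.2+ kernels; under the filter it comes back with EPERM instead. */
    long fd = syscall(__NR_open_tree, AT_FDCWD, "/", 0);
    printf("open_tree(\"/\") -> %ld (%s)\n", fd, fd < 0 ? strerror(errno) : "allowed");
    return 0;
}
```

Returning EPERM rather than killing the process is deliberate: applications probe for mount-API support and should see a normal failure, not a SIGSYS. The probe in main uses open_tree without OPEN_TREE_CLONE because that call needs no privilege and so distinguishes the filter from the kernel's own capability checks, which already refuse mount or fsopen to an unprivileged caller. This covers only the mount-namespace syscalls; a complete sandbox filter also has to deal with creating namespaces (unshare, CLONE_NEW* flags to clone), which this example leaves out.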

Comment 1 Guilherme de Almeida Suckevicz 2021-10-22 16:16:23 UTC
Created webkit2gtk3 tracking bugs for this issue:

Affects: fedora-all [bug 2016674]

Comment 5 Product Security DevOps Team 2022-05-17 13:45:57 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-42762