Bug 2223000 (CVE-2023-37450)

Summary: CVE-2023-37450 webkitgtk: arbitrary code execution
Product: [Other] Security Response
Reporter: Marco Benatto <mbenatto>
Component: vulnerability
Assignee: Nobody <nobody>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: carnil, desktop-qa-list, jwest, mcatanza, tpopela
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Text: A vulnerability was found in webkitgtk. This issue occurs when processing web content, which may lead to arbitrary code execution.
Story Points: ---
Clone Of: ---
Last Closed: 2023-07-22 01:57:03 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 2218789, 2218792, 2223001, 2223002, 2223003, 2223004, 2223005, 2223006, 2223007
Bug Blocks: 2222999

Description Marco Benatto 2023-07-14 20:06:56 UTC
Processing web content may lead to arbitrary code execution

Comment 1 Marco Benatto 2023-07-14 20:08:35 UTC
Created webkitgtk tracking bugs for this issue:

Affects: fedora-all [bug 2223001]

Comment 5 Salvatore Bonaccorso 2023-07-21 04:46:49 UTC
Hi

While triaging new CVEs we found this entry, but the details are very light. Can you share
if this is something known upstream, if there is an upstream issue and fix, and which versions
are affected by the issue?

Regards,
Salvatore

Comment 6 Michael Catanzaro 2023-07-21 12:48:53 UTC
This is fixed in WebKitGTK 2.40.3 by https://github.com/WebKit/WebKit/commit/4f99c0670d2d91dbc51725a7af6909e186db1b07. That's all I know.

Comment 7 Michael Catanzaro 2023-07-21 12:49:51 UTC
Um, sorry. It's fixed in 2.40.4. I'm off by one.

Comment 8 Marco Benatto 2023-07-21 21:15:51 UTC
This flaw is currently fixed by the advisory:
https://access.redhat.com/errata/RHSA-2023:4201 [rhel-9.2.z]
https://access.redhat.com/errata/RHSA-2023:4202 [rhel-8.8.z]

Comment 9 Product Security DevOps Team 2023-08-01 06:58:11 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-37450