Bug 2253058 (CVE-2023-42917)

Summary: CVE-2023-42917 webkitgtk: Arbitrary Remote Code Execution
Product: [Other] Security Response
Reporter: Marco Benatto <mbenatto>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW ---
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: gsuckevi, jwest, kyoshida
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: webkitgtk 2.42.3
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in WebKitGTK. Processing malicious web content may lead to remote code execution. This vulnerability is known to be actively exploited in the wild and was included in CISA's KEV catalog.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2253059
Bug Blocks: 2253040

Description Marco Benatto 2023-12-05 19:46:58 UTC
Processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited. A memory corruption vulnerability was addressed with improved locking.

Reference:
https://webkitgtk.org/security/WSA-2023-0011.html

Comment 1 Marco Benatto 2023-12-05 19:47:11 UTC
Created webkitgtk tracking bugs for this issue:

Affects: fedora-all [bug 2253059]

Comment 8 errata-xmlrpc 2023-12-11 09:39:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:7715 https://access.redhat.com/errata/RHSA-2023:7715

Comment 9 errata-xmlrpc 2023-12-11 09:49:36 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:7716 https://access.redhat.com/errata/RHSA-2023:7716