Bug 2302066 (CVE-2024-40794)

Summary: CVE-2024-40794 webkitgtk: webkit2gtk: Private Browsing tabs may be accessed without authentication
Product: [Other] Security Response
Reporter: Patrick Del Bello <pdelbell>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: CLOSED NOTABUG
Severity: high
Priority: high
Version: unspecified
CC: mcatanza
Keywords: Security
Hardware: All
OS: Linux
Last Closed: 2024-08-16 14:07:25 UTC
Bug Depends On: 2302099, 2302106, 2302107    

Description Patrick Del Bello 2024-07-31 15:43:20 UTC
This issue was addressed through improved state management.

Comment 1 Michael Catanzaro 2024-07-31 17:11:30 UTC
Fixed by "Resign Now Playing status when WKWebView suspends all media playback" which I still need to backport and make public.

Comment 2 Michael Catanzaro 2024-07-31 18:42:44 UTC
The bug "Private Browsing tabs may be accessed without authentication" is that other applications can view what media is playing via MPRIS.

Comment 3 Michael Catanzaro 2024-07-31 18:57:40 UTC
The affected code was added in https://commits.webkit.org/275558@main which doesn't yet exist on WebKitGTK 2.44, so there is nothing to do here.

Normally I would say the CVE does not affect us, except in this case, we actually do have the same "bug" on Linux, it's just not fixed. Doesn't seem important enough to spend any time on, though.

Comment 4 Michael Catanzaro 2024-07-31 18:59:18 UTC
(In reply to Michael Catanzaro from comment #3)
> Normally I would say the CVE does not affect us, except in this case, we
> actually do have the same "bug" on Linux, it's just not fixed. Doesn't seem
> important enough to spend any time on, though.

Actually no, sorry. In ephemeral mode the MPRIS interface only allows playback control and doesn't indicate what media is actually playing. We're really not affected.

Comment 5 Michael Catanzaro 2024-08-16 14:07:25 UTC
Closing as NOTABUG because this bug doesn't affect Linux.
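
Added example, not part of the original bug thread and not WebKitGTK code: a small audit helper that reports which identifying fields a player's MPRIS Metadata property exposes to other session-bus clients, which is the distinction drawn in comments 2 and 4. It assumes the JSON shape printed by `busctl --json=short`; the sample payloads, including what an ephemeral session publishes, are constructed for illustration.

```python
import json
import subprocess

# Metadata keys from the MPRIS specification that describe what is playing.
IDENTIFYING_KEYS = ("xesam:title", "xesam:artist", "xesam:album",
                    "xesam:url", "mpris:artUrl")
PATH = "/org/mpris/MediaPlayer2"
IFACE = "org.mpris.MediaPlayer2.Player"


def unwrap(node):
    """Strip busctl's {"type": ..., "data": ...} variant wrappers recursively."""
    if isinstance(node, dict) and set(node) == {"type", "data"}:
        return unwrap(node["data"])
    if isinstance(node, dict):
        return {k: unwrap(v) for k, v in node.items()}
    if isinstance(node, list):
        return [unwrap(v) for v in node]
    return node


def exposed_fields(metadata_json):
    """Return the identifying Metadata keys that carry a non-empty value."""
    metadata = unwrap(json.loads(metadata_json))
    return sorted(k for k in IDENTIFYING_KEYS if metadata.get(k))


def query_metadata(bus_name):
    """Read Metadata from a live player on the session bus (requires busctl)."""
    cmd = ["busctl", "--user", "--json=short", "get-property",
           bus_name, PATH, IFACE, "Metadata"]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


# Constructed samples (assumptions): a normal session, and an ephemeral-style
# session that offers playback control but no description of the media.
SAMPLE_NORMAL = json.dumps({"type": "a{sv}", "data": {
    "mpris:trackid": {"type": "o", "data": "/org/example/track/1"},
    "xesam:title": {"type": "s", "data": "Example talk"},
    "xesam:artist": {"type": "as", "data": ["Example speaker"]},
    "xesam:url": {"type": "s", "data": "https://video.example/watch/1"}}})
SAMPLE_EPHEMERAL = json.dumps({"type": "a{sv}", "data": {
    "mpris:trackid": {"type": "o",
                      "data": "/org/mpris/MediaPlayer2/TrackList/NoTrack"}}})

if __name__ == "__main__":
    for name, sample in (("normal", SAMPLE_NORMAL),
                         ("ephemeral", SAMPLE_EPHEMERAL)):
        print(name, exposed_fields(sample) or "nothing identifying exposed")
```

On a live desktop, pass the output of `query_metadata()` for a bus name under `org.mpris.MediaPlayer2.` to `exposed_fields()`; an empty result while a private session is playing matches the behaviour described in comment 4.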