2302066 – (CVE-2024-40794) CVE-2024-40794 webkitgtk: webkit2gtk: Private Browsing tabs may be accessed without authentication

Bug 2302066 (CVE-2024-40794) - CVE-2024-40794 webkitgtk: webkit2gtk: Private Browsing tabs may be accessed without authentication

Summary: CVE-2024-40794 webkitgtk: webkit2gtk: Private Browsing tabs may be accessed w...

Keywords:
Status:	CLOSED NOTABUG
Alias:	CVE-2024-40794
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2302099 2302106 2302107
Blocks:
TreeView+	depends on / blocked

Reported:	2024-07-31 15:43 UTC by Patrick Del Bello
Modified:	2024-08-16 14:07 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2024-08-16 14:07:25 UTC
Embargoed:

Attachments	(Terms of Use)

Description Patrick Del Bello 2024-07-31 15:43:20 UTC

This issue was addressed through improved state management.

Comment 1 Michael Catanzaro 2024-07-31 17:11:30 UTC

Fixed by "Resign Now Playing status when WKWebView suspends all media playback" which I still need to backport and make public

Comment 2 Michael Catanzaro 2024-07-31 18:42:44 UTC

The bug "Private Browsing tabs may be accessed without authentication" is that other applications can view what media is playing via MPRIS.

Comment 3 Michael Catanzaro 2024-07-31 18:57:40 UTC

The affected code was added in https://commits.webkit.org/275558@main which doesn't yet exist on WebKitGTK 2.44, so there is nothing to do here.

Normally I would say the CVE does not affect us, except in this case, we actually do have the same "bug" on Linux, it's just not fixed. Doesn't seem important enough to spend any time on, though.

Comment 4 Michael Catanzaro 2024-07-31 18:59:18 UTC

(In reply to Michael Catanzaro from comment #3)
> Normally I would say the CVE does not affect us, except in this case, we
> actually do have the same "bug" on Linux, it's just not fixed. Doesn't seem
> important enough to spend any time on, though.

Actually no, sorry. In ephemeral mode we the MPRIS interface only allows playback control and doesn't indicate what media is actually playing. We're really not affected.

Comment 5 Michael Catanzaro 2024-08-16 14:07:25 UTC

Closing as NOTABUG because this bug doesn't affect Linux.

Note You need to log in before you can comment on or make changes to this bug.