<!--X-Body-Begin-->
<!--X-User-Header-->
oss-sec
mailing list archives
<!--X-User-Header-End-->
<!--X-TopPNI-->
By Date
By Thread
</form>
<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
Re: WebKitGTK and WPE WebKit Security Advisory WSA-2021-0006
<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->
From: Samuel Groß <saelo () google com>
Date: Wed, 27 Oct 2021 16:40:55 +0200
<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->
<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
Hi!
I don't know what happened to CVE-2021-30851 as these CVEs are allocated by
Apple usually. I think the CVE would correspond to this issue though:
https://bugs.webkit.org/show_bug.cgi?id=227988
Best!
Samuel
On Wed, Oct 27, 2021 at 3:02 PM Francis Perron <francis.perron () shopify com>
wrote:
On Wed, Oct 27, 2021 at 12:09 AM Salvatore Bonaccorso <carnil () debian org>
wrote:
Hi,
[dropping most other recipients]
On Tue, Oct 26, 2021 at 08:05:36PM +0100, Carlos Alberto Lopez Perez
wrote:
------------------------------------------------------------------------
WebKitGTK and WPE WebKit Security Advisory
WSA-2021-0006
------------------------------------------------------------------------
Date reported : October 26, 2021
Advisory ID : WSA-2021-0006
WebKitGTK Advisory URL :
https://webkitgtk.org/security/WSA-2021-0006.html
WPE WebKit Advisory URL :
https://wpewebkit.org/security/WSA-2021-0006.html
CVE identifiers : CVE-2021-30846, CVE-2021-30848,
CVE-2021-30849, CVE-2021-30851,
CVE-2021-30858, CVE-2021-42762.
Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.
[...]
CVE-2021-30851
Versions affected: WebKitGTK and WPE WebKit before 2.34.0.
Credit to Samuel Groß of Google Project Zero.
Impact: Processing maliciously crafted web content may lead to code
execution. Description: A memory corruption vulnerability was
addressed with improved locking.
CVE-2021-30851 seems to be REJECTED (cf.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30851). Is
there a typo in the CVE id for this one or did the CVE got rejected
later on?
BCC'ing Samuel Groß
Salvatore -
I think 30851 was not issued, and it may have been a mistake here.
There was no other CVE issued as part of WSA-2021-0006 according to
the GitHub repo for the CVE program:
https://github.com/CVEProject/cvelist/search?q=wsa-2021-0006
if you need a CVE for this, Samuel may be able to sort this out with
the WebKit folks, who also seem to advertise 30851 on their security
advisory site: https://webkitgtk.org/security/WSA-2021-0006.html
Have a good Wednesday,
--
Francis Perron
Engineering Program Manager | Security Incident Response
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->
By Date
By Thread
Current thread:
WebKitGTK and WPE WebKit Security Advisory WSA-2021-0006 Carlos Alberto Lopez Perez (Oct 26)
Re: WebKitGTK and WPE WebKit Security Advisory WSA-2021-0006 Salvatore Bonaccorso (Oct 26)
Re: WebKitGTK and WPE WebKit Security Advisory WSA-2021-0006 Francis Perron (Oct 27)
Re: WebKitGTK and WPE WebKit Security Advisory WSA-2021-0006 Alberto Garcia (Oct 27)
Re: WebKitGTK and WPE WebKit Security Advisory WSA-2021-0006 Samuel Groß (Oct 27)
Re: WebKitGTK and WPE WebKit Security Advisory WSA-2021-0006 Salvatore Bonaccorso (Oct 27)
Re: WebKitGTK and WPE WebKit Security Advisory WSA-2021-0006 Salvatore Bonaccorso (Oct 31)
<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->