WebKitGTK 和 WPE WebKit 安全通报 WSA-2025-0002

WebKitGTK 和 WPE WebKit 安全通报 WSA-2025-0002
WebKitGTK和WPE WebKit发布安全公告WSA-2025-0002，披露三个漏洞： CVE-2024-44192可能导致进程崩溃；CVE-2024-54467可被用于跨站数据窃取；CVE-2025-24201可能突破Web内容沙盒。建议更新至最新稳定版本以修复问题。 2025-3-20 18:46:0 Author: seclists.org(查看原文) 阅读量:16 收藏

oss-sec mailing list archives

From: Adrian Perez de Castro <aperez () igalia com>
Date: Thu, 20 Mar 2025 14:25:59 +0200

------------------------------------------------------------------------
WebKitGTK and WPE WebKit Security Advisory                 WSA-2025-0002
------------------------------------------------------------------------

Date reported           : March 20, 2025
Advisory ID             : WSA-2025-0002
WebKitGTK Advisory URL  : https://webkitgtk.org/security/WSA-2025-0002.html
WPE WebKit Advisory URL : https://wpewebkit.org/security/WSA-2025-0002.html
CVE identifiers         : CVE-2024-44192, CVE-2024-54467,
                          CVE-2025-24201.

Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.

CVE-2024-44192
    Versions affected: WebKitGTK and WPE WebKit before 2.48.0.
    Credit to Tashita Software Security.
    Impact: Processing maliciously crafted web content may lead to an
    unexpected process crash. Description: The issue was addressed with
    improved checks.
    WebKit Bugzilla: 268770

CVE-2024-54467
    Versions affected: WebKitGTK and WPE WebKit before 2.48.0.
    Credit to Narendra Bhati, Manager of Cyber Security At Suma Soft Pvt. Ltd,
    Pune (India).
    Impact: A malicious website may exfiltrate data cross-origin.
    Description: A cookie management issue was addressed with improved
    state management.
    WebKit Bugzilla: 287874

CVE-2025-24201
    Versions affected: WebKitGTK before 2.48.0 and WPE WebKit before
    2.46.7.
    Credit to Apple.
    Impact: Maliciously crafted web content may be able to break out of
    Web Content sandbox. This is a supplementary fix for an attack that
    was blocked in iOS 17.2. (Apple is aware of a report that this issue
    may have been exploited in an extremely sophisticated attack against
    specific targeted individuals on versions of iOS before iOS 17.2.).
    Description: An out-of-bounds write issue was addressed with
    improved checks to prevent unauthorized actions.
    WebKit Bugzilla: 285858

We recommend updating to the latest stable versions of WebKitGTK and WPE
WebKit. It is the best way to ensure that you are running safe versions
of WebKit. Please check our websites for information about the latest
stable releases.

Further information about WebKitGTK and WPE WebKit security advisories
can be found at: https://webkitgtk.org/security.html or
https://wpewebkit.org/security.

The WebKitGTK and WPE WebKit team,

Attachment: signature.asc
Description:

Current thread:

WebKitGTK and WPE WebKit Security Advisory WSA-2025-0002 Adrian Perez de Castro (Mar 20)

文章来源: https://seclists.org/oss-sec/2025/q1/233
如有侵权请联系:admin#unsafe.sh