File _patchinfo of Package patchinfo.41904

<patchinfo incident="41904">
  <issue tracker="bnc" id="1254177">VUL-0: CVE-2025-43440: webkit2gtk3,webkitgtk3: webkitgtk: maliciously crafted web content may lead to an unexpected process crash</issue>
  <issue tracker="bnc" id="1254167">VUL-0: CVE-2025-43421: webkit2gtk3: processing maliciously crafted web content may lead to an unexpected process crash</issue>
  <issue tracker="bnc" id="1254171">VUL-0: CVE-2025-43432: webkit2gtk3,webkitgtk3: webkitgtk: maliciously crafted web content may lead to an unexpected process crash</issue>
  <issue tracker="bnc" id="1254170">VUL-0: CVE-2025-43431: webkit2gtk3,webkitgtk3: webkitgtk: maliciously crafted web content may lead to memory corruption</issue>
  <issue tracker="bnc" id="1254176">VUL-0: CVE-2025-43443: webkit2gtk3,webkitgtk3: webkitgtk: maliciously crafted web content may lead to an unexpected process crash</issue>
  <issue tracker="bnc" id="1254179">VUL-0: CVE-2025-43434: webkit2gtk3,webkitgtk3: webkitgtk: use-after-free may lead to an unexpected crash</issue>
  <issue tracker="bnc" id="1254165">VUL-0: CVE-2025-43392: webkit2gtk3: websites may exfiltrate image data cross-origin</issue>
  <issue tracker="bnc" id="1254169">VUL-0: CVE-2025-43427: webkit2gtk3: processing maliciously crafted web content may lead to an unexpected process crash</issue>
  <issue tracker="bnc" id="1254174">VUL-0: CVE-2025-43429: webkit2gtk3,webkitgtk3: webkitgtk: a buffer overflow may lead to an unexpected process crash</issue>
  <issue tracker="bnc" id="1254208">VUL-0: CVE-2025-13502: webkit2gtk3: webkit: out-of-bounds read and integer underflow vulnerability can lead to a crash</issue>
  <issue tracker="bnc" id="1254498">VUL-0: CVE-2025-43458: webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash</issue>
  <issue tracker="bnc" id="1254509">VUL-0: CVE-2025-66287: webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash</issue>
  <issue tracker="bnc" id="1254168">VUL-0: CVE-2025-43425: webkit2gtk3: processing maliciously crafted web content may lead to an unexpected process crash</issue>
  <issue tracker="bnc" id="1254473">VUL-0: CVE-2025-13947: WebKitGTK: Remote user-assisted information disclosure via file drag-and-drop</issue>
  <issue tracker="bnc" id="1254172">VUL-0: CVE-2025-43430: webkit2gtk3,webkitgtk3: webkitgtk: maliciously crafted web content may lead to an unexpected process crash</issue>
  <issue tracker="bnc" id="1254166">VUL-0: CVE-2025-43419: webkit2gtk3: processing maliciously crafted web content may lead to memory corruption</issue>
  <issue tracker="bnc" id="1254175">VUL-0: CVE-2025-43480: webkit2gtk3: webkitgtk: a malicious website may exfiltrate data cross-origin</issue>
  <issue tracker="bnc" id="1254164">VUL-0: CVE-2023-43000: webkit2gtk3: processing maliciously crafted web content may lead to memory corruption</issue>
  <issue tracker="cve" id="2025-13947"/>
  <issue tracker="cve" id="2025-43431"/>
  <issue tracker="cve" id="2025-43480"/>
  <issue tracker="cve" id="2025-43434"/>
  <issue tracker="cve" id="2025-43421"/>
  <issue tracker="cve" id="2025-43440"/>
  <issue tracker="cve" id="2023-43000"/>
  <issue tracker="cve" id="2025-43429"/>
  <issue tracker="cve" id="2025-43458"/>
  <issue tracker="cve" id="2025-13502"/>
  <issue tracker="cve" id="2025-43392"/>
  <issue tracker="cve" id="2025-43430"/>
  <issue tracker="cve" id="2025-43425"/>
  <issue tracker="cve" id="2025-43427"/>
  <issue tracker="cve" id="2025-43419"/>
  <issue tracker="cve" id="2025-43432"/>
  <issue tracker="cve" id="2025-66287"/>
  <issue tracker="cve" id="2025-43443"/>
  <packager>mgorse</packager>
  <rating>important</rating>
  <category>security</category>
  <summary>Security update for webkit2gtk3</summary>
  <description>This update for webkit2gtk3 fixes the following issues:

Update to version 2.50.3.

Security issues fixed:

- CVE-2025-13502: processing of maliciously crafted payloads by the GLib remote inspector server may lead to a
  UIProcess crash due to an out-of-bounds read and an integer underflow (bsc#1254208).
- CVE-2025-13947: use of the file drag-and-drop mechanism may lead to remote information disclosure due to a lack of
  verification of the origins of drag operations (bsc#1254473).
- CVE-2025-43392: websites may exfiltrate image data cross-origin due to issues with cache handling (bsc#1254165).
- CVE-2025-43421: processing maliciously crafted web content may lead to an unexpected process crash due to enabled
  array allocation sinking (bsc#1254167).
- CVE-2025-43425: processing maliciously crafted web content may lead to an unexpected process crash due to improper
  memory handling (bsc#1254168).
- CVE-2025-43427: processing maliciously crafted web content may lead to an unexpected process crash due to issues with
  state management (bsc#1254169).
- CVE-2025-43429: processing maliciously crafted web content may lead to an unexpected process crash due to a buffer
  overflow issue (bsc#1254174).
- CVE-2025-43430: processing maliciously crafted web content may lead to an unexpected process crash due to issues with
  state management (bsc#1254172).
- CVE-2025-43431: processing maliciously crafted web content may lead to memory corruption due to improper memory
  handling (bsc#1254170).
- CVE-2025-43432: processing maliciously crafted web content may lead to an unexpected process crash due to a
  use-after-free issue (bsc#1254171).
- CVE-2025-43434: processing maliciously crafted web content may lead to an unexpected process crash due to a
  use-after-free issue (bsc#1254179).
- CVE-2025-43440: processing maliciously crafted web content may lead to an unexpected process crash due to missing
  checks (bsc#1254177). 
- CVE-2025-43443: processing maliciously crafted web content may lead to an unexpected process crash due to missing
  checks (bsc#1254176).
- CVE-2025-43458: processing maliciously crafted web content may lead to an unexpected process crash due to issues with
  state management (bsc#1254498).
- CVE-2025-66287: processing maliciously crafted web content may lead to an unexpected process crash due to improper
  memory handling (bsc#1254509).

Other issues fixed and changes:

- Version 2.50.3:  
  * Fix seeking and looping of media elements that set the "loop" property.
  * Fix several crashes and rendering issues.
- Version 2.50.2:
  * Prevent unsafe URI schemes from participating in media playback.
  * Make jsc_value_array_buffer_get_data() function introspectable.
  * Fix logging in to Google accounts that have a WebAuthn second factor configured.
  * Fix loading webkit://gpu when there are no threads configured for GPU rendering.
  * Fix rendering gradients that use the CSS hue interpolation method.
  * Fix pasting image data from the clipboard.
  * Fix font-family selection when the font name contains spaces.
  * Fix the build with standard C libraries that lack execinfo.h, like Musl or uClibc.
  * Fix capturing canvas snapshots in the Web Inspector.
  * Fix several crashes and rendering issues.
</description>
</patchinfo>