webkitgtk-2.42.3

[Douglas R. Reno]

New point version

[Douglas R. Reno]

Release Notes

WebKitGTK 2.42.3 released!

This is a bug fix release in the stable 2.42 series.
What’s new in the WebKitGTK 2.42.3 release?

    Fix flickering while playing videos with DMA-BUF sink.
    Fix color picker being triggered in the inspector when typing “tan”.
    Do not special case the “sans” font family name.
    Fix build failure with libxml2 version 2.12.0 due to an API change.
    Fix several crashes and rendering issues.

Security Advisory:

WebKitGTK and WPE WebKit Security Advisory WSA-2023-0011

    Date Reported: December 05, 2023

    Advisory ID: WSA-2023-0011

    CVE identifiers: CVE-2023-42916, CVE-2023-42917.

Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.

    CVE-2023-42916
        Versions affected: WebKitGTK and WPE WebKit before 2.42.3.
        Credit to Clément Lecigne of Google’s Threat Analysis Group.
        Impact: Processing web content may disclose sensitive information. Apple is 
aware of a report that this issue may have been actively exploited. Description: An out-
of-bounds read was addressed with improved input validation.
        WebKit Bugzilla: 265041
    CVE-2023-42917
        Versions affected: WebKitGTK and WPE WebKit before 2.42.3.
        Credit to Clément Lecigne of Google’s Threat Analysis Group.
        Impact: Processing web content may lead to arbitrary code execution. Apple is 
aware of a report that this issue may have been actively exploited. Description: A 
memory corruption vulnerability was addressed with improved locking.
        WebKit Bugzilla: 265067

Looks like a really nasty information disclosure and arbitrary code execution vulnerability that's under active exploitation. I'll get this in tonight.

[Douglas R. Reno]

The good news is that the patch won't be required anymore!

[Douglas R. Reno]

Fixed at 2186e70dd78e5b3ee0ceaf80c537606bd2459145

SA-12.0-052 issued