[SECURITY] [DLA 4218-1] webkit2gtk security update

To: <debian-lts-announce@lists.debian.org>
Subject: [SECURITY] [DLA 4218-1] webkit2gtk security update
From: Emilio Pozuelo Monfort <pochu@debian.org>
Date: Mon, 16 Jun 2025 17:28:40 +0200
Message-id: <[🔎] 20250616152840.984112A1DDE@andromeda>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4218-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/               Emilio Pozuelo Monfort
June 16, 2025                                 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : webkit2gtk
Version        : 2.48.3-1~deb11u1
CVE ID         : CVE-2024-44192 CVE-2024-54467 CVE-2024-54551 CVE-2025-24201
                 CVE-2025-24208 CVE-2025-24209 CVE-2025-24213 CVE-2025-24216
                 CVE-2025-24223 CVE-2025-24264 CVE-2025-30427 CVE-2025-31204
                 CVE-2025-31205 CVE-2025-31206 CVE-2025-31215 CVE-2025-31257

The following vulnerabilities have been discovered in the WebKitGTK
web engine:

CVE-2024-44192

    Tashita Software Security discovered that processing maliciously
    crafted web content may lead to an unexpected process crash.

CVE-2024-54467

    Narendra Bhati discovered that a malicious website may exfiltrate
    data cross-origin.

CVE-2024-54551

    ajajfxhj discovered that processing web content may lead to a
    denial-of-service.

CVE-2025-24201

    Apple discovered that maliciously crafted web content may be able
    to break out of Web Content sandbox.

CVE-2025-24208

    Muhammad Zaid Ghifari and Kalimantan Utara discovered that loading
    a malicious iframe may lead to a cross-site scripting attack.

CVE-2025-24209

    Francisco Alonso and an anonymous researcher discovered that
    processing maliciously crafted web content may lead to an
    unexpected process crash.

CVE-2025-24213

    The Google V8 Security Team discovered that a type confusion issue
    could lead to memory corruption. Note that this CVE is fixed only
    on ARM architectures.  x86_64 is not vulnerable, x86 is not
    vulnerable when the SSE2 instruction set is enabled; but other
    architectures remain vulnerable.

CVE-2025-24216

    Paul Bakker discovered that processing maliciously crafted web
    content may lead to an unexpected Safari crash.

CVE-2025-24223

    rheza and an anonymous researcher discovered that processing
    maliciously crafted web content may lead to memory corruption.

CVE-2025-24264

    Gary Kwong and an anonymous researcher discovered that processing
    maliciously crafted web content may lead to an unexpected crash.

CVE-2025-30427

    rheza discovered that processing maliciously crafted web content
    may lead to an unexpected crash.

CVE-2025-31204

    Nan Wang discovered that processing maliciously crafted web
    content may lead to memory corruption.

CVE-2025-31205

    Ivan Fratric discovered that a malicious website may exfiltrate
    data cross-origin.

CVE-2025-31206

    An anonymous researcher discovered that processing maliciously
    crafted web content may lead to an unexpected process crash.

CVE-2025-31215

    Jiming Wang and Jikai Ren discovered that processing maliciously
    crafted web content may lead to an unexpected process crash.

CVE-2025-31257

    Juergen Schmied discovered that processing maliciously crafted web
    content may lead to an unexpected process crash.

For Debian 11 bullseye, these problems have been fixed in version
2.48.3-1~deb11u1.

We recommend that you upgrade your webkit2gtk packages.

For the detailed security status of webkit2gtk please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/webkit2gtk

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEcJymx+vmJZxd92Q+nUbEiOQ2gwIFAmhQOCUACgkQnUbEiOQ2
gwIN4g//bix4q7Z5VZdafz5k3dP9ACfXhd6D0LD63FrbQkMsUCi8cXl/BAlbxdsV
EKasG+sS3Yh7A/1hKDtExu2xeGVUfLER7JtIe6wak0+kwLR1eDeMZoOUZ/X/IgxM
yvek3GqiMoXiM5VppW+kvFE8K19hDw6qHbAlgeCJr1TRCJQ6r66hO7ZV/IUasVeA
X+h0t/73uJs1ACmluefvXcs40uivrXbYoZInb0tkm/CQPKyYX17w5E3qmgN6Q6Il
Wak8ONnHGV5l3+gkgO9408oEu2dMpOy+/4g6zjotnlvHZnsq9YAvJWJMAue01S37
mEiHQ3VnX68FhUpGXGpYOS+yLAevh2+8CNf0gg0v/Qw+gUnbigRw8cU3nEVRLG9b
JD+bCj08LT6wM6m3kdt9LxG1yvpS5Rz3/G49DLPmScXRayrZliDFeZEX7WvXD4un
g+auJpCvxH54t5jTzRD3dRKW8+R5vU8oWoQZHnykWSD1fSeYnrD6ZnNM7cvyI9IE
C265624DRaYUd7gNruYkORgEEZue2WxhSlFNwk20wu0hrqCAoRDAcgvCfjfOqZZ7
5TusOFTYIQwfsKfzN2KWyXn3SULl+GpxXJCXC1KZVYMJdPqIVBRFdkL5M6oOxygD
uiTF6Rug1140cavAUNZ/csMulJr9PSckglJ3JcEtN2VshI83BIs=
=juyk
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DLA 4217-1] icu security update
Next by Date: [SECURITY] [DLA 4219-1] gst-plugins-bad1.0 security update
Previous by thread: [SECURITY] [DLA 4217-1] icu security update
Next by thread: [SECURITY] [DLA 4219-1] gst-plugins-bad1.0 security update
Index(es):
- Date
- Thread