oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: WebKitGTK and WPE WebKit Security Advisory WSA-2021-0006

From: Salvatore Bonaccorso <carnil () debian org>
Date: Wed, 27 Oct 2021 06:07:39 +0200
Hi,

[dropping most other recipients]

On Tue, Oct 26, 2021 at 08:05:36PM +0100, Carlos Alberto Lopez Perez wrote:

------------------------------------------------------------------------
WebKitGTK and WPE WebKit Security Advisory                 WSA-2021-0006
------------------------------------------------------------------------

Date reported           : October 26, 2021
Advisory ID             : WSA-2021-0006
WebKitGTK Advisory URL  : https://webkitgtk.org/security/WSA-2021-0006.html
WPE WebKit Advisory URL : https://wpewebkit.org/security/WSA-2021-0006.html
CVE identifiers         : CVE-2021-30846, CVE-2021-30848,
                          CVE-2021-30849, CVE-2021-30851,
                          CVE-2021-30858, CVE-2021-42762.

Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.

[...]

CVE-2021-30851
    Versions affected: WebKitGTK and WPE WebKit before 2.34.0.
    Credit to Samuel Groß of Google Project Zero.
    Impact: Processing maliciously crafted web content may lead to code
    execution. Description: A memory corruption vulnerability was
    addressed with improved locking.


CVE-2021-30851 seems to be REJECTED (cf.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30851). Is
there a typo in the CVE id for this one or did the CVE got rejected
later on? The CVE entry only states "Reason: This candidate was
withdrawn by the CVE program." so might give a light indication
towards that the CVE used has a typo and should be another one?

Can you clarify or have any insights here?

Regards,
Salvatore
Previous By Date Next
Previous By Thread Next

Current thread: