Описание
Security update for webkit2gtk3
This update for webkit2gtk3 fixes the following issues:
Updated to version 2.48.5:
- CVE-2025-31273: Fixed a vulnerability where processing maliciously crafted web content could lead to memory corruption. (bsc#1247564)
- CVE-2025-31278: Fixed a vulnerability where processing maliciously crafted web content may lead to memory corruption. (bsc#1247563)
- CVE-2025-43211: Fixed a vulnerability where processing web content may lead to a denial-of-service. (bsc#1247562)
- CVE-2025-43212: Fixed a vulnerability where processing maliciously crafted web content may lead to an unexpected Safari crash. (bsc#1247595)
- CVE-2025-43216: Fixed a vulnerability where processing maliciously crafted web content may lead to an unexpected Safari crash. (bsc#1247596)
- CVE-2025-43227: Fixed a vulnerability where processing maliciously crafted web content may disclose sensitive user information. (bsc#1247597)
- CVE-2025-43228: Fixed a vulnerability where visiting a malicious website may lead to address bar spoofing. (bsc#1247598)
- CVE-2025-43240: Fixed a vulnerability where a download's origin may be incorrectly associated. (bsc#1247599)
- CVE-2025-43265: Fixed a vulnerability where processing maliciously crafted web content may disclose internal states of the app. (bsc#1247600)
- CVE-2025-6558: Fixed a vulnerability where processing maliciously crafted web content may lead to an unexpected Safari crash. (bsc#1247742)
Other fixes:
- Improve emoji font selection with USE_SKIA=ON.
- Improve playback of multimedia streams from blob URLs.
- Fix the build with USE_SKIA_OPENTYPE_SVG=ON and USE_SYSPROF_CAPTURE=ON.
- Fix crash when using a WebKitWebView widget in an offscreen window.
- Fix several crashes and rendering issues.
- Fix a crash introduced by the new threaded rendering implementation using Skia API.
- Improve rendering performance by recording layers once and replaying every dirty region in different worker threads.
- Fix a crash when setting WEBKIT_SKIA_GPU_PAINTING_THREADS=0.
- Fix a reference cycle in webkitmediastreamsrc preventing its disposal.
- Increase mem_per_process again to avoid running out of memory.
Список пакетов
SUSE Enterprise Storage 7.1
SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS
SUSE Linux Enterprise Server 15 SP3-LTSS
SUSE Linux Enterprise Server for SAP Applications 15 SP3
Ссылки
- Link for SUSE-SU-2025:02766-1
- E-Mail link for SUSE-SU-2025:02766-1
- SUSE Security Ratings
- SUSE Bug 1247562
- SUSE Bug 1247563
- SUSE Bug 1247564
- SUSE Bug 1247595
- SUSE Bug 1247596
- SUSE Bug 1247597
- SUSE Bug 1247598
- SUSE Bug 1247599
- SUSE Bug 1247600
- SUSE Bug 1247742
- SUSE CVE CVE-2024-44192 page
- SUSE CVE CVE-2024-54467 page
- SUSE CVE CVE-2025-24189 page
- SUSE CVE CVE-2025-24201 page
- SUSE CVE CVE-2025-31273 page
- SUSE CVE CVE-2025-31278 page
- SUSE CVE CVE-2025-43211 page
Описание
The issue was addressed with improved checks. This issue is fixed in watchOS 11, macOS Sequoia 15, Safari 18, visionOS 2, iOS 18 and iPadOS 18, tvOS 18. Processing maliciously crafted web content may lead to an unexpected process crash.
Затронутые продукты
Ссылки
- CVE-2024-44192
- SUSE Bug 1239863
Описание
A cookie management issue was addressed with improved state management. This issue is fixed in watchOS 11, macOS Sequoia 15, Safari 18, visionOS 2, iOS 18 and iPadOS 18, tvOS 18. A malicious website may exfiltrate data cross-origin.
Затронутые продукты
Ссылки
- CVE-2024-54467
- SUSE Bug 1239864
Описание
The issue was addressed with improved checks. This issue is fixed in Safari 18.3, visionOS 2.3, iOS 18.3 and iPadOS 18.3, macOS Sequoia 15.3, watchOS 11.3, tvOS 18.3. Processing maliciously crafted web content may lead to memory corruption.
Затронутые продукты
Ссылки
- CVE-2025-24189
- SUSE Bug 1247565
Описание
An out-of-bounds write issue was addressed with improved checks to prevent unauthorized actions. This issue is fixed in visionOS 2.3.2, iOS 18.3.2 and iPadOS 18.3.2, macOS Sequoia 15.3.2, Safari 18.3.1, watchOS 11.4, iPadOS 17.7.6, iOS 16.7.11 and iPadOS 16.7.11, iOS 15.8.4 and iPadOS 15.8.4. Maliciously crafted web content may be able to break out of Web Content sandbox. This is a supplementary fix for an attack that was blocked in iOS 17.2. (Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 17.2.).
Затронутые продукты
Ссылки
- CVE-2025-24201
- SUSE Bug 1239547
Описание
The issue was addressed with improved memory handling. This issue is fixed in Safari 18.6, macOS Sequoia 15.6, iOS 18.6 and iPadOS 18.6, tvOS 18.6, watchOS 11.6, visionOS 2.6. Processing maliciously crafted web content may lead to memory corruption.
Затронутые продукты
Ссылки
- CVE-2025-31273
- SUSE Bug 1247564
Описание
The issue was addressed with improved memory handling. This issue is fixed in Safari 18.6, iPadOS 17.7.9, watchOS 11.6, visionOS 2.6, iOS 18.6 and iPadOS 18.6, macOS Sequoia 15.6, tvOS 18.6. Processing maliciously crafted web content may lead to memory corruption.
Затронутые продукты
Ссылки
- CVE-2025-31278
- SUSE Bug 1247563
Описание
The issue was addressed with improved memory handling. This issue is fixed in Safari 18.6, macOS Sequoia 15.6, iPadOS 17.7.9, iOS 18.6 and iPadOS 18.6, tvOS 18.6, watchOS 11.6, visionOS 2.6. Processing web content may lead to a denial-of-service.
Затронутые продукты
Ссылки
- CVE-2025-43211
- SUSE Bug 1247562
Описание
The issue was addressed with improved memory handling. This issue is fixed in Safari 18.6, macOS Sequoia 15.6, iOS 18.6 and iPadOS 18.6, tvOS 18.6, watchOS 11.6, visionOS 2.6. Processing maliciously crafted web content may lead to an unexpected Safari crash.
Затронутые продукты
Ссылки
- CVE-2025-43212
- SUSE Bug 1247595
Описание
A use-after-free issue was addressed with improved memory management. This issue is fixed in Safari 18.6, watchOS 11.6, iOS 18.6 and iPadOS 18.6, iPadOS 17.7.9, tvOS 18.6, macOS Sequoia 15.6, visionOS 2.6. Processing maliciously crafted web content may lead to an unexpected Safari crash.
Затронутые продукты
Ссылки
- CVE-2025-43216
- SUSE Bug 1247596
Описание
This issue was addressed through improved state management. This issue is fixed in Safari 18.6, iOS 18.6 and iPadOS 18.6, macOS Sequoia 15.6, tvOS 18.6, watchOS 11.6, visionOS 2.6. Processing maliciously crafted web content may disclose sensitive user information.
Затронутые продукты
Ссылки
- CVE-2025-43227
- SUSE Bug 1247597
Описание
The issue was addressed with improved UI. This issue is fixed in iOS 18.6 and iPadOS 18.6, Safari 18. 6. Visiting a malicious website may lead to address bar spoofing.
Затронутые продукты
Ссылки
- CVE-2025-43228
- SUSE Bug 1247598
Описание
A logic issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.6, Safari 18. 6. A download's origin may be incorrectly associated.
Затронутые продукты
Ссылки
- CVE-2025-43240
- SUSE Bug 1247599
Описание
An out-of-bounds read was addressed with improved input validation. This issue is fixed in Safari 18.6, watchOS 11.6, visionOS 2.6, iOS 18.6 and iPadOS 18.6, macOS Sequoia 15.6, tvOS 18.6. Processing maliciously crafted web content may disclose internal states of the app.
Затронутые продукты
Ссылки
- CVE-2025-43265
- SUSE Bug 1247600
Описание
Insufficient validation of untrusted input in ANGLE and GPU in Google Chrome prior to 138.0.7204.157 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Затронутые продукты
Ссылки
- CVE-2025-6558
- SUSE Bug 1246558
- SUSE Bug 1247742