SUSE-SU-2025:4416-1

Описание

This update for webkit2gtk3 fixes the following issues:

Update to version 2.50.3.

Security issues fixed:

• CVE-2025-13502: processing of maliciously crafted payloads by the GLib remote inspector server may lead to a UIProcess crash due to an out-of-bounds read and an integer underflow (bsc#1254208).
• CVE-2025-13947: use of the file drag-and-drop mechanism may lead to remote information disclosure due to a lack of verification of the origins of drag operations (bsc#1254473).
• CVE-2025-43392: websites may exfiltrate image data cross-origin due to issues with cache handling (bsc#1254165).
• CVE-2025-43421: processing maliciously crafted web content may lead to an unexpected process crash due to enabled array allocation sinking (bsc#1254167).
• CVE-2025-43425: processing maliciously crafted web content may lead to an unexpected process crash due to improper memory handling (bsc#1254168).
• CVE-2025-43427: processing maliciously crafted web content may lead to an unexpected process crash due to issues with state management (bsc#1254169).
• CVE-2025-43429: processing maliciously crafted web content may lead to an unexpected process crash due to a buffer overflow issue (bsc#1254174).
• CVE-2025-43430: processing maliciously crafted web content may lead to an unexpected process crash due to issues with state management (bsc#1254172).
• CVE-2025-43431: processing maliciously crafted web content may lead to memory corruption due to improper memory handling (bsc#1254170).
• CVE-2025-43432: processing maliciously crafted web content may lead to an unexpected process crash due to a use-after-free issue (bsc#1254171).
• CVE-2025-43434: processing maliciously crafted web content may lead to an unexpected process crash due to a use-after-free issue (bsc#1254179).
• CVE-2025-43440: processing maliciously crafted web content may lead to an unexpected process crash due to missing checks (bsc#1254177).
• CVE-2025-43443: processing maliciously crafted web content may lead to an unexpected process crash due to missing checks (bsc#1254176).
• CVE-2025-43458: processing maliciously crafted web content may lead to an unexpected process crash due to issues with state management (bsc#1254498).
• CVE-2025-66287: processing maliciously crafted web content may lead to an unexpected process crash due to improper memory handling (bsc#1254509).

Other issues fixed and changes:

• Version 2.50.3:
  • Fix seeking and looping of media elements that set the 'loop' property.
  • Fix several crashes and rendering issues.
• Version 2.50.2:
  • Prevent unsafe URI schemes from participating in media playback.
  • Make jsc_value_array_buffer_get_data() function introspectable.
  • Fix logging in to Google accounts that have a WebAuthn second factor configured.
  • Fix loading webkit://gpu when there are no threads configured for GPU rendering.
  • Fix rendering gradiants that use the CSS hue interpolation method.
  • Fix pasting image data from the clipboard.
  • Fix font-family selection when the font name contains spaces.
  • Fix the build with standard C libraries that lack execinfo.h, like Musl or uClibc.
  • Fix capturing canvas snapshots in the Web Inspector.
  • Fix several crashes and rendering issues.