RLSA-2021:4381

Source
https://errata.rockylinux.org/RLSA-2021:4381
Import Source
https://storage.googleapis.com/resf-osv-data/RLSA-2021:4381.json
JSON Data
https://api.osv.dev/v1/vulns/RLSA-2021:4381
Published
2021-11-09T09:15:15Z
Modified
2023-02-02T12:52:00.453832Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Moderate: GNOME security, bug fix, and enhancement update
Details

GNOME is the default desktop environment of Rocky Linux.

The following packages have been upgraded to a later upstream version: gdm (40.0), webkit2gtk3 (2.32.3). (BZ#1909300)

Security Fix(es):

  • webkitgtk: Use-after-free in AudioSourceProviderGStreamer leading to arbitrary code execution (CVE-2020-13558)

  • LibRaw: Stack buffer overflow in LibRaw::identifyprocessdng_fields() in identify.cpp (CVE-2020-24870)

  • webkitgtk: Use-after-free leading to arbitrary code execution (CVE-2020-27918)

  • webkitgtk: IFrame sandboxing policy violation (CVE-2021-1765)

  • webkitgtk: Use-after-free leading to arbitrary code execution (CVE-2021-1788)

  • webkitgtk: Type confusion issue leading to arbitrary code execution (CVE-2021-1789)

  • webkitgtk: Access to restricted ports on arbitrary servers via port redirection (CVE-2021-1799)

  • webkitgtk: IFrame sandboxing policy violation (CVE-2021-1801)

  • webkitgtk: Memory corruption issue leading to arbitrary code execution (CVE-2021-1844)

  • webkitgtk: Logic issue leading to arbitrary code execution (CVE-2021-1870)

  • webkitgtk: Logic issue leading to arbitrary code execution (CVE-2021-1871)

  • webkitgtk: Use-after-free in ImageLoader dispatchPendingErrorEvent leading to information leak and possibly code execution (CVE-2021-21775)

  • webkitgtk: Use-after-free in WebCore::GraphicsContext leading to information leak and possibly code execution (CVE-2021-21779)

  • webkitgtk: Use-after-free in fireEventListeners leading to arbitrary code execution (CVE-2021-21806)

  • webkitgtk: Integer overflow leading to arbitrary code execution (CVE-2021-30663)

  • webkitgtk: Memory corruption leading to arbitrary code execution (CVE-2021-30665)

  • webkitgtk: Logic issue leading to leak of sensitive user information (CVE-2021-30682)

  • webkitgtk: Logic issue leading to universal cross site scripting attack (CVE-2021-30689)

  • webkitgtk: Logic issue allowing access to restricted ports on arbitrary servers (CVE-2021-30720)

  • webkitgtk: Memory corruptions leading to arbitrary code execution (CVE-2021-30734)

  • webkitgtk: Cross-origin issue with iframe elements leading to universal cross site scripting attack (CVE-2021-30744)

  • webkitgtk: Memory corruptions leading to arbitrary code execution (CVE-2021-30749)

  • webkitgtk: Type confusion leading to arbitrary code execution (CVE-2021-30758)

  • webkitgtk: Use-after-free leading to arbitrary code execution (CVE-2021-30795)

  • webkitgtk: Insufficient checks leading to arbitrary code execution (CVE-2021-30797)

  • webkitgtk: Memory corruptions leading to arbitrary code execution (CVE-2021-30799)

  • webkitgtk: User may be unable to fully delete browsing history (CVE-2020-29623)

  • gnome-autoar: Directory traversal via directory symbolic links pointing outside of the destination directory (CVE-2020-36241)

  • gnome-autoar: Directory traversal via directory symbolic links pointing outside of the destination directory (incomplete CVE-2020-36241 fix) (CVE-2021-28650)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Rocky Linux 8.5 Release Notes linked from the References section.

References
Credits
    • Rocky Enterprise Software Foundation
    • Red Hat

Affected packages

Rocky Linux:8 / accountsservice

Package name: accountsservice
Purl: pkg:rpm/rocky-linux/accountsservice?distro=rocky-linux-8-5-legacy&epoch=0
Affected range type: ECOSYSTEM
Introduced: 0 (unknown introduced version; all previous versions are affected)
Fixed: 0:0.6.55-2.el8

Rocky Linux:8 / gdm

Package name: gdm
Purl: pkg:rpm/rocky-linux/gdm?distro=rocky-linux-8-5-legacy&epoch=1
Affected range type: ECOSYSTEM
Introduced: 0 (unknown introduced version; all previous versions are affected)
Fixed: 1:40.0-15.el8

Rocky Linux:8 / gnome-autoar

Package name: gnome-autoar
Purl: pkg:rpm/rocky-linux/gnome-autoar?distro=rocky-linux-8&epoch=0
Affected range type: ECOSYSTEM
Introduced: 0 (unknown introduced version; all previous versions are affected)
Fixed: 0:0.2.3-2.el8

Rocky Linux:8 / gnome-calculator

Package name: gnome-calculator
Purl: pkg:rpm/rocky-linux/gnome-calculator?distro=rocky-linux-8&epoch=0
Affected range type: ECOSYSTEM
Introduced: 0 (unknown introduced version; all previous versions are affected)
Fixed: 0:3.28.2-2.el8

Rocky Linux:8 / gnome-control-center

Package name: gnome-control-center
Purl: pkg:rpm/rocky-linux/gnome-control-center?distro=rocky-linux-8-5-legacy&epoch=0
Affected range type: ECOSYSTEM
Introduced: 0 (unknown introduced version; all previous versions are affected)
Fixed: 0:3.28.2-28.el8

Rocky Linux:8 / gnome-online-accounts

Package name: gnome-online-accounts
Purl: pkg:rpm/rocky-linux/gnome-online-accounts?distro=rocky-linux-8&epoch=0
Affected range type: ECOSYSTEM
Introduced: 0 (unknown introduced version; all previous versions are affected)
Fixed: 0:3.28.2-3.el8

Rocky Linux:8 / gnome-session

Package name: gnome-session
Purl: pkg:rpm/rocky-linux/gnome-session?distro=rocky-linux-8-5-legacy&epoch=0
Affected range type: ECOSYSTEM
Introduced: 0 (unknown introduced version; all previous versions are affected)
Fixed: 0:3.28.1-13.el8

Rocky Linux:8 / gnome-settings-daemon

Package name: gnome-settings-daemon
Purl: pkg:rpm/rocky-linux/gnome-settings-daemon?distro=rocky-linux-8-5-legacy&epoch=0
Affected range type: ECOSYSTEM
Introduced: 0 (unknown introduced version; all previous versions are affected)
Fixed: 0:3.32.0-16.el8

Rocky Linux:8 / gnome-settings-daemon

Package name: gnome-settings-daemon
Purl: pkg:rpm/rocky-linux/gnome-settings-daemon?distro=rocky-linux-8&epoch=0
Affected range type: ECOSYSTEM
Introduced: 0 (unknown introduced version; all previous versions are affected)
Fixed: 0:3.32.0-16.el8_6.1

Rocky Linux:8 / gnome-shell

Package name: gnome-shell
Purl: pkg:rpm/rocky-linux/gnome-shell?distro=rocky-linux-8-5-legacy&epoch=0
Affected range type: ECOSYSTEM
Introduced: 0 (unknown introduced version; all previous versions are affected)
Fixed: 0:3.32.2-40.el8

Rocky Linux:8 / gnome-shell-extensions

Package name: gnome-shell-extensions
Purl: pkg:rpm/rocky-linux/gnome-shell-extensions?distro=rocky-linux-8-5-legacy&epoch=0
Affected range type: ECOSYSTEM
Introduced: 0 (unknown introduced version; all previous versions are affected)
Fixed: 0:3.32.1-20.el8

Rocky Linux:8 / gnome-software

Package name: gnome-software
Purl: pkg:rpm/rocky-linux/gnome-software?distro=rocky-linux-8&epoch=0
Affected range type: ECOSYSTEM
Introduced: 0 (unknown introduced version; all previous versions are affected)
Fixed: 0:3.36.1-10.el8

Rocky Linux:8 / gsettings-desktop-schemas

Package name: gsettings-desktop-schemas
Purl: pkg:rpm/rocky-linux/gsettings-desktop-schemas?distro=rocky-linux-8&epoch=0
Affected range type: ECOSYSTEM
Introduced: 0 (unknown introduced version; all previous versions are affected)
Fixed: 0:3.32.0-6.el8

Rocky Linux:8 / gtk3

Package name: gtk3
Purl: pkg:rpm/rocky-linux/gtk3?distro=rocky-linux-8-5-legacy&epoch=0
Affected range type: ECOSYSTEM
Introduced: 0 (unknown introduced version; all previous versions are affected)
Fixed: 0:3.22.30-8.el8

Rocky Linux:8 / LibRaw

Package name: LibRaw
Purl: pkg:rpm/rocky-linux/LibRaw?distro=rocky-linux-8&epoch=0
Affected range type: ECOSYSTEM
Introduced: 0 (unknown introduced version; all previous versions are affected)
Fixed: 0:0.19.5-3.el8

Rocky Linux:8 / mutter

Package name: mutter
Purl: pkg:rpm/rocky-linux/mutter?distro=rocky-linux-8-5-legacy&epoch=0
Affected range type: ECOSYSTEM
Introduced: 0 (unknown introduced version; all previous versions are affected)
Fixed: 0:3.32.2-60.el8

Rocky Linux:8 / vino

Package name: vino
Purl: pkg:rpm/rocky-linux/vino?distro=rocky-linux-8&epoch=0
Affected range type: ECOSYSTEM
Introduced: 0 (unknown introduced version; all previous versions are affected)
Fixed: 0:3.22.0-11.el8

Rocky Linux:8 / webkit2gtk3

Package name: webkit2gtk3
Purl: pkg:rpm/rocky-linux/webkit2gtk3?distro=rocky-linux-8-5-legacy&epoch=0
Affected range type: ECOSYSTEM
Introduced: 0 (unknown introduced version; all previous versions are affected)
Fixed: 0:2.32.3-2.el8