[webkit-gtk] Fix CVE-2023-32435 for webkitgtk 2.38.6
Michael Catanzaro
mcatanzaro at redhat.com
Wed Sep 6 06:45:50 PDT 2023
On Wed, Sep 6 2023 at 04:23:17 PM +0800, 不会弹吉他的KK
<kai.7.kang at gmail.com> wrote:
> My question is
> 1. Is webkitgtk 2.38.6 vulnerable to CVE-2023-32435?
No clue, sorry.
> 2. If YES, how to deal with the patches with the 2 new files? If I just
> ignore them and only patch the file
> Source/JavaScriptCore/wasm/WasmSectionParser.cpp, could
> CVE-2023-32435 be fixed for 2.38.6, please?
Patching just that one file is what I would do if tasked with
backporting this fix. That said, keep in mind that only 10-20% of our
security vulnerabilities receive CVEs, so just patching CVEs is not
sufficient to provide a secure version of WebKitGTK. The 2.38 branch is
no longer secure and you should try upgrading to 2.42. (I would skip
2.40 at this point, since that branch will end next week when 2.42.0 is
released.)
Michael