FortiClient VulnerabilitySecurity Vulnerabilities fixed in LibRaw RHSA-2021:4381
Description
GNOME is the default desktop environment of Red Hat Enterprise Linux. The following packages have been upgraded to a later upstream version: gdm (40.0), webkit2gtk3 (2.32.3). (BZ#1909300) Security Fix(es): webkitgtk: Use-after-free in AudioSourceProviderGStreamer leading to arbitrary code execution (CVE-2020-13558) LibRaw: Stack buffer overflow in LibRaw::identify_process_dng_fields() in identify.cpp (CVE-2020-24870) webkitgtk: Use-after-free leading to arbitrary code execution (CVE-2020-27918) webkitgtk: IFrame sandboxing policy violation (CVE-2021-1765) webkitgtk: Use-after-free leading to arbitrary code execution (CVE-2021-1788) webkitgtk: Type confusion issue leading to arbitrary code execution (CVE-2021-1789) webkitgtk: Access to restricted ports on arbitrary servers via port redirection (CVE-2021-1799) webkitgtk: IFrame sandboxing policy violation (CVE-2021-1801) webkitgtk: Memory corruption issue leading to arbitrary code execution (CVE-2021-1844) webkitgtk: Logic issue leading to arbitrary code execution (CVE-2021-1870) webkitgtk: Logic issue leading to arbitrary code execution (CVE-2021-1871) webkitgtk: Use-after-free in ImageLoader dispatchPendingErrorEvent leading to information leak and possibly code execution (CVE-2021-21775) webkitgtk: Use-after-free in WebCore::GraphicsContext leading to information leak and possibly code execution (CVE-2021-21779) webkitgtk: Use-after-free in fireEventListeners leading to arbitrary code execution (CVE-2021-21806) webkitgtk: Integer overflow leading to arbitrary code execution (CVE-2021-30663) webkitgtk: Memory corruption leading to arbitrary code execution (CVE-2021-30665) webkitgtk: Logic issue leading to leak of sensitive user information (CVE-2021-30682) webkitgtk: Logic issue leading to universal cross site scripting attack (CVE-2021-30689) webkitgtk: Logic issue allowing access to restricted ports on arbitrary servers (CVE-2021-30720) webkitgtk: Memory corruptions leading to arbitrary code execution (CVE-2021-30734) webkitgtk: Cross-origin issue with iframe elements leading to universal cross site scripting attack (CVE-2021-30744) webkitgtk: Memory corruptions leading to arbitrary code execution (CVE-2021-30749) webkitgtk: Type confusion leading to arbitrary code execution (CVE-2021-30758) webkitgtk: Use-after-free leading to arbitrary code execution (CVE-2021-30795) webkitgtk: Insufficient checks leading to arbitrary code execution (CVE-2021-30797) webkitgtk: Memory corruptions leading to arbitrary code execution (CVE-2021-30799) webkitgtk: User may be unable to fully delete browsing history (CVE-2020-29623) gnome-autoar: Directory traversal via directory symbolic links pointing outside of the destination directory (CVE-2020-36241) gnome-autoar: Directory traversal via directory symbolic links pointing outside of the destination directory (incomplete CVE-2020-36241 fix) (CVE-2021-28650) webkitgtk: Use-after-free in AudioSourceProviderGStreamer leading to arbitrary code execution (CVE-2020-13558) LibRaw: Stack buffer overflow in LibRaw::identify_process_dng_fields() in identify.cpp (CVE-2020-24870) webkitgtk: Use-after-free leading to arbitrary code execution (CVE-2020-27918) webkitgtk: IFrame sandboxing policy violation (CVE-2021-1765) webkitgtk: Use-after-free leading to arbitrary code execution (CVE-2021-1788) webkitgtk: Type confusion issue leading to arbitrary code execution (CVE-2021-1789) webkitgtk: Access to restricted ports on arbitrary servers via port redirection (CVE-2021-1799) webkitgtk: IFrame sandboxing policy violation (CVE-2021-1801) webkitgtk: Memory corruption issue leading to arbitrary code execution (CVE-2021-1844) webkitgtk: Logic issue leading to arbitrary code execution (CVE-2021-1870) webkitgtk: Logic issue leading to arbitrary code execution (CVE-2021-1871) webkitgtk: Use-after-free in ImageLoader dispatchPendingErrorEvent leading to information leak and possibly code execution (CVE-2021-21775) webkitgtk: Use-after-free in WebCore::GraphicsContext leading to information leak and possibly code execution (CVE-2021-21779) webkitgtk: Use-after-free in fireEventListeners leading to arbitrary code execution (CVE-2021-21806) webkitgtk: Integer overflow leading to arbitrary code execution (CVE-2021-30663) webkitgtk: Memory corruption leading to arbitrary code execution (CVE-2021-30665) webkitgtk: Logic issue leading to leak of sensitive user information (CVE-2021-30682) webkitgtk: Logic issue leading to universal cross site scripting attack (CVE-2021-30689) webkitgtk: Logic issue allowing access to restricted ports on arbitrary servers (CVE-2021-30720) webkitgtk: Memory corruptions leading to arbitrary code execution (CVE-2021-30734) webkitgtk: Cross-origin issue with iframe elements leading to universal cross site scripting attack (CVE-2021-30744) webkitgtk: Memory corruptions leading to arbitrary code execution (CVE-2021-30749) webkitgtk: Type confusion leading to arbitrary code execution (CVE-2021-30758) webkitgtk: Use-after-free leading to arbitrary code execution (CVE-2021-30795) webkitgtk: Insufficient checks leading to arbitrary code execution (CVE-2021-30797) webkitgtk: Memory corruptions leading to arbitrary code execution (CVE-2021-30799) webkitgtk: User may be unable to fully delete browsing history (CVE-2020-29623) gnome-autoar: Directory traversal via directory symbolic links pointing outside of the destination directory (CVE-2020-36241) gnome-autoar: Directory traversal via directory symbolic links pointing outside of the destination directory (incomplete CVE-2020-36241 fix) (CVE-2021-28650) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.5 Release Notes linked from the References section. SolutionFor details on how to apply this update, which includes the changes described in this advisory, refer to:https://access.redhat.com/articles/11258 GDM must be restarted for this update to take effect. The GNOME session must be restarted (log out, then log back in) for this update to take effect.
Affected Applications
LibRaw
CVE References
CVE-2021-1844 CVE-2021-21806 CVE-2021-30682 CVE-2021-30689 CVE-2021-30720 CVE-2021-30663 CVE-2020-24870 CVE-2021-1788 CVE-2021-1789 CVE-2021-30665 CVE-2021-30744 CVE-2021-30799 CVE-2020-13558 CVE-2021-1765 CVE-2021-1870 CVE-2021-1871 CVE-2021-30797 CVE-2021-28650 CVE-2021-30795 CVE-2020-29623 CVE-2021-30734 CVE-2021-30749 CVE-2021-30758 CVE-2021-1801 CVE-2020-36241 CVE-2021-21775 CVE-2021-1799 CVE-2021-21779 CVE-2020-27918Other References
https://access.redhat.com/errata/RHSA-2021:4381| ID | 69665 |
| Created | Nov 13, 2021 |
| Description Updated |
Dec 20, 2023 |
| Risk |
|
| Coverage | FortiClient |
| OS | Linux |
| Vendor | RedHat |
| Patch | auto |
| Application | LibRaw |