Bug 31609

Summary: epiphany new security issue CVE-2023-26081
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, davidwhodgins, nicolas.salguero, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: epiphany-3.38.2-1.2.mga8.src.rpm CVE: CVE-2023-26081
Status comment:

Description David Walser 2023-02-27 16:42:08 CET 
Fedora has issued an advisory today (February 27):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/SADQCSQKTJKTTIJMEPY7GII6IVQSKEKV/

The issue is fixed upstream in 43.1.

Mageia 8 is also affected.
David Walser 2023-02-27 16:42:25 CET

Status comment: (none) => Fixed upstream in 43.1
Whiteboard: (none) => MGA8TOO

Comment 1 Nicolas Salguero 2023-03-13 14:37:13 CET 
Suggested advisory:
========================

The updated package fixes a security vulnerability:

In Epiphany (aka GNOME Web) through 43.0, untrusted web content can trick users into exfiltrating passwords, because autofill occurs in sandboxed contexts. (CVE-2023-26081)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26081
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/SADQCSQKTJKTTIJMEPY7GII6IVQSKEKV/
========================

Updated package in core/updates_testing:
========================
epiphany-3.38.2-1.3.mga8

from SRPM:
epiphany-3.38.2-1.3.mga8.src.rpm

Source RPM: epiphany-43.0-1.mga9.src.rpm => epiphany-3.38.2-1.2.mga8.src.rpm
Version: Cauldron => 8
Status comment: Fixed upstream in 43.1 => (none)
Status: NEW => ASSIGNED
CVE: (none) => CVE-2023-26081
Whiteboard: MGA8TOO => (none)
Assignee: gnome => qa-bugs
CC: (none) => nicolas.salguero

Comment 2 Thomas Andrews 2023-03-16 18:23:01 CET 
I don't normally use Gnome, but I do have a VirtualBox guest for just this purpose.

No installation issues. Looked at a few web pages, played a Youtube video, no issues.

This looks OK to me. Validating. Advisory in Comment 1.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Whiteboard: (none) => MGA8-64-OK

Dave Hodgins 2023-03-17 23:15:36 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 3 Mageia Robot 2023-03-18 23:18:27 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0099.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED