epiphany December 2021 XSS issues

Bug #1955362 reported by Jeremy Bicha
258
This bug affects 1 person
Affects Status Importance Assigned to Milestone
epiphany-browser (Ubuntu)
Fix Released
Undecided
Unassigned
Focal
Fix Released
Undecided
Unassigned
Impish
Won't Fix
Undecided
Unassigned

Bug Description

Impact
------
Multiple cross-site scripting (XSS) vulnerabilities were fixed in December 2021. (Sorry for the delay.)

https://discourse.gnome.org/t/epiphany-cve-2021-45085-cve-2021-45086-cve-2021-45087-cve-2021-45088/8367

Testing Done
------------
I completed a build and install test.

After installing, I was able to watch a video on YouTube (I needed to install gstreamer1.0-plugins-bad first).

I was able to use Reader Mode on a blog site.

And I was able to load https://ubuntu.com/ normally.

I was unable to get the POC at https://gitlab.gnome.org/GNOME/epiphany/-/issues/1612
to work for me on Ubuntu 20.04 LTS.

Other Info
----------
I cherry-picked the December 2021 commits from
https://gitlab.gnome.org/GNOME/epiphany/-/commits/gnome-3-36

I skipped the "Disable Reader Mode" and "Revert Disable Reader Mode" commits since they cancel each other out.

There are some interesting translation and bugfix commits after 3.36.4 before the December commits. I didn't initially include them since they aren't needed for this security fix. But I can include them if you want.

I also cherry-picked the (required) February 2022 build fix commit.

Official backports were not provided for anything older than Epiphany 3.36 so I was unable to prepare a fix for Ubuntu 18.04 LTS ("Bionic"). That release isn't getting webkit2gtk security fixes either.

I'm also including the fix for LP: #1969851

Sponsoring
----------
I am attaching a debdiff. Alternatively you could build from our VCS:

gbp clone https://salsa.debian.org/gnome-team/epiphany-browser
git checkout ubuntu/focal
gbp buildpackage --git-builder="debuild -S -nc"
That will create the source package you can upload to your PPA

Jeremy Bicha (jbicha)
Changed in epiphany-browser (Ubuntu):
status: New → Confirmed
Changed in epiphany-browser (Ubuntu Bionic):
status: New → Confirmed
Changed in epiphany-browser (Ubuntu Focal):
status: New → Confirmed
Changed in epiphany-browser (Ubuntu Hirsute):
status: New → Confirmed
Changed in epiphany-browser (Ubuntu Impish):
status: New → Confirmed
information type: Public → Public Security
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package epiphany-browser - 41.2-1

---------------
epiphany-browser (41.2-1) unstable; urgency=high

  * New upstream release
    - Includes fixes for CVE-2021-45085, CVE-2021-45086, CVE-2021-45087,
      CVE-2021-4508 (LP: #1955362)
  * debian/copyright: minor update

 -- Jeremy Bicha <email address hidden> Sun, 19 Dec 2021 20:27:53 -0500

Changed in epiphany-browser (Ubuntu):
status: Confirmed → Fix Released
Jeremy Bicha (jbicha)
no longer affects: epiphany-browser (Ubuntu Jammy)
Changed in epiphany-browser (Ubuntu):
status: Fix Released → Confirmed
Jeremy Bicha (jbicha)
no longer affects: epiphany-browser (Ubuntu Hirsute)
Revision history for this message
Brian Murray (brian-murray) wrote :

Ubuntu 21.10 (Impish Indri) has reached end of life, so this bug will not be fixed for that specific release.

Changed in epiphany-browser (Ubuntu Impish):
status: Confirmed → Won't Fix
Jeremy Bicha (jbicha)
no longer affects: epiphany-browser (Ubuntu Bionic)
Revision history for this message
Jeremy Bicha (jbicha) wrote :
description: updated
Changed in epiphany-browser (Ubuntu):
status: Confirmed → Fix Released
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

ACK on the debdiff in comment #3. It is building in the security team PPA here:

https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages

Once it has finished building, please test it and detail the testing performed in this bug, and we will release it as a security update. Thanks!

Revision history for this message
Jeremy Bicha (jbicha) wrote (last edit ):

I installed epiphany-browser 3.36.4-0ubuntu2 from the proposed PPA on to Ubuntu 20.04.4 LTS.

After installing, I was able to watch a video on YouTube (I needed to install gstreamer1.0-plugins-bad first).

I was able to use Reader Mode on a blog site.

And I was able to load https://ubuntu.com/ normally.

I was unable to get the POC at https://gitlab.gnome.org/GNOME/epiphany/-/issues/1612 to cause a problem. I was also able to view pages with long page titles without crashing (but I could do that before this update too.)

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package epiphany-browser - 3.36.4-0ubuntu2

---------------
epiphany-browser (3.36.4-0ubuntu2) focal-security; urgency=medium

  * SECURITY UPDATE: Fix memory corruption in ephy_string_shorten()
    - CVE-2022-29536 (LP: #1969851)
  * SECURITY UPDATE: Multiple XSS issues (LP: #1955362)
    - CVE-2021-45085 XSS exploit possible from the Most Visited page
    - CVE-2021-45086 XSS exploit possible with a PDF's suggested filename
    - CVE-2021-45087 XSS exploit possible in View Source or Reader Mode
    - CVE-2021-45087 XSS exploit possible via error pages

 -- Jeremy Bicha <email address hidden> Sun, 31 Jul 2022 16:32:14 -0400

Changed in epiphany-browser (Ubuntu Focal):
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.