CVE-2022-29536 epiphany

Bug #1969851 reported by Jeremy Bícha
Affects                     Status        Importance  Assigned to  Milestone
epiphany-browser (Ubuntu)   Fix Released  Undecided   Unassigned
  Focal                     Fix Released  Undecided   Unassigned
  Jammy                     Fix Released  Undecided   Unassigned

Bug Description

Impact
-----
In GNOME Epiphany before 41.4 and 42.x before 42.2, an HTML document can trigger a client buffer overflow (in ephy_string_shorten in the UI process) via a long page title. The issue occurs because the number of bytes for a UTF-8 ellipsis character is not properly considered.

Testing Done
------------
I completed a build and install test.

After installing, I was able to watch a video on YouTube (I needed to install gstreamer1.0-plugins-bad first).

I was able to use Reader Mode on a blog site.

And I was able to load https://ubuntu.com/ normally.

I was unable to trigger a crash using a webpage with a long title set, but that doesn't mean the bug still couldn't be exploitable under the right conditions.

Sponsoring
----------
I am attaching a debdiff. Alternatively you could build from our VCS:

gbp clone https://salsa.debian.org/gnome-team/epiphany-browser
git checkout ubuntu/jammy
gbp buildpackage --git-builder="debuild -S -nc"
That will create the source package you can upload to your PPA.

Please upload the fix for 20.04 LTS at the same time. For simplicity, I only attached that debdiff at LP: #1955362 (which has other security fixes already fixed for 22.04 LTS).

The Ubuntu Release Team requests coordination before making any jammy-security releases this week while Ubuntu 22.04.1 LTS is prepared. However, epiphany-browser is not seeded in any Ubuntu flavor.
https://lists.ubuntu.com/archives/ubuntu-devel/2022-July/042227.html
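A constructed C illustration of the defect class the Impact section describes (added here; it is not Epiphany's ephy_string_shorten or any Ubuntu patch, and the function, its parameters and the title strings are made up): sizing the output buffer for a one-byte ellipsis while writing the three-byte UTF-8 encoding of U+2026 leaves the allocation two bytes short, and sizing from the ellipsis's encoded length fixes it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* U+2026 HORIZONTAL ELLIPSIS is three bytes in UTF-8, not one. */
#define ELLIPSIS "\xE2\x80\xA6"

/* Constructed model of the bug class: copy at most `keep` bytes of `title`,
 * append an ellipsis and NUL-terminate. `ellipsis_bytes_assumed` is the
 * ellipsis length the caller used when sizing its buffer: 1 models the bug,
 * strlen(ELLIPSIS) models the fix. To keep this demo memory-safe the buffer
 * is always allocated at the true size; *overflow_bytes reports how far past
 * the caller's assumed capacity the write would have gone.
 * Returns a malloc'd string (caller frees) or NULL on allocation failure. */
char *shorten_title(const char *title, size_t keep,
                    size_t ellipsis_bytes_assumed, size_t *overflow_bytes)
{
    size_t len = strlen(title);
    *overflow_bytes = 0;
    if (len <= keep) {                          /* nothing to shorten */
        char *copy = malloc(len + 1);
        if (copy) memcpy(copy, title, len + 1);
        return copy;
    }
    /* Never cut inside a multi-byte sequence: UTF-8 continuation bytes are
     * 10xxxxxx, so back up while one sits at the cut point. */
    while (keep > 0 && ((unsigned char)title[keep] & 0xC0) == 0x80)
        keep--;

    size_t ell     = strlen(ELLIPSIS);
    size_t assumed = keep + ellipsis_bytes_assumed + 1; /* what the caller sized */
    size_t needed  = keep + ell + 1;                    /* what is really written */
    if (needed > assumed)
        *overflow_bytes = needed - assumed;             /* 2 bytes with the bug */

    char *out = malloc(needed);
    if (!out) return NULL;
    memcpy(out, title, keep);
    memcpy(out + keep, ELLIPSIS, ell);
    out[keep + ell] = '\0';
    return out;
}

int main(void)
{
    size_t over;
    const char *title = "Constructed very long page title"; /* made-up input */
    char *s = shorten_title(title, 16, 1, &over);
    printf("%s (buggy sizing is short by %zu bytes)\n", s, over);
    free(s);
    s = shorten_title(title, 16, strlen(ELLIPSIS), &over);
    printf("%s (fixed sizing is short by %zu bytes)\n", s, over);
    free(s);
    return 0;
}
```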

Launchpad Janitor (janitor) wrote:

This bug was fixed in the package epiphany-browser - 42.2-1

---------------
epiphany-browser (42.2-1) unstable; urgency=high

  * New upstream release
    - Includes fix for CVE-2022-29536 (Closes: #1009959) (LP: #1969851)

 -- Jeremy Bicha <email address hidden> Thu, 21 Apr 2022 17:01:00 -0400

Changed in epiphany-browser (Ubuntu):
status: Confirmed → Fix Released
Jeremy Bícha (jbicha)
no longer affects: epiphany-browser (Ubuntu Impish)
Jeremy Bícha (jbicha) wrote:
description: updated
Changed in epiphany-browser (Ubuntu Focal):
status: New → Confirmed
Changed in epiphany-browser (Ubuntu Jammy):
status: New → Confirmed
Jeremy Bícha (jbicha)
description: updated
Marc Deslauriers (mdeslaur) wrote:

ACK on the debdiff in comment #2. It is building in the security team PPA here:

https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages

Once it has finished building, please test it and detail the testing performed in this bug, and we will release it as a security update. Thanks!

Jeremy Bícha (jbicha) wrote:

I installed epiphany-browser 42.1-1ubuntu1 from the proposed PPA on to Ubuntu 22.04.1 LTS (release candidate).

After installing, I was able to watch a video on YouTube (I needed to install gstreamer1.0-plugins-bad first).

I was able to use Reader Mode on a blog site.

And I was able to load https://ubuntu.com/ normally.

I was also able to view pages with long page titles without crashing (but I could do that before this update too).

Launchpad Janitor (janitor) wrote:

This bug was fixed in the package epiphany-browser - 3.36.4-0ubuntu2

---------------
epiphany-browser (3.36.4-0ubuntu2) focal-security; urgency=medium

  * SECURITY UPDATE: Fix memory corruption in ephy_string_shorten()
    - CVE-2022-29536 (LP: #1969851)
  * SECURITY UPDATE: Multiple XSS issues (LP: #1955362)
    - CVE-2021-45085 XSS exploit possible from the Most Visited page
    - CVE-2021-45086 XSS exploit possible with a PDF's suggested filename
    - CVE-2021-45087 XSS exploit possible in View Source or Reader Mode
    - CVE-2021-45087 XSS exploit possible via error pages

 -- Jeremy Bicha <email address hidden> Sun, 31 Jul 2022 16:32:14 -0400

Changed in epiphany-browser (Ubuntu Focal):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package epiphany-browser - 42.1-1ubuntu1

---------------
epiphany-browser (42.1-1ubuntu1) jammy-security; urgency=medium

  * SECURITY UPDATE: Fix memory corruption in ephy_string_shorten()
    - CVE-2022-29536 (LP: #1969851)

 -- Jeremy Bicha <email address hidden> Sun, 31 Jul 2022 15:53:30 -0400

Changed in epiphany-browser (Ubuntu Jammy):
status: Confirmed → Fix Released
This report contains Public Security information  
Everyone can see this security related information.
