Bug 236492

Summary: Information request for CVE-2022-22620
Product: WebKit Reporter: Gianluca Gabrielli <tuxmealux+wekbitbz>
Component: WebKit Misc.Assignee: Nobody <webkit-unassigned>
Status: RESOLVED WORKSFORME    
Severity: Normal CC: bfulgham, webkit-bug-importer, wilander
Priority: P2 Keywords: InRadar
Version: Other   
Hardware: Unspecified   
OS: Unspecified   

Description Gianluca Gabrielli 2022-02-11 01:10:16 PST 
I saw that Apple released an update to fix a wildly exploited 0day, I'm talking about CVE-2022-22620. Do you have any extra information to share? I mainly interested if other projects might be affected as well, like Chromium, gtk, qt, etc.
Comment 1 Radar WebKit Bug Importer 2022-02-11 01:10:27 PST 
<rdar://problem/88804116>
Comment 2 John Wilander 2022-02-14 18:29:13 PST 
Apple's information is disclosed in security advisories:
· https://support.apple.com/en-us/HT213092
· https://support.apple.com/en-us/HT213093

I assume you already know about those.

Other WebKit ports such as GTK disclose their own information, such as:
· https://webkitgtk.org/security.html
· https://wpewebkit.org/security/

Chromium (really Blink) forked WebKit (really WebCore) in 2014. I do not have any info on whether they are affected or not.
Comment 3 Brent Fulgham 2022-02-14 19:20:35 PST 
All members of the WebKit Security Team are aware of the details of that CVE, and the changeset that resolved it.

If you feel that you need to have access to this information (e.g., you represent a project that distributes WebKit in some fashion, or are a web engine developer) you should seek to be nominated to join the WebKit Security Team as a 'Vendor Contact' so that you will receive those same updates.