Bug 236492 - Information request for CVE-2022-22620
Summary: Information request for CVE-2022-22620
Status: RESOLVED WORKSFORME
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKit Misc. (show other bugs)
Version: Other
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Nobody
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2022-02-11 01:10 PST by Gianluca Gabrielli
Modified: 2022-02-14 19:20 PST (History)
3 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Gianluca Gabrielli 2022-02-11 01:10:16 PST 
I saw that Apple released an update to fix a wildly exploited 0day, I'm talking about CVE-2022-22620. Do you have any extra information to share? I mainly interested if other projects might be affected as well, like Chromium, gtk, qt, etc.
Comment 1 Radar WebKit Bug Importer 2022-02-11 01:10:27 PST 
<rdar://problem/88804116>
Comment 2 John Wilander 2022-02-14 18:29:13 PST 
Apple's information is disclosed in security advisories:
· https://support.apple.com/en-us/HT213092
· https://support.apple.com/en-us/HT213093

I assume you already know about those.

Other WebKit ports such as GTK disclose their own information, such as:
· https://webkitgtk.org/security.html
· https://wpewebkit.org/security/

Chromium (really Blink) forked WebKit (really WebCore) in 2014. I do not have any info on whether they are affected or not.
Comment 3 Brent Fulgham 2022-02-14 19:20:35 PST 
All members of the WebKit Security Team are aware of the details of that CVE, and the changeset that resolved it.

If you feel that you need to have access to this information (e.g., you represent a project that distributes WebKit in some fashion, or are a web engine developer) you should seek to be nominated to join the WebKit Security Team as a 'Vendor Contact' so that you will receive those same updates.