This update for webkit2gtk3 fixes the following issues:
Update to version 2.50.3.
Security issues fixed:
- CVE-2025-13502: processing of maliciously crafted payloads by the GLib remote inspector server may lead to a
UIProcess crash due to an out-of-bounds read and an integer underflow (bsc#1254208).
- CVE-2025-13947: use of the file drag-and-drop mechanism may lead to remote information disclosure due to a lack of
verification of the origins of drag operations (bsc#1254473).
- CVE-2025-43392: websites may exfiltrate image data cross-origin due to issues with cache handling (bsc#1254165).
- CVE-2025-43421: processing maliciously crafted web content may lead to an unexpected process crash due to enabled
array allocation sinking (bsc#1254167).
- CVE-2025-43425: processing maliciously crafted web content may lead to an unexpected process crash due to improper
memory handling (bsc#1254168).
- CVE-2025-43427: processing maliciously crafted web content may lead to an unexpected process crash due to issues with
state management (bsc#1254169).
- CVE-2025-43429: processing maliciously crafted web content may lead to an unexpected process crash due to a buffer
overflow issue (bsc#1254174).
- CVE-2025-43430: processing maliciously crafted web content may lead to an unexpected process crash due to issues with
state management (bsc#1254172).
- CVE-2025-43431: processing maliciously crafted web content may lead to memory corruption due to improper memory
handling (bsc#1254170).
- CVE-2025-43432: processing maliciously crafted web content may lead to an unexpected process crash due to a
use-after-free issue (bsc#1254171).
- CVE-2025-43434: processing maliciously crafted web content may lead to an unexpected process crash due to a
use-after-free issue (bsc#1254179).
- CVE-2025-43440: processing maliciously crafted web content may lead to an unexpected process crash due to missing
checks (bsc#1254177).
- CVE-2025-43443: processing maliciously crafted web content may lead to an unexpected process crash due to missing
checks (bsc#1254176).
- CVE-2025-43458: processing maliciously crafted web content may lead to an unexpected process crash due to issues with
state management (bsc#1254498).
- CVE-2025-66287: processing maliciously crafted web content may lead to an unexpected process crash due to improper
memory handling (bsc#1254509).
Other issues fixed and changes:
- Version 2.50.3:
  - Fix seeking and looping of media elements that set the 'loop' property.
  - Fix several crashes and rendering issues.
- Version 2.50.2:
  - Prevent unsafe URI schemes from participating in media playback.
  - Make jsc_value_array_buffer_get_data() function introspectable.
  - Fix logging in to Google accounts that have a WebAuthn second factor configured.
  - Fix loading webkit://gpu when there are no threads configured for GPU rendering.
  - Fix rendering gradients that use the CSS hue interpolation method.
  - Fix pasting image data from the clipboard.
  - Fix font-family selection when the font name contains spaces.
  - Fix the build with standard C libraries that lack execinfo.h, like Musl or uClibc.
  - Fix capturing canvas snapshots in the Web Inspector.
  - Fix several crashes and rendering issues.