------------------------------------------------------------------------ WebKitGTK+ Security Advisory WSA-2017-0002 ------------------------------------------------------------------------ Date reported : February 10, 2017 Advisory ID : WSA-2017-0002 Advisory URL : https://webkitgtk.org/security/WSA-2017-0002.html CVE identifiers : CVE-2017-2350, CVE-2017-2354, CVE-2017-2355, CVE-2017-2356, CVE-2017-2362, CVE-2017-2363, CVE-2017-2364, CVE-2017-2365, CVE-2017-2366, CVE-2017-2369, CVE-2017-2371, CVE-2017-2373. Several vulnerabilities were discovered in WebKitGTK+. CVE-2017-2350 Versions affected: WebKitGTK+ before 2.14.4. Credit to Gareth Heyes of Portswigger Web Security. Impact: Processing maliciously crafted web content may exfiltrate data cross-origin. Description: A prototype access issue was addressed through improved exception handling. CVE-2017-2354 Versions affected: WebKitGTK+ before 2.14.4. Credit to Neymar of Tencent's Xuanwu Lab (tencent.com) working with Trend Micro's Zero Day Initiative. Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed through improved memory handling. CVE-2017-2355 Versions affected: WebKitGTK+ before 2.14.4. Credit to Team Pangu and lokihardt at PwnFest 2016. Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: A memory initialization issue was addressed through improved memory handling. CVE-2017-2356 Versions affected: WebKitGTK+ before 2.14.4. Credit to Team Pangu and lokihardt at PwnFest 2016. Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed through improved input validation. CVE-2017-2362 Versions affected: WebKitGTK+ before 2.14.4. Credit to Ivan Fratric of Google Project Zero. Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed through improved memory handling. CVE-2017-2363 Versions affected: WebKitGTK+ before 2.14.4. Credit to lokihardt of Google Project Zero. Impact: Processing maliciously crafted web content may exfiltrate data cross-origin. Description: Multiple validation issues existed in the handling of page loading. This issue was addressed through improved logic. CVE-2017-2364 Versions affected: WebKitGTK+ before 2.14.4. Credit to lokihardt of Google Project Zero. Impact: Processing maliciously crafted web content may exfiltrate data cross-origin. Description: Multiple validation issues existed in the handling of page loading. This issue was addressed through improved logic. CVE-2017-2365 Versions affected: WebKitGTK+ before 2.14.4. Credit to lokihardt of Google Project Zero. Impact: Processing maliciously crafted web content may exfiltrate data cross-origin. Description: A validation issue existed in variable handling. This issue was addressed through improved validation. CVE-2017-2366 Versions affected: WebKitGTK+ before 2.14.4. Credit to Kai Kang of Tencent's Xuanwu Lab (tencent.com). Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed through improved input validation. CVE-2017-2369 Versions affected: WebKitGTK+ before 2.14.4. Credit to Ivan Fratric of Google Project Zero. Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed through improved input validation. CVE-2017-2371 Versions affected: WebKitGTK+ before 2.14.4. Credit to lokihardt of Google Project Zero. Impact: A malicious website can open popups. Description: An issue existed in the handling of blocking popups. This was addressed through improved input validation. CVE-2017-2373 Versions affected: WebKitGTK+ before 2.14.4. Credit to Ivan Fratric of Google Project Zero. Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed through improved memory handling. We recommend updating to the last stable version of WebKitGTK+. It is the best way of ensuring that you are running a safe version of WebKitGTK+. Please check our website for information about the last stable releases. Further information about WebKitGTK+ Security Advisories can be found at: https://webkitgtk.org/security.html The WebKitGTK+ team, February 10, 2017
Attachment:
signature.asc
Description: OpenPGP digital signature