BugTraq
WebKitGTK+ Security Advisory WSA-2017-0002 Feb 10 2017 01:36PM
Carlos Alberto Lopez Perez (clopez igalia com)
------------------------------------------------------------------------

WebKitGTK+ Security Advisory WSA-2017-0002
------------------------------------------------------------------------

Date reported : February 10, 2017
Advisory ID : WSA-2017-0002
Advisory URL : https://webkitgtk.org/security/WSA-2017-0002.html
CVE identifiers : CVE-2017-2350, CVE-2017-2354, CVE-2017-2355,
CVE-2017-2356, CVE-2017-2362, CVE-2017-2363,
CVE-2017-2364, CVE-2017-2365, CVE-2017-2366,
CVE-2017-2369, CVE-2017-2371, CVE-2017-2373.

Several vulnerabilities were discovered in WebKitGTK+.

CVE-2017-2350
Versions affected: WebKitGTK+ before 2.14.4.
Credit to Gareth Heyes of Portswigger Web Security.
Impact: Processing maliciously crafted web content may exfiltrate
data cross-origin. Description: A prototype access issue was
addressed through improved exception handling.

CVE-2017-2354
Versions affected: WebKitGTK+ before 2.14.4.
Credit to Neymar of Tencent's Xuanwu Lab (tencent.com) working with
Trend Micro's Zero Day Initiative.
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution. Description: Multiple memory corruption
issues were addressed through improved memory handling.

CVE-2017-2355
Versions affected: WebKitGTK+ before 2.14.4.
Credit to Team Pangu and lokihardt at PwnFest 2016.
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution. Description: A memory initialization issue
was addressed through improved memory handling.

CVE-2017-2356
Versions affected: WebKitGTK+ before 2.14.4.
Credit to Team Pangu and lokihardt at PwnFest 2016.
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution. Description: Multiple memory corruption
issues were addressed through improved input validation.

CVE-2017-2362
Versions affected: WebKitGTK+ before 2.14.4.
Credit to Ivan Fratric of Google Project Zero.
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution. Description: Multiple memory corruption
issues were addressed through improved memory handling.

CVE-2017-2363
Versions affected: WebKitGTK+ before 2.14.4.
Credit to lokihardt of Google Project Zero.
Impact: Processing maliciously crafted web content may exfiltrate
data cross-origin. Description: Multiple validation issues existed
in the handling of page loading. This issue was addressed through
improved logic.

CVE-2017-2364
Versions affected: WebKitGTK+ before 2.14.4.
Credit to lokihardt of Google Project Zero.
Impact: Processing maliciously crafted web content may exfiltrate
data cross-origin. Description: Multiple validation issues existed
in the handling of page loading. This issue was addressed through
improved logic.

CVE-2017-2365
Versions affected: WebKitGTK+ before 2.14.4.
Credit to lokihardt of Google Project Zero.
Impact: Processing maliciously crafted web content may exfiltrate
data cross-origin. Description: A validation issue existed in
variable handling. This issue was addressed through improved
validation.

CVE-2017-2366
Versions affected: WebKitGTK+ before 2.14.4.
Credit to Kai Kang of Tencent's Xuanwu Lab (tencent.com).
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution. Description: Multiple memory corruption
issues were addressed through improved input validation.

CVE-2017-2369
Versions affected: WebKitGTK+ before 2.14.4.
Credit to Ivan Fratric of Google Project Zero.
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution. Description: Multiple memory corruption
issues were addressed through improved input validation.

CVE-2017-2371
Versions affected: WebKitGTK+ before 2.14.4.
Credit to lokihardt of Google Project Zero.
Impact: A malicious website can open popups. Description: An issue
existed in the handling of blocking popups. This was addressed
through improved input validation.

CVE-2017-2373
Versions affected: WebKitGTK+ before 2.14.4.
Credit to Ivan Fratric of Google Project Zero.
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution. Description: Multiple memory corruption
issues were addressed through improved memory handling.

We recommend updating to the last stable version of WebKitGTK+. It is
the best way of ensuring that you are running a safe version of
WebKitGTK+. Please check our website for information about the last
stable releases.

Further information about WebKitGTK+ Security Advisories can be found
at: https://webkitgtk.org/security.html

The WebKitGTK+ team,
February 10, 2017

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
Comment: You can fetch my GnuPG key from http://key.neutrino.es

iQIcBAEBCgAGBQJYncH5AAoJEJZQic5rlfiCq/EQAKgDTHOrdlirAFn6LmVQEksA
vxVEjh18bC8hslDJdJ4HXBfFMdnbTkrGxozZ7jKfUzNaLr/EY7A4KvM+ijMRa6bo
Yulc/SkoC28E6nqfhR4jz7x0bzUWvzfYWMD3u84vHn1Kn3K6PCPsv5+MAzXUyIXu
4vX4lWSobyyYw9p5nqCALBi/ZcMAf/Mhl2kxBZk+kX0gjG/eHFyP61Fa52UPBkZM
E7SrUia8v4Mt6He4O/KS8359RzaBOZNttZVkJiaWhozxX2jYaaheEGodrXn++zNe
Oo4qSRzRUUhzV38BNccJb5IyE1a1EttkeJZuaAuESy6beEK57qZUnxO1zTZckgI2
XCOSiTUeHKABNinSAx/utOc6/eoS4bsB2915Zs92LnE6gAknBL/LYTdH/UY8IvTF
jflkwG1+1QE5pGnFteZTjr/Uy9epz+U3T6UELNg0fQLtqMFsSNQYaIETWKAro2Pn
Lo+iTiEhJ5i8df6W+WoK6umfB0U7Sf84Y9NKIzzsN7Q6sQ4m5dqYFVcxlMw4LWBw
e20kjCfi+jMN+3qdZb4rIvH/+ca5IVUrolsETbj2xnC0XhDigWgqoBBn7vh4DUyL
AsxFiIoUEkXbP2xJWwJ4zqvcm1d4q6QUCFUjD72I8LgNUcfbzozMRO0nu1dC7Rms
FKZc972Oo+99/hJbiWwf
=uWsp
-----END PGP SIGNATURE-----

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus