Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <27cedcfc-2c7d-ac58-d2e0-f7e2c92beeb7@igalia.com>
Date: Thu, 6 Apr 2017 21:26:56 +0200
From: Carlos Alberto Lopez Perez <clopez@...lia.com>
To: "webkit-gtk@...ts.webkit.org" <webkit-gtk@...ts.webkit.org>
Cc: security@...kit.org, distributor-list@...me.org,
 oss-security@...ts.openwall.com, bugtraq@...urityfocus.com
Subject: WebKitGTK+ Security Advisory WSA-2017-0003

------------------------------------------------------------------------
WebKitGTK+ Security Advisory                               WSA-2017-0003
------------------------------------------------------------------------

Date reported      : April 06, 2017
Advisory ID        : WSA-2017-0003
Advisory URL       : https://webkitgtk.org/security/WSA-2017-0003.html
CVE identifiers    : CVE-2016-9642, CVE-2016-9643, CVE-2017-2364,
                     CVE-2017-2367, CVE-2017-2376, CVE-2017-2377,
                     CVE-2017-2386, CVE-2017-2392, CVE-2017-2394,
                     CVE-2017-2395, CVE-2017-2396, CVE-2017-2405,
                     CVE-2017-2415, CVE-2017-2419, CVE-2017-2433,
                     CVE-2017-2442, CVE-2017-2445, CVE-2017-2446,
                     CVE-2017-2447, CVE-2017-2454, CVE-2017-2455,
                     CVE-2017-2457, CVE-2017-2459, CVE-2017-2460,
                     CVE-2017-2464, CVE-2017-2465, CVE-2017-2466,
                     CVE-2017-2468, CVE-2017-2469, CVE-2017-2470,
                     CVE-2017-2471, CVE-2017-2475, CVE-2017-2476,
                     CVE-2017-2481.

Several vulnerabilities were discovered in WebKitGTK+.

CVE-2016-9642
    Versions affected: WebKitGTK+ before 2.16.0.
    Credit to Gustavo Grieco.
    JavaScriptCore in WebKit allows attackers to cause a denial of
    service (out-of-bounds heap read) via a crafted Javascript file.

CVE-2016-9643
    Versions affected: WebKitGTK+ before 2.14.6.
    Credit to Gustavo Grieco.
    The regex code in WebKit allows remote attackers to cause a denial
    of service (memory consumption) as demonstrated in a large number of
    ($ (open parenthesis and dollar) followed by {-2,16} and a large
    number of +) (plus close parenthesis).

CVE-2017-2364
    Versions affected: WebKitGTK+ before 2.14.6.
    Credit to lokihardt of Google Project Zero.
    This issue allows remote attackers to bypass the Same Origin Policy
    and obtain sensitive information via a crafted web site.

CVE-2017-2367
    Versions affected: WebKitGTK+ before 2.14.6.
    Credit to lokihardt of Google Project Zero.
    This issue allows remote attackers to bypass the Same Origin Policy
    and obtain sensitive information via a crafted web site.

CVE-2017-2376
    Versions affected: WebKitGTK+ before 2.16.0.
    Credit to an anonymous researcher, Chris Hlady of Google Inc, Yuyang
    Zhou of Tencent Security Platform Department (security.tencent.com),
    Muneaki Nishimura (nishimunea) of Recruit Technologies Co., Ltd.,
    Michal Zalewski of Google Inc, an anonymous researcher.
    This issue allows remote attackers to spoof the address bar by
    leveraging text input during the loading of a page.

CVE-2017-2377
    Versions affected: WebKitGTK+ before 2.14.6.
    Credit to Vicki Pfau.
    This issue involves the "WebKit Web Inspector" component. It allows
    attackers to cause a denial of service (memory corruption and
    application crash) by leveraging a window-close action during a
    debugger-pause state.

CVE-2017-2386
    Versions affected: WebKitGTK+ before 2.16.0.
    Credit to André Bargull.
    This issue allows remote attackers to bypass the Same Origin Policy
    and obtain sensitive information via a crafted web site.

CVE-2017-2392
    Versions affected: WebKitGTK+ before 2.14.6.
    Credit to Max Bazaliy of Lookout.
    This issue allows attackers to execute arbitrary code or cause a
    denial of service (memory corruption) via a crafted app.

CVE-2017-2394
    Versions affected: WebKitGTK+ before 2.14.6.
    Credit to Apple.
    This issue allows remote attackers to execute arbitrary code or
    cause a denial of service (memory corruption and application crash)
    via a crafted web site.

CVE-2017-2395
    Versions affected: WebKitGTK+ before 2.16.0.
    Credit to Apple.
    This issue allows remote attackers to execute arbitrary code or
    cause a denial of service (memory corruption and application crash)
    via a crafted web site.

CVE-2017-2396
    Versions affected: WebKitGTK+ before 2.16.0.
    Credit to Apple.
    This issue allows remote attackers to execute arbitrary code or
    cause a denial of service (memory corruption and application crash)
    via a crafted web site.

CVE-2017-2405
    Versions affected: WebKitGTK+ before 2.16.0.
    Credit to Apple.
    This issue involves the "WebKit Web Inspector" component. It allows
    remote attackers to execute arbitrary code or cause a denial of
    service (memory corruption and application crash) via a crafted web
    site.

CVE-2017-2415
    Versions affected: WebKitGTK+ before 2.14.6.
    Credit to Kai Kang of Tencent's Xuanwu Lab (tentcent.com).
    This issue allows remote attackers to execute arbitrary code by
    leveraging an unspecified "type confusion.".

CVE-2017-2419
    Versions affected: WebKitGTK+ before 2.14.6.
    Credit to Nicolai Grødum of Cisco Systems.
    This issue allows remote attackers to bypass a Content Security
    Policy protection mechanism via unspecified vectors.

CVE-2017-2433
    Versions affected: WebKitGTK+ before 2.16.0.
    Credit to Apple.
    This issue allows remote attackers to execute arbitrary code or
    cause a denial of service (memory corruption and application crash)
    via a crafted web site.

CVE-2017-2442
    Versions affected: WebKitGTK+ before 2.14.6.
    Credit to lokihardt of Google Project Zero.
    This issue involves the "WebKit JavaScript Bindings" component. It
    allows remote attackers to bypass the Same Origin Policy and obtain
    sensitive information via a crafted web site.

CVE-2017-2445
    Versions affected: WebKitGTK+ before 2.16.0.
    Credit to lokihardt of Google Project Zero.
    This issue allows remote attackers to conduct Universal XSS (UXSS)
    attacks via crafted frame objects.

CVE-2017-2446
    Versions affected: WebKitGTK+ before 2.14.6.
    Credit to Natalie Silvanovich of Google Project Zero.
    This issue allows remote attackers to execute arbitrary code via a
    crafted web site that leverages the mishandling of strict mode
    functions.

CVE-2017-2447
    Versions affected: WebKitGTK+ before 2.16.0.
    Credit to Natalie Silvanovich of Google Project Zero.
    This issue allows remote attackers to obtain sensitive information
    or cause a denial of service (memory corruption) via a crafted web
    site.

CVE-2017-2454
    Versions affected: WebKitGTK+ before 2.14.6.
    Credit to Ivan Fratric of Google Project Zero.
    This issue allows allows remote attackers to execute arbitrary code
    or cause a denial of service (memory corruption and application
    crash) via a crafted web site.

CVE-2017-2455
    Versions affected: WebKitGTK+ before 2.16.0.
    Credit to Ivan Fratric of Google Project Zero.
    This issue allows remote attackers to execute arbitrary code or
    cause a denial of service (memory corruption and application crash)
    via a crafted web site.

CVE-2017-2457
    Versions affected: WebKitGTK+ before 2.16.0.
    Credit to lokihardt of Google Project Zero.
    This issue allows allows remote attackers to execute arbitrary code
    or cause a denial of service (memory corruption and application
    crash) via a crafted web site.

CVE-2017-2459
    Versions affected: WebKitGTK+ before 2.14.6.
    Credit to Ivan Fratric of Google Project Zero.
    This issue allows remote attackers to execute arbitrary code or
    cause a denial of service (memory corruption and application crash)
    via a crafted web site.

CVE-2017-2460
    Versions affected: WebKitGTK+ before 2.14.6.
    Credit to Ivan Fratric of Google Project Zero.
    This issue allows remote attackers to execute arbitrary code or
    cause a denial of service (memory corruption and application crash)
    via a crafted web site.

CVE-2017-2464
    Versions affected: WebKitGTK+ before 2.16.0.
    Credit to Jeonghoon Shin, Natalie Silvanovich of Google Project
    Zero.
    This issue allows remote attackers to execute arbitrary code or
    cause a denial of service (memory corruption and application crash)
    via a crafted web site.

CVE-2017-2465
    Versions affected: WebKitGTK+ before 2.14.6.
    Credit to Zheng Huang and Wei Yuan of Baidu Security Lab.
    This issue allows remote attackers to execute arbitrary code or
    cause a denial of service (memory corruption and application crash)
    via a crafted web site.

CVE-2017-2466
    Versions affected: WebKitGTK+ before 2.14.6.
    Credit to Ivan Fratric of Google Project Zero.
    This issue allows remote attackers to execute arbitrary code or
    cause a denial of service (memory corruption and application crash)
    via a crafted web site.

CVE-2017-2468
    Versions affected: WebKitGTK+ before 2.14.6.
    Credit to lokihardt of Google Project Zero.
    This issue allows remote attackers to execute arbitrary code or
    cause a denial of service (memory corruption and application crash)
    via a crafted web site.

CVE-2017-2469
    Versions affected: WebKitGTK+ before 2.16.0.
    Credit to lokihardt of Google Project Zero.
    This issue allows remote attackers to execute arbitrary code or
    cause a denial of service (memory corruption and application crash)
    via a crafted web site.

CVE-2017-2470
    Versions affected: WebKitGTK+ before 2.14.6.
    Credit to lokihardt of Google Project Zero.
    This issue allows remote attackers to execute arbitrary code or
    cause a denial of service (memory corruption and application crash)
    via a crafted web site.

CVE-2017-2471
    Versions affected: WebKitGTK+ before 2.14.6.
    Credit to Ivan Fratric of Google Project Zero.
    A use-after-free vulnerability allows remote attackers to execute
    arbitrary code via a crafted web site.

CVE-2017-2475
    Versions affected: WebKitGTK+ before 2.14.6.
    Credit to lokihardt of Google Project Zero.
    This issue allows remote attackers to conduct Universal XSS (UXSS)
    attacks via crafted use of frames on a web site.

CVE-2017-2476
    Versions affected: WebKitGTK+ before 2.14.6.
    Credit to Ivan Fratric of Google Project Zero.
    This issue allows remote attackers to execute arbitrary code or
    cause a denial of service (memory corruption and application crash)
    via a crafted web site.

CVE-2017-2481
    Versions affected: WebKitGTK+ before 2.14.6.
    Credit to 0011 working with Trend Micro's Zero Day Initiative.
    This issue allows remote attackers to execute arbitrary code or
    cause a denial of service (memory corruption and application crash)
    via a crafted web site.


We recommend updating to the last stable version of WebKitGTK+. It is
the best way of ensuring that you are running a safe version of
WebKitGTK+. Please check our website for information about the last
stable releases.

Further information about WebKitGTK+ Security Advisories can be found
at: https://webkitgtk.org/security.html

The WebKitGTK+ team,
April 06, 2017


Download attachment "signature.asc" of type "application/pgp-signature" (884 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.