Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-Id: <1528987730.4808.1@mail.igalia.com>
Date: Thu, 14 Jun 2018 09:48:50 -0500
From: Michael Catanzaro <mcatanzaro@...lia.com>
To: webkit-gtk@...ts.webkit.org, webkit-wpe@...ts.webkit.org
Cc: security@...kit.org, distributor-list@...me.org,
	oss-security@...ts.openwall.com, bugtraq@...urityfocus.com
Subject: WebKitGTK+ and WPE WebKit Security Advisory WSA-2018-0005

------------------------------------------------------------------------
WebKitGTK+ and WPE WebKit Security Advisory                WSA-2018-0005
------------------------------------------------------------------------

Date reported           : June 13, 2018
Advisory ID             : WSA-2018-0005
WebKitGTK+ Advisory URL : 
https://webkitgtk.org/security/WSA-2018-0005.html
WPE WebKit Advisory URL : 
https://wpewebkit.org/security/WSA-2018-0005.html
CVE identifiers         : CVE-2018-4190, CVE-2018-4192, CVE-2018-4199,
                          CVE-2018-4201, CVE-2018-4214, CVE-2018-4218,
                          CVE-2018-4222, CVE-2018-4232, CVE-2018-4233,
                          CVE-2018-11646, CVE-2018-11712,
                          CVE-2018-11713, CVE-2018-12293,
                          CVE-2018-12294.

Several vulnerabilities were discovered in WebKitGTK+ and WPE WebKit.

CVE-2018-4190
    Versions affected: WebKitGTK+ before 2.20.3 and WPE WebKit before
    2.20.1.
    Credit to Jun Kokatsu (@shhnjk).
    Impact: Visiting a maliciously crafted website may leak sensitive
    data. Description: Credentials were unexpectedly sent when fetching
    CSS mask images. This was addressed by using a CORS-enabled fetch
    method.

CVE-2018-4192
    Versions affected: WebKitGTK+ before 2.20.1.
    Credit to Markus Gaasedelen, Nick Burnett, and Patrick Biernat of
    Ret2 Systems, Inc working with Trend Micro's Zero Day Initiative.
    Impact: Processing maliciously crafted web content may lead to
    arbitrary code execution. Description: A race condition was
    addressed with improved locking.

CVE-2018-4199
    Versions affected: WebKitGTK+ before 2.20.3 and WPE WebKit before
    2.20.1.
    Credit to Alex Plaskett, Georgi Geshev, Fabi Beterke, and Nils of
    MWR Labs working with Trend Micro's Zero Day Initiative.
    Impact: Processing maliciously crafted web content may lead to
    arbitrary code execution. Description: A buffer overflow issue was
    addressed with improved memory handling.

CVE-2018-4201
    Versions affected: WebKitGTK+ before 2.20.1.
    Credit to an anonymous researcher.
    Impact: Processing maliciously crafted web content may lead to
    arbitrary code execution. Description: Multiple memory corruption
    issues were addressed with improved memory handling.

CVE-2018-4214
    Versions affected: WebKitGTK+ before 2.20.0.
    Credit to OSS-Fuzz.
    Impact: Processing maliciously crafted web content may lead to an
    unexpected application crash. Description: A memory corruption issue
    was addressed with improved input validation.

CVE-2018-4218
    Versions affected: WebKitGTK+ before 2.20.3 and WPE WebKit before
    2.20.1.
    Credit to Natalie Silvanovich of Google Project Zero.
    Impact: Processing maliciously crafted web content may lead to
    arbitrary code execution. Description: Multiple memory corruption
    issues were addressed with improved memory handling.

CVE-2018-4222
    Versions affected: WebKitGTK+ before 2.20.3 and WPE WebKit before
    2.20.1.
    Credit to Natalie Silvanovich of Google Project Zero.
    Impact: Processing maliciously crafted web content may lead to
    arbitrary code execution. Description: An out-of-bounds read was
    addressed with improved input validation.

CVE-2018-4232
    Versions affected: WebKitGTK+ before 2.20.3 and WPE WebKit before
    2.20.1.
    Credit to Aymeric Chaib.
    Impact: Visiting a maliciously crafted website may lead to cookies
    being overwritten. Description: A permissions issue existed in the
    handling of web browser cookies. This issue was addressed with
    improved restrictions.

CVE-2018-4233
    Versions affected: WebKitGTK+ before 2.20.3 and WPE WebKit before
    2.20.1.
    Credit to Samuel Groß (@5aelo) working with Trend Micro's Zero Day
    Initiative.
    Impact: Processing maliciously crafted web content may lead to
    arbitrary code execution. Description: Multiple memory corruption
    issues were addressed with improved memory handling.

CVE-2018-11646
    Versions affected: WebKitGTK+ before 2.20.3 and WPE WebKit before
    2.20.1.
    Credit to Mishra Dhiraj.
    Maliciously crafted web content could trigger an application crash
    in WebKitFaviconDatabase, caused by mishandling unexpected input.

CVE-2018-11712
    Versions affected: WebKitGTK+ 2.20.0 and 2.20.1.
    Credit to Metrological Group B.V.
    The libsoup network backend of WebKit failed to perform TLS
    certificate verification for WebSocket connections.

CVE-2018-11713
    Versions affected: WebKitGTK+ before 2.20.0 or without libsoup
    2.62.0.
    Credit to Dirkjan Ochtman.
    The libsoup network backend of WebKit unexpectedly failed to use
    system proxy settings for WebSocket connections. As a result, users
    could be deanonymized by crafted web sites via a WebSocket
    connection.

CVE-2018-12293
    Versions affected: WebKitGTK+ before 2.20.3 and WPE WebKit before
    2.20.1.
    Credit to ADlab of Venustech.
    Maliciously crafted web content could achieve a heap buffer overflow
    in ImageBufferCairo by exploiting multiple integer overflow issues.

CVE-2018-12294
    Versions affected: WebKitGTK+ before 2.20.2.
    Credit to ADlab of Venustech.
    Maliciously crafted web content could trigger a use-after-free of a
    TextureMapperLayer object.


We recommend updating to the latest stable versions of WebKitGTK+ and
WPE WebKit. It is the best way to ensure that you are running a safe
version of WebKit. Please check our websites for information about the
latest stable releases.

Further information about WebKitGTK+ and WPE WebKit security advisories
can be found at https://webkitgtk.org/security.html or
https://wpewebkit.org/security/.

The WebKitGTK+ and WPE WebKit team,
June 13, 2018

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.