|
Date: Wed, 04 Apr 2018 13:46:20 -0500 From: Michael Catanzaro <mcatanzaro@...lia.com> To: webkit-gtk@...ts.webkit.org Cc: security@...kit.org, distributor-list@...me.org, oss-security@...ts.openwall.com, bugtraq@...urityfocus.com Subject: WebKitGTK+ Security Advisory WSA-2018-0003 ------------------------------------------------------------------------ WebKitGTK+ Security Advisory WSA-2018-0003 ------------------------------------------------------------------------ Date reported : April 04, 2018 Advisory ID : WSA-2018-0003 Advisory URL : https://webkitgtk.org/security/WSA-2018-0003.html CVE identifiers : CVE-2018-4101, CVE-2018-4113, CVE-2018-4114, CVE-2018-4117, CVE-2018-4118, CVE-2018-4119, CVE-2018-4120, CVE-2018-4122, CVE-2018-4125, CVE-2018-4127, CVE-2018-4128, CVE-2018-4129, CVE-2018-4133, CVE-2018-4146, CVE-2018-4161, CVE-2018-4162, CVE-2018-4163, CVE-2018-4165. Several vulnerabilities were discovered in WebKitGTK+. CVE-2018-4101 Versions affected: WebKitGTK+ before 2.20.0. Credit to Yuan Deng of Ant-financial Light-Year Security Lab. Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed with improved memory handling. CVE-2018-4113 Versions affected: WebKitGTK+ before 2.20.0. Credit to OSS-Fuzz. Impact: Unexpected interaction with indexing types causing an ASSERT failure. Description: An array indexing issue existed in the handling of a function in JavaScriptCore. This issue was addressed through improved checks. CVE-2018-4114 Versions affected: WebKitGTK+ before 2.20.0. Credit to OSS-Fuzz. Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed with improved memory handling. CVE-2018-4117 Versions affected: WebKitGTK+ before 2.20.0. Credit to an anonymous researcher. Impact: A malicious website may exfiltrate data cross-origin. Description: A cross-origin issue existed with the fetch API. This was addressed through improved input validation. CVE-2018-4118 Versions affected: WebKitGTK+ before 2.18.1. Credit to Jun Kokatsu (@shhnjk). Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed with improved memory handling. CVE-2018-4119 Versions affected: WebKitGTK+ before 2.20.0. Credit to an anonymous researcher working with Trend Micro’s Zero Day Initiative. Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed with improved memory handling. CVE-2018-4120 Versions affected: WebKitGTK+ before 2.20.0. Credit to Hanming Zhang (@4shitak4) of Qihoo 360 Vulcan Team. Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed with improved memory handling. CVE-2018-4122 Versions affected: WebKitGTK+ before 2.20.0. Credit to WanderingGlitch of Trend Micro's Zero Day Initiative. Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed with improved memory handling. CVE-2018-4125 Versions affected: WebKitGTK+ before 2.20.0. Credit to WanderingGlitch of Trend Micro's Zero Day Initiative. Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed with improved memory handling. CVE-2018-4127 Versions affected: WebKitGTK+ before 2.20.0. Credit to an anonymous researcher working with Trend Micro’s Zero Day Initiative. Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed with improved memory handling. CVE-2018-4128 Versions affected: WebKitGTK+ before 2.20.0. Credit to Zach Markley. Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed with improved memory handling. CVE-2018-4129 Versions affected: WebKitGTK+ before 2.20.0. Credit to likemeng of Baidu Security Lab working with Trend Micro's Zero Day Initiative. Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed with improved memory handling. CVE-2018-4133 Versions affected: WebKitGTK+ before 2.20.0. Credit to Anton Lopanitsyn of Wallarm, Linus Särud of Detectify (detectify.com), Yuji Tounai of NTT Communications Corporation. Impact: Visiting a maliciously crafted website may lead to a cross- site scripting attack. Description: A cross-site scripting issue existed in WebKit. This issue was addressed with improved URL validation. CVE-2018-4146 Versions affected: WebKitGTK+ before 2.20.0. Credit to OSS-Fuzz. Impact: Processing maliciously crafted web content may lead to a denial of service. Description: A memory corruption issue was addressed through improved input validation. CVE-2018-4161 Versions affected: WebKitGTK+ before 2.20.0. Credit to WanderingGlitch of Trend Micro's Zero Day Initiative. Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed with improved memory handling. CVE-2018-4162 Versions affected: WebKitGTK+ before 2.20.0. Credit to WanderingGlitch of Trend Micro's Zero Day Initiative. Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed with improved memory handling. CVE-2018-4163 Versions affected: WebKitGTK+ before 2.20.0. Credit to WanderingGlitch of Trend Micro's Zero Day Initiative. Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed with improved memory handling. CVE-2018-4165 Versions affected: WebKitGTK+ before 2.20.0. Credit to Hanming Zhang (@4shitak4) of Qihoo 360 Vulcan Team. Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed with improved memory handling. We recommend updating to the last stable version of WebKitGTK+. It is the best way of ensuring that you are running a safe version of WebKitGTK+. Please check our website for information about the last stable releases. Further information about WebKitGTK+ Security Advisories can be found at: https://webkitgtk.org/security.html The WebKitGTK+ team, April 04, 2018
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.