WebKitGTK+ Security Advisory WSA-2017-0009

From: Carlos Alberto Lopez Perez <clopez@igalia.com>
To: webkit-gtk@lists.webkit.org <webkit-gtk@lists.webkit.org>
Cc: security@webkit.org,distributor-list@gnome.org,oss-security@lists.openwall.com,bugtraq@securityfocus.com
Subject: WebKitGTK+ Security Advisory WSA-2017-0009
Date:


------------------------------------------------------------------------
WebKitGTK+ Security Advisory                               WSA-2017-0009
------------------------------------------------------------------------

Date reported      : November 10, 2017
Advisory ID        : WSA-2017-0009
Advisory URL       : https://webkitgtk.org/security/WSA-2017-0009.html
CVE identifiers    : CVE-2017-13783, CVE-2017-13784, CVE-2017-13785,
                     CVE-2017-13788, CVE-2017-13791, CVE-2017-13792,
                     CVE-2017-13793, CVE-2017-13794, CVE-2017-13795,
                     CVE-2017-13796, CVE-2017-13798, CVE-2017-13802,
                     CVE-2017-13803.

Several vulnerabilities were discovered in WebKitGTK+.

CVE-2017-13783
    Versions affected: WebKitGTK+ before 2.18.1.
    Credit to Ivan Fratric of Google Project Zero.
    Impact: Processing maliciously crafted web content may lead to
    arbitrary code execution. Description: Multiple memory corruption
    issues were addressed with improved memory handling.

CVE-2017-13784
    Versions affected: WebKitGTK+ before 2.18.1.
    Credit to Ivan Fratric of Google Project Zero.
    Impact: Processing maliciously crafted web content may lead to
    arbitrary code execution. Description: Multiple memory corruption
    issues were addressed with improved memory handling.

CVE-2017-13785
    Versions affected: WebKitGTK+ before 2.18.1.
    Credit to Ivan Fratric of Google Project Zero.
    Impact: Processing maliciously crafted web content may lead to
    arbitrary code execution. Description: Multiple memory corruption
    issues were addressed with improved memory handling.

CVE-2017-13788
    Versions affected: WebKitGTK+ before 2.18.3.
    Credit to xisigr of Tencent's Xuanwu Lab (tencent.com).
    Impact: Processing maliciously crafted web content may lead to
    arbitrary code execution. Description: Multiple memory corruption
    issues were addressed with improved memory handling.

CVE-2017-13791
    Versions affected: WebKitGTK+ before 2.18.1.
    Credit to Ivan Fratric of Google Project Zero.
    Impact: Processing maliciously crafted web content may lead to
    arbitrary code execution. Description: Multiple memory corruption
    issues were addressed with improved memory handling.

CVE-2017-13792
    Versions affected: WebKitGTK+ before 2.18.1.
    Credit to Ivan Fratric of Google Project Zero.
    Impact: Processing maliciously crafted web content may lead to
    arbitrary code execution. Description: Multiple memory corruption
    issues were addressed with improved memory handling.

CVE-2017-13793
    Versions affected: WebKitGTK+ before 2.18.1.
    Credit to Hanul Choi working with Trend Micro's Zero Day Initiative.
    Impact: Processing maliciously crafted web content may lead to
    arbitrary code execution. Description: Multiple memory corruption
    issues were addressed with improved memory handling.

CVE-2017-13794
    Versions affected: WebKitGTK+ before 2.18.1.
    Credit to Ivan Fratric of Google Project Zero.
    Impact: Processing maliciously crafted web content may lead to
    arbitrary code execution. Description: Multiple memory corruption
    issues were addressed with improved memory handling.

CVE-2017-13795
    Versions affected: WebKitGTK+ before 2.18.1.
    Credit to Ivan Fratric of Google Project Zero.
    Impact: Processing maliciously crafted web content may lead to
    arbitrary code execution. Description: Multiple memory corruption
    issues were addressed with improved memory handling.

CVE-2017-13796
    Versions affected: WebKitGTK+ before 2.18.1.
    Credit to Ivan Fratric of Google Project Zero.
    Impact: Processing maliciously crafted web content may lead to
    arbitrary code execution. Description: Multiple memory corruption
    issues were addressed with improved memory handling.

CVE-2017-13798
    Versions affected: WebKitGTK+ before 2.18.3.
    Credit to Ivan Fratric of Google Project Zero.
    Impact: Processing maliciously crafted web content may lead to
    arbitrary code execution. Description: Multiple memory corruption
    issues were addressed with improved memory handling.

CVE-2017-13802
    Versions affected: WebKitGTK+ before 2.18.1.
    Credit to Ivan Fratric of Google Project Zero.
    Impact: Processing maliciously crafted web content may lead to
    arbitrary code execution. Description: Multiple memory corruption
    issues were addressed with improved memory handling.

CVE-2017-13803
    Versions affected: WebKitGTK+ before 2.18.3.
    Credit to chenqin (陈钦) of Ant-financial Light-Year Security.
    Impact: Processing maliciously crafted web content may lead to
    arbitrary code execution. Description: Multiple memory corruption
    issues were addressed with improved memory handling.


We recommend updating to the last stable version of WebKitGTK+. It is
the best way of ensuring that you are running a safe version of
WebKitGTK+. Please check our website for information about the last
stable releases.

Further information about WebKitGTK+ Security Advisories can be found
at: https://webkitgtk.org/security.html

The WebKitGTK+ team,
November 10, 2017





Copyright © 1995-2019 LinuxRocket.net. All rights reserved.