WebKitGTK+ Security Advisory WSA-2016-0004

Several vulnerabilities were discovered in WebKitGTK+.

  • CVE-2016-1854
    • Versions affected: WebKitGTK+ before 2.12.1.
    • Credit to Anonymous working with Trend Micro’s Zero Day Initiative.
    • WebKit, as used in Apple iOS before 9.3.2, Safari before 9.1.1, and tvOS before 9.2.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, a different vulnerability than CVE-2016-1855, CVE-2016-1856, and CVE-2016-1857.
  • CVE-2016-1856
    • Versions affected: WebKitGTK+ before 2.12.1.
    • Credit to lokihardt working with Trend Micro’s Zero Day Initiative.
    • WebKit, as used in Apple iOS before 9.3.2, Safari before 9.1.1, and tvOS before 9.2.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, a different vulnerability than CVE-2016-1854, CVE-2016-1855, and CVE-2016-1857.
  • CVE-2016-1857
    • Versions affected: WebKitGTK+ before 2.12.3.
    • Credit to Jeonghoon Shin@A.D.D and Liang Chen, Zhen Feng, wushi of KeenLab, Tencent working with Trend Micro’s Zero Day Initiative.
    • WebKit, as used in Apple iOS before 9.3.2, Safari before 9.1.1, and tvOS before 9.2.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, a different vulnerability than CVE-2016-1854, CVE-2016-1855, and CVE-2016-1856.
  • CVE-2016-1858
    • Versions affected: WebKitGTK+ before 2.12.0.
    • Credit to Anonymous.
    • WebKit, as used in Apple iOS before 9.3.2, Safari before 9.1.1, and tvOS before 9.2.1, improperly tracks taint attributes, which allows remote attackers to obtain sensitive information via a crafted web site.
  • CVE-2016-1859
    • Versions affected: WebKitGTK+ before 2.12.1.
    • Credit to Liang Chen, wushi of KeenLab, Tencent working with Trend Micro’s Zero Day Initiative.
    • The WebKit Canvas implementation in Apple iOS before 9.3.2, Safari before 9.1.1, and tvOS before 9.2.1 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site.

We recommend updating to the last stable version of WebKitGTK+. It is the best way of ensuring that you are running a safe version of WebKitGTK+. Please check our website for information about the last stable releases.

Further information about WebKitGTK+ Security Advisories can be found at: https://webkitgtk.org/security.html