WebKitGTK+ Security Advisory WSA-2016-0003

• Date Reported: March 31, 2016

• Advisory ID: WSA-2016-0003

• CVE identifiers: CVE-2016-1778, CVE-2016-1779, CVE-2016-1781, CVE-2016-1782, CVE-2016-1783, CVE-2016-1785, CVE-2016-1786.

Several vulnerabilities were discovered in WebKitGTK+.

• CVE-2016-1778
  • Versions affected: WebKitGTK+ before 2.10.5.
  • Credit to 0x1byte working with Trend Micro’s Zero Day Initiative (ZDI).
  • WebKit in Apple iOS before 9.3 and Safari before 9.1 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site.
• CVE-2016-1779
  • Versions affected: WebKitGTK+ before 2.10.5.
  • Credit to xisigr of Tencent’s Xuanwu Lab (http://www.tencent.com).
  • WebKit in Apple iOS before 9.3 and Safari before 9.1 allows remote attackers to bypass the Same Origin Policy and obtain physical- location data via a crafted geolocation request.
• CVE-2016-1781
  • Versions affected: WebKitGTK+ before 2.10.5.
  • Credit to Devdatta Akhawe of Dropbox, Inc.
  • WebKit in Apple iOS before 9.3 and Safari before 9.1 mishandles attachment URLs, which makes it easier for remote web servers to track users via unspecified vectors.
• CVE-2016-1782
  • Versions affected: WebKitGTK+ before 2.10.5.
  • Credit to Muneaki Nishimura (nishimunea) of Recruit Technologies Co.,Ltd.
  • WebKit in Apple iOS before 9.3 and Safari before 9.1 does not properly restrict redirects that specify a TCP port number, which allows remote attackers to bypass intended port restrictions via a crafted web site.
• CVE-2016-1783
  • Versions affected: WebKitGTK+ before 2.10.5.
  • Credit to Mihai Parparita of Google.
  • WebKit in Apple iOS before 9.3, Safari before 9.1, and tvOS before 9.2 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site.
• CVE-2016-1785
  • Versions affected: WebKitGTK+ before 2.10.5.
  • Credit to an anonymous researcher.
  • The Page Loading implementation in WebKit in Apple iOS before 9.3 and Safari before 9.1 mishandles character encoding during access to cached data, which allows remote attackers to bypass the Same Origin Policy and obtain sensitive information via a crafted web site.
• CVE-2016-1786
  • Versions affected: WebKitGTK+ before 2.10.5.
  • Credit to ma.la of LINE Corporation.
  • The Page Loading implementation in WebKit in Apple iOS before 9.3 and Safari before 9.1 mishandles HTTP responses with a 3xx (aka redirection) status code, which allows remote attackers to spoof the displayed URL, bypass the Same Origin Policy, and obtain sensitive cached information via a crafted web site.

We recommend updating to the last stable version of WebKitGTK+. It is the best way of ensuring that you are running a safe version of WebKitGTK+. Please check our website for information about the last stable releases.

Further information about WebKitGTK+ Security Advisories can be found at: https://webkitgtk.org/security.html