WebKitGTK+ Security Advisory WSA-2017-0003

Several vulnerabilities were discovered in WebKitGTK+.

  • CVE-2016-9642
    • Versions affected: WebKitGTK+ before 2.16.0.
    • Credit to Gustavo Grieco.
    • JavaScriptCore in WebKit allows attackers to cause a denial of service (out-of-bounds heap read) via a crafted Javascript file.
  • CVE-2016-9643
    • Versions affected: WebKitGTK+ before 2.14.6.
    • Credit to Gustavo Grieco.
    • The regex code in WebKit allows remote attackers to cause a denial of service (memory consumption), as demonstrated by a pattern made up of a large number of "($" (open parenthesis and dollar) sequences, followed by "{-2,16}", followed by a large number of "+)" (plus and close parenthesis) sequences.
  • CVE-2017-2364
    • Versions affected: WebKitGTK+ before 2.14.6.
    • Credit to lokihardt of Google Project Zero.
    • This issue allows remote attackers to bypass the Same Origin Policy and obtain sensitive information via a crafted web site.
  • CVE-2017-2367
    • Versions affected: WebKitGTK+ before 2.14.6.
    • Credit to lokihardt of Google Project Zero.
    • This issue allows remote attackers to bypass the Same Origin Policy and obtain sensitive information via a crafted web site.
  • CVE-2017-2376
    • Versions affected: WebKitGTK+ before 2.16.0.
    • Credit to an anonymous researcher, Chris Hlady of Google Inc, Yuyang Zhou of Tencent Security Platform Department (security.tencent.com), Muneaki Nishimura (nishimunea) of Recruit Technologies Co., Ltd., Michal Zalewski of Google Inc, an anonymous researcher.
    • This issue allows remote attackers to spoof the address bar by leveraging text input during the loading of a page.
  • CVE-2017-2377
    • Versions affected: WebKitGTK+ before 2.14.6.
    • Credit to Vicki Pfau.
    • This issue involves the “WebKit Web Inspector” component. It allows attackers to cause a denial of service (memory corruption and application crash) by leveraging a window-close action during a debugger-pause state.
  • CVE-2017-2386
    • Versions affected: WebKitGTK+ before 2.16.0.
    • Credit to André Bargull.
    • This issue allows remote attackers to bypass the Same Origin Policy and obtain sensitive information via a crafted web site.
  • CVE-2017-2392
    • Versions affected: WebKitGTK+ before 2.14.6.
    • Credit to Max Bazaliy of Lookout.
    • This issue allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted app.
  • CVE-2017-2394
    • Versions affected: WebKitGTK+ before 2.14.6.
    • Credit to Apple.
    • This issue allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site.
  • CVE-2017-2395
    • Versions affected: WebKitGTK+ before 2.16.0.
    • Credit to Apple.
    • This issue allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site.
  • CVE-2017-2396
    • Versions affected: WebKitGTK+ before 2.16.0.
    • Credit to Apple.
    • This issue allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site.
  • CVE-2017-2405
    • Versions affected: WebKitGTK+ before 2.16.0.
    • Credit to Apple.
    • This issue involves the “WebKit Web Inspector” component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site.
  • CVE-2017-2415
    • Versions affected: WebKitGTK+ before 2.14.6.
    • Credit to Kai Kang of Tencent’s Xuanwu Lab (tencent.com).
    • This issue allows remote attackers to execute arbitrary code by leveraging an unspecified “type confusion”.
  • CVE-2017-2419
    • Versions affected: WebKitGTK+ before 2.14.6.
    • Credit to Nicolai Grødum of Cisco Systems.
    • This issue allows remote attackers to bypass a Content Security Policy protection mechanism via unspecified vectors.
  • CVE-2017-2433
    • Versions affected: WebKitGTK+ before 2.16.0.
    • Credit to Apple.
    • This issue allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site.
  • CVE-2017-2442
    • Versions affected: WebKitGTK+ before 2.14.6.
    • Credit to lokihardt of Google Project Zero.
    • This issue involves the “WebKit JavaScript Bindings” component. It allows remote attackers to bypass the Same Origin Policy and obtain sensitive information via a crafted web site.
  • CVE-2017-2445
    • Versions affected: WebKitGTK+ before 2.16.0.
    • Credit to lokihardt of Google Project Zero.
    • This issue allows remote attackers to conduct Universal XSS (UXSS) attacks via crafted frame objects.
  • CVE-2017-2446
    • Versions affected: WebKitGTK+ before 2.14.6.
    • Credit to Natalie Silvanovich of Google Project Zero.
    • This issue allows remote attackers to execute arbitrary code via a crafted web site that leverages the mishandling of strict mode functions.
  • CVE-2017-2447
    • Versions affected: WebKitGTK+ before 2.16.0.
    • Credit to Natalie Silvanovich of Google Project Zero.
    • This issue allows remote attackers to obtain sensitive information or cause a denial of service (memory corruption) via a crafted web site.
  • CVE-2017-2454
    • Versions affected: WebKitGTK+ before 2.14.6.
    • Credit to Ivan Fratric of Google Project Zero.
    • This issue allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site.
  • CVE-2017-2455
    • Versions affected: WebKitGTK+ before 2.16.0.
    • Credit to Ivan Fratric of Google Project Zero.
    • This issue allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site.
  • CVE-2017-2457
    • Versions affected: WebKitGTK+ before 2.16.0.
    • Credit to lokihardt of Google Project Zero.
    • This issue allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site.
  • CVE-2017-2459
    • Versions affected: WebKitGTK+ before 2.14.6.
    • Credit to Ivan Fratric of Google Project Zero.
    • This issue allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site.
  • CVE-2017-2460
    • Versions affected: WebKitGTK+ before 2.14.6.
    • Credit to Ivan Fratric of Google Project Zero.
    • This issue allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site.
  • CVE-2017-2464
    • Versions affected: WebKitGTK+ before 2.16.0.
    • Credit to Jeonghoon Shin, Natalie Silvanovich of Google Project Zero.
    • This issue allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site.
  • CVE-2017-2465
    • Versions affected: WebKitGTK+ before 2.14.6.
    • Credit to Zheng Huang and Wei Yuan of Baidu Security Lab.
    • This issue allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site.
  • CVE-2017-2466
    • Versions affected: WebKitGTK+ before 2.14.6.
    • Credit to Ivan Fratric of Google Project Zero.
    • This issue allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site.
  • CVE-2017-2468
    • Versions affected: WebKitGTK+ before 2.14.6.
    • Credit to lokihardt of Google Project Zero.
    • This issue allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site.
  • CVE-2017-2469
    • Versions affected: WebKitGTK+ before 2.16.0.
    • Credit to lokihardt of Google Project Zero.
    • This issue allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site.
  • CVE-2017-2470
    • Versions affected: WebKitGTK+ before 2.14.6.
    • Credit to lokihardt of Google Project Zero.
    • This issue allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site.
  • CVE-2017-2471
    • Versions affected: WebKitGTK+ before 2.14.6.
    • Credit to Ivan Fratric of Google Project Zero.
    • A use-after-free vulnerability allows remote attackers to execute arbitrary code via a crafted web site.
  • CVE-2017-2475
    • Versions affected: WebKitGTK+ before 2.14.6.
    • Credit to lokihardt of Google Project Zero.
    • This issue allows remote attackers to conduct Universal XSS (UXSS) attacks via crafted use of frames on a web site.
  • CVE-2017-2476
    • Versions affected: WebKitGTK+ before 2.14.6.
    • Credit to Ivan Fratric of Google Project Zero.
    • This issue allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site.
  • CVE-2017-2481
    • Versions affected: WebKitGTK+ before 2.14.6.
    • Credit to 0011 working with Trend Micro’s Zero Day Initiative.
    • This issue allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site.

We recommend updating to the latest stable version of WebKitGTK+. It is the best way of ensuring that you are running a safe version of WebKitGTK+. Please check our website for information about the latest stable releases.
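As an added example, not code from the WebKitGTK+ project, the following Python checker transcribes the two fix thresholds from this advisory and reports which of the listed CVEs a given installed version still lacks fixes for; the pkg-config module name webkit2gtk-4.0 is an assumption about the local install.

```python
# Added example (not WebKitGTK+ project code): report which CVEs from
# WSA-2017-0003 still affect a given WebKitGTK+ version.
import subprocess

# CVEs grouped by the first release that fixes them, transcribed from the advisory.
FIXED_IN = {
    "2.14.6": (
        "CVE-2016-9643", "CVE-2017-2364", "CVE-2017-2367", "CVE-2017-2377",
        "CVE-2017-2392", "CVE-2017-2394", "CVE-2017-2415", "CVE-2017-2419",
        "CVE-2017-2442", "CVE-2017-2446", "CVE-2017-2454", "CVE-2017-2459",
        "CVE-2017-2460", "CVE-2017-2465", "CVE-2017-2466", "CVE-2017-2468",
        "CVE-2017-2470", "CVE-2017-2471", "CVE-2017-2475", "CVE-2017-2476",
        "CVE-2017-2481",
    ),
    "2.16.0": (
        "CVE-2016-9642", "CVE-2017-2376", "CVE-2017-2386", "CVE-2017-2395",
        "CVE-2017-2396", "CVE-2017-2405", "CVE-2017-2433", "CVE-2017-2445",
        "CVE-2017-2447", "CVE-2017-2455", "CVE-2017-2457", "CVE-2017-2464",
        "CVE-2017-2469",
    ),
}

def parse_version(text):
    """'2.14.6' -> (2, 14, 6); missing components are padded with zeros so
    that '2.16' compares equal to '2.16.0' instead of sorting below it."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def unfixed_cves(installed):
    """Return the advisory's CVEs that still affect the given version."""
    have = parse_version(installed)
    return sorted(cve for fixed, cves in FIXED_IN.items()
                  if have < parse_version(fixed) for cve in cves)

def installed_version(module="webkit2gtk-4.0"):
    """Ask pkg-config for the installed version; None if it is unavailable.
    The module name is an assumption about the local install."""
    try:
        out = subprocess.run(["pkg-config", "--modversion", module],
                             capture_output=True, text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return None
    return out.stdout.strip()

if __name__ == "__main__":
    version = installed_version() or "2.14.6"  # constructed fallback when WebKitGTK+ is absent
    missing = unfixed_cves(version)
    print(f"WebKitGTK+ {version}: {len(missing)} unfixed CVE(s) from WSA-2017-0003")
    for cve in missing:
        print(" ", cve)
```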

Further information about WebKitGTK+ Security Advisories can be found at: https://webkitgtk.org/security.html