exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

WebKitGTK+ Code Execution / Cookie Handling / Memory Corruption

WebKitGTK+ Code Execution / Cookie Handling / Memory Corruption
Posted Oct 18, 2017
Authored by WebKitGTK+ Team

WebKitGTK+ has had numerous security vulnerabilities addressed including arbitrary code execution, memory corruption, cookie theft, and various other issues.

tags | advisory, arbitrary, vulnerability, code execution
advisories | CVE-2017-7081, CVE-2017-7087, CVE-2017-7089, CVE-2017-7090, CVE-2017-7091, CVE-2017-7092, CVE-2017-7093, CVE-2017-7094, CVE-2017-7095, CVE-2017-7096, CVE-2017-7098, CVE-2017-7099, CVE-2017-7100, CVE-2017-7102, CVE-2017-7104, CVE-2017-7107, CVE-2017-7109, CVE-2017-7111, CVE-2017-7117, CVE-2017-7120, CVE-2017-7142
SHA-256 | 3a18e3f692c17224ea98fd036f7468cb2c7bfb6852fc969ed1c8f78cbe39dd1d

WebKitGTK+ Code Execution / Cookie Handling / Memory Corruption

Change Mirror Download
------------------------------------------------------------------------
WebKitGTK+ Security Advisory WSA-2017-0008
------------------------------------------------------------------------

Date reported : October 18, 2017
Advisory ID : WSA-2017-0008
Advisory URL : https://webkitgtk.org/security/WSA-2017-0008.html
CVE identifiers : CVE-2017-7081, CVE-2017-7087, CVE-2017-7089,
CVE-2017-7090, CVE-2017-7091, CVE-2017-7092,
CVE-2017-7093, CVE-2017-7094, CVE-2017-7095,
CVE-2017-7096, CVE-2017-7098, CVE-2017-7099,
CVE-2017-7100, CVE-2017-7102, CVE-2017-7104,
CVE-2017-7107, CVE-2017-7109, CVE-2017-7111,
CVE-2017-7117, CVE-2017-7120, CVE-2017-7142.

Several vulnerabilities were discovered in WebKitGTK+.

CVE-2017-7081
Versions affected: WebKitGTK+ before 2.16.1.
Credit to Apple.
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution. Description: A memory corruption issue was
addressed through improved input validation.

CVE-2017-7087
Versions affected: WebKitGTK+ before 2.18.0.
Credit to Apple.
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution. Description: Multiple memory corruption
issues were addressed with improved memory handling.

CVE-2017-7089
Versions affected: WebKitGTK+ before 2.18.0.
Credit to Anton Lopanitsyn of ONSEC, Frans RosA(c)n of Detectify.
Impact: Processing maliciously crafted web content may lead to
universal cross site scripting. Description: A logic issue existed
in the handling of the parent-tab. This issue was addressed with
improved state management.

CVE-2017-7090
Versions affected: WebKitGTK+ before 2.18.0.
Credit to Apple.
Impact: Cookies belonging to one origin may be sent to another
origin. Description: A permissions issue existed in the handling of
web browser cookies. This issue was addressed by no longer returning
cookies for custom URL schemes.

CVE-2017-7091
Versions affected: WebKitGTK+ before 2.18.0.
Credit to Wei Yuan of Baidu Security Lab working with Trend Microas
Zero Day Initiative.
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution. Description: Multiple memory corruption
issues were addressed with improved memory handling.

CVE-2017-7092
Versions affected: WebKitGTK+ before 2.18.0.
Credit to Qixun Zhao (@S0rryMybad) of Qihoo 360 Vulcan Team, Samuel
Gro and Niklas Baumstark working with Trend Micro's Zero Day
Initiative.
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution. Description: Multiple memory corruption
issues were addressed with improved memory handling.

CVE-2017-7093
Versions affected: WebKitGTK+ before 2.18.0.
Credit to Samuel Gro and Niklas Baumstark working with Trend Microas
Zero Day Initiative.
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution. Description: Multiple memory corruption
issues were addressed with improved memory handling.

CVE-2017-7094
Versions affected: WebKitGTK+ before 2.16.3.
Credit to Tim Michaud (@TimGMichaud) of Leviathan Security Group.
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution. Description: Multiple memory corruption
issues were addressed with improved memory handling.

CVE-2017-7095
Versions affected: WebKitGTK+ before 2.18.0.
Credit to Wang Junjie, Wei Lei, and Liu Yang of Nanyang
Technological University working with Trend Microas Zero Day
Initiative.
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution. Description: Multiple memory corruption
issues were addressed with improved memory handling.

CVE-2017-7096
Versions affected: WebKitGTK+ before 2.18.0.
Credit to Wei Yuan of Baidu Security Lab.
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution. Description: Multiple memory corruption
issues were addressed with improved memory handling.

CVE-2017-7098
Versions affected: WebKitGTK+ before 2.18.0.
Credit to Felipe Freitas of Instituto TecnolA3gico de AeronA!utica.
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution. Description: Multiple memory corruption
issues were addressed with improved memory handling.

CVE-2017-7099
Versions affected: WebKitGTK+ before 2.16.4.
Credit to Apple.
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution. Description: Multiple memory corruption
issues were addressed with improved memory handling.

CVE-2017-7100
Versions affected: WebKitGTK+ before 2.18.0.
Credit to Masato Kinugawa and Mario Heiderich of Cure53.
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution. Description: Multiple memory corruption
issues were addressed with improved memory handling.

CVE-2017-7102
Versions affected: WebKitGTK+ before 2.18.0.
Credit to Wang Junjie, Wei Lei, and Liu Yang of Nanyang
Technological University.
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution. Description: Multiple memory corruption
issues were addressed with improved memory handling.

CVE-2017-7104
Versions affected: WebKitGTK+ before 2.18.0.
Credit to likemeng of Baidu Secutity Lab.
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution. Description: Multiple memory corruption
issues were addressed with improved memory handling.

CVE-2017-7107
Versions affected: WebKitGTK+ before 2.18.0.
Credit to Wang Junjie, Wei Lei, and Liu Yang of Nanyang
Technological University.
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution. Description: Multiple memory corruption
issues were addressed with improved memory handling.

CVE-2017-7109
Versions affected: WebKitGTK+ before 2.18.0.
Credit to avlidienbrunn.
Impact: Processing maliciously crafted web content may lead to a
cross site scripting attack. Description: Application Cache policy
may be unexpectedly applied.

CVE-2017-7111
Versions affected: WebKitGTK+ before 2.18.0.
Credit to likemeng of Baidu Security Lab (xlab.baidu.com) working
with Trend Micro's Zero Day Initiative.
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution. Description: Multiple memory corruption
issues were addressed with improved memory handling.

CVE-2017-7117
Versions affected: WebKitGTK+ before 2.18.0.
Credit to lokihardt of Google Project Zero.
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution. Description: Multiple memory corruption
issues were addressed with improved memory handling.

CVE-2017-7120
Versions affected: WebKitGTK+ before 2.18.0.
Credit to chenqin (ee|) of Ant-financial Light-Year Security Lab.
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution. Description: Multiple memory corruption
issues were addressed with improved memory handling.

CVE-2017-7142
Versions affected: WebKitGTK+ before 2.16.1.
Credit to an anonymous researcher.
Impact: Website data may persist after a Safari Private browsing
session. Description: An information leakage issue existed in the
handling of website data in Safari Private windows. This issue was
addressed with improved data handling.


We recommend updating to the last stable version of WebKitGTK+. It is
the best way of ensuring that you are running a safe version of
WebKitGTK+. Please check our website for information about the last
stable releases.

Further information about WebKitGTK+ Security Advisories can be found
at: https://webkitgtk.org/security.html

The WebKitGTK+ team,
October 18, 2017

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    0 Files
  • 20
    Mar 20th
    0 Files
  • 21
    Mar 21st
    0 Files
  • 22
    Mar 22nd
    0 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    0 Files
  • 26
    Mar 26th
    0 Files
  • 27
    Mar 27th
    0 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close