exploit the possibilities

WebKitGTK+ Memory Corruption / Spoofing / Code Execution

WebKitGTK+ Memory Corruption / Spoofing / Code Execution
Posted Jan 26, 2018
Authored by WebKitGTK+ Team

WebKitGTK+ versions 2.18.x suffer from various memory corruption, user interface spoofing, and code execution vulnerabilities.

tags | advisory, spoof, vulnerability, code execution
advisories | CVE-2017-13884, CVE-2017-13885, CVE-2017-7153, CVE-2017-7160, CVE-2017-7161, CVE-2017-7165, CVE-2018-4088, CVE-2018-4089, CVE-2018-4096
MD5 | 56c7ac8a62544bdad2da9c56c5aff379

WebKitGTK+ Memory Corruption / Spoofing / Code Execution

Change Mirror Download
------------------------------------------------------------------------
WebKitGTK+ Security Advisory WSA-2018-0002
------------------------------------------------------------------------

Date reported : January 24, 2018
Advisory ID : WSA-2018-0002
Advisory URL : https://webkitgtk.org/security/WSA-2018-0002.html
CVE identifiers : CVE-2018-4088, CVE-2018-4089, CVE-2018-4096,
CVE-2017-7153, CVE-2017-7160, CVE-2017-7161,
CVE-2017-7165, CVE-2017-13884, CVE-2017-13885.

Several vulnerabilities were discovered in WebKitGTK+.

CVE-2018-4088
Versions affected: WebKitGTK+ before 2.18.6.
Credit to Jeonghoon Shin of Theori.
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution. Description: Multiple memory corruption
issues were addressed with improved memory handling.

CVE-2018-4089
Versions affected: WebKitGTK+ before 2.18.4.
Credit to Ivan Fratric of Google Project Zero.
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution. Description: Multiple memory corruption
issues were addressed with improved memory handling.

CVE-2018-4096
Versions affected: WebKitGTK+ before 2.18.6.
Credit to OSS-Fuzz.
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution. Description: Multiple memory corruption
issues were addressed with improved memory handling.

CVE-2017-7153
Versions affected: WebKitGTK+ before 2.18.6.
Credit to Jerry Decime.
Impact: Visiting a malicious website may lead to user interface
spoofing. Description: Redirect responses to 401 Unauthorized may
allow a malicious website to incorrectly display the lock icon on
mixed content. This issue was addressed through improved URL display
logic.

CVE-2017-7160
Versions affected: WebKitGTK+ before 2.18.6.
Credit to Richard Zhu (fluorescence) working with Trend Micro's Zero
Day Initiative.
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution. Description: Multiple memory corruption
issues were addressed with improved memory handling.

CVE-2017-7161
Versions affected: WebKitGTK+ before 2.18.6.
Credit to Mitin Svyat.
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution. Description: A command injection issue
existed in Web Inspector. This issue was addressed through improved
escaping of special characters.

CVE-2017-7165
Versions affected: WebKitGTK+ before 2.18.6.
Credit to 360 Security working with Trend Micro's Zero Day
Initiative.
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution. Description: Multiple memory corruption
issues were addressed with improved memory handling.

CVE-2017-13884
Versions affected: WebKitGTK+ before 2.18.6.
Credit to 360 Security working with Trend Micro's Zero Day
Initiative.
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution. Description: Multiple memory corruption
issues were addressed with improved memory handling.

CVE-2017-13885
Versions affected: WebKitGTK+ before 2.18.6.
Credit to 360 Security working with Trend Micro's Zero Day
Initiative.
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution. Description: Multiple memory corruption
issues were addressed with improved memory handling.


We recommend updating to the last stable version of WebKitGTK+. It is
the best way of ensuring that you are running a safe version of
WebKitGTK+. Please check our website for information about the last
stable releases.

Further information about WebKitGTK+ Security Advisories can be found
at: https://webkitgtk.org/security.html

The WebKitGTK+ team,
January 24, 2018

Login or Register to add favorites

File Archive:

July 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    15 Files
  • 2
    Jul 2nd
    19 Files
  • 3
    Jul 3rd
    12 Files
  • 4
    Jul 4th
    1 Files
  • 5
    Jul 5th
    2 Files
  • 6
    Jul 6th
    25 Files
  • 7
    Jul 7th
    29 Files
  • 8
    Jul 8th
    0 Files
  • 9
    Jul 9th
    0 Files
  • 10
    Jul 10th
    0 Files
  • 11
    Jul 11th
    0 Files
  • 12
    Jul 12th
    0 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    0 Files
  • 16
    Jul 16th
    0 Files
  • 17
    Jul 17th
    0 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close