------------------------------------------------------------------------
WebKitGTK+ Security Advisory                               WSA-2016-0005
------------------------------------------------------------------------

Date reported      : August 25, 2016
Advisory ID        : WSA-2016-0005
Advisory URL       : https://webkitgtk.org/security/WSA-2016-0005.html
CVE identifiers    : CVE-2016-4583, CVE-2016-4585, CVE-2016-4586,
                     CVE-2016-4587, CVE-2016-4588, CVE-2016-4589,
                     CVE-2016-4590, CVE-2016-4591, CVE-2016-4592,
                     CVE-2016-4622, CVE-2016-4623, CVE-2016-4624,
                     CVE-2016-4651.

Several vulnerabilities were discovered in WebKitGTK+.

CVE-2016-4583
    Versions affected: WebKitGTK+ before 2.12.2.
    Credit to Roeland Krak.
    WebKit in Apple iOS before 9.3.3, Safari before 9.1.2, and tvOS
    before 9.2.2 allows remote attackers to bypass the Same Origin
    Policy and obtain image data from an unintended web site via a
    timing attack involving an SVG document.

CVE-2016-4585
    Versions affected: WebKitGTK+ before 2.12.1.
    Credit to Takeshi Terada of Mitsui Bussan Secure Directions, Inc.
    (www.mbsd.jp).
    Cross-site scripting (XSS) vulnerability in the WebKit Page Loading
    implementation in Apple iOS before 9.3.3, Safari before 9.1.2, and
    tvOS before 9.2.2 allows remote attackers to inject arbitrary web
    script or HTML via an HTTP response specifying redirection that is
    mishandled by Safari.

CVE-2016-4586
    Versions affected: WebKitGTK+ before 2.12.1.
    Credit to Apple.
    WebKit in Apple Safari before 9.1.2 and tvOS before 9.2.2 allows
    remote attackers to execute arbitrary code or cause a denial of
    service (memory corruption) via a crafted web site.

CVE-2016-4587
    Versions affected: WebKitGTK+ before 2.10.1.
    Credit to Apple.
    WebKit in Apple iOS before 9.3.3 and tvOS before 9.2.2 allows remote
    attackers to obtain sensitive information from uninitialized process
    memory via a crafted web site.

CVE-2016-4588
    Versions affected: WebKitGTK+ before 2.12.3.
    Credit to Apple.
    WebKit in Apple tvOS before 9.2.2 allows remote attackers to execute
    arbitrary code or cause a denial of service (memory corruption) via
    a crafted web site.

CVE-2016-4589
    Versions affected: WebKitGTK+ before 2.12.3.
    Credit to Tongbo Luo and Bo Qu of Palo Alto Networks.
    WebKit in Apple iOS before 9.3.3, Safari before 9.1.2, and tvOS
    before 9.2.2 allows remote attackers to execute arbitrary code or
    cause a denial of service (memory corruption) via a crafted web
    site, a different vulnerability than CVE-2016-4622, CVE-2016-4623,
    and CVE-2016-4624.

CVE-2016-4590
    Versions affected: WebKitGTK+ before 2.12.4.
    Credit to xisigr of Tencent's Xuanwu Lab (www.tencent.com).
    WebKit in Apple iOS before 9.3.3 and Safari before 9.1.2 mishandles
    about: URLs, which allows remote attackers to bypass the Same Origin
    Policy via a crafted web site.

CVE-2016-4591
    Versions affected: WebKitGTK+ before 2.12.4.
    Credit to ma.la of LINE Corporation.
    WebKit in Apple iOS before 9.3.3, Safari before 9.1.2, and tvOS
    before 9.2.2 mishandles the location variable, which allows remote
    attackers to access the local filesystem via unspecified vectors.

CVE-2016-4592
    Versions affected: WebKitGTK+ before 2.10.5.
    Credit to Mikhail.
    WebKit in Apple iOS before 9.3.3, Safari before 9.1.2, and tvOS
    before 9.2.2 allows remote attackers to cause a denial of service
    (memory consumption) via a crafted web site.

CVE-2016-4622
    Versions affected: WebKitGTK+ before 2.12.4.
    Credit to Samuel Gross working with Trend Micro's Zero Day
    Initiative.
    WebKit in Apple iOS before 9.3.3, Safari before 9.1.2, and tvOS
    before 9.2.2 allows remote attackers to execute arbitrary code or
    cause a denial of service (memory corruption) via a crafted web
    site, a different vulnerability than CVE-2016-4589, CVE-2016-4623,
    and CVE-2016-4624.

CVE-2016-4623
    Versions affected: WebKitGTK+ before 2.12.0.
    Credit to Apple.
    WebKit in Apple iOS before 9.3.3, Safari before 9.1.2, and tvOS
    before 9.2.2 allows remote attackers to execute arbitrary code or
    cause a denial of service (memory corruption) via a crafted web
    site, a different vulnerability than CVE-2016-4589, CVE-2016-4622,
    and CVE-2016-4624.

CVE-2016-4624
    Versions affected: WebKitGTK+ before 2.12.4.
    Credit to Apple.
    WebKit in Apple iOS before 9.3.3, Safari before 9.1.2, and tvOS
    before 9.2.2 allows remote attackers to execute arbitrary code or
    cause a denial of service (memory corruption) via a crafted web
    site, a different vulnerability than CVE-2016-4589, CVE-2016-4622,
    and CVE-2016-4623.

CVE-2016-4651
    Versions affected: WebKitGTK+ before 2.12.0.
    Credit to Obscure.
    Cross-site scripting (XSS) vulnerability in the WebKit JavaScript
    bindings in Apple iOS before 9.3.3 and Safari before 9.1.2 allows
    remote attackers to inject arbitrary web script or HTML via a
    crafted HTTP/0.9 response, related to a "cross-protocol cross-site
    scripting (XPXSS)" vulnerability.


We recommend updating to the last stable version of WebKitGTK+. It is
the best way of ensuring that you are running a safe version of
WebKitGTK+. Please check our website for information about the last
stable releases.

Further information about WebKitGTK+ Security Advisories can be found
at: https://webkitgtk.org/security.html

The WebKitGTK+ team,
August 25, 2016
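
Added example, not part of the advisory and not WebKitGTK+ project code: a Python check that reads the "Versions affected" line of each entry above and lists the CVEs whose first fixed release is newer than a given upstream version. The function names are assumptions of this example.

```python
import re

# Entry headers copied from the advisory above (credits/descriptions omitted).
ADVISORY = """
CVE-2016-4583 Versions affected: WebKitGTK+ before 2.12.2.
CVE-2016-4585 Versions affected: WebKitGTK+ before 2.12.1.
CVE-2016-4586 Versions affected: WebKitGTK+ before 2.12.1.
CVE-2016-4587 Versions affected: WebKitGTK+ before 2.10.1.
CVE-2016-4588 Versions affected: WebKitGTK+ before 2.12.3.
CVE-2016-4589 Versions affected: WebKitGTK+ before 2.12.3.
CVE-2016-4590 Versions affected: WebKitGTK+ before 2.12.4.
CVE-2016-4591 Versions affected: WebKitGTK+ before 2.12.4.
CVE-2016-4592 Versions affected: WebKitGTK+ before 2.10.5.
CVE-2016-4622 Versions affected: WebKitGTK+ before 2.12.4.
CVE-2016-4623 Versions affected: WebKitGTK+ before 2.12.0.
CVE-2016-4624 Versions affected: WebKitGTK+ before 2.12.4.
CVE-2016-4651 Versions affected: WebKitGTK+ before 2.12.0.
"""

# Matches only entry headers; the comma-separated "CVE identifiers" list
# at the top of the advisory is not followed by "Versions affected".
ENTRY = re.compile(
    r"(CVE-\d{4}-\d+)\s+Versions affected: WebKitGTK\+ before (\d+(?:\.\d+)+)")

def parse_version(text):
    """Leading dotted-numeric part as a 3-int tuple, so 2.10.5 < 2.12.0."""
    m = re.match(r"\d+(?:\.\d+)+", text.strip())
    if not m:
        raise ValueError(f"not a WebKitGTK+ version: {text!r}")
    parts = [int(p) for p in m.group().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def parse_advisory(text):
    """Map each CVE id to the first fixed version named in its entry."""
    return {cve: parse_version(v) for cve, v in ENTRY.findall(text)}

def unfixed_cves(installed, advisory_text=ADVISORY):
    """CVE ids whose 'before X' bound is above the installed version."""
    have = parse_version(installed)
    fixed = parse_advisory(advisory_text)
    return sorted(cve for cve, first in fixed.items() if have < first)

if __name__ == "__main__":
    for v in ("2.10.4", "2.12.3", "2.12.4"):
        print(v, unfixed_cves(v))
```

A distribution package may carry backported fixes under an older version number, so the result is a statement about upstream release numbers only.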