------------------------------------------------------------------------ WebKitGTK+ Security Advisory WSA-2018-0002 ------------------------------------------------------------------------ Date reported : January 24, 2018 Advisory ID : WSA-2018-0002 Advisory URL : https://webkitgtk.org/security/WSA-2018-0002.html CVE identifiers : CVE-2018-4088, CVE-2018-4089, CVE-2018-4096, CVE-2017-7153, CVE-2017-7160, CVE-2017-7161, CVE-2017-7165, CVE-2017-13884, CVE-2017-13885. Several vulnerabilities were discovered in WebKitGTK+. CVE-2018-4088 Versions affected: WebKitGTK+ before 2.18.6. Credit to Jeonghoon Shin of Theori. Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed with improved memory handling. CVE-2018-4089 Versions affected: WebKitGTK+ before 2.18.4. Credit to Ivan Fratric of Google Project Zero. Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed with improved memory handling. CVE-2018-4096 Versions affected: WebKitGTK+ before 2.18.6. Credit to OSS-Fuzz. Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed with improved memory handling. CVE-2017-7153 Versions affected: WebKitGTK+ before 2.18.6. Credit to Jerry Decime. Impact: Visiting a malicious website may lead to user interface spoofing. Description: Redirect responses to 401 Unauthorized may allow a malicious website to incorrectly display the lock icon on mixed content. This issue was addressed through improved URL display logic. CVE-2017-7160 Versions affected: WebKitGTK+ before 2.18.6. Credit to Richard Zhu (fluorescence) working with Trend Micro's Zero Day Initiative. Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed with improved memory handling. CVE-2017-7161 Versions affected: WebKitGTK+ before 2.18.6. Credit to Mitin Svyat. Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: A command injection issue existed in Web Inspector. This issue was addressed through improved escaping of special characters. CVE-2017-7165 Versions affected: WebKitGTK+ before 2.18.6. Credit to 360 Security working with Trend Micro's Zero Day Initiative. Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed with improved memory handling. CVE-2017-13884 Versions affected: WebKitGTK+ before 2.18.6. Credit to 360 Security working with Trend Micro's Zero Day Initiative. Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed with improved memory handling. CVE-2017-13885 Versions affected: WebKitGTK+ before 2.18.6. Credit to 360 Security working with Trend Micro's Zero Day Initiative. Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed with improved memory handling. We recommend updating to the last stable version of WebKitGTK+. It is the best way of ensuring that you are running a safe version of WebKitGTK+. Please check our website for information about the last stable releases. Further information about WebKitGTK+ Security Advisories can be found at: https://webkitgtk.org/security.html The WebKitGTK+ team, January 24, 2018