------------------------------------------------------------------------ WebKitGTK and WPE WebKit Security Advisory WSA-2020-0002 ------------------------------------------------------------------------ Date reported : February 14, 2020 Advisory ID : WSA-2020-0002 WebKitGTK Advisory URL : https://webkitgtk.org/security/WSA-2020-0002.html WPE WebKit Advisory URL : https://wpewebkit.org/security/WSA-2020-0002.html CVE identifiers : CVE-2020-3862, CVE-2020-3864, CVE-2020-3865, CVE-2020-3867, CVE-2020-3868. Several vulnerabilities were discovered in WebKitGTK and WPE WebKit. CVE-2020-3862 Versions affected: WebKitGTK before 2.26.4 and WPE WebKit before 2.26.4. Credit to Srikanth Gatta of Google Chrome. Impact: A malicious website may be able to cause a denial of service. Description: A denial of service issue was addressed with improved memory handling. CVE-2020-3864 Versions affected: WebKitGTK before 2.26.4 and WPE WebKit before 2.26.4. Credit to Ryan Pickren (ryanpickren.com). Impact: A DOM object context may not have had a unique security origin. Description: A logic issue was addressed with improved validation. CVE-2020-3865 Versions affected: WebKitGTK before 2.26.4 and WPE WebKit before 2.26.4. Credit to Ryan Pickren (ryanpickren.com). Impact: A top-level DOM object context may have incorrectly been considered secure. Description: A logic issue was addressed with improved validation. CVE-2020-3867 Versions affected: WebKitGTK before 2.26.4 and WPE WebKit before 2.26.4. Credit to an anonymous researcher. Impact: Processing maliciously crafted web content may lead to universal cross site scripting. Description: A logic issue was addressed with improved state management. CVE-2020-3868 Versions affected: WebKitGTK before 2.26.4 and WPE WebKit before 2.26.4. Credit to Marcin Towalski of Cisco Talos. Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed with improved memory handling. We recommend updating to the latest stable versions of WebKitGTK and WPE WebKit. It is the best way to ensure that you are running safe versions of WebKit. Please check our websites for information about the latest stable releases. Further information about WebKitGTK and WPE WebKit security advisories can be found at: https://webkitgtk.org/security.html or https://wpewebkit.org/security/. The WebKitGTK and WPE WebKit team, February 14, 2020