WebKitGTK+ Code Execution / DoS / UXSS

  1. 6 weeks ago

    Men in Black

    May 6 Administrator + 72723 RP
    Edited 6 weeks ago by Men in Black

    h7.png

    WebKitGTK+ suffers from code execution, denial of service, memory corruption, and various other vulnerabilities.

    MD5 | b14cd9d7fa2fef7e690a45930f9d4746

    Download Here => WSA-2017-0004.txt

    ------------------------------------------------------------------------
    WebKitGTK+ Security Advisory                               WSA-2017-0004
    ------------------------------------------------------------------------
    
    Date reported      : May 25, 2017
    Advisory ID        : WSA-2017-0004
    Advisory URL       : https://webkitgtk.org/security/WSA-2017-0004.html
    CVE identifiers    : CVE-2017-2496, CVE-2017-2504, CVE-2017-2505,
                         CVE-2017-2506, CVE-2017-2508, CVE-2017-2510,
                         CVE-2017-2514, CVE-2017-2515, CVE-2017-2521,
                         CVE-2017-2525, CVE-2017-2526, CVE-2017-2528,
                         CVE-2017-2530, CVE-2017-2531, CVE-2017-2536,
                         CVE-2017-2539, CVE-2017-2544, CVE-2017-2547,
                         CVE-2017-2549, CVE-2017-6980, CVE-2017-6984.
    
    Several vulnerabilities were discovered in WebKitGTK+.
    
    CVE-2017-2496
        Versions affected: WebKitGTK+ before 2.16.3.
        Credit to Apple.
        Impact: Processing maliciously crafted web content may lead to
        arbitrary code execution or cause a denial of service (memory
        corruption and application crash). Description: Multiple memory
        corruption issues were addressed with improved memory handling.
    
    CVE-2017-2504
        Versions affected: WebKitGTK+ before 2.16.1.
        Credit to lokihardt of Google Project Zero.
        Impact: Processing maliciously crafted web content may lead to
        universal cross site scripting (UXSS). Description: A logic issue
        existed in the handling of WebKit Editor commands. This issue was
        addressed with improved state management.
    
    CVE-2017-2505
        Versions affected: WebKitGTK+ before 2.16.0.
        Credit to lokihardt of Google Project Zero.
        Impact: Processing maliciously crafted web content may lead to
        arbitrary code execution or cause a denial of service (memory
        corruption and application crash). Description: Multiple memory
        corruption issues were addressed with improved memory handling.
    
    CVE-2017-2506
        Versions affected: WebKitGTK+ before 2.16.1.
        Credit to Zheng Huang of the Baidu Security Lab working with Trend
        Microas Zero Day Initiative.
        Impact: Processing maliciously crafted web content may lead to
        arbitrary code execution or cause a denial of service (memory
        corruption and application crash). Description: Multiple memory
        corruption issues were addressed with improved memory handling.
    
    CVE-2017-2508
        Versions affected: WebKitGTK+ before 2.16.0.
        Credit to lokihardt of Google Project Zero.
        Impact: Processing maliciously crafted web content may lead to
        universal cross site scripting (UXSS). Description: A logic issue
        existed in the handling of WebKit container nodes. This issue was
        addressed with improved state management.
    
    CVE-2017-2510
        Versions affected: WebKitGTK+ before 2.16.3.
        Credit to lokihardt of Google Project Zero.
        Impact: Processing maliciously crafted web content may lead to
        universal cross site scripting (UXSS). Description: A logic issue
        existed in the handling of pageshow events. This issue was addressed
        with improved state management.
    
    CVE-2017-2514
        Versions affected: WebKitGTK+ before 2.16.0.
        Credit to lokihardt of Google Project Zero.
        Impact: Processing maliciously crafted web content may lead to
        arbitrary code execution or cause a denial of service (memory
        corruption and application crash). Description: Multiple memory
        corruption issues were addressed with improved memory handling.
    
    CVE-2017-2515
        Versions affected: WebKitGTK+ before 2.16.1.
        Credit to lokihardt of Google Project Zero.
        Impact: Processing maliciously crafted web content may lead to
        arbitrary code execution or cause a denial of service (memory
        corruption and application crash). Description: Multiple memory
        corruption issues were addressed with improved memory handling.
    
    CVE-2017-2521
        Versions affected: WebKitGTK+ before 2.16.0.
        Credit to lokihardt of Google Project Zero.
        Impact: Processing maliciously crafted web content may lead to
        arbitrary code execution or cause a denial of service (memory
        corruption and application crash). Description: Multiple memory
        corruption issues were addressed with improved memory handling.
    
    CVE-2017-2525
        Versions affected: WebKitGTK+ before 2.16.1.
        Credit to Kai Kang (4B5F5F4B) of Tencentas Xuanwu Lab (tencent.com)
        working with Trend Microas Zero Day Initiative.
        Impact: Processing maliciously crafted web content may lead to
        arbitrary code execution or cause a denial of service (memory
        corruption and application crash). Description: Multiple memory
        corruption issues were addressed with improved memory handling.
    
    CVE-2017-2526
        Versions affected: WebKitGTK+ before 2.16.1.
        Credit to Kai Kang (4B5F5F4B) of Tencentas Xuanwu Lab (tencent.com)
        working with Trend Microas Zero Day Initiative.
        Impact: Processing maliciously crafted web content may lead to
        arbitrary code execution or cause a denial of service (memory
        corruption and application crash). Description: Multiple memory
        corruption issues were addressed with improved memory handling.
    
    CVE-2017-2528
        Versions affected: WebKitGTK+ before 2.16.1.
        Credit to lokihardt of Google Project Zero.
        Impact: Processing maliciously crafted web content may lead to
        universal cross site scripting (UXSS). Description: A logic issue
        existed in the handling of WebKit cached frames. This issue was
        addressed with improved state management.
    
    CVE-2017-2530
        Versions affected: WebKitGTK+ before 2.16.1.
        Credit to Wei Yuan of Baidu Security Lab.
        Impact: Processing maliciously crafted web content may lead to
        arbitrary code execution or cause a denial of service (memory
        corruption and application crash). Description: Multiple memory
        corruption issues were addressed with improved memory handling.
    
    CVE-2017-2531
        Versions affected: WebKitGTK+ before 2.16.1.
        Credit to lokihardt of Google Project Zero.
        Impact: Processing maliciously crafted web content may lead to
        arbitrary code execution or cause a denial of service (memory
        corruption and application crash). Description: Multiple memory
        corruption issues were addressed with improved memory handling.
    
    CVE-2017-2536
        Versions affected: WebKitGTK+ before 2.16.1.
        Credit to Samuel GroA and Niklas Baumstark working with Trend
        Micro's Zero Day Initiative.
        Impact: Processing maliciously crafted web content may lead to
        arbitrary code execution or cause a denial of service (memory
        corruption and application crash). Description: Multiple memory
        corruption issues were addressed with improved memory handling.
    
    CVE-2017-2539
        Versions affected: WebKitGTK+ before 2.16.3.
        Credit to Richard Zhu (fluorescence) working with Trend Micro's Zero
        Day Initiative.
        Impact: Processing maliciously crafted web content may lead to
        arbitrary code execution or cause a denial of service (memory
        corruption and application crash). Description: Multiple memory
        corruption issues were addressed with improved memory handling.
    
    CVE-2017-2544
        Versions affected: WebKitGTK+ before 2.16.1.
        Credit to 360 Security (@mj0011sec) working with Trend Micro's Zero
        Day Initiative.
        Impact: Processing maliciously crafted web content may lead to
        arbitrary code execution or cause a denial of service (memory
        corruption and application crash). Description: Multiple memory
        corruption issues were addressed with improved memory handling.
    
    CVE-2017-2547
        Versions affected: WebKitGTK+ before 2.16.1.
        Credit to lokihardt of Google Project Zero, Team Sniper (Keen Lab
        and PC Mgr) working with Trend Micro's Zero Day Initiative.
        Impact: Processing maliciously crafted web content may lead to
        arbitrary code execution or cause a denial of service (memory
        corruption and application crash). Description: Multiple memory
        corruption issues were addressed with improved memory handling.
    
    CVE-2017-2549
        Versions affected: WebKitGTK+ before 2.16.1.
        Credit to lokihardt of Google Project Zero.
        Impact: Processing maliciously crafted web content may lead to
        universal cross site scripting (UXSS). Description: A logic issue
        existed in frame loading. This issue was addressed with improved
        state management.
    
    CVE-2017-6980
        Versions affected: WebKitGTK+ before 2.16.1.
        Credit to lokihardt of Google Project Zero.
        Impact: Processing maliciously crafted web content may lead to
        arbitrary code execution or cause a denial of service (memory
        corruption and application crash). Description: Multiple memory
        corruption issues were addressed with improved memory handling.
    
    CVE-2017-6984
        Versions affected: WebKitGTK+ before 2.16.1.
        Credit to lokihardt of Google Project Zero.
        Impact: Processing maliciously crafted web content may lead to
        arbitrary code execution or cause a denial of service (memory
        corruption and application crash). Description: Multiple memory
        corruption issues were addressed with improved memory handling.
    
    
    We recommend updating to the last stable version of WebKitGTK+. It is
    the best way of ensuring that you are running a safe version of
    WebKitGTK+. Please check our website for information about the last
    stable releases.
    
    Further information about WebKitGTK+ Security Advisories can be found
    at: https://webkitgtk.org/security.html
    
    The WebKitGTK+ team,
    May 25, 2017
    
 

or Sign Up to reply!