WebKitGTK+ Security Advisory WSA-2016-0005

Several vulnerabilities were discovered in WebKitGTK+.

  • CVE-2016-4583
    • Versions affected: WebKitGTK+ before 2.12.2.
    • Credit to Roeland Krak.
    • WebKit in Apple iOS before 9.3.3, Safari before 9.1.2, and tvOS before 9.2.2 allows remote attackers to bypass the Same Origin Policy and obtain image data from an unintended web site via a timing attack involving an SVG document.
  • CVE-2016-4585
    • Versions affected: WebKitGTK+ before 2.12.1.
    • Credit to Takeshi Terada of Mitsui Bussan Secure Directions, Inc. (www.mbsd.jp).
    • Cross-site scripting (XSS) vulnerability in the WebKit Page Loading implementation in Apple iOS before 9.3.3, Safari before 9.1.2, and tvOS before 9.2.2 allows remote attackers to inject arbitrary web script or HTML via an HTTP response specifying redirection that is mishandled by Safari.
  • CVE-2016-4586
    • Versions affected: WebKitGTK+ before 2.12.1.
    • Credit to Apple.
    • WebKit in Apple Safari before 9.1.2 and tvOS before 9.2.2 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site.
  • CVE-2016-4587
    • Versions affected: WebKitGTK+ before 2.10.1.
    • Credit to Apple.
    • WebKit in Apple iOS before 9.3.3 and tvOS before 9.2.2 allows remote attackers to obtain sensitive information from uninitialized process memory via a crafted web site.
  • CVE-2016-4588
    • Versions affected: WebKitGTK+ before 2.12.3.
    • Credit to Apple.
    • WebKit in Apple tvOS before 9.2.2 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site.
  • CVE-2016-4589
    • Versions affected: WebKitGTK+ before 2.12.3.
    • Credit to Tongbo Luo and Bo Qu of Palo Alto Networks.
    • WebKit in Apple iOS before 9.3.3, Safari before 9.1.2, and tvOS before 9.2.2 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, a different vulnerability than CVE-2016-4622, CVE-2016-4623, and CVE-2016-4624.
  • CVE-2016-4590
    • Versions affected: WebKitGTK+ before 2.12.4.
    • Credit to xisigr of Tencent’s Xuanwu Lab (www.tencent.com).
    • WebKit in Apple iOS before 9.3.3 and Safari before 9.1.2 mishandles about: URLs, which allows remote attackers to bypass the Same Origin Policy via a crafted web site.
  • CVE-2016-4591
    • Versions affected: WebKitGTK+ before 2.12.4.
    • Credit to ma.la of LINE Corporation.
    • WebKit in Apple iOS before 9.3.3, Safari before 9.1.2, and tvOS before 9.2.2 mishandles the location variable, which allows remote attackers to access the local filesystem via unspecified vectors.
  • CVE-2016-4592
    • Versions affected: WebKitGTK+ before 2.10.5.
    • Credit to Mikhail.
    • WebKit in Apple iOS before 9.3.3, Safari before 9.1.2, and tvOS before 9.2.2 allows remote attackers to cause a denial of service (memory consumption) via a crafted web site.
  • CVE-2016-4622
    • Versions affected: WebKitGTK+ before 2.12.4.
    • Credit to Samuel Gross working with Trend Micro’s Zero Day Initiative.
    • WebKit in Apple iOS before 9.3.3, Safari before 9.1.2, and tvOS before 9.2.2 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, a different vulnerability than CVE-2016-4589, CVE-2016-4623, and CVE-2016-4624.
  • CVE-2016-4623
    • Versions affected: WebKitGTK+ before 2.12.0.
    • Credit to Apple.
    • WebKit in Apple iOS before 9.3.3, Safari before 9.1.2, and tvOS before 9.2.2 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, a different vulnerability than CVE-2016-4589, CVE-2016-4622, and CVE-2016-4624.
  • CVE-2016-4624
    • Versions affected: WebKitGTK+ before 2.12.4.
    • Credit to Apple.
    • WebKit in Apple iOS before 9.3.3, Safari before 9.1.2, and tvOS before 9.2.2 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, a different vulnerability than CVE-2016-4589, CVE-2016-4622, and CVE-2016-4623.
  • CVE-2016-4651
    • Versions affected: WebKitGTK+ before 2.12.0.
    • Credit to Obscure.
    • Cross-site scripting (XSS) vulnerability in the WebKit JavaScript bindings in Apple iOS before 9.3.3 and Safari before 9.1.2 allows remote attackers to inject arbitrary web script or HTML via a crafted HTTP/0.9 response, related to a “cross-protocol cross-site scripting (XPXSS)” vulnerability.

We recommend updating to the latest stable version of WebKitGTK+. It is the best way of ensuring that you are running a safe version of WebKitGTK+. Please check our website for information about the latest stable releases.

Further information about WebKitGTK+ Security Advisories can be found at: https://webkitgtk.org/security.html