WebKitGTK+ Security Advisory WSA-2016-0006

• Date Reported: November 04, 2016

• Advisory ID: WSA-2016-0006

• CVE identifiers: CVE-2016-4611, CVE-2016-4613, CVE-2016-4657, CVE-2016-4666, CVE-2016-4707, CVE-2016-4728, CVE-2016-4729, CVE-2016-4730, CVE-2016-4731, CVE-2016-4733, CVE-2016-4734, CVE-2016-4735, CVE-2016-4758, CVE-2016-4759, CVE-2016-4760, CVE-2016-4761, CVE-2016-4762, CVE-2016-4764, CVE-2016-4765, CVE-2016-4766, CVE-2016-4767, CVE-2016-4768, CVE-2016-4769, CVE-2016-7578.

Several vulnerabilities were discovered in WebKitGTK+.

• CVE-2016-4611
  • Versions affected: WebKitGTK+ before 2.12.0.
  • Credit to Apple.
  • WebKit in Apple iOS before 10, Safari before 10, and tvOS before 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, a different vulnerability than CVE-2016-4730, CVE-2016-4733, CVE-2016-4734, and CVE-2016-4735.
• CVE-2016-4613
  • Versions affected: WebKitGTK+ before 2.14.0.
  • Credit to Chris Palmer.
  • Impact: Processing maliciously crafted web content may result in the disclosure of user information. Description: An input validation issue was addressed through improved state management.
• CVE-2016-4657
  • Versions affected: WebKitGTK+ before 2.14.0.
  • Credit to Citizen Lab and Lookout.
  • WebKit in Apple iOS before 9.3.5 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site.
• CVE-2016-4666
  • Versions affected: WebKitGTK+ before 2.14.0.
  • Credit to Apple.
  • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed through improved memory handling.
• CVE-2016-4707
  • Versions affected: WebKitGTK+ before 2.14.0.
  • Credit to Anonymous Researcher.
  • CFNetwork in Apple iOS before 10 and OS X before 10.12 mishandles Local Storage deletion, which allows local users to discover the visited web sites of arbitrary users via unspecified vectors.
• CVE-2016-4728
  • Versions affected: WebKitGTK+ before 2.14.0.
  • Credit to Daniel Divricean.
  • WebKit in Apple iOS before 10, tvOS before 10, iTunes before 12.5.1 on Windows, and Safari before 10 mishandles error prototypes, which allows remote attackers to execute arbitrary code via a crafted web site.
• CVE-2016-4729
  • Versions affected: WebKitGTK+ before 2.12.0.
  • Credit to Apple.
  • WebKit in Apple iOS before 10 and Safari before 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, a different vulnerability than CVE-2016-4731.
• CVE-2016-4730
  • Versions affected: WebKitGTK+ before 2.12.0.
  • Credit to Apple.
  • WebKit in Apple iOS before 10, Safari before 10, and tvOS before 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, a different vulnerability than CVE-2016-4611, CVE-2016-4733, CVE-2016-4734, and CVE-2016-4735.
• CVE-2016-4731
  • Versions affected: WebKitGTK+ before 2.12.0.
  • Credit to Apple.
  • WebKit in Apple iOS before 10 and Safari before 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, a different vulnerability than CVE-2016-4729.
• CVE-2016-4733
  • Versions affected: WebKitGTK+ before 2.14.0.
  • Credit to Natalie Silvanovich of Google Project Zero.
  • WebKit in Apple iOS before 10, Safari before 10, and tvOS before 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, a different vulnerability than CVE-2016-4611, CVE-2016-4730, CVE-2016-4734, and CVE-2016-4735.
• CVE-2016-4734
  • Versions affected: WebKitGTK+ before 2.14.0.
  • Credit to Natalie Silvanovich of Google Project Zero.
  • WebKit in Apple iOS before 10, Safari before 10, and tvOS before 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, a different vulnerability than CVE-2016-4611, CVE-2016-4730, CVE-2016-4733, and CVE-2016-4735.
• CVE-2016-4735
  • Versions affected: WebKitGTK+ before 2.14.0.
  • Credit to André Bargull.
  • WebKit in Apple iOS before 10, Safari before 10, and tvOS before 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, a different vulnerability than CVE-2016-4611, CVE-2016-4730, CVE-2016-4733, and CVE-2016-4734.
• CVE-2016-4758
  • Versions affected: WebKitGTK+ before 2.12.1.
  • Credit to Masato Kinugawa of Cure53.
  • WebKit in Apple iOS before 10, iTunes before 12.5.1 on Windows, and Safari before 10 does not properly restrict access to the location variable, which allows remote attackers to obtain sensitive information via a crafted web site.
• CVE-2016-4759
  • Versions affected: WebKitGTK+ before 2.14.0.
  • Credit to Tongbo Luo of Palo Alto Networks.
  • WebKit in Apple iOS before 10, tvOS before 10, iTunes before 12.5.1 on Windows, and Safari before 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, a different vulnerability than CVE-2016-4765, CVE-2016-4766, CVE-2016-4767, and CVE-2016-4768.
• CVE-2016-4760
  • Versions affected: WebKitGTK+ before 2.14.0.
  • Credit to Jordan Milne.
  • WebKit in Apple iOS before 10, iTunes before 12.5.1 on Windows, and Safari before 10 allows remote attackers to conduct DNS rebinding attacks against non-HTTP Safari sessions by leveraging HTTP/0.9 support.
• CVE-2016-4761
  • Versions affected: WebKitGTK+ before 2.14.0.
  • Credit to Apple.
  • An use-after-free vulnerability allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors.
• CVE-2016-4762
  • Versions affected: WebKitGTK+ before 2.14.0.
  • Credit to Zheng Huang of Baidu Security Lab.
  • WebKit in Apple iOS before 10, iTunes before 12.5.1 on Windows, iCloud before 6.0 on Windows, and Safari before 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site.
• CVE-2016-4764
  • Versions affected: WebKitGTK+ before 2.14.0.
  • Credit to Apple.
  • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed through improved state management.
• CVE-2016-4765
  • Versions affected: WebKitGTK+ before 2.14.0.
  • Credit to Apple.
  • WebKit in Apple iOS before 10, tvOS before 10, iTunes before 12.5.1 on Windows, and Safari before 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, a different vulnerability than CVE-2016-4759, CVE-2016-4766, CVE-2016-4767, and CVE-2016-4768.
• CVE-2016-4766
  • Versions affected: WebKitGTK+ before 2.12.4.
  • Credit to Apple.
  • WebKit in Apple iOS before 10, tvOS before 10, iTunes before 12.5.1 on Windows, and Safari before 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, a different vulnerability than CVE-2016-4759, CVE-2016-4765, CVE-2016-4767, and CVE-2016-4768.
• CVE-2016-4767
  • Versions affected: WebKitGTK+ before 2.14.0.
  • Credit to Apple.
  • WebKit in Apple iOS before 10, tvOS before 10, iTunes before 12.5.1 on Windows, and Safari before 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, a different vulnerability than CVE-2016-4759, CVE-2016-4765, CVE-2016-4766, and CVE-2016-4768.
• CVE-2016-4768
  • Versions affected: WebKitGTK+ before 2.14.0.
  • Credit to Anonymous working with Trend Micro’s Zero Day Initiative.
  • WebKit in Apple iOS before 10, tvOS before 10, iTunes before 12.5.1 on Windows, and Safari before 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, a different vulnerability than CVE-2016-4759, CVE-2016-4765, CVE-2016-4766, and CVE-2016-4767.
• CVE-2016-4769
  • Versions affected: WebKitGTK+ before 2.14.0.
  • Credit to Tongbo Luo of Palo Alto Networks.
  • WebKit in Apple iTunes before 12.5.1 on Windows and Safari before 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site.
• CVE-2016-7578
  • Versions affected: WebKitGTK+ before 2.14.0.
  • Credit to Apple.
  • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed through improved memory handling.

We recommend updating to the last stable version of WebKitGTK+. It is the best way of ensuring that you are running a safe version of WebKitGTK+. Please check our website for information about the last stable releases.

Further information about WebKitGTK+ Security Advisories can be found at: https://webkitgtk.org/security.html