WebKitGTK+ Security Advisory WSA-2017-0002

Several vulnerabilities were discovered in WebKitGTK+.

  • CVE-2017-2350
    • Versions affected: WebKitGTK+ before 2.14.4.
    • Credit to Gareth Heyes of Portswigger Web Security.
    • Impact: Processing maliciously crafted web content may exfiltrate data cross-origin. Description: A prototype access issue was addressed through improved exception handling.
  • CVE-2017-2354
    • Versions affected: WebKitGTK+ before 2.14.4.
    • Credit to Neymar of Tencent’s Xuanwu Lab (tencent.com) working with Trend Micro’s Zero Day Initiative.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed through improved memory handling.
  • CVE-2017-2355
    • Versions affected: WebKitGTK+ before 2.14.4.
    • Credit to Team Pangu and lokihardt at PwnFest 2016.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: A memory initialization issue was addressed through improved memory handling.
  • CVE-2017-2356
    • Versions affected: WebKitGTK+ before 2.14.4.
    • Credit to Team Pangu and lokihardt at PwnFest 2016.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed through improved input validation.
  • CVE-2017-2362
    • Versions affected: WebKitGTK+ before 2.14.4.
    • Credit to Ivan Fratric of Google Project Zero.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed through improved memory handling.
  • CVE-2017-2363
    • Versions affected: WebKitGTK+ before 2.14.4.
    • Credit to lokihardt of Google Project Zero.
    • Impact: Processing maliciously crafted web content may exfiltrate data cross-origin. Description: Multiple validation issues existed in the handling of page loading. This issue was addressed through improved logic.
  • CVE-2017-2364
    • Versions affected: WebKitGTK+ before 2.14.4.
    • Credit to lokihardt of Google Project Zero.
    • Impact: Processing maliciously crafted web content may exfiltrate data cross-origin. Description: Multiple validation issues existed in the handling of page loading. This issue was addressed through improved logic.
  • CVE-2017-2365
    • Versions affected: WebKitGTK+ before 2.14.4.
    • Credit to lokihardt of Google Project Zero.
    • Impact: Processing maliciously crafted web content may exfiltrate data cross-origin. Description: A validation issue existed in variable handling. This issue was addressed through improved validation.
  • CVE-2017-2366
    • Versions affected: WebKitGTK+ before 2.14.4.
    • Credit to Kai Kang of Tencent’s Xuanwu Lab (tencent.com).
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed through improved input validation.
  • CVE-2017-2369
    • Versions affected: WebKitGTK+ before 2.14.4.
    • Credit to Ivan Fratric of Google Project Zero.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed through improved input validation.
  • CVE-2017-2371
    • Versions affected: WebKitGTK+ before 2.14.4.
    • Credit to lokihardt of Google Project Zero.
    • Impact: A malicious website can open popups. Description: An issue existed in the handling of blocking popups. This was addressed through improved input validation.
  • CVE-2017-2373
    • Versions affected: WebKitGTK+ before 2.14.4.
    • Credit to Ivan Fratric of Google Project Zero.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed through improved memory handling.

We recommend updating to the last stable version of WebKitGTK+. It is the best way of ensuring that you are running a safe version of WebKitGTK+. Please check our website for information about the last stable releases.

Further information about WebKitGTK+ Security Advisories can be found at: https://webkitgtk.org/security.html