WebKitGTK+ and WPE WebKit Security Advisory WSA-2018-0005

Several vulnerabilities were discovered in WebKitGTK+ and WPE WebKit.

  • CVE-2018-4190
    • Versions affected: WebKitGTK+ before 2.20.3 and WPE WebKit before 2.20.1.
    • Credit to Jun Kokatsu (@shhnjk).
    • Impact: Visiting a maliciously crafted website may leak sensitive data.
    • Description: Credentials were unexpectedly sent when fetching CSS mask images. This was addressed by using a CORS-enabled fetch method.
  • CVE-2018-4192
    • Versions affected: WebKitGTK+ before 2.20.1.
    • Credit to Markus Gaasedelen, Nick Burnett, and Patrick Biernat of Ret2 Systems, Inc. working with Trend Micro’s Zero Day Initiative.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution.
    • Description: A race condition was addressed with improved locking.
  • CVE-2018-4199
    • Versions affected: WebKitGTK+ before 2.20.3 and WPE WebKit before 2.20.1.
    • Credit to Alex Plaskett, Georgi Geshev, Fabi Beterke, and Nils of MWR Labs working with Trend Micro’s Zero Day Initiative.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution.
    • Description: A buffer overflow issue was addressed with improved memory handling.
  • CVE-2018-4201
    • Versions affected: WebKitGTK+ before 2.20.1.
    • Credit to an anonymous researcher.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution.
    • Description: Multiple memory corruption issues were addressed with improved memory handling.
  • CVE-2018-4214
    • Versions affected: WebKitGTK+ before 2.20.0.
    • Credit to OSS-Fuzz.
    • Impact: Processing maliciously crafted web content may lead to an unexpected application crash.
    • Description: A memory corruption issue was addressed with improved input validation.
  • CVE-2018-4218
    • Versions affected: WebKitGTK+ before 2.20.3 and WPE WebKit before 2.20.1.
    • Credit to Natalie Silvanovich of Google Project Zero.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution.
    • Description: Multiple memory corruption issues were addressed with improved memory handling.
  • CVE-2018-4222
    • Versions affected: WebKitGTK+ before 2.20.3 and WPE WebKit before 2.20.1.
    • Credit to Natalie Silvanovich of Google Project Zero.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution.
    • Description: An out-of-bounds read was addressed with improved input validation.
  • CVE-2018-4232
    • Versions affected: WebKitGTK+ before 2.20.3 and WPE WebKit before 2.20.1.
    • Credit to Aymeric Chaib.
    • Impact: Visiting a maliciously crafted website may lead to cookies being overwritten.
    • Description: A permissions issue existed in the handling of web browser cookies. This issue was addressed with improved restrictions.
  • CVE-2018-4233
    • Versions affected: WebKitGTK+ before 2.20.3 and WPE WebKit before 2.20.1.
    • Credit to Samuel Groß (@5aelo) working with Trend Micro’s Zero Day Initiative.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution.
    • Description: Multiple memory corruption issues were addressed with improved memory handling.
  • CVE-2018-11646
    • Versions affected: WebKitGTK+ before 2.20.3 and WPE WebKit before 2.20.1.
    • Credit to Mishra Dhiraj.
    • Description: Maliciously crafted web content could trigger an application crash in WebKitFaviconDatabase, caused by mishandling of unexpected input.
  • CVE-2018-11712
    • Versions affected: WebKitGTK+ 2.20.0 and 2.20.1.
    • Credit to Metrological Group B.V.
    • Description: The libsoup network backend of WebKit failed to perform TLS certificate verification for WebSocket connections.
  • CVE-2018-11713
    • Versions affected: WebKitGTK+ before 2.20.0 or without libsoup 2.62.0.
    • Credit to Dirkjan Ochtman.
    • Description: The libsoup network backend of WebKit unexpectedly failed to use system proxy settings for WebSocket connections. As a result, users could be deanonymized by crafted web sites via a WebSocket connection.
  • CVE-2018-12293
    • Versions affected: WebKitGTK+ before 2.20.3 and WPE WebKit before 2.20.1.
    • Credit to ADlab of Venustech.
    • Description: Maliciously crafted web content could achieve a heap buffer overflow in ImageBufferCairo by exploiting multiple integer overflow issues.
  • CVE-2018-12294
    • Versions affected: WebKitGTK+ before 2.20.2.
    • Credit to ADlab of Venustech.
    • Description: Maliciously crafted web content could trigger a use-after-free of a TextureMapperLayer object.

We recommend updating to the latest stable versions of WebKitGTK+ and WPE WebKit. This is the best way to ensure that you are running a safe version of WebKit. Please check our websites for information about the latest stable releases.

Further information about WebKitGTK+ and WPE WebKit security advisories can be found at https://webkitgtk.org/security.html or https://wpewebkit.org/security/.