Discover Government News

Arch Linux Security Advisory ASA-201701-27
=========================================
Severity: Critical
Date    : 2017-01-18
CVE-ID  : CVE-2016-7586 CVE-2016-7589 CVE-2016-7592 CVE-2016-7599
          CVE-2016-7623 CVE-2016-7632 CVE-2016-7635 CVE-2016-7639
          CVE-2016-7641 CVE-2016-7645 CVE-2016-7652 CVE-2016-7654
          CVE-2016-7656
Package : webkit2gtk
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-146

Summary
======
The package webkit2gtk before version 2.14.3-1 is vulnerable to
multiple issues including arbitrary code execution and information
disclosure.

Resolution
=========
Upgrade to 2.14.3-1.

# pacman -Syu "webkit2gtk>=2.14.3-1"

The problems have been fixed upstream in version 2.14.3.

Workaround
=========
None.

Description
==========
- CVE-2016-7586 (information disclosure)

A validation issue was found in WebKitGTK+ < 2.14.3, leading to the
potential disclosure of user information while processing maliciously
crafted web content. The issue was fixed through improved state
management.

- CVE-2016-7589 (arbitrary code execution)

A memory corruption issue was found in WebKitGTK+ < 2.14.3, leading to
potential arbitrary code execution while processing maliciously crafted
web content. The issue was fixed through improved state management.

- CVE-2016-7592 (information disclosure)

An issue in the handling of JavaScript prompts was found in WebKitGTK+
< 2.14.3, leading to potential compromise of user information while
processing maliciously crafted web content. The issue was fixed through
improved state management.

- CVE-2016-7599 (information disclosure)

An issue in the handling of HTTP redirects was found in WebKitGTK+ <
2.14.3, leading to potential disclosure of user information while
processing maliciously crafted web content. This issue was addressed
through improved cross origin validation.

- CVE-2016-7623 (information disclosure)

An issue in the handling of blob URLs was found in WebKitGTK+ < 2.14.3,
leading to potential compromise of user information while processing
maliciously crafted web content. This issue was addressed through
improved URL handling.

- CVE-2016-7632 (arbitrary code execution)

A memory corruption issue was found in WebKitGTK+ < 2.14.3, leading to
denial of service or arbitrary code execution while processing
maliciously crafted web content. This issue was addressed through
improved state management.

- CVE-2016-7635 (arbitrary code execution)

Multiple memory corruption issues were found in WebKitGTK+ < 2.14.3,
leading to arbitrary code execution while processing maliciously
crafted web content. This issues were addressed through improved memory
handling.

- CVE-2016-7639 (arbitrary code execution)

Multiple memory corruption issues were found in WebKitGTK+ < 2.14.3,
leading to arbitrary code execution while processing maliciously
crafted web content. This issues were addressed through improved state
management.

- CVE-2016-7641 (arbitrary code execution)

Multiple memory corruption issues were found in WebKitGTK+ < 2.14.3,
leading to arbitrary code execution while processing maliciously
crafted web content. This issues were addressed through improved state
management.

- CVE-2016-7645 (arbitrary code execution)

Multiple memory corruption issues were found in WebKitGTK+ < 2.14.3,
leading to arbitrary code execution while processing maliciously
crafted web content. This issues were addressed through improved state
management.

- CVE-2016-7652 (arbitrary code execution)

Multiple memory corruption issues were found in WebKitGTK+ < 2.14.3,
leading to arbitrary code execution while processing maliciously
crafted web content. This issues were addressed through improved memory
handling.

- CVE-2016-7654 (arbitrary code execution)

Multiple memory corruption issues were found in WebKitGTK+ < 2.14.3,
leading to arbitrary code execution while processing maliciously
crafted web content. This issues were addressed through improved state
management.

- CVE-2016-7656 (arbitrary code execution)

A memory corruption issue was found in WebKitGTK+ < 2.14.3, leading to
arbitrary code execution while processing maliciously crafted web
content. This issue was addressed through improved state management.

Impact
=====
A remote attacker can access sensitive information or execute arbitrary
code on the affected host via a maliciously crafted web content.

References
=========
https://webkitgtk.org/security/WSA-2017-0001.html
https://security.archlinux.org/CVE-2016-7586
https://security.archlinux.org/CVE-2016-7589
https://security.archlinux.org/CVE-2016-7592
https://security.archlinux.org/CVE-2016-7599
https://security.archlinux.org/CVE-2016-7623
https://security.archlinux.org/CVE-2016-7632
https://security.archlinux.org/CVE-2016-7635
https://security.archlinux.org/CVE-2016-7639
https://security.archlinux.org/CVE-2016-7641
https://security.archlinux.org/CVE-2016-7645
https://security.archlinux.org/CVE-2016-7652
https://security.archlinux.org/CVE-2016-7654
https://security.archlinux.org/CVE-2016-7656

ArchLinux: 201701-27: webkit2gtk: multiple issues

January 18, 2017

Summary

- CVE-2016-7586 (information disclosure) A validation issue was found in WebKitGTK+ < 2.14.3, leading to the potential disclosure of user information while processing maliciously crafted web content. The issue was fixed through improved state management.
- CVE-2016-7589 (arbitrary code execution)
A memory corruption issue was found in WebKitGTK+ < 2.14.3, leading to potential arbitrary code execution while processing maliciously crafted web content. The issue was fixed through improved state management.
- CVE-2016-7592 (information disclosure)
An issue in the handling of JavaScript prompts was found in WebKitGTK+ < 2.14.3, leading to potential compromise of user information while processing maliciously crafted web content. The issue was fixed through improved state management.
- CVE-2016-7599 (information disclosure)
An issue in the handling of HTTP redirects was found in WebKitGTK+ < 2.14.3, leading to potential disclosure of user information while processing maliciously crafted web content. This issue was addressed through improved cross origin validation.
- CVE-2016-7623 (information disclosure)
An issue in the handling of blob URLs was found in WebKitGTK+ < 2.14.3, leading to potential compromise of user information while processing maliciously crafted web content. This issue was addressed through improved URL handling.
- CVE-2016-7632 (arbitrary code execution)
A memory corruption issue was found in WebKitGTK+ < 2.14.3, leading to denial of service or arbitrary code execution while processing maliciously crafted web content. This issue was addressed through improved state management.
- CVE-2016-7635 (arbitrary code execution)
Multiple memory corruption issues were found in WebKitGTK+ < 2.14.3, leading to arbitrary code execution while processing maliciously crafted web content. This issues were addressed through improved memory handling.
- CVE-2016-7639 (arbitrary code execution)
Multiple memory corruption issues were found in WebKitGTK+ < 2.14.3, leading to arbitrary code execution while processing maliciously crafted web content. This issues were addressed through improved state management.
- CVE-2016-7641 (arbitrary code execution)
Multiple memory corruption issues were found in WebKitGTK+ < 2.14.3, leading to arbitrary code execution while processing maliciously crafted web content. This issues were addressed through improved state management.
- CVE-2016-7645 (arbitrary code execution)
Multiple memory corruption issues were found in WebKitGTK+ < 2.14.3, leading to arbitrary code execution while processing maliciously crafted web content. This issues were addressed through improved state management.
- CVE-2016-7652 (arbitrary code execution)
Multiple memory corruption issues were found in WebKitGTK+ < 2.14.3, leading to arbitrary code execution while processing maliciously crafted web content. This issues were addressed through improved memory handling.
- CVE-2016-7654 (arbitrary code execution)
Multiple memory corruption issues were found in WebKitGTK+ < 2.14.3, leading to arbitrary code execution while processing maliciously crafted web content. This issues were addressed through improved state management.
- CVE-2016-7656 (arbitrary code execution)
A memory corruption issue was found in WebKitGTK+ < 2.14.3, leading to arbitrary code execution while processing maliciously crafted web content. This issue was addressed through improved state management.

Resolution

Upgrade to 2.14.3-1. # pacman -Syu "webkit2gtk>=2.14.3-1"
The problems have been fixed upstream in version 2.14.3.

References

https://webkitgtk.org/security/WSA-2017-0001.html https://security.archlinux.org/CVE-2016-7586 https://security.archlinux.org/CVE-2016-7589 https://security.archlinux.org/CVE-2016-7592 https://security.archlinux.org/CVE-2016-7599 https://security.archlinux.org/CVE-2016-7623 https://security.archlinux.org/CVE-2016-7632 https://security.archlinux.org/CVE-2016-7635 https://security.archlinux.org/CVE-2016-7639 https://security.archlinux.org/CVE-2016-7641 https://security.archlinux.org/CVE-2016-7645 https://security.archlinux.org/CVE-2016-7652 https://security.archlinux.org/CVE-2016-7654 https://security.archlinux.org/CVE-2016-7656

Severity
CVE-2016-7623 CVE-2016-7632 CVE-2016-7635 CVE-2016-7639
CVE-2016-7641 CVE-2016-7645 CVE-2016-7652 CVE-2016-7654
CVE-2016-7656
Package : webkit2gtk
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-146

Workaround

None.

Related News