ArchLinux: 201701-27: webkit2gtk: multiple issues
Summary
- CVE-2016-7586 (information disclosure)
A validation issue was found in WebKitGTK+ < 2.14.3, leading to the
potential disclosure of user information while processing maliciously
crafted web content. The issue was fixed through improved state
management.
- CVE-2016-7589 (arbitrary code execution)
A memory corruption issue was found in WebKitGTK+ < 2.14.3, leading to
potential arbitrary code execution while processing maliciously crafted
web content. The issue was fixed through improved state management.
- CVE-2016-7592 (information disclosure)
An issue in the handling of JavaScript prompts was found in WebKitGTK+
< 2.14.3, leading to potential compromise of user information while
processing maliciously crafted web content. The issue was fixed through
improved state management.
- CVE-2016-7599 (information disclosure)
An issue in the handling of HTTP redirects was found in WebKitGTK+ <
2.14.3, leading to potential disclosure of user information while
processing maliciously crafted web content. This issue was addressed
through improved cross origin validation.
- CVE-2016-7623 (information disclosure)
An issue in the handling of blob URLs was found in WebKitGTK+ < 2.14.3,
leading to potential compromise of user information while processing
maliciously crafted web content. This issue was addressed through
improved URL handling.
- CVE-2016-7632 (arbitrary code execution)
A memory corruption issue was found in WebKitGTK+ < 2.14.3, leading to
denial of service or arbitrary code execution while processing
maliciously crafted web content. This issue was addressed through
improved state management.
- CVE-2016-7635 (arbitrary code execution)
Multiple memory corruption issues were found in WebKitGTK+ < 2.14.3,
leading to arbitrary code execution while processing maliciously
crafted web content. This issues were addressed through improved memory
handling.
- CVE-2016-7639 (arbitrary code execution)
Multiple memory corruption issues were found in WebKitGTK+ < 2.14.3,
leading to arbitrary code execution while processing maliciously
crafted web content. This issues were addressed through improved state
management.
- CVE-2016-7641 (arbitrary code execution)
Multiple memory corruption issues were found in WebKitGTK+ < 2.14.3,
leading to arbitrary code execution while processing maliciously
crafted web content. This issues were addressed through improved state
management.
- CVE-2016-7645 (arbitrary code execution)
Multiple memory corruption issues were found in WebKitGTK+ < 2.14.3,
leading to arbitrary code execution while processing maliciously
crafted web content. This issues were addressed through improved state
management.
- CVE-2016-7652 (arbitrary code execution)
Multiple memory corruption issues were found in WebKitGTK+ < 2.14.3,
leading to arbitrary code execution while processing maliciously
crafted web content. This issues were addressed through improved memory
handling.
- CVE-2016-7654 (arbitrary code execution)
Multiple memory corruption issues were found in WebKitGTK+ < 2.14.3,
leading to arbitrary code execution while processing maliciously
crafted web content. This issues were addressed through improved state
management.
- CVE-2016-7656 (arbitrary code execution)
A memory corruption issue was found in WebKitGTK+ < 2.14.3, leading to
arbitrary code execution while processing maliciously crafted web
content. This issue was addressed through improved state management.
Resolution
Upgrade to 2.14.3-1.
# pacman -Syu "webkit2gtk>=2.14.3-1"
The problems have been fixed upstream in version 2.14.3.
References
https://webkitgtk.org/security/WSA-2017-0001.html https://security.archlinux.org/CVE-2016-7586 https://security.archlinux.org/CVE-2016-7589 https://security.archlinux.org/CVE-2016-7592 https://security.archlinux.org/CVE-2016-7599 https://security.archlinux.org/CVE-2016-7623 https://security.archlinux.org/CVE-2016-7632 https://security.archlinux.org/CVE-2016-7635 https://security.archlinux.org/CVE-2016-7639 https://security.archlinux.org/CVE-2016-7641 https://security.archlinux.org/CVE-2016-7645 https://security.archlinux.org/CVE-2016-7652 https://security.archlinux.org/CVE-2016-7654 https://security.archlinux.org/CVE-2016-7656
Workaround
None.