Alerts This Week
Warning Icon 1 640
Alerts This Week
Warning Icon 1 640

Arch Linux: Advisory ASA-201909-1 Critical: Webkit2gtk Security Flaws

Archlinux Large Esm H446
The package webkit2gtk before version 2.24.4-1 is vulnerable to multiple issues including arbitrary code execution and cross-site scripting.
Arch Linux Security Advisory ASA-201909-1
========================================
Severity: Critical
Date    : 2019-09-04
CVE-ID  : CVE-2019-8644 CVE-2019-8649 CVE-2019-8658 CVE-2019-8669
          CVE-2019-8678 CVE-2019-8680 CVE-2019-8683 CVE-2019-8684
          CVE-2019-8688
Package : webkit2gtk
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-1033

Summary
======
The package webkit2gtk before version 2.24.4-1 is vulnerable to
multiple issues including arbitrary code execution and cross-site
scripting.

Resolution
=========
Upgrade to 2.24.4-1.

# pacman -Syu "webkit2gtk>=2.24.4-1"

The problems have been fixed upstream in version 2.24.4.

Workaround
=========
None.

Description
==========
- CVE-2019-8644 (arbitrary code execution)

An issue has been found in WebKitGTK before 2.24.4 where processing
maliciously crafted web content may lead to arbitrary code execution.

- CVE-2019-8649 (cross-site scripting)

An issue has been found in WebKitGTK before 2.24.4 where processing
maliciously crafted web content may lead to universal cross site
scripting.

- CVE-2019-8658 (cross-site scripting)

An issue has been found in WebKitGTK before 2.24.4 where processing
maliciously crafted web content may lead to universal cross site
scripting.

- CVE-2019-8669 (arbitrary code execution)

An issue has been found in WebKitGTK before 2.24.4 where processing
maliciously crafted web content may lead to arbitrary code execution.

- CVE-2019-8678 (arbitrary code execution)

An issue has been found in WebKitGTK before 2.24.4 where processing
maliciously crafted web content may lead to arbitrary code execution.

- CVE-2019-8680 (arbitrary code execution)

An issue has been found in WebKitGTK before 2.24.4 where processing
maliciously crafted web content may lead to arbitrary code execution.

- CVE-2019-8683 (arbitrary code execution)

An issue has been found in WebKitGTK before 2.24.4 where processing
maliciously crafted web content may lead to arbitrary code execution.

- CVE-2019-8684 (arbitrary code execution)

An issue has been found in WebKitGTK before 2.24.4 where processing
maliciously crafted web content may lead to arbitrary code execution.

- CVE-2019-8688 (arbitrary code execution)

An issue has been found in WebKitGTK before 2.24.4 where processing
maliciously crafted web content may lead to arbitrary code execution.

Impact
=====
A remote attacker can bypass security restrictions via universal cross-site scripting or execute arbitrary code via crafted web content.

References
=========
https://webkitgtk.org/security/WSA-2019-0004.html
https://webkitgtk.org/security/WSA-2019-0004.html#CVE-2019-8644
https://webkitgtk.org/security/WSA-2019-0004.html#CVE-2019-8649
https://webkitgtk.org/security/WSA-2019-0004.html#CVE-2019-8658
https://webkitgtk.org/security/WSA-2019-0004.html#CVE-2019-8669
https://webkitgtk.org/security/WSA-2019-0004.html#CVE-2019-8678
https://webkitgtk.org/security/WSA-2019-0004.html#CVE-2019-8680
https://webkitgtk.org/security/WSA-2019-0004.html#CVE-2019-8683
https://webkitgtk.org/security/WSA-2019-0004.html#CVE-2019-8684
https://webkitgtk.org/security/WSA-2019-0004.html#CVE-2019-8688
https://security.archlinux.org/CVE-2019-8644
https://security.archlinux.org/CVE-2019-8649
https://security.archlinux.org/CVE-2019-8658
https://security.archlinux.org/CVE-2019-8669
https://security.archlinux.org/CVE-2019-8678
https://security.archlinux.org/CVE-2019-8680
https://security.archlinux.org/CVE-2019-8683
https://security.archlinux.org/CVE-2019-8684
https://security.archlinux.org/CVE-2019-8688
Your message here