[ASA-201909-1] webkit2gtk: multiple issues
Jelle van der Waa
jelle at archlinux.org
Wed Sep 11 18:37:48 UTC 2019
Arch Linux Security Advisory ASA-201909-1
=========================================
Severity: Critical
Date : 2019-09-04
CVE-ID : CVE-2019-8644 CVE-2019-8649 CVE-2019-8658 CVE-2019-8669
CVE-2019-8678 CVE-2019-8680 CVE-2019-8683 CVE-2019-8684
CVE-2019-8688
Package : webkit2gtk
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-1033
Summary
=======
The package webkit2gtk before version 2.24.4-1 is vulnerable to
multiple issues including arbitrary code execution and cross-site
scripting.
Resolution
==========
Upgrade to 2.24.4-1.
# pacman -Syu "webkit2gtk>=2.24.4-1"
The problems have been fixed upstream in version 2.24.4.
Workaround
==========
None.
Description
===========
- CVE-2019-8644 (arbitrary code execution)
An issue has been found in WebKitGTK before 2.24.4 where processing
maliciously crafted web content may lead to arbitrary code execution.
- CVE-2019-8649 (cross-site scripting)
An issue has been found in WebKitGTK before 2.24.4 where processing
maliciously crafted web content may lead to universal cross site
scripting.
- CVE-2019-8658 (cross-site scripting)
An issue has been found in WebKitGTK before 2.24.4 where processing
maliciously crafted web content may lead to universal cross site
scripting.
- CVE-2019-8669 (arbitrary code execution)
An issue has been found in WebKitGTK before 2.24.4 where processing
maliciously crafted web content may lead to arbitrary code execution.
- CVE-2019-8678 (arbitrary code execution)
An issue has been found in WebKitGTK before 2.24.4 where processing
maliciously crafted web content may lead to arbitrary code execution.
- CVE-2019-8680 (arbitrary code execution)
An issue has been found in WebKitGTK before 2.24.4 where processing
maliciously crafted web content may lead to arbitrary code execution.
- CVE-2019-8683 (arbitrary code execution)
An issue has been found in WebKitGTK before 2.24.4 where processing
maliciously crafted web content may lead to arbitrary code execution.
- CVE-2019-8684 (arbitrary code execution)
An issue has been found in WebKitGTK before 2.24.4 where processing
maliciously crafted web content may lead to arbitrary code execution.
- CVE-2019-8688 (arbitrary code execution)
An issue has been found in WebKitGTK before 2.24.4 where processing
maliciously crafted web content may lead to arbitrary code execution.
Impact
======
A remote attacker can bypass security restrictions via universal cross-
site scripting or execute arbitrary code via crafted web content.
References
==========
https://webkitgtk.org/security/WSA-2019-0004.html
https://webkitgtk.org/security/WSA-2019-0004.html#CVE-2019-8644
https://webkitgtk.org/security/WSA-2019-0004.html#CVE-2019-8649
https://webkitgtk.org/security/WSA-2019-0004.html#CVE-2019-8658
https://webkitgtk.org/security/WSA-2019-0004.html#CVE-2019-8669
https://webkitgtk.org/security/WSA-2019-0004.html#CVE-2019-8678
https://webkitgtk.org/security/WSA-2019-0004.html#CVE-2019-8680
https://webkitgtk.org/security/WSA-2019-0004.html#CVE-2019-8683
https://webkitgtk.org/security/WSA-2019-0004.html#CVE-2019-8684
https://webkitgtk.org/security/WSA-2019-0004.html#CVE-2019-8688
https://security.archlinux.org/CVE-2019-8644
https://security.archlinux.org/CVE-2019-8649
https://security.archlinux.org/CVE-2019-8658
https://security.archlinux.org/CVE-2019-8669
https://security.archlinux.org/CVE-2019-8678
https://security.archlinux.org/CVE-2019-8680
https://security.archlinux.org/CVE-2019-8683
https://security.archlinux.org/CVE-2019-8684
https://security.archlinux.org/CVE-2019-8688
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: not available
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20190911/0c047863/attachment.sig>
More information about the arch-security
mailing list