webkit2gtk: security update to 2.24.2 #1853

Closed
5 tasks
l2dy opened this issue May 27, 2019 · 1 comment

l2dy commented May 27, 2019

CVE IDs: CVE-2019-8595, CVE-2019-8607, CVE-2019-8615

Other security advisory IDs: WSA-2019-0003, USN-3992-1

Descriptions:

  • CVE-2019-6237
    • Versions affected: WebKitGTK and WPE WebKit before 2.24.1.
    • Credit to G. Geshev working with Trend Micro Zero Day Initiative, Liu Long of Qihoo 360 Vulcan Team.
    • Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling.
  • CVE-2019-8571
    • Versions affected: WebKitGTK and WPE WebKit before 2.24.0.
    • Credit to 01 working with Trend Micro's Zero Day Initiative.
    • Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling.
  • CVE-2019-8583
    • Versions affected: WebKitGTK and WPE WebKit before 2.24.0.
    • Credit to sakura of Tencent Xuanwu Lab, jessica (@babyjess1ca_) of Tencent Keen Lab, and dwfault working at ADLab of Venustech.
    • Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling.
  • CVE-2019-8584
    • Versions affected: WebKitGTK and WPE WebKit before 2.24.1.
    • Credit to G. Geshev of MWR Labs working with Trend Micro Zero Day Initiative.
    • Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling.
  • CVE-2019-8586
    • Versions affected: WebKitGTK and WPE WebKit before 2.24.0.
    • Credit to an anonymous researcher.
    • Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling.
  • CVE-2019-8587
    • Versions affected: WebKitGTK and WPE WebKit before 2.24.1.
    • Credit to G. Geshev working with Trend Micro Zero Day Initiative.
    • Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling.
  • CVE-2019-8594
    • Versions affected: WebKitGTK and WPE WebKit before 2.24.0.
    • Credit to Suyoung Lee and Sooel Son of KAIST Web Security & Privacy Lab and HyungSeok Han and Sang Kil Cha of KAIST SoftSec Lab.
    • Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling.
  • CVE-2019-8595
    • Versions affected: WebKitGTK and WPE WebKit before 2.24.2.
    • Credit to G. Geshev from MWR Labs working with Trend Micro Zero Day Initiative.
    • Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling.
  • CVE-2019-8596
    • Versions affected: WebKitGTK and WPE WebKit before 2.24.1.
    • Credit to Wen Xu of SSLab at Georgia Tech.
    • Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling.
  • CVE-2019-8597
    • Versions affected: WebKitGTK and WPE WebKit before 2.24.1.
    • Credit to 01 working with Trend Micro Zero Day Initiative.
    • Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling.
  • CVE-2019-8601
    • Versions affected: WebKitGTK and WPE WebKit before 2.24.1.
    • Credit to Fluoroacetate working with Trend Micro's Zero Day Initiative.
    • Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling.
  • CVE-2019-8607
    • Versions affected: WebKitGTK and WPE WebKit before 2.24.2.
    • Credit to Junho Jang and Hanul Choi of LINE Security Team.
    • Processing maliciously crafted web content may result in the disclosure of process memory. An out-of-bounds read was addressed with improved input validation.
  • CVE-2019-8608
    • Versions affected: WebKitGTK and WPE WebKit before 2.24.1.
    • Credit to G. Geshev working with Trend Micro Zero Day Initiative.
    • Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling.
  • CVE-2019-8609
    • Versions affected: WebKitGTK and WPE WebKit before 2.24.0.
    • Credit to Wen Xu of SSLab, Georgia Tech.
    • Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling.
  • CVE-2019-8610
    • Versions affected: WebKitGTK and WPE WebKit before 2.24.1.
    • Credit to Anonymous working with Trend Micro Zero Day Initiative.
    • Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling.
  • CVE-2019-8615
    • Versions affected: WebKitGTK and WPE WebKit before 2.24.2.
    • Credit to G. Geshev from MWR Labs working with Trend Micro's Zero Day Initiative.
    • Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling.
  • CVE-2019-8611
    • Versions affected: WebKitGTK and WPE WebKit before 2.24.0.
    • Credit to Samuel Groß of Google Project Zero.
    • Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling.
  • CVE-2019-8619
    • Versions affected: WebKitGTK and WPE WebKit before 2.24.1.
    • Credit to Wen Xu of SSLab at Georgia Tech and Hanqing Zhao of Chaitin Security Research Lab.
    • Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling.
  • CVE-2019-8622
    • Versions affected: WebKitGTK and WPE WebKit before 2.24.0.
    • Credit to Samuel Groß of Google Project Zero.
    • Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling.
  • CVE-2019-8623
    • Versions affected: WebKitGTK and WPE WebKit before 2.24.0.
    • Credit to Samuel Groß of Google Project Zero.
    • Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling.

Architectural progress:

  • AMD64 amd64
  • AArch64 arm64
  • ARMv7 armel
  • PowerPC 64-bit BE ppc64
  • PowerPC 32-bit BE powerpc
@l2dy l2dy added upgrade Topic/issue involves a package upgrade security Topic/issue involves a security issue/fixed to-testing labels May 27, 2019
@KexyBiscuit KexyBiscuit self-assigned this May 28, 2019
@KexyBiscuit KexyBiscuit added this to the Winter 2018 milestone May 28, 2019
@KexyBiscuit KexyBiscuit modified the milestones: Winter 2018, Summer 2019 Sep 11, 2019
@MingcongBai

Superseded by #2134 and #2135. Closing.
