===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.1849
         WebKitGTK and WPE WebKit Security Advisory WSA-2019-0003
                                23 May 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           WebKitGTK
                   WPE WebKit
Publisher:         WebKit
Operating System:  UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Access Privileged Data          -- Remote with User Interaction
                   Cross-site Scripting            -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-8623 CVE-2019-8622 CVE-2019-8619
                   CVE-2019-8615 CVE-2019-8611 CVE-2019-8610
                   CVE-2019-8609 CVE-2019-8608 CVE-2019-8607
                   CVE-2019-8601 CVE-2019-8597 CVE-2019-8596
                   CVE-2019-8595 CVE-2019-8594 CVE-2019-8587
                   CVE-2019-8586 CVE-2019-8584 CVE-2019-8583
                   CVE-2019-8571 CVE-2019-6237 

Reference:         ESB-2019.1836
                   ESB-2019.1698

Original Bulletin: 
   https://webkitgtk.org/security/WSA-2019-0003.html
   https://wpewebkit.org/security/WSA-2019-0003.html

--------------------------BEGIN INCLUDED TEXT--------------------

------------------------------------------------------------------------
WebKitGTK and WPE WebKit Security Advisory WSA-2019-0003
------------------------------------------------------------------------

Date reported : May 20, 2019
Advisory ID : WSA-2019-0003
WebKitGTK Advisory URL : https://webkitgtk.org/security/WSA-2019-0003.html
WPE WebKit Advisory URL : https://wpewebkit.org/security/WSA-2019-0003.html
CVE identifiers : CVE-2019-6237, CVE-2019-8571, CVE-2019-8583,
                  CVE-2019-8584, CVE-2019-8586, CVE-2019-8587,
                  CVE-2019-8594, CVE-2019-8595, CVE-2019-8596,
                  CVE-2019-8597, CVE-2019-8601, CVE-2019-8607,
                  CVE-2019-8608, CVE-2019-8609, CVE-2019-8610,
                  CVE-2019-8615, CVE-2019-8611, CVE-2019-8619,
                  CVE-2019-8622, CVE-2019-8623.

Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.

CVE-2019-6237
    Versions affected: WebKitGTK and WPE WebKit before 2.24.1.
    Credit to G. Geshev working with Trend Micro Zero Day Initiative,
    Liu Long of Qihoo 360 Vulcan Team.
    Processing maliciously crafted web content may lead to arbitrary
    code execution. Multiple memory corruption issues were addressed
    with improved memory handling.

CVE-2019-8571
    Versions affected: WebKitGTK and WPE WebKit before 2.24.0.
    Credit to 01 working with Trend Micro's Zero Day Initiative.
    Processing maliciously crafted web content may lead to arbitrary
    code execution. Multiple memory corruption issues were addressed
    with improved memory handling.

CVE-2019-8583
    Versions affected: WebKitGTK and WPE WebKit before 2.24.0.
    Credit to sakura of Tencent Xuanwu Lab, jessica (@babyjess1ca_) of
    Tencent Keen Lab, and dwfault working at ADLab of Venustech.
    Processing maliciously crafted web content may lead to arbitrary
    code execution. Multiple memory corruption issues were addressed
    with improved memory handling.

CVE-2019-8584
    Versions affected: WebKitGTK and WPE WebKit before 2.24.1.
    Credit to G. Geshev of MWR Labs working with Trend Micro Zero Day
    Initiative.
    Processing maliciously crafted web content may lead to arbitrary
    code execution. Multiple memory corruption issues were addressed
    with improved memory handling.

CVE-2019-8586
    Versions affected: WebKitGTK and WPE WebKit before 2.24.0.
    Credit to an anonymous researcher.
    Processing maliciously crafted web content may lead to arbitrary
    code execution. Multiple memory corruption issues were addressed
    with improved memory handling.

CVE-2019-8587
    Versions affected: WebKitGTK and WPE WebKit before 2.24.1.
    Credit to G. Geshev working with Trend Micro Zero Day Initiative.
    Processing maliciously crafted web content may lead to arbitrary
    code execution. Multiple memory corruption issues were addressed
    with improved memory handling.

CVE-2019-8594
    Versions affected: WebKitGTK and WPE WebKit before 2.24.0.
    Credit to Suyoung Lee and Sooel Son of KAIST Web Security & Privacy
    Lab and HyungSeok Han and Sang Kil Cha of KAIST SoftSec Lab.
    Processing maliciously crafted web content may lead to arbitrary
    code execution. Multiple memory corruption issues were addressed
    with improved memory handling.

CVE-2019-8595
    Versions affected: WebKitGTK and WPE WebKit before 2.24.2.
    Credit to G. Geshev from MWR Labs working with Trend Micro Zero Day
    Initiative.
    Processing maliciously crafted web content may lead to arbitrary
    code execution. Multiple memory corruption issues were addressed
    with improved memory handling.

CVE-2019-8596
    Versions affected: WebKitGTK and WPE WebKit before 2.24.1.
    Credit to Wen Xu of SSLab at Georgia Tech.
    Processing maliciously crafted web content may lead to arbitrary
    code execution. Multiple memory corruption issues were addressed
    with improved memory handling.

CVE-2019-8597
    Versions affected: WebKitGTK and WPE WebKit before 2.24.1.
    Credit to 01 working with Trend Micro Zero Day Initiative.
    Processing maliciously crafted web content may lead to arbitrary
    code execution. Multiple memory corruption issues were addressed
    with improved memory handling.

CVE-2019-8601
    Versions affected: WebKitGTK and WPE WebKit before 2.24.1.
    Credit to Fluoroacetate working with Trend Micro's Zero Day
    Initiative.
    Processing maliciously crafted web content may lead to arbitrary
    code execution. Multiple memory corruption issues were addressed
    with improved memory handling.

CVE-2019-8607
    Versions affected: WebKitGTK and WPE WebKit before 2.24.2.
    Credit to Junho Jang and Hanul Choi of LINE Security Team.
    Processing maliciously crafted web content may result in the
    disclosure of process memory. An out-of-bounds read was addressed
    with improved input validation.

CVE-2019-8608
    Versions affected: WebKitGTK and WPE WebKit before 2.24.1.
    Credit to G. Geshev working with Trend Micro Zero Day Initiative.
    Processing maliciously crafted web content may lead to arbitrary
    code execution. Multiple memory corruption issues were addressed
    with improved memory handling.

CVE-2019-8609
    Versions affected: WebKitGTK and WPE WebKit before 2.24.0.
    Credit to Wen Xu of SSLab, Georgia Tech.
    Processing maliciously crafted web content may lead to arbitrary
    code execution. Multiple memory corruption issues were addressed
    with improved memory handling.

CVE-2019-8610
    Versions affected: WebKitGTK and WPE WebKit before 2.24.1.
    Credit to Anonymous working with Trend Micro Zero Day Initiative.
    Processing maliciously crafted web content may lead to arbitrary
    code execution. Multiple memory corruption issues were addressed
    with improved memory handling.

CVE-2019-8615
    Versions affected: WebKitGTK and WPE WebKit before 2.24.2.
    Credit to G. Geshev from MWR Labs working with Trend Micro's Zero
    Day Initiative.
    Processing maliciously crafted web content may lead to arbitrary
    code execution. Multiple memory corruption issues were addressed
    with improved memory handling.

CVE-2019-8611
    Versions affected: WebKitGTK and WPE WebKit before 2.24.0.
    Credit to Samuel Groß of Google Project Zero.
    Processing maliciously crafted web content may lead to arbitrary
    code execution. Multiple memory corruption issues were addressed
    with improved memory handling.

CVE-2019-8619
    Versions affected: WebKitGTK and WPE WebKit before 2.24.1.
    Credit to Wen Xu of SSLab at Georgia Tech and Hanqing Zhao of
    Chaitin Security Research Lab.
    Processing maliciously crafted web content may lead to arbitrary
    code execution. Multiple memory corruption issues were addressed
    with improved memory handling.

CVE-2019-8622
    Versions affected: WebKitGTK and WPE WebKit before 2.24.0.
    Credit to Samuel Groß of Google Project Zero.
    Processing maliciously crafted web content may lead to arbitrary
    code execution. Multiple memory corruption issues were addressed
    with improved memory handling.

CVE-2019-8623
    Versions affected: WebKitGTK and WPE WebKit before 2.24.0.
    Credit to Samuel Groß of Google Project Zero.
    Processing maliciously crafted web content may lead to arbitrary
    code execution. Multiple memory corruption issues were addressed
    with improved memory handling.


We recommend updating to the latest stable versions of WebKitGTK and WPE
WebKit. It is the best way to ensure that you are running safe versions
of WebKit. Please check our websites for information about the latest
stable releases.
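To tell which of the entries above still apply to a given installed build, the following is an added Python example (not part of the advisory or of the WebKitGTK project): it parses entries written in the advisory's own "Versions affected: ... before X.Y.Z." layout and compares each bound against an installed version string. The embedded advisory text is a constructed excerpt of three entries, and the installed version values are assumed.

```python
import re

# Constructed excerpt in the advisory's own layout (three of its twenty
# entries); the full bulletin text can be passed to parse_advisory() unchanged.
ADVISORY_TEXT = """\
CVE-2019-8571
    Versions affected: WebKitGTK and WPE WebKit before 2.24.0.
    Processing maliciously crafted web content may lead to arbitrary
    code execution.

CVE-2019-8607
    Versions affected: WebKitGTK and WPE WebKit before 2.24.2.

CVE-2019-8584
    Versions affected: WebKitGTK and WPE WebKit before 2.24.1.
"""

# One entry: a CVE id alone on a line, then the indented "Versions affected"
# line ending in "before <version>."; description lines are skipped.
ENTRY_RE = re.compile(
    r"^(CVE-\d{4}-\d{4,})[ \t]*\n\s+Versions affected:[^\n]*?before\s+(\d+(?:\.\d+)*)\.",
    re.MULTILINE,
)

def parse_version(text, width=3):
    """'2.24' -> (2, 24, 0): zero-pad so 2.24 is not treated as older than 2.24.0."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * max(0, width - len(parts)))

def parse_advisory(text):
    """Map each CVE id to the first version that is no longer affected."""
    return {cve: parse_version(fixed) for cve, fixed in ENTRY_RE.findall(text)}

def open_cves(installed, advisory):
    """CVE ids whose 'before X' bound is still above the installed version."""
    current = parse_version(installed)
    return sorted(cve for cve, fixed in advisory.items() if current < fixed)

def minimum_safe_version(advisory):
    """Lowest version that closes every entry in the advisory."""
    return max(advisory.values())

if __name__ == "__main__":
    # Assumed installed versions; on a real host the value would come from
    # `pkg-config --modversion webkit2gtk-4.0` or the distribution package.
    advisory = parse_advisory(ADVISORY_TEXT)
    for installed in ("2.22.7", "2.24.1", "2.24.2"):
        print(installed, "->", open_cves(installed, advisory) or "none open")
    print("minimum safe:", ".".join(map(str, minimum_safe_version(advisory))))
```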

Further information about WebKitGTK and WPE WebKit security advisories
can be found at: https://webkitgtk.org/security.html or
https://wpewebkit.org/security/.

The WebKitGTK and WPE WebKit team,
May 20, 2019


--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================