Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2019.1849 WebKitGTK and WPE WebKit Security Advisory WSA-2019-0003 23 May 2019 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: WebKitGTK WPE WebKit Publisher: WebKit Operating System: UNIX variants (UNIX, Linux, OSX) Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction Access Privileged Data -- Remote with User Interaction Cross-site Scripting -- Remote with User Interaction Denial of Service -- Remote with User Interaction Resolution: Patch/Upgrade CVE Names: CVE-2019-8623 CVE-2019-8622 CVE-2019-8619 CVE-2019-8615 CVE-2019-8611 CVE-2019-8610 CVE-2019-8609 CVE-2019-8608 CVE-2019-8607 CVE-2019-8601 CVE-2019-8597 CVE-2019-8596 CVE-2019-8595 CVE-2019-8594 CVE-2019-8587 CVE-2019-8586 CVE-2019-8584 CVE-2019-8583 CVE-2019-8571 CVE-2019-6237 Reference: ESB-2019.1836 ESB-2019.1698 Original Bulletin: https://webkitgtk.org/security/WSA-2019-0003.html https://wpewebkit.org/security/WSA-2019-0003.html - --------------------------BEGIN INCLUDED TEXT-------------------- - ------------------------------------------------------------------------ WebKitGTK and WPE WebKit Security Advisory WSA-2019-0003 - ------------------------------------------------------------------------ Date reported : May 20, 2019 Advisory ID : WSA-2019-0003 WebKitGTK Advisory URL :=20 https://webkitgtk.org/security/WSA-2019-0003.html WPE WebKit Advisory URL :=20 https://wpewebkit.org/security/WSA-2019-0003.html CVE identifiers : CVE-2019-6237, CVE-2019-8571, CVE-2019-8583, CVE-2019-8584, CVE-2019-8586, CVE-2019-8587, CVE-2019-8594, CVE-2019-8595, CVE-2019-8596, CVE-2019-8597, CVE-2019-8601, CVE-2019-8607, CVE-2019-8608, CVE-2019-8609, CVE-2019-8610, CVE-2019-8615, CVE-2019-8611, CVE-2019-8619, CVE-2019-8622, CVE-2019-8623. Several vulnerabilities were discovered in WebKitGTK and WPE WebKit. CVE-2019-6237 Versions affected: WebKitGTK and WPE WebKit before 2.24.1. Credit to G. Geshev working with Trend Micro Zero Day Initiative, Liu Long of Qihoo 360 Vulcan Team. Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling. CVE-2019-8571 Versions affected: WebKitGTK and WPE WebKit before 2.24.0. Credit to 01 working with Trend Micro's Zero Day Initiative. Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling. CVE-2019-8583 Versions affected: WebKitGTK and WPE WebKit before 2.24.0. Credit to sakura of Tencent Xuanwu Lab, jessica (@babyjess1ca_) of Tencent Keen Lab, and dwfault working at ADLab of Venustech. Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling. CVE-2019-8584 Versions affected: WebKitGTK and WPE WebKit before 2.24.1. Credit to G. Geshev of MWR Labs working with Trend Micro Zero Day Initiative. Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling. CVE-2019-8586 Versions affected: WebKitGTK and WPE WebKit before 2.24.0. Credit to an anonymous researcher. Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling. CVE-2019-8587 Versions affected: WebKitGTK and WPE WebKit before 2.24.1. Credit to G. Geshev working with Trend Micro Zero Day Initiative. Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling. CVE-2019-8594 Versions affected: WebKitGTK and WPE WebKit before 2.24.0. Credit to Suyoung Lee and Sooel Son of KAIST Web Security & Privacy Lab and HyungSeok Han and Sang Kil Cha of KAIST SoftSec Lab. Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling. CVE-2019-8595 Versions affected: WebKitGTK and WPE WebKit before 2.24.2. Credit to G. Geshev from MWR Labs working with Trend Micro Zero Day Initiative. Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling. CVE-2019-8596 Versions affected: WebKitGTK and WPE WebKit before 2.24.1. Credit to Wen Xu of SSLab at Georgia Tech. Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling. CVE-2019-8597 Versions affected: WebKitGTK and WPE WebKit before 2.24.1. Credit to 01 working with Trend Micro Zero Day Initiative. Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling. CVE-2019-8601 Versions affected: WebKitGTK and WPE WebKit before 2.24.1. Credit to Fluoroacetate working with Trend Micro's Zero Day Initiative. Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling. CVE-2019-8607 Versions affected: WebKitGTK and WPE WebKit before 2.24.2. Credit to Junho Jang and Hanul Choi of LINE Security Team. Processing maliciously crafted web content may result in the disclosure of process memory. An out-of-bounds read was addressed with improved input validation. CVE-2019-8608 Versions affected: WebKitGTK and WPE WebKit before 2.24.1. Credit to G. Geshev working with Trend Micro Zero Day Initiative. Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling. CVE-2019-8609 Versions affected: WebKitGTK and WPE WebKit before 2.24.0. Credit to Wen Xu of SSLab, Georgia Tech. Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling. CVE-2019-8610 Versions affected: WebKitGTK and WPE WebKit before 2.24.1. Credit to Anonymous working with Trend Micro Zero Day Initiative. Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling. CVE-2019-8615 Versions affected: WebKitGTK and WPE WebKit before 2.24.2. Credit to G. Geshev from MWR Labs working with Trend Micro's Zero Day Initiative. Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling. CVE-2019-8611 Versions affected: WebKitGTK and WPE WebKit before 2.24.0. Credit to Samuel Gro=DF of Google Project Zero. Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling. CVE-2019-8619 Versions affected: WebKitGTK and WPE WebKit before 2.24.1. Credit to Wen Xu of SSLab at Georgia Tech and Hanqing Zhao of Chaitin Security Research Lab. Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling. CVE-2019-8622 Versions affected: WebKitGTK and WPE WebKit before 2.24.0. Credit to Samuel Gro=DF of Google Project Zero. Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling. CVE-2019-8623 Versions affected: WebKitGTK and WPE WebKit before 2.24.0. Credit to Samuel Gro=DF of Google Project Zero. Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling. We recommend updating to the latest stable versions of WebKitGTK and WPE WebKit. It is the best way to ensure that you are running safe versions of WebKit. Please check our websites for information about the latest stable releases. Further information about WebKitGTK and WPE WebKit security advisories can be found at: https://webkitgtk.org/security.html or https://wpewebkit.org/security/. The WebKitGTK and WPE WebKit team, May 20, 2019 = - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBXOY3/WaOgq3Tt24GAQjF6g//UtBYB1SzQ9Kytsouk+GD1QJplHRCzB6D i5NNIMdLgOECgmjmxaj6H5CXjtMG47kBpJ5yGfQqadEnSEKkHKJ/DArRWrF+qj98 T2Gvpr3FClHkvnJvV1kLw37DKUFK0+32iduGdtXl2fDHP6rupLJC69wlcxCa1rdi BVqI2Ky1CuylZ/TS0ahoMjiAqh4JpHc4igGjyzv1i/izp2oyMWn0Vgnx278P5XoQ /HFAyzi/NhuuG0UvbAFT0IUcUoJ/bcFrMDtt5nhlYtD+YW8iOVfHfqginN+3PgBr Khr2IfjHk902s3yZ16yw8RYLN7v5UbTgyX0MvaISPp41UCaOc6B3vF4bdfRSbxBj pbvcegqUTtYBS1XU6hQuGks6MsnlUpukFN2YbFBOW3T79AB3f4YYgmCOcIBn4lzt v68iTxgMN5OZGmBbmpyCgIIcvM+/0TrKXjEe3wmjCVs8pDt4NSURKCIR+tmMTGDn 8xzEzRXb7FqgREuiyOGxSow5N7K5Owsrd7sIaLMh33gwj5puOq4d1z5XXStgOl2c O6mtiCER7E3fnwAE4Zg+Cu4AxlyCS4LznzH6fW1P8Qi1v10k9Xu08ef46i6ugPnM +YpZyo7AlcBBx0v/5R6E0LHJWfrJTAq0ffVWHoFaRNgFfxlxiybZcoddqp/amkt0 Fb5QXNc6ZAA= =vKVN -----END PGP SIGNATURE-----