-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.3357
                        webkit2gtk security update
                             5 September 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           webkit2gtk
Publisher:         Debian
Operating System:  Debian GNU/Linux 10
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Cross-site Scripting            -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-8690 CVE-2019-8689 CVE-2019-8688
                   CVE-2019-8687 CVE-2019-8686 CVE-2019-8684
                   CVE-2019-8683 CVE-2019-8681 CVE-2019-8680
                   CVE-2019-8679 CVE-2019-8678 CVE-2019-8677
                   CVE-2019-8676 CVE-2019-8673 CVE-2019-8672
                   CVE-2019-8671 CVE-2019-8669 CVE-2019-8666
                   CVE-2019-8658 CVE-2019-8649 CVE-2019-8644

Reference:         ESB-2019.3294
                   ESB-2019.2762
                   ESB-2019.2761
                   ESB-2019.2746.2
                   ESB-2019.2745.2

Original Bulletin: 
   http://www.debian.org/security/2019/dsa-4515

--------------------------BEGIN INCLUDED TEXT--------------------

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

-------------------------------------------------------------------------
Debian Security Advisory DSA-4515-1                   security@debian.org
https://www.debian.org/security/                           Alberto Garcia
September 04, 2019                    https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : webkit2gtk
CVE ID         : CVE-2019-8644 CVE-2019-8649 CVE-2019-8658 CVE-2019-8666
                 CVE-2019-8669 CVE-2019-8671 CVE-2019-8672 CVE-2019-8673
                 CVE-2019-8676 CVE-2019-8677 CVE-2019-8678 CVE-2019-8679
                 CVE-2019-8680 CVE-2019-8681 CVE-2019-8683 CVE-2019-8684
                 CVE-2019-8686 CVE-2019-8687 CVE-2019-8688 CVE-2019-8689
                 CVE-2019-8690

Several vulnerabilities have been discovered in the webkit2gtk web
engine:

CVE-2019-8644

    G. Geshev discovered memory corruption issues that can lead to
    arbitrary code execution.

CVE-2019-8649

    Sergei Glazunov discovered an issue that may lead to universal
    cross site scripting.

CVE-2019-8658

    akayn discovered an issue that may lead to universal cross site
    scripting.

CVE-2019-8666

    Zongming Wang and Zhe Jin discovered memory corruption issues that
    can lead to arbitrary code execution.

CVE-2019-8669

    akayn discovered memory corruption issues that can lead to
    arbitrary code execution.

CVE-2019-8671

    Apple discovered memory corruption issues that can lead to
    arbitrary code execution.

CVE-2019-8672

    Samuel Gross discovered memory corruption issues that can lead to
    arbitrary code execution.

CVE-2019-8673

    Soyeon Park and Wen Xu discovered memory corruption issues that
    can lead to arbitrary code execution.

CVE-2019-8676

    Soyeon Park and Wen Xu discovered memory corruption issues that
    can lead to arbitrary code execution.

CVE-2019-8677

    Jihui Lu discovered memory corruption issues that can lead to
    arbitrary code execution.

CVE-2019-8678

    An anonymous researcher, Anthony Lai, Ken Wong, Jeonghoon Shin,
    Johnny Yu, Chris Chan, Phil Mok, Alan Ho, and Byron Wai discovered
    memory corruption issues that can lead to arbitrary code
    execution.

CVE-2019-8679

    Jihui Lu discovered memory corruption issues that can lead to
    arbitrary code execution.

CVE-2019-8680

    Jihui Lu discovered memory corruption issues that can lead to
    arbitrary code execution.

CVE-2019-8681

    G. Geshev discovered memory corruption issues that can lead to
    arbitrary code execution.

CVE-2019-8683

    lokihardt discovered memory corruption issues that can lead to
    arbitrary code execution.

CVE-2019-8684

    lokihardt discovered memory corruption issues that can lead to
    arbitrary code execution.

CVE-2019-8686

    G. Geshev discovered memory corruption issues that can lead to
    arbitrary code execution.

CVE-2019-8687

    Apple discovered memory corruption issues that can lead to
    arbitrary code execution.

CVE-2019-8688

    Insu Yun discovered memory corruption issues that can lead to
    arbitrary code execution.

CVE-2019-8689

    lokihardt discovered memory corruption issues that can lead to
    arbitrary code execution.

CVE-2019-8690

    Sergei Glazunov discovered an issue that may lead to universal
    cross site scripting.

You can find more details in the WebKitGTK and WPE WebKit Security
Advisory WSA-2019-0004.

For the stable distribution (buster), these problems have been fixed in
version 2.24.4-1~deb10u1.

We recommend that you upgrade your webkit2gtk packages.
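The fixed version above carries a `~deb10u1` backport suffix, which Debian's ordering places before the plain `-1` revision, so a naive string comparison misjudges whether an installed build is patched. The following is an added example, not part of the Debian advisory or the AusCERT text: a Python port of the dpkg version-ordering rules (deb-version(5)) that checks dpkg-query output against 2.24.4-1~deb10u1; the dpkg-query invocation, package names and versions in the sample are assumed.

```python
# Added example (not from the advisory): a Python port of dpkg's version-ordering rules
# (deb-version(5)), used to test installed webkit2gtk builds against the DSA-4515 fix.
import re
from itertools import zip_longest

FIXED_VERSION = "2.24.4-1~deb10u1"  # fixed version stated in DSA-4515

def _order(c: str) -> int:
    # dpkg weight of one character: '~' < end-of-string < letters < other symbols
    if c == "~":
        return -1
    if c == "":
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a: str, b: str) -> int:
    # Compare one upstream-version or debian-revision string: split each into alternating
    # (non-digit, digit) runs; non-digit runs compare char by char via _order(), digit runs
    # compare numerically (so 10 > 9, and a missing run counts as 0).
    runs_a = re.findall(r"(\D*)(\d*)", a)
    runs_b = re.findall(r"(\D*)(\d*)", b)
    for (sa, na), (sb, nb) in zip_longest(runs_a, runs_b, fillvalue=("", "")):
        for ca, cb in zip_longest(sa, sb, fillvalue=""):
            if _order(ca) != _order(cb):
                return _order(ca) - _order(cb)
        if int(na or 0) != int(nb or 0):
            return int(na or 0) - int(nb or 0)
    return 0

def compare_versions(a: str, b: str) -> int:
    # Return -1, 0 or 1 for a < b, a == b, a > b; form is [epoch:]upstream[-revision]
    def split(v: str):
        epoch, sep, rest = v.partition(":")
        epoch, rest = (int(epoch), rest) if sep else (0, v)
        upstream, sep, revision = rest.rpartition("-")
        return epoch, (upstream if sep else rest), (revision if sep else "")
    (ea, ua, ra), (eb, ub, rb) = split(a), split(b)
    diff = (ea - eb) or _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)
    return (diff > 0) - (diff < 0)

def affected_packages(dpkg_query_output: str) -> list:
    # Input lines are "name<TAB>version", the shape produced by
    # dpkg-query -W -f='${binary:Package}\t${Version}\n' (assumed invocation)
    rows = (ln.split("\t", 1) for ln in dpkg_query_output.splitlines() if ln.strip())
    return [(name, ver) for name, ver in rows if compare_versions(ver, FIXED_VERSION) < 0]

# Constructed sample output; the package names and versions are assumed, not from the advisory
SAMPLE_DPKG_OUTPUT = ("libwebkit2gtk-4.0-37\t2.24.2-2\n"
                      "libjavascriptcoregtk-4.0-18\t2.24.4-1~deb10u1\n"
                      "gir1.2-webkit2-4.0\t2.24.4-1\n")
```

Only the first sample package is reported: the backported 2.24.4-1~deb10u1 is exactly the fixed version and a plain 2.24.4-1 sorts above it.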

For the detailed security status of webkit2gtk please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/webkit2gtk

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================