oss-sec mailing list archives
WebKitGTK and WPE WebKit Security Advisory WSA-2024-0001
From: Adrian Perez de Castro <aperez () igalia com>
Date: Tue, 6 Feb 2024 01:11:55 +0200
------------------------------------------------------------------------ WebKitGTK and WPE WebKit Security Advisory WSA-2024-0001 ------------------------------------------------------------------------ Date reported : February 05, 2024 Advisory ID : WSA-2024-0001 WebKitGTK Advisory URL : https://webkitgtk.org/security/WSA-2024-0001.html WPE WebKit Advisory URL : https://wpewebkit.org/security/WSA-2024-0001.html CVE identifiers : CVE-2024-23222, CVE-2024-23206, CVE-2024-23213, CVE-2023-40414, CVE-2023-42833, CVE-2014-1745. Several vulnerabilities were discovered in WebKitGTK and WPE WebKit. CVE-2024-23222 Versions affected: WebKitGTK and WPE WebKit before 2.42.5. Credit to Apple. Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been exploited. Description: A type confusion issue was addressed with improved checks. WebKit Bugzilla: 267134 CVE-2024-23206 Versions affected: WebKitGTK and WPE WebKit before 2.42.5. Credit to An anonymous researcher. Impact: A maliciously crafted webpage may be able to fingerprint the user. Description: An access issue was addressed with improved access restrictions. WebKit Bugzilla: 262699 CVE-2024-23213 Versions affected: WebKitGTK and WPE WebKit before 2.42.5. Credit to Wangtaiyu of Zhongfu info. Impact: Processing web content may lead to arbitrary code execution. Description: The issue was addressed with improved memory handling. WebKit Bugzilla: 266619 CVE-2023-40414 Versions affected: WebKitGTK and WPE WebKit before 2.42.1. Credit to Francisco Alonso (@revskills). Impact: Processing web content may lead to arbitrary code execution. Description: A use-after-free issue was addressed with improved memory management. WebKit Bugzilla: 258992 CVE-2023-42833 Versions affected: WebKitGTK and WPE WebKit before 2.38.0. Credit to Dong Jun Kim (@smlijun) and Jong Seong Kim (@nevul37) of AbyssLab. Impact: Processing web content may lead to arbitrary code execution. Description: A correctness issue was addressed with improved checks. WebKit Bugzilla: 258592 CVE-2014-1745 Versions affected: WebKitGTK and WPE WebKit before 2.42.0. Credit to An anonymous researcher. Impact: Processing a file may lead to a denial-of-service or potentially disclose memory contents. Description: The issue was addressed with improved checks. WebKit Bugzilla: 249434 We recommend updating to the latest stable versions of WebKitGTK and WPE WebKit. It is the best way to ensure that you are running safe versions of WebKit. Please check our websites for information about the latest stable releases. Further information about WebKitGTK and WPE WebKit security advisories can be found at: https://webkitgtk.org/security.html or https://wpewebkit.org/security/. The WebKitGTK and WPE WebKit team, February 05, 2024
Attachment:
signature.asc
Description:
Current thread:
- WebKitGTK and WPE WebKit Security Advisory WSA-2024-0001 Adrian Perez de Castro (Feb 05)