[webkit-gtk] WebKitGTK+ Security Advisory WSA-2015-0001

Carlos Alberto Lopez Perez clopez at igalia.com
Mon Jan 26 10:34:07 PST 2015


------------------------------------------------------------------------
WebKitGTK+ Security Advisory                               WSA-2015-0001
------------------------------------------------------------------------

Date reported      : January 26, 2015
Advisory ID        : WSA-2015-0001
Advisory URL       : http://webkitgtk.org/security/WSA-2015-0001.html
Affected versions  : 2.4 series before 2.4.1, 2.4.2 and 2.4.8.
CVE identifiers    : CVE-2013-2871, CVE-2014-1292, CVE-2014-1298,
                     CVE-2014-1299, CVE-2014-1300, CVE-2014-1303,
                     CVE-2014-1304, CVE-2014-1305, CVE-2014-1307,
                     CVE-2014-1308, CVE-2014-1309, CVE-2014-1311,
                     CVE-2014-1313, CVE-2014-1713, CVE-2014-1297,
                     CVE-2013-2875, CVE-2013-2927, CVE-2014-1323,
                     CVE-2014-1326, CVE-2014-1329, CVE-2014-1330,
                     CVE-2014-1331, CVE-2014-1333, CVE-2014-1334,
                     CVE-2014-1335, CVE-2014-1336, CVE-2014-1337,
                     CVE-2014-1338, CVE-2014-1339, CVE-2014-1341,
                     CVE-2014-1342, CVE-2014-1343, CVE-2014-1731,
                     CVE-2014-1346, CVE-2014-1344, CVE-2014-1384,
                     CVE-2014-1385, CVE-2014-1387, CVE-2014-1388,
                     CVE-2014-1389, CVE-2014-1390.

Several vulnerabilities were discovered on the 2.4 stable series of
WebKitGTK+.

CVE-2013-2871
    Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
    Credit to miaubiz.
    Use-after-free vulnerability in Google Chrome before 28.0.1500.71
    allows remote attackers to cause a denial of service or possibly
    have unspecified other impact via vectors related to the handling of
    input.

CVE-2014-1292
    Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
    Credit to Google Chrome Security Team.
    WebKit, as used in Apple iOS before 7.1 and Apple TV before 6.1,
    allows remote attackers to execute arbitrary code or cause a denial
    of service (memory corruption and application crash) via a crafted
    web site, a different vulnerability than CVE-2014-1289,
    CVE-2014-1290, CVE-2014-1291, CVE-2014-1293, and CVE-2014-1294.

CVE-2014-1298
    Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
    Credit to Google Chrome Security Team.
    WebKit, as used in Apple Safari before 6.1.3 and 7.x before 7.0.3,
    allows remote attackers to execute arbitrary code or cause a denial
    of service (memory corruption and application crash) via a crafted
    web site, a different vulnerability than other WebKit CVEs listed in
    APPLE-SA-2014-04-01-1.

CVE-2014-1299
    Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
    Credit to Google Chrome Security Team, Apple, Renata Hodovan of
    University of Szeged / Samsung Electronics.
    WebKit, as used in Apple Safari before 6.1.3 and 7.x before 7.0.3,
    allows remote attackers to execute arbitrary code or cause a denial
    of service (memory corruption and application crash) via a crafted
    web site, a different vulnerability than other WebKit CVEs listed in
    APPLE-SA-2014-04-01-1.

CVE-2014-1300
    Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
    Credit to Ian Beer of Google Project Zero working with HP's Zero Day
    Initiative.
    Unspecified vulnerability in Apple Safari 7.0.2 on OS X allows
    remote attackers to execute arbitrary code with root privileges via
    unknown vectors, as demonstrated by Google during a Pwn4Fun
    competition at CanSecWest 2014.

CVE-2014-1303
    Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
    Credit to KeenTeam working with HP's Zero Day Initiative.
    Heap-based buffer overflow in Apple Safari 7.0.2 allows remote
    attackers to execute arbitrary code and bypass a sandbox protection
    mechanism via unspecified vectors, as demonstrated by Liang Chen
    during a Pwn2Own competition at CanSecWest 2014.

CVE-2014-1304
    Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
    Credit to Apple.
    WebKit, as used in Apple Safari before 6.1.3 and 7.x before 7.0.3,
    allows remote attackers to execute arbitrary code or cause a denial
    of service (memory corruption and application crash) via a crafted
    web site, a different vulnerability than other WebKit CVEs listed in
    APPLE-SA-2014-04-01-1.

CVE-2014-1305
    Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
    Credit to Apple.
    WebKit, as used in Apple Safari before 6.1.3 and 7.x before 7.0.3,
    allows remote attackers to execute arbitrary code or cause a denial
    of service (memory corruption and application crash) via a crafted
    web site, a different vulnerability than other WebKit CVEs listed in
    APPLE-SA-2014-04-01-1.

CVE-2014-1307
    Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
    Credit to Google Chrome Security Team.
    WebKit, as used in Apple Safari before 6.1.3 and 7.x before 7.0.3,
    allows remote attackers to execute arbitrary code or cause a denial
    of service (memory corruption and application crash) via a crafted
    web site, a different vulnerability than other WebKit CVEs listed in
    APPLE-SA-2014-04-01-1.

CVE-2014-1308
    Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
    Credit to Google Chrome Security Team.
    WebKit, as used in Apple Safari before 6.1.3 and 7.x before 7.0.3,
    allows remote attackers to execute arbitrary code or cause a denial
    of service (memory corruption and application crash) via a crafted
    web site, a different vulnerability than other WebKit CVEs listed in
    APPLE-SA-2014-04-01-1.

CVE-2014-1309
    Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
    Credit to cloudfuzzer.
    WebKit, as used in Apple Safari before 6.1.3 and 7.x before 7.0.3,
    allows remote attackers to execute arbitrary code or cause a denial
    of service (memory corruption and application crash) via a crafted
    web site, a different vulnerability than other WebKit CVEs listed in
    APPLE-SA-2014-04-01-1.

CVE-2014-1311
    Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
    Credit to Google Chrome Security Team.
    WebKit, as used in Apple Safari before 6.1.3 and 7.x before 7.0.3,
    allows remote attackers to execute arbitrary code or cause a denial
    of service (memory corruption and application crash) via a crafted
    web site, a different vulnerability than other WebKit CVEs listed in
    APPLE-SA-2014-04-01-1.

CVE-2014-1313
    Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
    Credit to Google Chrome Security Team.
    WebKit, as used in Apple Safari before 6.1.3 and 7.x before 7.0.3,
    allows remote attackers to execute arbitrary code or cause a denial
    of service (memory corruption and application crash) via a crafted
    web site, a different vulnerability than other WebKit CVEs listed in
    APPLE-SA-2014-04-01-1.

CVE-2014-1713
    Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
    Credit to VUPEN working with HP's Zero Day Initiative.
    Use-after-free vulnerability in the AttributeSetter function in
    bindings/templates/attributes.cpp in the bindings in Blink, as used
    in Google Chrome before 33.0.1750.152 on OS X and Linux and before
    33.0.1750.154 on Windows, allows remote attackers to cause a denial
    of service or possibly have unspecified other impact via vectors
    involving the document.location value.

CVE-2014-1297
    Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
    Credit to Ian Beer of Google Project Zero.
    WebKit, as used in Apple Safari before 6.1.3 and 7.x before 7.0.3,
    does not properly validate WebProcess IPC messages, which allows
    remote attackers to bypass a sandbox protection mechanism and read
    arbitrary files by leveraging WebProcess access.

CVE-2013-2875
    Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
    Credit to miaubiz.
    core/rendering/svg/SVGInlineTextBox.cpp in the SVG implementation in
    Blink, as used in Google Chrome before 28.0.1500.71, allows remote
    attackers to cause a denial of service (out-of-bounds read) via
    unspecified vectors.

CVE-2013-2927
    Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
    Credit to cloudfuzzer.
    Use-after-free vulnerability in the
    HTMLFormElement::prepareForSubmission function in
    core/html/HTMLFormElement.cpp in Blink, as used in Google Chrome
    before 30.0.1599.101, allows remote attackers to cause a denial of
    service or possibly have unspecified other impact via vectors
    related to submission for FORM elements.

CVE-2014-1323
    Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
    Credit to banty.
    WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4,
    allows remote attackers to execute arbitrary code or cause a denial
    of service (memory corruption and application crash) via a crafted
    web site, a different vulnerability than other WebKit CVEs listed in
    APPLE-SA-2014-05-21-1.

CVE-2014-1326
    Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
    Credit to Apple.
    WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4,
    allows remote attackers to execute arbitrary code or cause a denial
    of service (memory corruption and application crash) via a crafted
    web site, a different vulnerability than other WebKit CVEs listed in
    APPLE-SA-2014-05-21-1.

CVE-2014-1329
    Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
    Credit to Google Chrome Security Team.
    WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4,
    allows remote attackers to execute arbitrary code or cause a denial
    of service (memory corruption and application crash) via a crafted
    web site, a different vulnerability than other WebKit CVEs listed in
    APPLE-SA-2014-05-21-1.

CVE-2014-1330
    Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
    Credit to Google Chrome Security Team.
    WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4,
    allows remote attackers to execute arbitrary code or cause a denial
    of service (memory corruption and application crash) via a crafted
    web site, a different vulnerability than other WebKit CVEs listed in
    APPLE-SA-2014-05-21-1.

CVE-2014-1331
    Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
    Credit to cloudfuzzer.
    WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4,
    allows remote attackers to execute arbitrary code or cause a denial
    of service (memory corruption and application crash) via a crafted
    web site, a different vulnerability than other WebKit CVEs listed in
    APPLE-SA-2014-05-21-1.

CVE-2014-1333
    Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
    Credit to Google Chrome Security Team.
    WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4,
    allows remote attackers to execute arbitrary code or cause a denial
    of service (memory corruption and application crash) via a crafted
    web site, a different vulnerability than other WebKit CVEs listed in
    APPLE-SA-2014-05-21-1.

CVE-2014-1334
    Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
    Credit to Apple.
    WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4,
    allows remote attackers to execute arbitrary code or cause a denial
    of service (memory corruption and application crash) via a crafted
    web site, a different vulnerability than other WebKit CVEs listed in
    APPLE-SA-2014-05-21-1.

CVE-2014-1335
    Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
    Credit to Google Chrome Security Team.
    WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4,
    allows remote attackers to execute arbitrary code or cause a denial
    of service (memory corruption and application crash) via a crafted
    web site, a different vulnerability than other WebKit CVEs listed in
    APPLE-SA-2014-05-21-1.

CVE-2014-1336
    Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
    Credit to Apple.
    WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4,
    allows remote attackers to execute arbitrary code or cause a denial
    of service (memory corruption and application crash) via a crafted
    web site, a different vulnerability than other WebKit CVEs listed in
    APPLE-SA-2014-05-21-1.

CVE-2014-1337
    Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
    Credit to Apple.
    WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4,
    allows remote attackers to execute arbitrary code or cause a denial
    of service (memory corruption and application crash) via a crafted
    web site, a different vulnerability than other WebKit CVEs listed in
    APPLE-SA-2014-05-21-1.

CVE-2014-1338
    Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
    Credit to Google Chrome Security Team.
    WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4,
    allows remote attackers to execute arbitrary code or cause a denial
    of service (memory corruption and application crash) via a crafted
    web site, a different vulnerability than other WebKit CVEs listed in
    APPLE-SA-2014-05-21-1.

CVE-2014-1339
    Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
    Credit to Atte Kettunen of OUSPG.
    WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4,
    allows remote attackers to execute arbitrary code or cause a denial
    of service (memory corruption and application crash) via a crafted
    web site, a different vulnerability than other WebKit CVEs listed in
    APPLE-SA-2014-05-21-1.

CVE-2014-1341
    Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
    Credit to Google Chrome Security Team.
    WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4,
    allows remote attackers to execute arbitrary code or cause a denial
    of service (memory corruption and application crash) via a crafted
    web site, a different vulnerability than other WebKit CVEs listed in
    APPLE-SA-2014-05-21-1.

CVE-2014-1342
    Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
    Credit to Apple.
    WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4,
    allows remote attackers to execute arbitrary code or cause a denial
    of service (memory corruption and application crash) via a crafted
    web site, a different vulnerability than other WebKit CVEs listed in
    APPLE-SA-2014-05-21-1.

CVE-2014-1343
    Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
    Credit to Google Chrome Security Team.
    WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4,
    allows remote attackers to execute arbitrary code or cause a denial
    of service (memory corruption and application crash) via a crafted
    web site, a different vulnerability than other WebKit CVEs listed in
    APPLE-SA-2014-05-21-1.

CVE-2014-1731
    Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
    Credit to an anonymous member of the Blink development community.
    core/html/HTMLSelectElement.cpp in the DOM implementation in Blink,
    as used in Google Chrome before 34.0.1847.131 on Windows and OS X
    and before 34.0.1847.132 on Linux, does not properly check renderer
    state upon a focus event, which allows remote attackers to cause a
    denial of service or possibly have unspecified other impact via
    vectors that leverage "type confusion" for SELECT elements.

CVE-2014-1346
    Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
    Credit to Erling Ellingsen of Facebook.
    WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4,
    does not properly interpret Unicode encoding, which allows remote
    attackers to spoof a postMessage origin, and bypass intended
    restrictions on sending a message to a connected frame or window,
    via crafted characters in a URL.

CVE-2014-1344
    Versions affected: WebKitGTK+ 2.4.X before 2.4.8.
    Credit to Ian Beer of Google Project Zero.
    WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4,
    allows remote attackers to execute arbitrary code or cause a denial
    of service (memory corruption and application crash) via a crafted
    web site, a different vulnerability than other WebKit CVEs listed in
    APPLE-SA-2014-05-21-1.

CVE-2014-1384
    Versions affected: WebKitGTK+ 2.4.X before 2.4.8.
    Credit to Apple.
    WebKit, as used in Apple Safari before 6.1.6 and 7.x before 7.0.6,
    allows remote attackers to execute arbitrary code or cause a denial
    of service (memory corruption and application crash) via a crafted
    web site, a different vulnerability than other WebKit CVEs listed in
    HT6367.

CVE-2014-1385
    Versions affected: WebKitGTK+ 2.4.X before 2.4.8.
    Credit to Apple.
    WebKit, as used in Apple Safari before 6.1.6 and 7.x before 7.0.6,
    allows remote attackers to execute arbitrary code or cause a denial
    of service (memory corruption and application crash) via a crafted
    web site, a different vulnerability than other WebKit CVEs listed in
    HT6367.

CVE-2014-1387
    Versions affected: WebKitGTK+ 2.4.X before 2.4.8.
    Credit to Google Chrome Security Team.
    WebKit, as used in Apple Safari before 6.1.6 and 7.x before 7.0.6,
    allows remote attackers to execute arbitrary code or cause a denial
    of service (memory corruption and application crash) via a crafted
    web site, a different vulnerability than other WebKit CVEs listed in
    HT6367.

CVE-2014-1388
    Versions affected: WebKitGTK+ 2.4.X before 2.4.8.
    Credit to Apple.
    WebKit, as used in Apple Safari before 6.1.6 and 7.x before 7.0.6,
    allows remote attackers to execute arbitrary code or cause a denial
    of service (memory corruption and application crash) via a crafted
    web site, a different vulnerability than other WebKit CVEs listed in
    HT6367.

CVE-2014-1389
    Versions affected: WebKitGTK+ 2.4.X before 2.4.8.
    Credit to Apple.
    WebKit, as used in Apple Safari before 6.1.6 and 7.x before 7.0.6,
    allows remote attackers to execute arbitrary code or cause a denial
    of service (memory corruption and application crash) via a crafted
    web site, a different vulnerability than other WebKit CVEs listed in
    HT6367.

CVE-2014-1390
    Versions affected: WebKitGTK+ 2.4.X before 2.4.8.
    Credit to Apple.
    WebKit, as used in Apple Safari before 6.1.6 and 7.x before 7.0.6,
    allows remote attackers to execute arbitrary code or cause a denial
    of service (memory corruption and application crash) via a crafted
    web site, a different vulnerability than other WebKit CVEs listed in
    HT6367.


For the 2.4 series, these problems have been fixed in release 2.4.8.

Further information about WebKitGTK+ Security Advisories can be found
at: http://webkitgtk.org/security.html

The WebKitGTK+ team,
January 26, 2015

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 883 bytes
Desc: OpenPGP digital signature
URL: <https://lists.webkit.org/pipermail/webkit-gtk/attachments/20150126/d80eab4b/attachment-0002.sig>


More information about the webkit-gtk mailing list