WebKitGTK+ and WPE WebKit Security Advisory WSA-2018-0005

Several vulnerabilities were discovered in WebKitGTK+ and WPE WebKit.

  • CVE-2018-4190

    • Versions affected: WebKitGTK+ before 2.20.3 and WPE WebKit before 2.20.1.
    • Credit to Jun Kokatsu (@shhnjk).
    • Impact: Visiting a maliciously crafted website may leak sensitive data. Description: Credentials were unexpectedly sent when fetching CSS mask images. This was addressed by using a CORS-enabled fetch method.

  • CVE-2018-4192

    • Versions affected: WebKitGTK+ before 2.20.1.
    • Credit to Markus Gaasedelen, Nick Burnett, and Patrick Biernat of Ret2 Systems, Inc working with Trend Micro’s Zero Day Initiative.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: A race condition was addressed with improved locking.

  • CVE-2018-4199

    • Versions affected: WebKitGTK+ before 2.20.3 and WPE WebKit before 2.20.1.
    • Credit to Alex Plaskett, Georgi Geshev, Fabi Beterke, and Nils of MWR Labs working with Trend Micro’s Zero Day Initiative.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: A buffer overflow issue was addressed with improved memory handling.

  • CVE-2018-4201

    • Versions affected: WebKitGTK+ before 2.20.1.
    • Credit to an anonymous researcher.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed with improved memory handling.

  • CVE-2018-4214

    • Versions affected: WebKitGTK+ before 2.20.0.
    • Credit to OSS-Fuzz.
    • Impact: Processing maliciously crafted web content may lead to an unexpected application crash. Description: A memory corruption issue was addressed with improved input validation.

  • CVE-2018-4218

    • Versions affected: WebKitGTK+ before 2.20.3 and WPE WebKit before 2.20.1.
    • Credit to Natalie Silvanovich of Google Project Zero.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed with improved memory handling.

  • CVE-2018-4222

    • Versions affected: WebKitGTK+ before 2.20.3 and WPE WebKit before 2.20.1.
    • Credit to Natalie Silvanovich of Google Project Zero.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: An out-of-bounds read was addressed with improved input validation.

  • CVE-2018-4232

    • Versions affected: WebKitGTK+ before 2.20.3 and WPE WebKit before 2.20.1.
    • Credit to Aymeric Chaib.
    • Impact: Visiting a maliciously crafted website may lead to cookies being overwritten. Description: A permissions issue existed in the handling of web browser cookies. This issue was addressed with improved restrictions.

  • CVE-2018-4233

    • Versions affected: WebKitGTK+ before 2.20.3 and WPE WebKit before 2.20.1.
    • Credit to Samuel Groß (@5aelo) working with Trend Micro’s Zero Day Initiative.
    • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed with improved memory handling.

  • CVE-2018-11646

    • Versions affected: WebKitGTK+ before 2.20.3 and WPE WebKit before 2.20.1.
    • Credit to Mishra Dhiraj.
    • Maliciously crafted web content could trigger an application crash in WebKitFaviconDatabase, caused by mishandling unexpected input.

  • CVE-2018-11712

    • Versions affected: WebKitGTK+ 2.20.0 and 2.20.1.
    • Credit to Metrological Group B.V.
    • The libsoup network backend of WebKit failed to perform TLS certificate verification for WebSocket connections.

  • CVE-2018-11713

    • Versions affected: WebKitGTK+ before 2.20.0 or without libsoup 2.62.0.
    • Credit to Dirkjan Ochtman.
    • The libsoup network backend of WebKit unexpectedly failed to use system proxy settings for WebSocket connections. As a result, users could be deanonymized by crafted web sites via a WebSocket connection.

  • CVE-2018-12293

    • Versions affected: WebKitGTK+ before 2.20.3 and WPE WebKit before 2.20.1.
    • Credit to ADlab of Venustech.
    • Maliciously crafted web content could achieve a heap buffer overflow in ImageBufferCairo by exploiting multiple integer overflow issues.

  • CVE-2018-12294

    • Versions affected: WebKitGTK+ before 2.20.2.
    • Credit to ADlab of Venustech.
    • Maliciously crafted web content could trigger a use-after-free of a TextureMapperLayer object.

We recommend updating to the latest stable versions of WebKitGTK+ and WPE WebKit. It is the best way to ensure that you are running a safe version of WebKit. Please check our websites for information about the latest stable releases.

Further information about WebKitGTK+ and WPE WebKit security advisories can be found at https://webkitgtk.org/security.html or https://wpewebkit.org/security/.

If you’re using WPE WebKit, or are considering doing so, please take our brief user survey. Your input will help us make WPE WebKit better for you!

If you’re using WPE WebKit, or are considering doing so, please take our brief user survey! Your input will help us make WPE WebKit better for you.