Bug 1008728 (WSA-2016-0006)

Summary: VUL-0: [TRACKERBUG] WebKitGTK+ Security Advisory WSA-2016-0006
Product: [Novell Products] SUSE Security Incidents
Reporter: Bjørn Lie <zaitor>
Component: Incidents
Assignee: E-mail List <gnome-bugs>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: astieger, dimstar, fcrozat, gnome-bugs, jsegitz, mgorse, sreeves
Version: unspecified
Target Milestone: unspecified
Hardware: Other
OS: Other
Whiteboard: CVSSv2:NVD:CVE-2016-7578:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P) CVSSv2:SUSE:CVE-2016-7578:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P)
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Bug Depends on: 1020950
Bug Blocks:

Description Bjørn Lie 2016-11-05 09:32:36 UTC
Affects all released versions of openSUSE (and SLE) apart from Tumbleweed.

------------------------------------------------------------------------
WebKitGTK+ Security Advisory                               WSA-2016-0006
------------------------------------------------------------------------

Date reported      : November 04, 2016
Advisory ID        : WSA-2016-0006
Advisory URL       : https://webkitgtk.org/security/WSA-2016-0006.html
CVE identifiers    : CVE-2016-4611, CVE-2016-4613, CVE-2016-4657,
                     CVE-2016-4666, CVE-2016-4707, CVE-2016-4728,
                     CVE-2016-4729, CVE-2016-4730, CVE-2016-4731,
                     CVE-2016-4733, CVE-2016-4734, CVE-2016-4735,
                     CVE-2016-4758, CVE-2016-4759, CVE-2016-4760,
                     CVE-2016-4761, CVE-2016-4762, CVE-2016-4764,
                     CVE-2016-4765, CVE-2016-4766, CVE-2016-4767,
                     CVE-2016-4768, CVE-2016-4769, CVE-2016-7578.

Several vulnerabilities were discovered in WebKitGTK+.

CVE-2016-4611
    Versions affected: WebKitGTK+ before 2.12.0.
    Credit to Apple.
    WebKit in Apple iOS before 10, Safari before 10, and tvOS before 10
    allows remote attackers to execute arbitrary code or cause a denial
    of service (memory corruption) via a crafted web site, a different
    vulnerability than CVE-2016-4730, CVE-2016-4733, CVE-2016-4734, and
    CVE-2016-4735.

CVE-2016-4613
    Versions affected: WebKitGTK+ before 2.14.0.
    Credit to Chris Palmer.
    Impact: Processing maliciously crafted web content may result in the
    disclosure of user information. Description: An input validation
    issue was addressed through improved state management.

CVE-2016-4657
    Versions affected: WebKitGTK+ before 2.14.0.
    Credit to Citizen Lab and Lookout.
    WebKit in Apple iOS before 9.3.5 allows remote attackers to execute
    arbitrary code or cause a denial of service (memory corruption) via
    a crafted web site.

CVE-2016-4666
    Versions affected: WebKitGTK+ before 2.14.0.
    Credit to Apple.
    Impact: Processing maliciously crafted web content may lead to
    arbitrary code execution. Description: Multiple memory corruption
    issues were addressed through improved memory handling.

CVE-2016-4707
    Versions affected: WebKitGTK+ before 2.14.0.
    Credit to Anonymous Researcher.
    CFNetwork in Apple iOS before 10 and OS X before 10.12 mishandles
    Local Storage deletion, which allows local users to discover the
    visited web sites of arbitrary users via unspecified vectors.

CVE-2016-4728
    Versions affected: WebKitGTK+ before 2.14.0.
    Credit to Daniel Divricean.
    WebKit in Apple iOS before 10, tvOS before 10, iTunes before 12.5.1
    on Windows, and Safari before 10 mishandles error prototypes, which
    allows remote attackers to execute arbitrary code via a crafted web
    site.

CVE-2016-4729
    Versions affected: WebKitGTK+ before 2.12.0.
    Credit to Apple.
    WebKit in Apple iOS before 10 and Safari before 10 allows remote
    attackers to execute arbitrary code or cause a denial of service
    (memory corruption) via a crafted web site, a different
    vulnerability than CVE-2016-4731.

CVE-2016-4730
    Versions affected: WebKitGTK+ before 2.12.0.
    Credit to Apple.
    WebKit in Apple iOS before 10, Safari before 10, and tvOS before 10
    allows remote attackers to execute arbitrary code or cause a denial
    of service (memory corruption) via a crafted web site, a different
    vulnerability than CVE-2016-4611, CVE-2016-4733, CVE-2016-4734, and
    CVE-2016-4735.

CVE-2016-4731
    Versions affected: WebKitGTK+ before 2.12.0.
    Credit to Apple.
    WebKit in Apple iOS before 10 and Safari before 10 allows remote
    attackers to execute arbitrary code or cause a denial of service
    (memory corruption) via a crafted web site, a different
    vulnerability than CVE-2016-4729.

CVE-2016-4733
    Versions affected: WebKitGTK+ before 2.14.0.
    Credit to Natalie Silvanovich of Google Project Zero.
    WebKit in Apple iOS before 10, Safari before 10, and tvOS before 10
    allows remote attackers to execute arbitrary code or cause a denial
    of service (memory corruption) via a crafted web site, a different
    vulnerability than CVE-2016-4611, CVE-2016-4730, CVE-2016-4734, and
    CVE-2016-4735.

CVE-2016-4734
    Versions affected: WebKitGTK+ before 2.14.0.
    Credit to Natalie Silvanovich of Google Project Zero.
    WebKit in Apple iOS before 10, Safari before 10, and tvOS before 10
    allows remote attackers to execute arbitrary code or cause a denial
    of service (memory corruption) via a crafted web site, a different
    vulnerability than CVE-2016-4611, CVE-2016-4730, CVE-2016-4733, and
    CVE-2016-4735.

CVE-2016-4735
    Versions affected: WebKitGTK+ before 2.14.0.
    Credit to André Bargull.
    WebKit in Apple iOS before 10, Safari before 10, and tvOS before 10
    allows remote attackers to execute arbitrary code or cause a denial
    of service (memory corruption) via a crafted web site, a different
    vulnerability than CVE-2016-4611, CVE-2016-4730, CVE-2016-4733, and
    CVE-2016-4734.

CVE-2016-4758
    Versions affected: WebKitGTK+ before 2.12.1.
    Credit to Masato Kinugawa of Cure53.
    WebKit in Apple iOS before 10, iTunes before 12.5.1 on Windows, and
    Safari before 10 does not properly restrict access to the location
    variable, which allows remote attackers to obtain sensitive
    information via a crafted web site.

CVE-2016-4759
    Versions affected: WebKitGTK+ before 2.14.0.
    Credit to Tongbo Luo of Palo Alto Networks.
    WebKit in Apple iOS before 10, tvOS before 10, iTunes before 12.5.1
    on Windows, and Safari before 10 allows remote attackers to execute
    arbitrary code or cause a denial of service (memory corruption) via
    a crafted web site, a different vulnerability than CVE-2016-4765,
    CVE-2016-4766, CVE-2016-4767, and CVE-2016-4768.

CVE-2016-4760
    Versions affected: WebKitGTK+ before 2.14.0.
    Credit to Jordan Milne.
    WebKit in Apple iOS before 10, iTunes before 12.5.1 on Windows, and
    Safari before 10 allows remote attackers to conduct DNS rebinding
    attacks against non-HTTP Safari sessions by leveraging HTTP/0.9
    support.

CVE-2016-4761
    Versions affected: WebKitGTK+ before 2.14.0.
    Credit to Apple.
    A use-after-free vulnerability allows remote attackers to cause a
    denial of service or possibly have unspecified other impact via
    unknown vectors.

CVE-2016-4762
    Versions affected: WebKitGTK+ before 2.14.0.
    Credit to Zheng Huang of Baidu Security Lab.
    WebKit in Apple iOS before 10, iTunes before 12.5.1 on Windows,
    iCloud before 6.0 on Windows, and Safari before 10 allows remote
    attackers to execute arbitrary code or cause a denial of service
    (memory corruption) via a crafted web site.

CVE-2016-4764
    Versions affected: WebKitGTK+ before 2.14.0.
    Credit to Apple.
    Impact: Processing maliciously crafted web content may lead to
    arbitrary code execution. Description: Multiple memory corruption
    issues were addressed through improved state management.

CVE-2016-4765
    Versions affected: WebKitGTK+ before 2.14.0.
    Credit to Apple.
    WebKit in Apple iOS before 10, tvOS before 10, iTunes before 12.5.1
    on Windows, and Safari before 10 allows remote attackers to execute
    arbitrary code or cause a denial of service (memory corruption) via
    a crafted web site, a different vulnerability than CVE-2016-4759,
    CVE-2016-4766, CVE-2016-4767, and CVE-2016-4768.

CVE-2016-4766
    Versions affected: WebKitGTK+ before 2.12.4.
    Credit to Apple.
    WebKit in Apple iOS before 10, tvOS before 10, iTunes before 12.5.1
    on Windows, and Safari before 10 allows remote attackers to execute
    arbitrary code or cause a denial of service (memory corruption) via
    a crafted web site, a different vulnerability than CVE-2016-4759,
    CVE-2016-4765, CVE-2016-4767, and CVE-2016-4768.

CVE-2016-4767
    Versions affected: WebKitGTK+ before 2.14.0.
    Credit to Apple.
    WebKit in Apple iOS before 10, tvOS before 10, iTunes before 12.5.1
    on Windows, and Safari before 10 allows remote attackers to execute
    arbitrary code or cause a denial of service (memory corruption) via
    a crafted web site, a different vulnerability than CVE-2016-4759,
    CVE-2016-4765, CVE-2016-4766, and CVE-2016-4768.

CVE-2016-4768
    Versions affected: WebKitGTK+ before 2.14.0.
    Credit to Anonymous working with Trend Micro's Zero Day Initiative.
    WebKit in Apple iOS before 10, tvOS before 10, iTunes before 12.5.1
    on Windows, and Safari before 10 allows remote attackers to execute
    arbitrary code or cause a denial of service (memory corruption) via
    a crafted web site, a different vulnerability than CVE-2016-4759,
    CVE-2016-4765, CVE-2016-4766, and CVE-2016-4767.

CVE-2016-4769
    Versions affected: WebKitGTK+ before 2.14.0.
    Credit to Tongbo Luo of Palo Alto Networks.
    WebKit in Apple iTunes before 12.5.1 on Windows and Safari before 10
    allows remote attackers to execute arbitrary code or cause a denial
    of service (memory corruption and application crash) via a crafted
    web site.

CVE-2016-7578
    Versions affected: WebKitGTK+ before 2.14.0.
    Credit to Apple.
    Impact: Processing maliciously crafted web content may lead to
    arbitrary code execution. Description: Multiple memory corruption
    issues were addressed through improved memory handling.


We recommend updating to the last stable version of WebKitGTK+. It is
the best way of ensuring that you are running a safe version of
WebKitGTK+. Please check our website for information about the last
stable releases.

Further information about WebKitGTK+ Security Advisories can be found
at: https://webkitgtk.org/security.html

The WebKitGTK+ team,
November 04, 2016

Comment 1 Andreas Stieger 2016-11-05 09:38:54 UTC
We already have this on our radar.

Comment 2 Swamp Workflow Management 2016-11-05 23:00:17 UTC
bugbot adjusting priority

Comment 3 Johannes Segitz 2018-04-17 08:43:46 UTC
We have a newer version that fixes these issues.