WebKitGTK+ Security Advisory WSA-2015-0001

• Date Reported: January 26, 2015

• Advisory ID: WSA-2015-0001

• Affected versions:

  • 2.4 series before 2.4.1, 2.4.2 and 2.4.8.

• CVE identifiers: CVE-2013-2871, CVE-2014-1292, CVE-2014-1298, CVE-2014-1299, CVE-2014-1300, CVE-2014-1303, CVE-2014-1304, CVE-2014-1305, CVE-2014-1307, CVE-2014-1308, CVE-2014-1309, CVE-2014-1311, CVE-2014-1313, CVE-2014-1713, CVE-2014-1297, CVE-2013-2875, CVE-2013-2927, CVE-2014-1323, CVE-2014-1326, CVE-2014-1329, CVE-2014-1330, CVE-2014-1331, CVE-2014-1333, CVE-2014-1334, CVE-2014-1335, CVE-2014-1336, CVE-2014-1337, CVE-2014-1338, CVE-2014-1339, CVE-2014-1341, CVE-2014-1342, CVE-2014-1343, CVE-2014-1731, CVE-2014-1346, CVE-2014-1344, CVE-2014-1384, CVE-2014-1385, CVE-2014-1387, CVE-2014-1388, CVE-2014-1389, CVE-2014-1390.

Several vulnerabilities were discovered on the 2.4 stable series of WebKitGTK+.

• CVE-2013-2871
  • Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
  • Credit to miaubiz.
  • Use-after-free vulnerability in Google Chrome before 28.0.1500.71 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the handling of input.
• CVE-2014-1292
  • Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
  • Credit to Google Chrome Security Team.
  • WebKit, as used in Apple iOS before 7.1 and Apple TV before 6.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than CVE-2014-1289, CVE-2014-1290, CVE-2014-1291, CVE-2014-1293, and CVE-2014-1294.
• CVE-2014-1298
  • Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
  • Credit to Google Chrome Security Team.
  • WebKit, as used in Apple Safari before 6.1.3 and 7.x before 7.0.3, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-04-01-1.
• CVE-2014-1299
  • Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
  • Credit to Google Chrome Security Team, Apple, Renata Hodovan of University of Szeged / Samsung Electronics.
  • WebKit, as used in Apple Safari before 6.1.3 and 7.x before 7.0.3, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-04-01-1.
• CVE-2014-1300
  • Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
  • Credit to Ian Beer of Google Project Zero working with HP’s Zero Day Initiative.
  • Unspecified vulnerability in Apple Safari 7.0.2 on OS X allows remote attackers to execute arbitrary code with root privileges via unknown vectors, as demonstrated by Google during a Pwn4Fun competition at CanSecWest 2014.
• CVE-2014-1303
  • Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
  • Credit to KeenTeam working with HP’s Zero Day Initiative.
  • Heap-based buffer overflow in Apple Safari 7.0.2 allows remote attackers to execute arbitrary code and bypass a sandbox protection mechanism via unspecified vectors, as demonstrated by Liang Chen during a Pwn2Own competition at CanSecWest 2014.
• CVE-2014-1304
  • Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
  • Credit to Apple.
  • WebKit, as used in Apple Safari before 6.1.3 and 7.x before 7.0.3, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-04-01-1.
• CVE-2014-1305
  • Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
  • Credit to Apple.
  • WebKit, as used in Apple Safari before 6.1.3 and 7.x before 7.0.3, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-04-01-1.
• CVE-2014-1307
  • Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
  • Credit to Google Chrome Security Team.
  • WebKit, as used in Apple Safari before 6.1.3 and 7.x before 7.0.3, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-04-01-1.
• CVE-2014-1308
  • Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
  • Credit to Google Chrome Security Team.
  • WebKit, as used in Apple Safari before 6.1.3 and 7.x before 7.0.3, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-04-01-1.
• CVE-2014-1309
  • Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
  • Credit to cloudfuzzer.
  • WebKit, as used in Apple Safari before 6.1.3 and 7.x before 7.0.3, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-04-01-1.
• CVE-2014-1311
  • Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
  • Credit to Google Chrome Security Team.
  • WebKit, as used in Apple Safari before 6.1.3 and 7.x before 7.0.3, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-04-01-1.
• CVE-2014-1313
  • Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
  • Credit to Google Chrome Security Team.
  • WebKit, as used in Apple Safari before 6.1.3 and 7.x before 7.0.3, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-04-01-1.
• CVE-2014-1713
  • Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
  • Credit to VUPEN working with HP’s Zero Day Initiative.
  • Use-after-free vulnerability in the AttributeSetter function in bindings/templates/attributes.cpp in the bindings in Blink, as used in Google Chrome before 33.0.1750.152 on OS X and Linux and before 33.0.1750.154 on Windows, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors involving the document.location value.
• CVE-2014-1297
  • Versions affected: WebKitGTK+ 2.4.X before 2.4.1.
  • Credit to Ian Beer of Google Project Zero.
  • WebKit, as used in Apple Safari before 6.1.3 and 7.x before 7.0.3, does not properly validate WebProcess IPC messages, which allows remote attackers to bypass a sandbox protection mechanism and read arbitrary files by leveraging WebProcess access.
• CVE-2013-2875
  • Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
  • Credit to miaubiz.
  • core/rendering/svg/SVGInlineTextBox.cpp in the SVG implementation in Blink, as used in Google Chrome before 28.0.1500.71, allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors.
• CVE-2013-2927
  • Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
  • Credit to cloudfuzzer.
  • Use-after-free vulnerability in the HTMLFormElement::prepareForSubmission function in core/html/HTMLFormElement.cpp in Blink, as used in Google Chrome before 30.0.1599.101, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to submission for FORM elements.
• CVE-2014-1323
  • Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
  • Credit to banty.
  • WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-05-21-1.
• CVE-2014-1326
  • Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
  • Credit to Apple.
  • WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-05-21-1.
• CVE-2014-1329
  • Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
  • Credit to Google Chrome Security Team.
  • WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-05-21-1.
• CVE-2014-1330
  • Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
  • Credit to Google Chrome Security Team.
  • WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-05-21-1.
• CVE-2014-1331
  • Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
  • Credit to cloudfuzzer.
  • WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-05-21-1.
• CVE-2014-1333
  • Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
  • Credit to Google Chrome Security Team.
  • WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-05-21-1.
• CVE-2014-1334
  • Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
  • Credit to Apple.
  • WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-05-21-1.
• CVE-2014-1335
  • Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
  • Credit to Google Chrome Security Team.
  • WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-05-21-1.
• CVE-2014-1336
  • Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
  • Credit to Apple.
  • WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-05-21-1.
• CVE-2014-1337
  • Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
  • Credit to Apple.
  • WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-05-21-1.
• CVE-2014-1338
  • Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
  • Credit to Google Chrome Security Team.
  • WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-05-21-1.
• CVE-2014-1339
  • Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
  • Credit to Atte Kettunen of OUSPG.
  • WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-05-21-1.
• CVE-2014-1341
  • Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
  • Credit to Google Chrome Security Team.
  • WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-05-21-1.
• CVE-2014-1342
  • Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
  • Credit to Apple.
  • WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-05-21-1.
• CVE-2014-1343
  • Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
  • Credit to Google Chrome Security Team.
  • WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-05-21-1.
• CVE-2014-1731
  • Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
  • Credit to an anonymous member of the Blink development community.
  • core/html/HTMLSelectElement.cpp in the DOM implementation in Blink, as used in Google Chrome before 34.0.1847.131 on Windows and OS X and before 34.0.1847.132 on Linux, does not properly check renderer state upon a focus event, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that leverage “type confusion” for SELECT elements.
• CVE-2014-1346
  • Versions affected: WebKitGTK+ 2.4.X before 2.4.2.
  • Credit to Erling Ellingsen of Facebook.
  • WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4, does not properly interpret Unicode encoding, which allows remote attackers to spoof a postMessage origin, and bypass intended restrictions on sending a message to a connected frame or window, via crafted characters in a URL.
• CVE-2014-1344
  • Versions affected: WebKitGTK+ 2.4.X before 2.4.8.
  • Credit to Ian Beer of Google Project Zero.
  • WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-05-21-1.
• CVE-2014-1384
  • Versions affected: WebKitGTK+ 2.4.X before 2.4.8.
  • Credit to Apple.
  • WebKit, as used in Apple Safari before 6.1.6 and 7.x before 7.0.6, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in HT6367.
• CVE-2014-1385
  • Versions affected: WebKitGTK+ 2.4.X before 2.4.8.
  • Credit to Apple.
  • WebKit, as used in Apple Safari before 6.1.6 and 7.x before 7.0.6, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in HT6367.
• CVE-2014-1387
  • Versions affected: WebKitGTK+ 2.4.X before 2.4.8.
  • Credit to Google Chrome Security Team.
  • WebKit, as used in Apple Safari before 6.1.6 and 7.x before 7.0.6, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in HT6367.
• CVE-2014-1388
  • Versions affected: WebKitGTK+ 2.4.X before 2.4.8.
  • Credit to Apple.
  • WebKit, as used in Apple Safari before 6.1.6 and 7.x before 7.0.6, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in HT6367.
• CVE-2014-1389
  • Versions affected: WebKitGTK+ 2.4.X before 2.4.8.
  • Credit to Apple.
  • WebKit, as used in Apple Safari before 6.1.6 and 7.x before 7.0.6, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in HT6367.
• CVE-2014-1390
  • Versions affected: WebKitGTK+ 2.4.X before 2.4.8.
  • Credit to Apple.
  • WebKit, as used in Apple Safari before 6.1.6 and 7.x before 7.0.6, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in HT6367.

For the 2.4 series, these problems have been fixed in release 2.4.8.

Further information about WebKitGTK+ Security Advisories can be found at: https://webkitgtk.org/security.html