WebKitGTK+ Security Advisory WSA-2018-0004

• Date Reported: May 07, 2018

• Advisory ID: WSA-2018-0004

• CVE identifiers: CVE-2018-4121, CVE-2018-4200, CVE-2018-4204.

Several vulnerabilities were discovered in WebKitGTK+.

• CVE-2018-4121
  • Versions affected: WebKitGTK+ before 2.20.0.
  • Credit to Natalie Silvanovich of Google Project Zero.
  • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed with improved memory handling.
• CVE-2018-4200
  • Versions affected: WebKitGTK+ before 2.20.2.
  • Credit to Ivan Fratric of Google Project Zero.
  • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: A memory corruption issue was addressed with improved state management.
• CVE-2018-4204
  • Versions affected: WebKitGTK+ before 2.20.1.
  • Credit to Richard Zhu (fluorescence) working with Trend Micro’s Zero Day Initiative, found by OSS-Fuzz.
  • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: A memory corruption issue was addressed with improved memory handling.

We recommend updating to the last stable version of WebKitGTK+. It is the best way of ensuring that you are running a safe version of WebKitGTK+. Please check our website for information about the last stable releases.

Further information about WebKitGTK+ Security Advisories can be found at: https://webkitgtk.org/security.html