Lucene search

K
amazonAmazonALAS-2024-2623
HistoryAug 14, 2024 - 7:06 p.m.

Important: webkitgtk4

2024-08-1419:06:00
alas.aws.amazon.com
7
use-after-free
out-of-bounds
webkitgtk4
security
patched

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

AI Score

6.3

Confidence

Low

EPSS

0.001

Percentile

49.8%

Issue Overview:

A use-after-free issue was addressed with improved memory management. This issue is fixed in iOS 16.7.9 and iPadOS 16.7.9, Safari 17.6, iOS 17.6 and iPadOS 17.6, watchOS 10.6, tvOS 17.6, visionOS 1.3, macOS Sonoma 14.6. Processing maliciously crafted web content may lead to an unexpected process crash. (CVE-2024-40776)

An out-of-bounds read was addressed with improved bounds checking. This issue is fixed in iOS 16.7.9 and iPadOS 16.7.9, Safari 17.6, iOS 17.6 and iPadOS 17.6, watchOS 10.6, tvOS 17.6, visionOS 1.3, macOS Sonoma 14.6. Processing maliciously crafted web content may lead to an unexpected process crash. (CVE-2024-40779)

An out-of-bounds read was addressed with improved bounds checking. This issue is fixed in iOS 16.7.9 and iPadOS 16.7.9, Safari 17.6, iOS 17.6 and iPadOS 17.6, watchOS 10.6, tvOS 17.6, visionOS 1.3, macOS Sonoma 14.6. Processing maliciously crafted web content may lead to an unexpected process crash. (CVE-2024-40780)

An out-of-bounds access issue was addressed with improved bounds checking. This issue is fixed in iOS 16.7.9 and iPadOS 16.7.9, Safari 17.6, iOS 17.6 and iPadOS 17.6, watchOS 10.6, tvOS 17.6, visionOS 1.3, macOS Sonoma 14.6. Processing maliciously crafted web content may lead to an unexpected process crash. (CVE-2024-40789)

Affected Packages:

webkitgtk4

Note:

This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.

Issue Correction:
Run yum update webkitgtk4 to update your system.

New Packages:

aarch64:  
    webkitgtk4-2.42.5-1.amzn2.0.5.aarch64  
    webkitgtk4-devel-2.42.5-1.amzn2.0.5.aarch64  
    webkitgtk4-jsc-2.42.5-1.amzn2.0.5.aarch64  
    webkitgtk4-jsc-devel-2.42.5-1.amzn2.0.5.aarch64  
    webkitgtk4-debuginfo-2.42.5-1.amzn2.0.5.aarch64  
  
i686:  
    webkitgtk4-2.42.5-1.amzn2.0.5.i686  
    webkitgtk4-devel-2.42.5-1.amzn2.0.5.i686  
    webkitgtk4-jsc-2.42.5-1.amzn2.0.5.i686  
    webkitgtk4-jsc-devel-2.42.5-1.amzn2.0.5.i686  
    webkitgtk4-debuginfo-2.42.5-1.amzn2.0.5.i686  
  
src:  
    webkitgtk4-2.42.5-1.amzn2.0.5.src  
  
x86_64:  
    webkitgtk4-2.42.5-1.amzn2.0.5.x86_64  
    webkitgtk4-devel-2.42.5-1.amzn2.0.5.x86_64  
    webkitgtk4-jsc-2.42.5-1.amzn2.0.5.x86_64  
    webkitgtk4-jsc-devel-2.42.5-1.amzn2.0.5.x86_64  
    webkitgtk4-debuginfo-2.42.5-1.amzn2.0.5.x86_64  

Additional References

Red Hat: CVE-2024-40776, CVE-2024-40779, CVE-2024-40780, CVE-2024-40789

Mitre: CVE-2024-40776, CVE-2024-40779, CVE-2024-40780, CVE-2024-40789

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

AI Score

6.3

Confidence

Low

EPSS

0.001

Percentile

49.8%