Arch Linux Security Advisory ASA-201909-1

Severity: Critical
Date : 2019-09-04
CVE-ID : CVE-2019-8644 CVE-2019-8649 CVE-2019-8658 CVE-2019-8669
CVE-2019-8678 CVE-2019-8680 CVE-2019-8683 CVE-2019-8684
CVE-2019-8688
Package : webkit2gtk
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-1033

Summary

The package webkit2gtk before version 2.24.4-1 is vulnerable to
multiple issues including arbitrary code execution and cross-site
scripting.

Resolution

Upgrade to 2.24.4-1.

pacman -Syu “webkit2gtk>=2.24.4-1”

The problems have been fixed upstream in version 2.24.4.

Workaround

None.

Description

• CVE-2019-8644 (arbitrary code execution)

An issue has been found in WebKitGTK before 2.24.4 where processing
maliciously crafted web content may lead to arbitrary code execution.

• CVE-2019-8649 (cross-site scripting)

An issue has been found in WebKitGTK before 2.24.4 where processing
maliciously crafted web content may lead to universal cross site
scripting.

• CVE-2019-8658 (cross-site scripting)

An issue has been found in WebKitGTK before 2.24.4 where processing
maliciously crafted web content may lead to universal cross site
scripting.

• CVE-2019-8669 (arbitrary code execution)

An issue has been found in WebKitGTK before 2.24.4 where processing
maliciously crafted web content may lead to arbitrary code execution.

• CVE-2019-8678 (arbitrary code execution)

An issue has been found in WebKitGTK before 2.24.4 where processing
maliciously crafted web content may lead to arbitrary code execution.

• CVE-2019-8680 (arbitrary code execution)

An issue has been found in WebKitGTK before 2.24.4 where processing
maliciously crafted web content may lead to arbitrary code execution.

• CVE-2019-8683 (arbitrary code execution)

An issue has been found in WebKitGTK before 2.24.4 where processing
maliciously crafted web content may lead to arbitrary code execution.

• CVE-2019-8684 (arbitrary code execution)

An issue has been found in WebKitGTK before 2.24.4 where processing
maliciously crafted web content may lead to arbitrary code execution.

• CVE-2019-8688 (arbitrary code execution)

An issue has been found in WebKitGTK before 2.24.4 where processing
maliciously crafted web content may lead to arbitrary code execution.

Impact

A remote attacker can bypass security restrictions via universal cross-
site scripting or execute arbitrary code via crafted web content.

References

https://webkitgtk.org/security/WSA-2019-0004.html
https://webkitgtk.org/security/WSA-2019-0004.html#CVE-2019-8644
https://webkitgtk.org/security/WSA-2019-0004.html#CVE-2019-8649
https://webkitgtk.org/security/WSA-2019-0004.html#CVE-2019-8658
https://webkitgtk.org/security/WSA-2019-0004.html#CVE-2019-8669
https://webkitgtk.org/security/WSA-2019-0004.html#CVE-2019-8678
https://webkitgtk.org/security/WSA-2019-0004.html#CVE-2019-8680
https://webkitgtk.org/security/WSA-2019-0004.html#CVE-2019-8683
https://webkitgtk.org/security/WSA-2019-0004.html#CVE-2019-8684
https://webkitgtk.org/security/WSA-2019-0004.html#CVE-2019-8688
https://security.archlinux.org/CVE-2019-8644
https://security.archlinux.org/CVE-2019-8649
https://security.archlinux.org/CVE-2019-8658
https://security.archlinux.org/CVE-2019-8669
https://security.archlinux.org/CVE-2019-8678
https://security.archlinux.org/CVE-2019-8680
https://security.archlinux.org/CVE-2019-8683
https://security.archlinux.org/CVE-2019-8684
https://security.archlinux.org/CVE-2019-8688