
[ASA-201701-27] webkit2gtk: multiple issues
Arch Linux Security Advisory ASA-201701-27
==========================================

Severity: Critical
Date    : 2017-01-18
CVE-ID  : CVE-2016-7586 CVE-2016-7589 CVE-2016-7592 CVE-2016-7599
          CVE-2016-7623 CVE-2016-7632 CVE-2016-7635 CVE-2016-7639
          CVE-2016-7641 CVE-2016-7645 CVE-2016-7652 CVE-2016-7654
          CVE-2016-7656
Package : webkit2gtk
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-146

Summary
=======

The package webkit2gtk before version 2.14.3-1 is vulnerable to
multiple issues including arbitrary code execution and information
disclosure.

Resolution
==========

Upgrade to 2.14.3-1.

# pacman -Syu "webkit2gtk>=2.14.3-1"

The problems have been fixed upstream in version 2.14.3.

Workaround
==========

None.

Description
===========

- CVE-2016-7586 (information disclosure)

A validation issue was found in WebKitGTK+ < 2.14.3, leading to the
potential disclosure of user information while processing maliciously
crafted web content. The issue was fixed through improved state
management.

- CVE-2016-7589 (arbitrary code execution)

A memory corruption issue was found in WebKitGTK+ < 2.14.3, leading to
potential arbitrary code execution while processing maliciously crafted
web content. The issue was fixed through improved state management.

- CVE-2016-7592 (information disclosure)

An issue in the handling of JavaScript prompts was found in WebKitGTK+
< 2.14.3, leading to potential compromise of user information while
processing maliciously crafted web content. The issue was fixed through
improved state management.

- CVE-2016-7599 (information disclosure)

An issue in the handling of HTTP redirects was found in WebKitGTK+ <
2.14.3, leading to potential disclosure of user information while
processing maliciously crafted web content. This issue was addressed
through improved cross origin validation.

- CVE-2016-7623 (information disclosure)

An issue in the handling of blob URLs was found in WebKitGTK+ < 2.14.3,
leading to potential compromise of user information while processing
maliciously crafted web content. This issue was addressed through
improved URL handling.

- CVE-2016-7632 (arbitrary code execution)

A memory corruption issue was found in WebKitGTK+ < 2.14.3, leading to
denial of service or arbitrary code execution while processing
maliciously crafted web content. This issue was addressed through
improved state management.

- CVE-2016-7635 (arbitrary code execution)

Multiple memory corruption issues were found in WebKitGTK+ < 2.14.3,
leading to arbitrary code execution while processing maliciously
crafted web content. These issues were addressed through improved
memory handling.

- CVE-2016-7639 (arbitrary code execution)

Multiple memory corruption issues were found in WebKitGTK+ < 2.14.3,
leading to arbitrary code execution while processing maliciously
crafted web content. These issues were addressed through improved state
management.

- CVE-2016-7641 (arbitrary code execution)

Multiple memory corruption issues were found in WebKitGTK+ < 2.14.3,
leading to arbitrary code execution while processing maliciously
crafted web content. These issues were addressed through improved state
management.

- CVE-2016-7645 (arbitrary code execution)

Multiple memory corruption issues were found in WebKitGTK+ < 2.14.3,
leading to arbitrary code execution while processing maliciously
crafted web content. These issues were addressed through improved state
management.

- CVE-2016-7652 (arbitrary code execution)

Multiple memory corruption issues were found in WebKitGTK+ < 2.14.3,
leading to arbitrary code execution while processing maliciously
crafted web content. These issues were addressed through improved
memory handling.

- CVE-2016-7654 (arbitrary code execution)

Multiple memory corruption issues were found in WebKitGTK+ < 2.14.3,
leading to arbitrary code execution while processing maliciously
crafted web content. These issues were addressed through improved state
management.

- CVE-2016-7656 (arbitrary code execution)

A memory corruption issue was found in WebKitGTK+ < 2.14.3, leading to
arbitrary code execution while processing maliciously crafted web
content. This issue was addressed through improved state management.

Impact
======

A remote attacker can access sensitive information or execute arbitrary
code on the affected host via maliciously crafted web content.

References
==========

https://webkitgtk.org/security/WSA-2017-0001.html
https://security.archlinux.org/CVE-2016-7586
https://security.archlinux.org/CVE-2016-7589
https://security.archlinux.org/CVE-2016-7592
https://security.archlinux.org/CVE-2016-7599
https://security.archlinux.org/CVE-2016-7623
https://security.archlinux.org/CVE-2016-7632
https://security.archlinux.org/CVE-2016-7635
https://security.archlinux.org/CVE-2016-7639
https://security.archlinux.org/CVE-2016-7641
https://security.archlinux.org/CVE-2016-7645
https://security.archlinux.org/CVE-2016-7652
https://security.archlinux.org/CVE-2016-7654
https://security.archlinux.org/CVE-2016-7656
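
Added example, not part of the Arch advisory: a Python check that flags hosts still running webkit2gtk below the fixed version 2.14.3-1 named under Resolution. The inventory lines (host names and `pacman -Q webkit2gtk` output) are constructed, and the comparison assumes numeric epoch, pkgver and pkgrel; pacman's `vercmp` is the tool for arbitrary version strings.

```python
import re

PACKAGE = "webkit2gtk"
FIXED = "2.14.3-1"  # first fixed version, taken from the advisory

# Assumption: epoch, pkgver and pkgrel are numeric and dot-separated.
_VERSION = re.compile(r"^(?:(\d+):)?(\d+(?:\.\d+)*)-(\d+(?:\.\d+)*)$")

# Constructed sample: "<host>: <output of pacman -Q webkit2gtk>"
SAMPLE_INVENTORY = """
web01: webkit2gtk 2.14.2-1
web02: webkit2gtk 2.14.3-1
desk03: webkit2gtk 2.16.1-2
desk04: webkit2gtk 2.8.5-1
build05: error: package 'webkit2gtk' was not found
"""

def version_key(version):
    """Return a comparable key for an 'epoch:pkgver-pkgrel' string."""
    match = _VERSION.match(version)
    if not match:
        raise ValueError(f"unsupported version string: {version!r}")
    epoch, pkgver, pkgrel = match.groups()
    to_ints = lambda s: tuple(int(part) for part in s.split("."))
    return (int(epoch or 0), to_ints(pkgver), to_ints(pkgrel))

def audit(inventory):
    """Map each host to 'vulnerable', 'patched', 'not-installed' or 'unknown'."""
    fixed = version_key(FIXED)
    report = {}
    for line in inventory.strip().splitlines():
        host, _, query = line.partition(":")
        fields = query.split()
        if len(fields) != 2 or fields[0] != PACKAGE:
            report[host.strip()] = "not-installed"
            continue
        try:
            # Numeric comparison: 2.8.5 sorts below 2.14.3, unlike a string compare.
            status = "vulnerable" if version_key(fields[1]) < fixed else "patched"
        except ValueError:
            status = "unknown"
        report[host.strip()] = status
    return report

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```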