Subject: [ASA-201905-10] webkit2gtk: multiple issues

Arch Linux Security Advisory ASA-201905-10
==========================================

Severity: Critical
Date    : 2019-05-28
CVE-ID  : CVE-2019-8595 CVE-2019-8607 CVE-2019-8615
Package : webkit2gtk
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-967

Summary
=======

The package webkit2gtk before version 2.24.2-1 is vulnerable to
multiple issues including arbitrary code execution and information
disclosure.

Resolution
==========

Upgrade to 2.24.2-1.

# pacman -Syu "webkit2gtk>=2.24.2-1"

The problems have been fixed upstream in version 2.24.2.

Workaround
==========

None.

Description
===========

- CVE-2019-8595 (arbitrary code execution)

Multiple memory corruption issues have been found in WebKitGTK before
2.24.2, where processing maliciously crafted web content may lead to
arbitrary code execution.

- CVE-2019-8607 (information disclosure)

An out-of-bounds read has been found in WebKitGTK before 2.24.2, where
processing maliciously crafted web content may result in the disclosure
of process memory.

- CVE-2019-8615 (arbitrary code execution)

Multiple memory corruption issues have been found in WebKitGTK before
2.24.2, where processing maliciously crafted web content may lead to
arbitrary code execution.

Impact
======

A remote attacker can access sensitive information or execute arbitrary
code on the affected host via crafted web content.

References
==========

https://webkitgtk.org/security/WSA-2019-0003.html
https://webkitgtk.org/security/WSA-2019-0003.html#CVE-2019-8595
https://webkitgtk.org/security/WSA-2019-0003.html#CVE-2019-8607
https://webkitgtk.org/security/WSA-2019-0003.html#CVE-2019-8615
https://security.archlinux.org/CVE-2019-8595
https://security.archlinux.org/CVE-2019-8607
https://security.archlinux.org/CVE-2019-8615