Arch Linux Security Advisory ASA-201909-1 ========================================= Severity: Critical Date : 2019-09-04 CVE-ID : CVE-2019-8644 CVE-2019-8649 CVE-2019-8658 CVE-2019-8669 CVE-2019-8678 CVE-2019-8680 CVE-2019-8683 CVE-2019-8684 CVE-2019-8688 Package : webkit2gtk Type : multiple issues Remote : Yes Link : https://security.archlinux.org/AVG-1033 Summary ======= The package webkit2gtk before version 2.24.4-1 is vulnerable to multiple issues including arbitrary code execution and cross-site scripting. Resolution ========== Upgrade to 2.24.4-1. # pacman -Syu "webkit2gtk>=2.24.4-1" The problems have been fixed upstream in version 2.24.4. Workaround ========== None. Description =========== - CVE-2019-8644 (arbitrary code execution) An issue has been found in WebKitGTK before 2.24.4 where processing maliciously crafted web content may lead to arbitrary code execution. - CVE-2019-8649 (cross-site scripting) An issue has been found in WebKitGTK before 2.24.4 where processing maliciously crafted web content may lead to universal cross site scripting. - CVE-2019-8658 (cross-site scripting) An issue has been found in WebKitGTK before 2.24.4 where processing maliciously crafted web content may lead to universal cross site scripting. - CVE-2019-8669 (arbitrary code execution) An issue has been found in WebKitGTK before 2.24.4 where processing maliciously crafted web content may lead to arbitrary code execution. - CVE-2019-8678 (arbitrary code execution) An issue has been found in WebKitGTK before 2.24.4 where processing maliciously crafted web content may lead to arbitrary code execution. - CVE-2019-8680 (arbitrary code execution) An issue has been found in WebKitGTK before 2.24.4 where processing maliciously crafted web content may lead to arbitrary code execution. - CVE-2019-8683 (arbitrary code execution) An issue has been found in WebKitGTK before 2.24.4 where processing maliciously crafted web content may lead to arbitrary code execution. - CVE-2019-8684 (arbitrary code execution) An issue has been found in WebKitGTK before 2.24.4 where processing maliciously crafted web content may lead to arbitrary code execution. - CVE-2019-8688 (arbitrary code execution) An issue has been found in WebKitGTK before 2.24.4 where processing maliciously crafted web content may lead to arbitrary code execution. Impact ====== A remote attacker can bypass security restrictions via universal cross- site scripting or execute arbitrary code via crafted web content. References ========== https://webkitgtk.org/security/WSA-2019-0004.html https://webkitgtk.org/security/WSA-2019-0004.html#CVE-2019-8644 https://webkitgtk.org/security/WSA-2019-0004.html#CVE-2019-8649 https://webkitgtk.org/security/WSA-2019-0004.html#CVE-2019-8658 https://webkitgtk.org/security/WSA-2019-0004.html#CVE-2019-8669 https://webkitgtk.org/security/WSA-2019-0004.html#CVE-2019-8678 https://webkitgtk.org/security/WSA-2019-0004.html#CVE-2019-8680 https://webkitgtk.org/security/WSA-2019-0004.html#CVE-2019-8683 https://webkitgtk.org/security/WSA-2019-0004.html#CVE-2019-8684 https://webkitgtk.org/security/WSA-2019-0004.html#CVE-2019-8688 https://security.archlinux.org/CVE-2019-8644 https://security.archlinux.org/CVE-2019-8649 https://security.archlinux.org/CVE-2019-8658 https://security.archlinux.org/CVE-2019-8669 https://security.archlinux.org/CVE-2019-8678 https://security.archlinux.org/CVE-2019-8680 https://security.archlinux.org/CVE-2019-8683 https://security.archlinux.org/CVE-2019-8684 https://security.archlinux.org/CVE-2019-8688