Arch Linux Security Advisory ASA-202002-10
==========================================

Severity: High
Date    : 2020-02-17
CVE-ID  : CVE-2020-3862 CVE-2020-3864 CVE-2020-3865 CVE-2020-3867
          CVE-2020-3868
Package : webkit2gtk
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-1100

Summary
=======

The package webkit2gtk before version 2.26.4-1 is vulnerable to
multiple issues including arbitrary code execution, cross-site
scripting, sandbox escape, denial of service and same-origin policy
bypass.

Resolution
==========

Upgrade to 2.26.4-1.

# pacman -Syu "webkit2gtk>=2.26.4-1"

The problems have been fixed upstream in version 2.26.4.

Workaround
==========

None.

Description
===========

- CVE-2020-3862 (denial of service)

A malicious website may be able to cause a denial of service.

- CVE-2020-3864 (same-origin policy bypass)

A DOM object context may not have had a unique security origin.

- CVE-2020-3865 (sandbox escape)

A top-level DOM object context may have incorrectly been considered
secure.

- CVE-2020-3867 (cross-site scripting)

Processing maliciously crafted web content may lead to universal cross
site scripting.

- CVE-2020-3868 (arbitrary code execution)

Processing maliciously crafted web content may lead to arbitrary code
execution. Credit to Marcin Towalski of Cisco Talos.

Impact
======

A remote attacker can bypass security restrictions via universal
cross-site scripting or execute arbitrary code via crafted web content.

References
==========

https://webkitgtk.org/security/WSA-2020-0002.html
https://security.archlinux.org/CVE-2020-3862
https://security.archlinux.org/CVE-2020-3864
https://security.archlinux.org/CVE-2020-3865
https://security.archlinux.org/CVE-2020-3867
https://security.archlinux.org/CVE-2020-3868