mirror of https://git.FreeBSD.org/ports.git synced 2025-01-22 08:58:47 +00:00

Document webkit2-gtk3 CVEs

Koop Mast 2017-07-25 18:17:21 +00:00
parent 14bebda5f1
commit 92ebf45094
Notes: svn2git 2021-03-31 03:12:20 +00:00
svn path=/head/; revision=446617


@ -58,6 +58,224 @@ Notes:
* Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
<vuln vid="0f66b901-715c-11e7-ad1f-bcaec565249c">
<topic>webkit2-gtk3 -- multiple vulnabilities</topic>
<affects>
<package>
<name>webkit2-gtk3</name>
<range><lt>2.16.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Webkit gtk team reports:</p>
<blockquote cite="https://webkitgtk.org/security/WSA-2017-0006.html">
<p>CVE-2017-7006: Versions affected: WebKitGTK+ before 2.16.2.<br/>
Credit to David Kohlbrenner of UC San Diego, an anonymous
researcher.<br/>
Impact: A malicious website may exfiltrate data cross-origin.
Description: Processing maliciously crafted web content may
allow cross-origin data to be exfiltrated by using SVG filters
to conduct a timing side-channel attack. This issue was addressed by not painting the cross-origin buffer into the frame that gets filtered.</p>
<p>CVE-2017-7011: Versions affected: WebKitGTK+ before 2.16.3.<br/>
Credit to xisigr of Tencents Xuanwu Lab (tencent.com).<br/>
Impact: Visiting a malicious website may lead to address bar
spoofing. Description: A state management issue was addressed
with improved frame handling.</p>
<p>CVE-2017-7012: Versions affected: WebKitGTK+ before 2.16.2.<br/>
Credit to Apple.<br/>
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution. Description: Multiple memory
corruption issues were addressed with improved memory
handling.</p>
<p>CVE-2017-7018: Versions affected: WebKitGTK+ before 2.16.6.<br/>
Credit to lokihardt of Google Project Zero.<br/>
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution. Description: Multiple memory
corruption issues were addressed with improved memory
handling.</p>
<p>CVE-2017-7019: Versions affected: WebKitGTK+ before 2.16.2.<br/>
Credit to Zhiyang Zeng of Tencent Security Platform Department.<br/>
Impact: Processing maliciously crafted web content may lead
to arbitrary code execution. Description: Multiple memory
corruption issues were addressed with improved memory
handling.</p>
<p>CVE-2017-7020: Versions affected: WebKitGTK+ before 2.16.1.<br/>
Credit to likemeng of Baidu Security Lab.<br/>
Impact: Processing maliciously crafted web content may lead
to arbitrary code execution. Description: Multiple memory
corruption issues were addressed with improved memory
handling.</p>
<p>CVE-2017-7030: Versions affected: WebKitGTK+ before 2.16.6.<br/>
Credit to chenqin of Ant-financial Light-Year Security Lab
(蚂蚁金服巴斯光年安全实验室).<br/>
Impact: Processing maliciously crafted web content may lead
to arbitrary code execution. Description: Multiple memory
corruption issues were addressed with improved memory
handling.</p>
<p>CVE-2017-7034: Versions affected: WebKitGTK+ before 2.16.6.<br/>
Credit to chenqin of Ant-financial Light-Year Security Lab
(蚂蚁金服巴斯光年安全实验室).<br/>
Impact: Processing maliciously crafted web content may lead
to arbitrary code execution. Description: Multiple memory
corruption issues were addressed with improved memory
handling.</p>
<p>CVE-2017-7037: Versions affected: WebKitGTK+ before 2.16.6.<br/>
Credit to lokihardt of Google Project Zero.<br/>
Impact: Processing maliciously crafted web content may lead
to arbitrary code execution. Description: Multiple memory
corruption issues were addressed with improved memory
handling.</p>
<p>CVE-2017-7038: Versions affected: WebKitGTK+ before 2.16.2.<br/>
Credit to Neil Jenkins of FastMail Pty Ltd, Egor Karbutov
(@ShikariSenpai) of Digital Security and Egor Saltykov
(@ansjdnakjdnajkd) of Digital Security.<br/>
Impact: Processing maliciously crafted web content with
DOMParser may lead to cross site scripting. Description:
A logic issue existed in the handling of DOMParser. This
issue was addressed with improved state management.</p>
<p>CVE-2017-7039: Versions affected: WebKitGTK+ before 2.16.6.<br/>
Credit to Ivan Fratric of Google Project Zero.<br/>
Impact: Processing maliciously crafted web content may lead
to arbitrary code execution. Description: Multiple memory
corruption issues were addressed with improved memory
handling.</p>
<p>CVE-2017-7040: Versions affected: WebKitGTK+ before 2.16.3.<br/>
Credit to Ivan Fratric of Google Project Zero.<br/>
Impact: Processing maliciously crafted web content may lead
to arbitrary code execution. Description: Multiple memory
corruption issues were addressed with improved memory
handling.</p>
<p>CVE-2017-7041: Versions affected: WebKitGTK+ before 2.16.2.<br/>
Credit to Ivan Fratric of Google Project Zero.<br/>
Impact: Processing maliciously crafted web content may lead
to arbitrary code execution. Description: Multiple memory
corruption issues were addressed with improved memory
handling.</p>
<p>CVE-2017-7042: Versions affected: WebKitGTK+ before 2.16.2.<br/>
Credit to Ivan Fratric of Google Project Zero.<br/>
Impact: Processing maliciously crafted web content may lead
to arbitrary code execution. Description: Multiple memory
corruption issues were addressed with improved memory
handling.</p>
<p>CVE-2017-7043: Versions affected: WebKitGTK+ before 2.16.2.<br/>
Credit to Ivan Fratric of Google Project Zero.<br/>
Impact: Processing maliciously crafted web content may lead
to arbitrary code execution. Description: Multiple memory
corruption issues were addressed with improved memory
handling.</p>
<p>CVE-2017-7046: Versions affected: WebKitGTK+ before 2.16.6.<br/>
Credit to Ivan Fratric of Google Project Zero.<br/>
Impact: Processing maliciously crafted web content may lead
to arbitrary code execution. Description: Multiple memory
corruption issues were addressed with improved memory
handling.</p>
<p>CVE-2017-7048: Versions affected: WebKitGTK+ before 2.16.6.<br/>
Credit to Ivan Fratric of Google Project Zero.<br/>
Impact: Processing maliciously crafted web content may lead
to arbitrary code execution. Description: Multiple memory
corruption issues were addressed with improved memory
handling.</p>
<p>CVE-2017-7049: Versions affected: WebKitGTK+ before 2.16.2.<br/>
Credit to Ivan Fratric of Google Project Zero.<br/>
Impact: Processing maliciously crafted web content may lead
to arbitrary code execution. Description: Multiple memory
corruption issues were addressed through improved memory
handling.</p>
<p>CVE-2017-7052: Versions affected: WebKitGTK+ before 2.16.4.<br/>
Credit to cc working with Trend Micros Zero Day Initiative.<br/>
Impact: Processing maliciously crafted web content may lead
to arbitrary code execution. Description: Multiple memory
corruption issues were addressed with improved memory
handling.</p>
<p>CVE-2017-7055: Versions affected: WebKitGTK+ before 2.16.6.<br/>
Credit to The UKs National Cyber Security Centre (NCSC).<br/>
Impact: Processing maliciously crafted web content may lead
to arbitrary code execution. Description: Multiple memory
corruption issues were addressed with improved memory
handling.</p>
<p>CVE-2017-7056: Versions affected: WebKitGTK+ before 2.16.6.<br/>
Credit to lokihardt of Google Project Zero.<br/>
Impact: Processing maliciously crafted web content may lead
to arbitrary code execution. Description: Multiple memory
corruption issues were addressed with improved memory
handling.</p>
<p>CVE-2017-7059: Versions affected: WebKitGTK+ before 2.16.3.<br/>
Credit to an anonymous researcher.<br/>
Impact: Processing maliciously crafted web content with
DOMParser may lead to cross site scripting. Description:
A logic issue existed in the handling of DOMParser. This
issue was addressed with improved state management.</p>
<p>CVE-2017-7061: Versions affected: WebKitGTK+ before 2.16.6.<br/>
Credit to lokihardt of Google Project Zero.<br/>
Impact: Processing maliciously crafted web content may lead
to arbitrary code execution. Description: Multiple memory
corruption issues were addressed with improved memory
handling.</p>
<p>CVE-2017-7064: Versions affected: WebKitGTK+ before 2.16.6.<br/>
Credit to lokihardt of Google Project Zero.<br/>
Impact: An application may be able to read restricted
memory. Description: A memory initialization issue was
addressed through improved memory handling.</p>
</blockquote>
</body>
</description>
<references>
<url>https://webkitgtk.org/security/WSA-2017-0006.html</url>
<cvename>CVE-2017-7006</cvename>
<cvename>CVE-2017-7011</cvename>
<cvename>CVE-2017-7012</cvename>
<cvename>CVE-2017-7018</cvename>
<cvename>CVE-2017-7019</cvename>
<cvename>CVE-2017-7020</cvename>
<cvename>CVE-2017-7030</cvename>
<cvename>CVE-2017-7034</cvename>
<cvename>CVE-2017-7037</cvename>
<cvename>CVE-2017-7038</cvename>
<cvename>CVE-2017-7039</cvename>
<cvename>CVE-2017-7040</cvename>
<cvename>CVE-2017-7041</cvename>
<cvename>CVE-2017-7042</cvename>
<cvename>CVE-2017-7043</cvename>
<cvename>CVE-2017-7046</cvename>
<cvename>CVE-2017-7048</cvename>
<cvename>CVE-2017-7049</cvename>
<cvename>CVE-2017-7052</cvename>
<cvename>CVE-2017-7055</cvename>
<cvename>CVE-2017-7056</cvename>
<cvename>CVE-2017-7059</cvename>
<cvename>CVE-2017-7061</cvename>
<cvename>CVE-2017-7064</cvename>
</references>
<dates>
<discovery>2017-07-24</discovery>
<entry>2017-07-25</entry>
</dates>
</vuln>
<vuln vid="8745c67e-7dd1-4165-96e2-fcf9da2dc5b5">
<topic>gsoap -- remote code execution via via overflow</topic>
<affects>
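Review bot: the <topic> of the new webkit2-gtk3 entry misspells "vulnerabilities" as "vulnabilities"; since the topic is the headline of the entry, please correct it to "webkit2-gtk3 -- multiple vulnerabilities". Three credit lines in the quoted advisory have also lost their apostrophes ("Tencents Xuanwu Lab", "Trend Micros Zero Day Initiative", "The UKs National Cyber Security Centre"), which looks like typographic quotes dropped on paste; restoring them as plain ASCII apostrophes keeps the quotation faithful. The last line of the CVE-2017-7006 paragraph ("to conduct a timing side-channel attack. This issue was addressed by ...") runs far past the wrap width used in the rest of the entry and should be re-wrapped. The single range <lt>2.16.6</lt> is consistent with the text, since 2.16.6 is the highest "before" version listed among the quoted CVEs.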