Arch Linux 811 Published by

A webkit2gtk security update has been released for Arch Linux to address an arbitrary code execution issue.



Arch Linux Security Advisory ASA-202002-7
=========================================

Severity: Critical
Date : 2020-02-12
CVE-ID : CVE-2019-8835 CVE-2019-8844 CVE-2019-8846
Package : webkit2gtk
Type : arbitrary code execution
Remote : Yes
Link :   https://security.archlinux.org/AVG-1098

Summary
=======

The package webkit2gtk before version 2.26.3-1 is vulnerable to
arbitrary code execution.

Resolution
==========

Upgrade to 2.26.3-1.

# pacman -Syu "webkit2gtk>=2.26.3-1"

The problems have been fixed upstream in version 2.26.3.

Workaround
==========

None.

Description
===========

- CVE-2019-8835 (arbitrary code execution)

Multiple memory corruption issues have been found in WebKitGTK before
2.26.3, where processing maliciously crafted web content may lead to
arbitrary code execution.

- CVE-2019-8844 (arbitrary code execution)

Multiple memory corruption issues have been found in WebKitGTK before
2.26.3, where processing maliciously crafted web content may lead to
arbitrary code execution.

- CVE-2019-8846 (arbitrary code execution)

Multiple memory corruption issues have been found in WebKitGTK before
2.26.3, where processing maliciously crafted web content may lead to
arbitrary code execution.

Impact
======

A remote attacker can execute code on the affected host via maliciously
crafted web content.

References
==========

  https://webkitgtk.org/security/WSA-2020-0001.html
  https://webkitgtk.org/security/WSA-2020-0001.html#CVE-2019-8835
  https://webkitgtk.org/security/WSA-2020-0001.html#CVE-2019-8844
  https://webkitgtk.org/security/WSA-2020-0001.html#CVE-2019-8846
  https://security.archlinux.org/CVE-2019-8835
  https://security.archlinux.org/CVE-2019-8844
  https://security.archlinux.org/CVE-2019-8846