From d0c6c8663508aa1de09cd5a07c4a47707bc0c4ad Mon Sep 17 00:00:00 2001 From: Adrian Perez de Castro Date: Tue, 6 Feb 2024 01:07:30 +0200 Subject: [PATCH] Release: WSA-2024-0001 --- .../2024-02-05-security-advisory-2024-0001.md | 75 +++++++++++++++++++ 1 file changed, 75 insertions(+) create mode 100644 security/2024-02-05-security-advisory-2024-0001.md diff --git a/security/2024-02-05-security-advisory-2024-0001.md b/security/2024-02-05-security-advisory-2024-0001.md new file mode 100644 index 000000000..baed393ae --- /dev/null +++ b/security/2024-02-05-security-advisory-2024-0001.md @@ -0,0 +1,75 @@ +--- +layout: post +title: WebKitGTK and WPE WebKit Security Advisory WSA-2024-0001 +permalink: /security/WSA-2024-0001.html +date: 2024-02-05 +tags: WSA +--- + +* Date Reported: **February 05, 2024** + +* Advisory ID: **WSA-2024-0001** + +* CVE identifiers: [CVE-2024-23222](#CVE-2024-23222), [CVE-2024-23206](#CVE-2024-23206), + [CVE-2024-23213](#CVE-2024-23213), [CVE-2023-40414](#CVE-2023-40414), + [CVE-2023-42833](#CVE-2023-42833), [CVE-2014-1745](#CVE-2014-1745). + + +Several vulnerabilities were discovered in WebKitGTK and WPE WebKit. + +* CVE-2024-23222 + * Versions affected: WebKitGTK and WPE WebKit before 2.42.5. + * Credit to Apple. + * Impact: Processing maliciously crafted web content may lead to + arbitrary code execution. Apple is aware of a report that this issue + may have been exploited. Description: A type confusion issue was + addressed with improved checks. + * WebKit Bugzilla: 267134 + +* CVE-2024-23206 + * Versions affected: WebKitGTK and WPE WebKit before 2.42.5. + * Credit to An anonymous researcher. + * Impact: A maliciously crafted webpage may be able to fingerprint the + user. Description: An access issue was addressed with improved + access restrictions. + * WebKit Bugzilla: 262699 + +* CVE-2024-23213 + * Versions affected: WebKitGTK and WPE WebKit before 2.42.5. + * Credit to Wangtaiyu of Zhongfu info. + * Impact: Processing web content may lead to arbitrary code execution. + Description: The issue was addressed with improved memory handling. + * WebKit Bugzilla: 266619 + +* CVE-2023-40414 + * Versions affected: WebKitGTK and WPE WebKit before 2.42.1. + * Credit to Francisco Alonso (@revskills). + * Impact: Processing web content may lead to arbitrary code execution. + Description: A use-after-free issue was addressed with improved + memory management. + * WebKit Bugzilla: 258992 + +* CVE-2023-42833 + * Versions affected: WebKitGTK and WPE WebKit before 2.38.0. + * Credit to Dong Jun Kim (@smlijun) and Jong Seong Kim (@nevul37) of + AbyssLab. + * Impact: Processing web content may lead to arbitrary code execution. + Description: A correctness issue was addressed with improved checks. + * WebKit Bugzilla: 258592 + +* CVE-2014-1745 + * Versions affected: WebKitGTK and WPE WebKit before 2.42.0. + * Credit to An anonymous researcher. + * Impact: Processing a file may lead to a denial-of-service or + potentially disclose memory contents. Description: The issue was + addressed with improved checks. + * WebKit Bugzilla: 249434 + + +We recommend updating to the latest stable versions of WebKitGTK and WPE +WebKit. It is the best way to ensure that you are running safe versions +of WebKit. Please check our websites for information about the latest +stable releases. + +Further information about WebKitGTK and WPE WebKit security advisories can be found at: +[https://webkitgtk.org/security.html](https://webkitgtk.org/security.html) or [https://wpewebkit.org/security/](https://wpewebkit.org/security/).