Debian DSA-4515-1 : webkit2gtk - security update

High Nessus Plugin ID 128511

VPR Score: 6.7

Synopsis

The remote Debian host is missing a security-related update.

Description

Several vulnerabilities have been discovered in the webkit2gtk web engine:

- CVE-2019-8644 G. Geshev discovered memory corruption issues that can lead to arbitrary code execution.

- CVE-2019-8649 Sergei Glazunov discovered an issue that may lead to universal cross-site scripting.

- CVE-2019-8658 akayn discovered an issue that may lead to universal cross-site scripting.

- CVE-2019-8666 Zongming Wang and Zhe Jin discovered memory corruption issues that can lead to arbitrary code execution.

- CVE-2019-8669 akayn discovered memory corruption issues that can lead to arbitrary code execution.

- CVE-2019-8671 Apple discovered memory corruption issues that can lead to arbitrary code execution.

- CVE-2019-8672 Samuel Gross discovered memory corruption issues that can lead to arbitrary code execution.

- CVE-2019-8673 Soyeon Park and Wen Xu discovered memory corruption issues that can lead to arbitrary code execution.

- CVE-2019-8676 Soyeon Park and Wen Xu discovered memory corruption issues that can lead to arbitrary code execution.

- CVE-2019-8677 Jihui Lu discovered memory corruption issues that can lead to arbitrary code execution.

- CVE-2019-8678 An anonymous researcher, Anthony Lai, Ken Wong, Jeonghoon Shin, Johnny Yu, Chris Chan, Phil Mok, Alan Ho, and Byron Wai discovered memory corruption issues that can lead to arbitrary code execution.

- CVE-2019-8679 Jihui Lu discovered memory corruption issues that can lead to arbitrary code execution.

- CVE-2019-8680 Jihui Lu discovered memory corruption issues that can lead to arbitrary code execution.

- CVE-2019-8681 G. Geshev discovered memory corruption issues that can lead to arbitrary code execution.

- CVE-2019-8683 lokihardt discovered memory corruption issues that can lead to arbitrary code execution.

- CVE-2019-8684 lokihardt discovered memory corruption issues that can lead to arbitrary code execution.

- CVE-2019-8686 G. Geshev discovered memory corruption issues that can lead to arbitrary code execution.

- CVE-2019-8687 Apple discovered memory corruption issues that can lead to arbitrary code execution.

- CVE-2019-8688 Insu Yun discovered memory corruption issues that can lead to arbitrary code execution.

- CVE-2019-8689 lokihardt discovered memory corruption issues that can lead to arbitrary code execution.

- CVE-2019-8690 Sergei Glazunov discovered an issue that may lead to universal cross-site scripting.

More details are available in the WebKitGTK and WPE WebKit Security Advisory WSA-2019-0004.

Solution

Upgrade the webkit2gtk packages, that is, every binary package built from the webkit2gtk source (libwebkit2gtk-4.0-37, libjavascriptcoregtk-4.0-18 and their -dev, gir1.2-* and webkit2gtk-driver companions), then restart any application that embeds the engine (for example GNOME Web/Epiphany or Evolution): the fixed shared library is only loaded by processes started after the upgrade.

For the stable distribution (buster), these problems have been fixed in version 2.24.4-1~deb10u1.
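The plugin decides whether a host is affected by reading its `dpkg -l` output (the Host/Debian/dpkg-l item listed under Required KB Items below) and comparing the installed version of each webkit2gtk binary package with 2.24.4-1~deb10u1. The following is an added example of that check, written for this page; it is neither Tenable's NASL plugin nor Debian's code. It reimplements dpkg's version ordering rather than calling `dpkg --compare-versions`, because a naive string or float comparison gets the fixed version wrong: the tilde makes 2.24.4-1~deb10u1 sort below 2.24.4-1, and digit runs must compare numerically (2.24.10 is newer than 2.24.4). The list of binary package names and the sample `dpkg -l` output are assumptions constructed for the example.

```python
"""Flag installed webkit2gtk binaries older than the DSA-4515 fix, using dpkg's own version ordering."""
import string

FIXED_VERSION = "2.24.4-1~deb10u1"   # buster fix version from DSA-4515
# Binary packages built from the webkit2gtk source in buster (assumed list for this example).
WEBKIT2GTK_BINARIES = {
    "libwebkit2gtk-4.0-37", "libwebkit2gtk-4.0-dev", "libwebkit2gtk-4.0-doc",
    "libjavascriptcoregtk-4.0-18", "libjavascriptcoregtk-4.0-dev",
    "gir1.2-webkit2-4.0", "gir1.2-javascriptcoregtk-4.0", "webkit2gtk-driver",
}
_DIGITS = "0123456789"


def _order(c):
    """dpkg character rank: '~' < end of string == digit < letters < any other character."""
    if c in _DIGITS:
        return 0
    if c in string.ascii_letters:
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256 if c else 0


def _verrevcmp(a, b):
    """Compare two version fragments like dpkg's verrevcmp(): alternating non-digit and digit runs."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character by character using dpkg's ranking.
        while (i < len(a) and a[i] not in _DIGITS) or (j < len(b) and b[j] not in _DIGITS):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros; a longer run wins, else the first differing digit decides.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and a[i] in _DIGITS and b[j] in _DIGITS:
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i] in _DIGITS:
            return 1
        if j < len(b) and b[j] in _DIGITS:
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, _, revision = version.rpartition("-")
    if not upstream:                 # no hyphen: rpartition left everything in 'revision'
        upstream, revision = revision, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 as Debian version a is older than, equal to, or newer than b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return 1 if ea > eb else -1
    for x, y in ((ua, ub), (ra, rb)):
        c = _verrevcmp(x, y)
        if c:
            return 1 if c > 0 else -1
    return 0


def vulnerable_packages(dpkg_l_output, fixed=FIXED_VERSION):
    """Return [(package, installed_version)] for installed webkit2gtk binaries below the fixed version."""
    findings = []
    for line in dpkg_l_output.splitlines():
        parts = line.split()
        # Only state 'ii' (installed) counts; 'rc' (removed, config left) and header lines are skipped.
        if len(parts) < 3 or parts[0] != "ii":
            continue
        name = parts[1].split(":", 1)[0]   # drop the ':amd64' architecture qualifier
        if name in WEBKIT2GTK_BINARIES and compare_versions(parts[2], fixed) < 0:
            findings.append((parts[1], parts[2]))
    return findings


# Constructed 'dpkg -l' sample; the pre-fix version 2.24.2-2~deb10u1 is illustrative.
DPKG_L_SAMPLE = """\
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                              Version            Architecture Description
+++-=================================-==================-============-=========================
ii  gir1.2-webkit2-4.0:amd64          2.24.4-1~deb10u1   amd64        GObject introspection data for WebKitGTK
ii  libjavascriptcoregtk-4.0-18:amd64 2.24.2-2~deb10u1   amd64        JavaScript engine library from WebKitGTK
ii  libwebkit2gtk-4.0-37:amd64        2.24.2-2~deb10u1   amd64        Web content engine for GTK
rc  libwebkit2gtk-4.0-37:i386         2.24.2-2~deb10u1   i386         Web content engine for GTK
ii  libgtk-3-0:amd64                  3.24.5-1           amd64        GTK graphical user interface library
"""

if __name__ == "__main__":
    for pkg, ver in vulnerable_packages(DPKG_L_SAMPLE):
        print(f"VULNERABLE {pkg} {ver} < {FIXED_VERSION}")
```

On a Debian host the same comparison is available directly from dpkg, for example `dpkg --compare-versions "$(dpkg-query -W -f='${Version}' libwebkit2gtk-4.0-37)" lt 2.24.4-1~deb10u1 && echo VULNERABLE`; the point of the reimplementation is to show why a scanner must use Debian's ordering rules rather than a lexical compare.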

See Also

https://security-tracker.debian.org/tracker/CVE-2019-8644

https://security-tracker.debian.org/tracker/CVE-2019-8649

https://security-tracker.debian.org/tracker/CVE-2019-8658

https://security-tracker.debian.org/tracker/CVE-2019-8666

https://security-tracker.debian.org/tracker/CVE-2019-8669

https://security-tracker.debian.org/tracker/CVE-2019-8671

https://security-tracker.debian.org/tracker/CVE-2019-8672

https://security-tracker.debian.org/tracker/CVE-2019-8673

https://security-tracker.debian.org/tracker/CVE-2019-8676

https://security-tracker.debian.org/tracker/CVE-2019-8677

https://security-tracker.debian.org/tracker/CVE-2019-8678

https://security-tracker.debian.org/tracker/CVE-2019-8679

https://security-tracker.debian.org/tracker/CVE-2019-8680

https://security-tracker.debian.org/tracker/CVE-2019-8681

https://security-tracker.debian.org/tracker/CVE-2019-8683

https://security-tracker.debian.org/tracker/CVE-2019-8684

https://security-tracker.debian.org/tracker/CVE-2019-8686

https://security-tracker.debian.org/tracker/CVE-2019-8687

https://security-tracker.debian.org/tracker/CVE-2019-8688

https://security-tracker.debian.org/tracker/CVE-2019-8689

https://security-tracker.debian.org/tracker/CVE-2019-8690

https://security-tracker.debian.org/tracker/source-package/webkit2gtk

https://packages.debian.org/source/buster/webkit2gtk

https://www.debian.org/security/2019/dsa-4515

Plugin Details

Severity: High

ID: 128511

File Name: debian_DSA-4515.nasl

Version: 1.4

Type: local

Agent: unix

Published: 2019/09/05

Updated: 2019/12/31

Dependencies: 12634

Risk Information

Risk Factor: High

VPR Score: 6.7

CVSS v2.0

Base Score: 9.3

Temporal Score: 7.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:POC/RL:OF/RC:C

CVSS v3.0

Base Score: 8.8

Temporal Score: 7.9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:webkit2gtk, cpe:/o:debian:debian_linux:10.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2019/09/04

Vulnerability Publication Date: 2019/12/18

Reference Information

CVE: CVE-2019-8644, CVE-2019-8649, CVE-2019-8658, CVE-2019-8666, CVE-2019-8669, CVE-2019-8671, CVE-2019-8672, CVE-2019-8673, CVE-2019-8676, CVE-2019-8677, CVE-2019-8678, CVE-2019-8679, CVE-2019-8680, CVE-2019-8681, CVE-2019-8683, CVE-2019-8684, CVE-2019-8686, CVE-2019-8687, CVE-2019-8688, CVE-2019-8689, CVE-2019-8690

DSA: 4515