-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.4233
        WSA-2019-0006 - WebKitGTK and WPE WebKit Security Advisory
                             11 November 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           WebKitGTK
                   WPE WebKit
Publisher:         WebKit
Operating System:  Linux variants
                   Mac OS
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Cross-site Scripting            -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-8823 CVE-2019-8822 CVE-2019-8821
                   CVE-2019-8820 CVE-2019-8819 CVE-2019-8816
                   CVE-2019-8815 CVE-2019-8814 CVE-2019-8813
                   CVE-2019-8812 CVE-2019-8811 CVE-2019-8808
                   CVE-2019-8783 CVE-2019-8782 CVE-2019-8766
                   CVE-2019-8765 CVE-2019-8764 CVE-2019-8743
                   CVE-2019-8710  

Reference:         ESB-2019.4013
                   ESB-2019.4012
                   ESB-2019.4011
                   ESB-2019.4009

Original Bulletin: 
   https://webkitgtk.org/security/WSA-2019-0006.html
   https://wpewebkit.org/security/WSA-2019-0006.html

- --------------------------BEGIN INCLUDED TEXT--------------------

- ------------------------------------------------------------------------
WebKitGTK and WPE WebKit Security Advisory                 WSA-2019-0006
- ------------------------------------------------------------------------

Date reported           : November 08, 2019
Advisory ID             : WSA-2019-0006
WebKitGTK Advisory URL  : https://webkitgtk.org/security/WSA-2019-0006.html
WPE WebKit Advisory URL : https://wpewebkit.org/security/WSA-2019-0006.html
CVE identifiers         : CVE-2019-8710, CVE-2019-8743, CVE-2019-8764,
                          CVE-2019-8765, CVE-2019-8766, CVE-2019-8782,
                          CVE-2019-8783, CVE-2019-8808, CVE-2019-8811,
                          CVE-2019-8812, CVE-2019-8813, CVE-2019-8814,
                          CVE-2019-8815, CVE-2019-8816, CVE-2019-8819,
                          CVE-2019-8820, CVE-2019-8821, CVE-2019-8822,
                          CVE-2019-8823.

Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.

CVE-2019-8710
    Versions affected: WebKitGTK before 2.26.0 and WPE WebKit before
    2.26.0.
    Credit to OSS-Fuzz.
    Impact: Processing maliciously crafted web content may lead to
    arbitrary code execution. Description: Multiple memory corruption
    issues were addressed with improved memory handling.

CVE-2019-8743
    Versions affected: WebKitGTK before 2.26.0 and WPE WebKit before
    2.26.0.
    Credit to zhunki from Codesafe Team of Legendsec at Qi'anxin Group.
    Impact: Processing maliciously crafted web content may lead to
    arbitrary code execution. Description: Multiple memory corruption
    issues were addressed with improved memory handling.

CVE-2019-8764
    Versions affected: WebKitGTK before 2.26.0 and WPE WebKit before
    2.26.0.
    Credit to Sergei Glazunov of Google Project Zero.
    Impact: Processing maliciously crafted web content may lead to
    universal cross site scripting. Description: A logic issue was
    addressed with improved state management.

CVE-2019-8765
    Versions affected: WebKitGTK before 2.24.4 and WPE WebKit before
    2.24.3.
    Credit to Samuel Groß of Google Project Zero.
    Impact: Processing maliciously crafted web content may lead to
    arbitrary code execution. Description: Multiple memory corruption
    issues were addressed with improved memory handling.

CVE-2019-8766
    Versions affected: WebKitGTK before 2.26.0 and WPE WebKit before
    2.26.0.
    Credit to OSS-Fuzz.
    Impact: Processing maliciously crafted web content may lead to
    arbitrary code execution. Description: Multiple memory corruption
    issues were addressed with improved memory handling.

CVE-2019-8782
    Versions affected: WebKitGTK before 2.26.0 and WPE WebKit before
    2.26.0.
    Credit to Cheolung Lee of LINE+ Security Team.
    Impact: Processing maliciously crafted web content may lead to
    arbitrary code execution. Description: Multiple memory corruption
    issues were addressed with improved memory handling.

CVE-2019-8783
    Versions affected: WebKitGTK before 2.26.1 and WPE WebKit before
    2.26.1.
    Credit to Cheolung Lee of LINE+ Graylab Security Team.
    Impact: Processing maliciously crafted web content may lead to
    arbitrary code execution. Description: Multiple memory corruption
    issues were addressed with improved memory handling.

CVE-2019-8808
    Versions affected: WebKitGTK before 2.26.0 and WPE WebKit before
    2.26.0.
    Credit to OSS-Fuzz.
    Impact: Processing maliciously crafted web content may lead to
    arbitrary code execution. Description: Multiple memory corruption
    issues were addressed with improved memory handling.

CVE-2019-8811
    Versions affected: WebKitGTK before 2.26.1 and WPE WebKit before
    2.26.1.
    Credit to Soyeon Park of SSLab at Georgia Tech.
    Impact: Processing maliciously crafted web content may lead to
    arbitrary code execution. Description: Multiple memory corruption
    issues were addressed with improved memory handling.

CVE-2019-8812
    Versions affected: WebKitGTK before 2.26.2 and WPE WebKit before
    2.26.2.
    Credit to an anonymous researcher.
    Impact: Processing maliciously crafted web content may lead to
    arbitrary code execution. Description: Multiple memory corruption
    issues were addressed with improved memory handling.

CVE-2019-8813
    Versions affected: WebKitGTK before 2.26.1 and WPE WebKit before
    2.26.1.
    Credit to an anonymous researcher.
    Impact: Processing maliciously crafted web content may lead to
    universal cross site scripting. Description: A logic issue was
    addressed with improved state management.

CVE-2019-8814
    Versions affected: WebKitGTK before 2.26.2 and WPE WebKit before
    2.26.2.
    Credit to Cheolung Lee of LINE+ Security Team.
    Impact: Processing maliciously crafted web content may lead to
    arbitrary code execution. Description: Multiple memory corruption
    issues were addressed with improved memory handling.

CVE-2019-8815
    Versions affected: WebKitGTK before 2.26.0 and WPE WebKit before
    2.26.0.
    Credit to Apple.
    Impact: Processing maliciously crafted web content may lead to
    arbitrary code execution. Description: Multiple memory corruption
    issues were addressed with improved memory handling.

CVE-2019-8816
    Versions affected: WebKitGTK before 2.26.1 and WPE WebKit before
    2.26.1.
    Credit to Soyeon Park of SSLab at Georgia Tech.
    Impact: Processing maliciously crafted web content may lead to
    arbitrary code execution. Description: Multiple memory corruption
    issues were addressed with improved memory handling.

CVE-2019-8819
    Versions affected: WebKitGTK before 2.26.1 and WPE WebKit before
    2.26.1.
    Credit to Cheolung Lee of LINE+ Security Team.
    Impact: Processing maliciously crafted web content may lead to
    arbitrary code execution. Description: Multiple memory corruption
    issues were addressed with improved memory handling.

CVE-2019-8820
    Versions affected: WebKitGTK before 2.26.1 and WPE WebKit before
    2.26.1.
    Credit to Samuel Groß of Google Project Zero.
    Impact: Processing maliciously crafted web content may lead to
    arbitrary code execution. Description: Multiple memory corruption
    issues were addressed with improved memory handling.

CVE-2019-8821
    Versions affected: WebKitGTK before 2.24.4 and WPE WebKit before
    2.24.3.
    Credit to Sergei Glazunov of Google Project Zero.
    Impact: Processing maliciously crafted web content may lead to
    arbitrary code execution. Description: Multiple memory corruption
    issues were addressed with improved memory handling.

CVE-2019-8822
    Versions affected: WebKitGTK before 2.24.4 and WPE WebKit before
    2.24.3.
    Credit to Sergei Glazunov of Google Project Zero.
    Impact: Processing maliciously crafted web content may lead to
    arbitrary code execution. Description: Multiple memory corruption
    issues were addressed with improved memory handling.

CVE-2019-8823
    Versions affected: WebKitGTK before 2.26.1 and WPE WebKit before
    2.26.1.
    Credit to Sergei Glazunov of Google Project Zero.
    Impact: Processing maliciously crafted web content may lead to
    arbitrary code execution. Description: Multiple memory corruption
    issues were addressed with improved memory handling.


We recommend updating to the latest stable versions of WebKitGTK and WPE
WebKit. It is the best way to ensure that you are running safe versions
of WebKit. Please check our websites for information about the latest
stable releases.

Further information about WebKitGTK and WPE WebKit security advisories
can be found at: https://webkitgtk.org/security.html or
https://wpewebkit.org/security/.

The WebKitGTK and WPE WebKit team,
November 08, 2019

- --------------------------END INCLUDED TEXT--------------------
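
For patch triage, the "Versions affected" lines of the advisory can be parsed into per-product fixed versions and compared with an installed version. The following is an added example, not part of the advisory or of AusCERT's bulletin; the function names are hypothetical, and it assumes the installed package carries an unmodified upstream version number (distribution packages that backport fixes without changing the version will be over-reported).

```python
import re

# Three entries copied from the advisory text above; the full bulletin parses the same way.
SAMPLE = """\
CVE-2019-8765
    Versions affected: WebKitGTK before 2.24.4 and WPE WebKit before
    2.24.3.
CVE-2019-8783
    Versions affected: WebKitGTK before 2.26.1 and WPE WebKit before
    2.26.1.
CVE-2019-8812
    Versions affected: WebKitGTK before 2.26.2 and WPE WebKit before
    2.26.2.
"""

# An entry starts at a line holding only a CVE id and runs to the next such line.
ENTRY = re.compile(r"^(CVE-\d{4}-\d+)[ \t]*$(.*?)(?=^CVE-\d{4}-\d+[ \t]*$|\Z)",
                   re.M | re.S)
FIXED = re.compile(r"(WebKitGTK|WPE WebKit)\s+before\s+(\d+(?:\.\d+)+)")


def version_key(version):
    """Compare versions numerically, so that 2.9.0 sorts before 2.26.0."""
    return tuple(int(part) for part in version.split("."))


def parse_advisory(text):
    """Return {cve: {product: first_fixed_version}} for each entry found."""
    fixes = {}
    for cve, body in ENTRY.findall(text):
        body = " ".join(body.split())  # rejoin version numbers wrapped onto the next line
        found = dict(FIXED.findall(body))
        if found:
            fixes[cve] = found
    return fixes


def unpatched(text, product, installed):
    """List the CVEs whose fixed version for `product` is newer than `installed`."""
    have = version_key(installed)
    return sorted(cve for cve, fixed in parse_advisory(text).items()
                  if product in fixed and have < version_key(fixed[product]))


if __name__ == "__main__":
    print(unpatched(SAMPLE, "WebKitGTK", "2.26.1"))
```
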

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----