Fedora 27 update for qt5-qtwebengine



Updated: 2025-04-24
Risk: High
Patch available: YES
Number of vulnerabilities: 12
CVE-ID: CVE-2017-5092, CVE-2017-5093, CVE-2017-5095, CVE-2017-5097, CVE-2017-5099, CVE-2017-5102, CVE-2017-5103, CVE-2017-5107, CVE-2017-5112, CVE-2017-5114, CVE-2017-5117, CVE-2017-5118
CWE-ID: CWE-416, CWE-264, CWE-787, CWE-125, CWE-665, CWE-401, CWE-122, CWE-119, CWE-200
Exploitation vector: Network
Public exploit: N/A
Vulnerable software:
Fedora (Operating systems & Components / Operating system)
qt5-qtwebengine (Operating systems & Components / Operating system package or component)
Vendor: Fedoraproject

Security Bulletin

This security bulletin contains information about 12 vulnerabilities.

1) Use-after-free error

EUVDB-ID: #VU7619

Risk: High

CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2017-5092

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code.

The weakness exists due to a use-after-free error in PPAPI. A remote attacker can trick the victim into visiting a specially crafted web page, trigger memory corruption and execute arbitrary code with elevated privileges.

Successful exploitation of the vulnerability may result in system compromise.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Fedora: 27

qt5-qtwebengine: before 5.9.2-2.fc27

External links

https://bodhi.fedoraproject.org/updates/FEDORA-2017-4f9bb0861b

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Spoofing attack

EUVDB-ID: #VU7620

Risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-5093

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a spoofing attack.

The vulnerability exists due to UI spoofing in Blink. A remote attacker can create a specially crafted web page, trick the victim into visiting it and conduct domain spoofing attacks.

Successful exploitation of the vulnerability results in address spoofing.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Fedora: 27

qt5-qtwebengine: before 5.9.2-2.fc27

External links

https://bodhi.fedoraproject.org/updates/FEDORA-2017-4f9bb0861b

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Out-of-bounds write

EUVDB-ID: #VU7622

Risk: High

CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2017-5095

CWE-ID: CWE-787 - Out-of-bounds write

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code.

The weakness exists due to an out-of-bounds write in PDFium. A remote attacker can trick the victim into visiting a specially crafted web page and execute arbitrary code with elevated privileges.

Successful exploitation of the vulnerability may result in system compromise.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Fedora: 27

qt5-qtwebengine: before 5.9.2-2.fc27

External links

https://bodhi.fedoraproject.org/updates/FEDORA-2017-4f9bb0861b

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Out-of-bounds read

EUVDB-ID: #VU7624

Risk: Low

CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-5097

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a remote attacker to obtain potentially sensitive information on the system.

The weakness exists due to an out-of-bounds read in Skia. A remote attacker can trick the victim into visiting a specially crafted web page and read important files on the system.

Successful exploitation of the vulnerability results in information disclosure.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Fedora: 27

qt5-qtwebengine: before 5.9.2-2.fc27

External links

https://bodhi.fedoraproject.org/updates/FEDORA-2017-4f9bb0861b

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Out-of-bounds write

EUVDB-ID: #VU7626

Risk: High

CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2017-5099

CWE-ID: CWE-787 - Out-of-bounds write

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code.

The weakness exists due to an out-of-bounds write in PPAPI. A remote attacker can trick the victim into visiting a specially crafted web page and execute arbitrary code with elevated privileges.

Successful exploitation of the vulnerability may result in system compromise.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Fedora: 27

qt5-qtwebengine: before 5.9.2-2.fc27

External links

https://bodhi.fedoraproject.org/updates/FEDORA-2017-4f9bb0861b

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Security restrictions bypass

EUVDB-ID: #VU7629

Risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-5102

CWE-ID: CWE-665 - Improper Initialization

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass security restrictions.

The weakness exists due to uninitialized use in Skia. A remote attacker can trick the victim into visiting a specially crafted web page and gain access to the system.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Fedora: 27

qt5-qtwebengine: before 5.9.2-2.fc27

External links

https://bodhi.fedoraproject.org/updates/FEDORA-2017-4f9bb0861b

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Security restrictions bypass

EUVDB-ID: #VU7630

Risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-5103

CWE-ID: CWE-665 - Improper Initialization

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass security restrictions.

The weakness exists due to uninitialized use in Skia. A remote attacker can trick the victim into visiting a specially crafted web page and gain access to the system.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Fedora: 27

qt5-qtwebengine: before 5.9.2-2.fc27

External links

https://bodhi.fedoraproject.org/updates/FEDORA-2017-4f9bb0861b

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Memory leak

EUVDB-ID: #VU7636

Risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-5107

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a remote attacker to obtain potentially sensitive information on the system.

The weakness exists due to a memory leak via SVG. A remote attacker can trick the victim into visiting a specially crafted web page and read arbitrary files on the system.

Successful exploitation of the vulnerability results in information disclosure.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Fedora: 27

qt5-qtwebengine: before 5.9.2-2.fc27

External links

https://bodhi.fedoraproject.org/updates/FEDORA-2017-4f9bb0861b

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Heap-based buffer overflow

EUVDB-ID: #VU8125

Risk: High

CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2017-5112

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a heap-based buffer overflow in WebGL. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability may result in system compromise.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Fedora: 27

qt5-qtwebengine: before 5.9.2-2.fc27

External links

https://bodhi.fedoraproject.org/updates/FEDORA-2017-4f9bb0861b

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Memory corruption

EUVDB-ID: #VU8127

Risk: High

CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2017-5114

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a memory lifecycle issue in PDFium. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability may result in system compromise.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Fedora: 27

qt5-qtwebengine: before 5.9.2-2.fc27

External links

https://bodhi.fedoraproject.org/updates/FEDORA-2017-4f9bb0861b

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

11) Information disclosure

EUVDB-ID: #VU8133

Risk: Low

CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-5117

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

Exploit availability: No

Description

The vulnerability allows a remote attacker to obtain potentially sensitive information.

The weakness exists due to the use of an uninitialized value in Skia. A remote attacker can trick the victim into visiting a specially crafted website and read arbitrary data from system memory.

Successful exploitation of the vulnerability results in information disclosure.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Fedora: 27

qt5-qtwebengine: before 5.9.2-2.fc27

External links

https://bodhi.fedoraproject.org/updates/FEDORA-2017-4f9bb0861b

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

12) Security restrictions bypass

EUVDB-ID: #VU8135

Risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-5118

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass security restrictions.

The weakness exists due to improper access control. A remote attacker can trick the victim into visiting a specially crafted website and bypass the content security policy in Blink on the system.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Fedora: 27

qt5-qtwebengine: before 5.9.2-2.fc27

External links

https://bodhi.fedoraproject.org/updates/FEDORA-2017-4f9bb0861b

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


