SB2018092112 - OpenSUSE Linux update for webkit2gtk3
Published: September 21, 2018
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 14 secuirty vulnerabilities.
1) Out-of-bounds write (CVE-ID: CVE-2018-12911)
The vulnerability allows a remote attacker to execute arbitrary code with elevated privileges.The weakness exists due to an off-by-one error in the get_simple_globs functions in ThirdParty/xdgmime/src/xdgmimecache.c and ThirdParty/xdgmime/src/xdgmimeglob.c. A remote attacker can trigger out-of-bounds write and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
2) Memory corruption (CVE-ID: CVE-2018-4261)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to boundary error when handling malicious input. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code with elevated privileges.
3) Memory corruption (CVE-ID: CVE-2018-4262)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to boundary error when handling malicious input. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code with elevated privileges.
4) Memory corruption (CVE-ID: CVE-2018-4263)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to boundary error when handling malicious input. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code with elevated privileges.
5) Memory corruption (CVE-ID: CVE-2018-4264)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to boundary error when handling malicious input. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code with elevated privileges.
6) Memory corruption (CVE-ID: CVE-2018-4265)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to boundary error when handling malicious input. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code with elevated privileges.
7) Race condition (CVE-ID: CVE-2018-4266)
The vulnerability allows a remote attacker to cause DoS condition on the target system.
The vulnerability exists due to race condition when handling malicious input. A remote attacker can trick the victim into visiting a specially crafted website and cause the service to crash.
8) Memory corruption (CVE-ID: CVE-2018-4267)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to boundary error when handling malicious input. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code with elevated privileges.
9) Memory corruption (CVE-ID: CVE-2018-4270)
The vulnerability allows a remote attacker to cause DoS condition on the target system.
The vulnerability exists due to boundary error when handling malicious input. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and cause the service to crash.
10) Memory corruption (CVE-ID: CVE-2018-4271)
The vulnerability allows a remote attacker to cause DoS condition on the target system.
The vulnerability exists due to boundary error when handling malicious input. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and cause the service to crash.
11) Memory corruption (CVE-ID: CVE-2018-4272)
The vulnerability allows a remote attacker to cause DoS condition on the target system.
The vulnerability exists due to boundary error when handling malicious input. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and cause the service to crash.
12) Memory corruption (CVE-ID: CVE-2018-4273)
The vulnerability allows a remote attacker to cause DoS condition on the target system.
The vulnerability exists due to boundary error when handling malicious input. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and cause the service to crash.
13) Security restrictions bypass (CVE-ID: CVE-2018-4278)
The vulnerability allows a remote attacker to bypass security restrictions on the target system.
The vulnerability exists due to improper audio taint tracking. A remote attacker can trick the victim into visiting a specially crafted website, bypass security restrictions and exfiltrate audio data cross-origin.
14) Memory corruption (CVE-ID: CVE-2018-4284)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to boundary error when handling malicious input. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code with elevated privileges.
Remediation
Install update from vendor's website.