SB2020042012 - Use-after-free in webkit2gtk (Alpine package)
Published: April 20, 2020
Security Bulletin ID
SB2020042012
Severity
High
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Code execution
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Use-after-free (CVE-ID: CVE-2020-11793)
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
A use-after-free issue exists in WebKitGTK before 2.28.1 and WPE WebKit before 2.28.1 via crafted web content that allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash).
Remediation
Install update from vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=d0492bb3cf8aed245161ec53d80f18398b8431ad
- https://git.alpinelinux.org/aports/commit/?id=2fecc7041589c29dc744231cf77bb254ecc8942d
- https://git.alpinelinux.org/aports/commit/?id=c1b810460838fda613bba8ce18ea3c0f82720c77
- https://git.alpinelinux.org/aports/commit/?id=9a5d4d0a16956584f9355d55a7966e96e855ec81