Vulnerability CVE-2018-12293


Published: 2018-06-19

Description:
The getImageData function in the ImageBufferCairo class in WebCore/platform/graphics/cairo/ImageBufferCairo.cpp in WebKit, as used in WebKitGTK+ prior to version 2.20.3 and WPE WebKit prior to version 2.20.1, is vulnerable to a heap-based buffer overflow triggered by an integer overflow, which could be abused by crafted HTML content.

See advisories in our WLB2 database:
Topic: WebkitGTK+ 2.20.3 ImageBufferCairo::getImageData() Buffer Overflow (PoC)
Risk: High
Author: PeregrineX
Date: 16.08.2018

Type: CWE-190 (Integer Overflow or Wraparound)

Vendor: Webkitgtk
Product: Webkitgtk+
Version:
2.9.92
2.9.91
2.9.90
2.9.5
2.9.4
2.9.3
2.9.2
2.9.1
2.8.5
2.8.4
2.8.3
2.8.2
2.8.1
2.8.0
2.7.92
2.7.91
2.7.90
2.7.4
2.7.3
2.7.2
2.7.1
2.6.6
2.6.5
2.6.4
2.6.3
2.6.2
2.6.1
2.6.0
2.5.90
2.5.3a
2.5.2a
2.5.1a
2.4.9
2.4.8
2.4.7
2.4.6
2.4.5a
2.4.4a
2.4.3a
2.4.2a
2.4.1a
2.4.11
2.4.10
2.4.0a
2.3.92a
2.3.91a
2.3.90a
2.3.5a
2.3.4a
2.3.3a
2.3.2a
2.3.1a
2.2.8
2.2.7a
2.2.6a
2.2.5a
2.2.4a
2.2.3a
2.2.2a
2.2.1a
2.2.0a
2.19.2
2.19.1
2.18.3
2.18.2
2.18.1
2.18.0
2.17.92
2.17.91
2.17.90
2.17.5
2.17.4
2.17.3
2.17.2
2.17.1
2.16.6
2.16.5
2.16.4
2.16.3
2.16.2
2.16.1
2.16.0
2.15.92
2.15.91
2.15.90
2.15.4
2.15.3
2.15.2
2.15.1
2.14.7
2.14.6
2.14.5
2.14.4
2.14.3
2.14.2
2.14.1
2.14.0
2.13.92
2.13.91
2.13.90
See more versions on NVD

CVSS2 => (AV:N/AC:M/Au:N/C:P/I:P/A:P)

CVSS Base Score: 6.8/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

References:
http://packetstormsecurity.com/files/148200/WebKitGTK-Data-Leak-Code-Execution.html
http://www.openwall.com/lists/oss-security/2018/06/14/1
http://www.securityfocus.com/archive/1/542087/100/0/threaded
https://bugs.webkit.org/show_bug.cgi?id=186384
https://security.gentoo.org/glsa/201808-04
https://trac.webkit.org/changeset/232618
https://usn.ubuntu.com/3687-1/
https://www.exploit-db.com/exploits/45205/

Related CVE
CVE-2019-11070: WebKitGTK and WPE WebKit prior to version 2.24.1 failed to properly apply configured HTTP proxy settings when downloading livestream video (HLS, DASH, or Smooth Streaming), an error resulting in deanonymization. This issue was corrected by changing t...
CVE-2019-6234: A memory corruption issue was addressed with improved memory handling. This issue is fixed in iOS 12.1.3, tvOS 12.1.2, Safari 12.0.3, iTunes 12.9.3 for Windows, iCloud for Windows 7.10. Processing maliciously crafted web content may lead to arbitrary...
CVE-2019-8375: The UIProcess subsystem in WebKit, as used in WebKitGTK through 2.23.90 and WebKitGTK+ through 2.22.6 and other products, does not prevent the script dialog size from exceeding the web view size, which allows remote attackers to cause a denial of ser...
CVE-2019-6251: WebKitGTK and WPE WebKit prior to version 2.24.1 are vulnerable to address bar spoofing upon certain JavaScript redirections. An attacker could cause malicious web content to be displayed as if for a trusted URI. This is similar to the CVE-2018-8383 ...
CVE-2018-4213: In iOS before 11.3, Safari before 11.1, iCloud for Windows before 7.4, tvOS before 11.3, watchOS before 4.3, iTunes before 12.7.4 for Windows, unexpected interaction causes an ASSERT failure. This issue was addressed with improved checks.
CVE-2018-4212: In iOS before 11.3, Safari before 11.1, iCloud for Windows before 7.4, tvOS before 11.3, watchOS before 4.3, iTunes before 12.7.4 for Windows, unexpected interaction causes an ASSERT failure. This issue was addressed with improved checks.
CVE-2018-4210: In iOS before 11.3, Safari before 11.1, tvOS before 11.3, watchOS before 4.3, iTunes before 12.7.4 for Windows, an array indexing issue existed in the handling of a function in javascript core. This issue was addressed with improved checks.
CVE-2018-4208: In iOS before 11.3, Safari before 11.1, iCloud for Windows before 7.4, tvOS before 11.3, watchOS before 4.3, iTunes before 12.7.4 for Windows, unexpected interaction causes an ASSERT failure. This issue was addressed with improved checks.

Copyright 2019, cxsecurity.com