CVE-2018-12293

Published: Jun 19, 2018Modified: Nov 21, 2024

8.8

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

The getImageData function in the ImageBufferCairo class in WebCore/platform/graphics/cairo/ImageBufferCairo.cpp in WebKit, as used in WebKitGTK+ prior to version 2.20.3 and WPE WebKit prior to version 2.20.1, is vulnerable to a heap-based buffer overflow triggered by an integer overflow, which could be abused by crafted HTML content.

Affected (5)

Products: Canonical: Ubuntu Linux · Webkitgtk: Webkitgtk+ · Wpewebkit: Wpe Webkit

1 product

1 product

1 product

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Canonical Ubuntu Linux	Version 16.04
Canonical Ubuntu Linux	Version 17.10
Canonical Ubuntu Linux	Version 18.04

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Webkitgtk Webkitgtk+	Before 2.20.3

Configuration C

1 vulnerable

Vulnerable Software	Affected Versions
Wpewebkit Wpe Webkit	Before 2.20.1

Related CWEs

Integer Overflow or Wraparound

The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.

Out-of-bounds Write

The product writes data past the end, or before the beginning, of the intended buffer.

References (16)

http://packetstormsecurity.com/files/148200/WebKitGTK-Data-Leak-Code-Execution.html

Source: cve@mitre.org

Third Party AdvisoryVDB Entry

http://www.openwall.com/lists/oss-security/2018/06/14/1

Source: cve@mitre.org

Mailing ListTechnical Description

http://www.securityfocus.com/archive/1/542087/100/0/threaded

Source: cve@mitre.org

https://bugs.webkit.org/show_bug.cgi?id=186384

Source: cve@mitre.org

Permissions RequiredVendor Advisory

https://security.gentoo.org/glsa/201808-04

Source: cve@mitre.org

https://trac.webkit.org/changeset/232618

Source: cve@mitre.org

PatchThird Party AdvisoryVendor Advisory

https://usn.ubuntu.com/3687-1/

Source: cve@mitre.org

Third Party Advisory

https://www.exploit-db.com/exploits/45205/

Source: cve@mitre.org

http://packetstormsecurity.com/files/148200/WebKitGTK-Data-Leak-Code-Execution.html

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryVDB Entry

http://www.openwall.com/lists/oss-security/2018/06/14/1

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListTechnical Description

http://www.securityfocus.com/archive/1/542087/100/0/threaded

Source: af854a3a-2127-422b-91ae-364da2661108

https://bugs.webkit.org/show_bug.cgi?id=186384

Source: af854a3a-2127-422b-91ae-364da2661108

Permissions RequiredVendor Advisory

https://security.gentoo.org/glsa/201808-04

Source: af854a3a-2127-422b-91ae-364da2661108

https://trac.webkit.org/changeset/232618

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party AdvisoryVendor Advisory

https://usn.ubuntu.com/3687-1/

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://www.exploit-db.com/exploits/45205/

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.