webkit2gtk: Multiple vulnerabilities (CVE-2020-9862, CVE-2020-9893, CVE-2020-9894, CVE-2020-9895, CVE-2020-9915, CVE-2020-9925)

CVE-2020-9862

• Copying a URL from Web Inspector may lead to command injection.
• A command injection issue existed in Web Inspector. This issue was addressed with improved escaping.
• Versions affected: WebKitGTK before 2.28.4 and WPE WebKit before 2.28.4.

CVE-2020-9893

• A remote attacker may be able to cause unexpected application termination or arbitrary code execution.
• An use-after-free issue was addressed with improved memory management.
• Versions affected: WebKitGTK before 2.28.4 and WPE WebKit before 2.28.4.

CVE-2020-9894

• A remote attacker may be able to cause unexpected application termination or arbitrary code execution.
• An out-of-bounds read was addressed with improved input validation.
• Versions affected: WebKitGTK before 2.28.4 and WPE WebKit before 2.28.4.

CVE-2020-9895

• A remote attacker may be able to cause unexpected application termination or arbitrary code execution.
• An use-after-free issue was addressed with improved memory management.
• Versions affected: WebKitGTK before 2.28.4 and WPE WebKit before 2.28.4.

CVE-2020-9915

• Processing maliciously crafted web content may prevent Content Security Policy from being enforced.
• An access issue existed in Content Security Policy. This issue was addressed with improved access restrictions.
• Versions affected: WebKitGTK before 2.28.4 and WPE WebKit before 2.28.4.

CVE-2020-9925

• Processing maliciously crafted web content may lead to universal cross site scripting.
• A logic issue was addressed with improved state management.
• Versions affected: WebKitGTK before 2.28.4 and WPE WebKit before 2.28.4.

Reference:

https://webkitgtk.org/security/WSA-2020-0007.html

Affected branches:

• master
• 3.12-stable