Rapid7 Vulnerability & Exploit Database

RHSA-2011:0177: webkitgtk security update




WebKitGTK+ is the port of the portable web rendering engine WebKit to the GTK+ platform.

Multiple memory corruption flaws were found in WebKit. Malicious web content could cause an application using WebKitGTK+ to crash or, potentially, execute arbitrary code with the privileges of the user running the application. (CVE-2010-1782, CVE-2010-1783, CVE-2010-1784, CVE-2010-1785, CVE-2010-1787, CVE-2010-1788, CVE-2010-1790, CVE-2010-1792, CVE-2010-1807, CVE-2010-1814, CVE-2010-3114, CVE-2010-3116, CVE-2010-3119, CVE-2010-3255, CVE-2010-3812, CVE-2010-4198)

Multiple use-after-free flaws were found in WebKit. Malicious web content could cause an application using WebKitGTK+ to crash or, potentially, execute arbitrary code with the privileges of the user running the application. (CVE-2010-1780, CVE-2010-1786, CVE-2010-1793, CVE-2010-1812, CVE-2010-1815, CVE-2010-3113, CVE-2010-3257, CVE-2010-4197, CVE-2010-4204)

Two array index errors, leading to out-of-bounds memory reads, were found in WebKit. Malicious web content could cause an application using WebKitGTK+ to crash. (CVE-2010-4206, CVE-2010-4577)

A flaw in WebKit could allow malicious web content to trick a user into thinking they are visiting the site reported by the location bar, when the page is actually content controlled by an attacker. (CVE-2010-3115)

It was found that WebKit did not correctly restrict read access to images created from the "canvas" element. Malicious web content could allow a remote attacker to bypass the same-origin policy and potentially access sensitive image data. (CVE-2010-3259)

A flaw was found in the way WebKit handled DNS prefetching. Even when it was disabled, web content containing certain "link" elements could cause WebKitGTK+ to perform DNS prefetching. (CVE-2010-3813)

Users of WebKitGTK+ should upgrade to these updated packages, which contain WebKitGTK+ version 1.2.6, and resolve these issues. All running applications that use WebKitGTK+ must be restarted for this update to take effect.


  • redhat-upgrade-webkitgtk
  • redhat-upgrade-webkitgtk-debuginfo
  • redhat-upgrade-webkitgtk-devel
  • redhat-upgrade-webkitgtk-doc
