CVE-2018-12293
published 2018-06-19CVE-2018-12293: The getImageData function in the ImageBufferCairo class in WebCore/platform/graphics/cairo/ImageBufferCairo.cpp in WebKit, as used in WebKitGTK+ prior to…
PriorityP260high8.8CVSS 3.0
AVNACLPRNUIRSUCHIHAH
EXPLOIT
EPSS
10.53%
95.2th percentile
The getImageData function in the ImageBufferCairo class in WebCore/platform/graphics/cairo/ImageBufferCairo.cpp in WebKit, as used in WebKitGTK+ prior to version 2.20.3 and WPE WebKit prior to version 2.20.1, is vulnerable to a heap-based buffer overflow triggered by an integer overflow, which could be abused by crafted HTML content.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | webkit2gtk | < webkit2gtk 2.20.3-1 (bookworm) | webkit2gtk 2.20.3-1 (bookworm) |
| webkitgtk | webkitgtk | < 2.20.3 | 2.20.3 |
| wpewebkit | wpe_webkit | < 2.20.1 | 2.20.1 |
Detection & IOCsextracted from sources · hover to see the quote
- →Monitor JavaScript canvas API calls to getImageData() with extremely large width/height values (e.g., 32768x32768) that would cause integer overflow in rect.width() * rect.height() * 4, triggering a heap-based buffer overflow in ImageBufferCairo::getImageData(). ↗
- →The vulnerable code path is in WebCore/platform/graphics/cairo/ImageBufferCairo.cpp — specifically the Uint8ClampedArray::createUninitialized(rect.width() * rect.height() * 4) call, which overflows when large canvas dimensions are supplied via crafted HTML content. ↗
- →UBSAN output indicating undefined behavior in libwebkit2gtk-4.0.so can be a runtime signal of exploitation attempts against this vulnerability. ↗
- ·The PoC targets WebKitGTK+ versions prior to 2.20.3 and WPE WebKit prior to 2.20.1; systems running patched versions (2.20.3-1 or later on Debian) are not vulnerable. ↗
- ·Exploitation requires the target page to include an HTML5 canvas element; the PoC itself notes the absence of a canvas tag as a prerequisite condition to observe the overflow. ↗
CVSS provenance
nvdv3.08.8HIGHCVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvdv2.06.8MEDIUMAV:N/AC:M/Au:N/C:P/I:P/A:P
osv8.8HIGH
vendor_debian8.8LOW
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Ubuntu
WebKitGTK+ vulnerabilities
vendor_ubuntu·2018-06-18
CVE-2018-12293 WebKitGTK+ vulnerabilities
Title: WebKitGTK+ vulnerabilities
Summary: Several security issues were fixed in WebKitGTK+.
A large number of security issues were discovered in the WebKitGTK+ Web and
JavaScript engines. If a user were tricked into viewing a malicious
website, a remote attacker could exploit a variety of issues related to web
browser security, including cross-site scripting attacks, denial of service
attacks, and arbitrary code execution.
Instructions: This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart any applications
that use WebKitGTK+, such as Epiphany, to make all the necessary changes.
Debian
CVE-2018-12293: webkit2gtk - The getImageData function in the ImageBufferCairo class in WebCore/platform/grap...
vendor_debian·2018·CVSS 8.8
CVE-2018-12293 [HIGH] CVE-2018-12293: webkit2gtk - The getImageData function in the ImageBufferCairo class in WebCore/platform/grap...
The getImageData function in the ImageBufferCairo class in WebCore/platform/graphics/cairo/ImageBufferCairo.cpp in WebKit, as used in WebKitGTK+ prior to version 2.20.3 and WPE WebKit prior to version 2.20.1, is vulnerable to a heap-based buffer overflow triggered by an integer overflow, which could be abused by crafted HTML content.
Scope: local
bookworm: resolved (fixed in 2.20.3-1)
bullseye: resolved (fixed in 2.20.3-1)
forky: resolved (fixed in 2.20.3-1)
sid: resolved (fixed in 2.20.3-1)
trixie: resolved (fixed in 2.20.3-1)
GHSA
GHSA-g7g2-cvmj-5ppx: The getImageData function in the ImageBufferCairo class in WebCore/platform/graphics/cairo/ImageBufferCairo
ghsa_unreviewed·2022-05-13
CVE-2018-12293 [HIGH] CWE-787 GHSA-g7g2-cvmj-5ppx: The getImageData function in the ImageBufferCairo class in WebCore/platform/graphics/cairo/ImageBufferCairo
The getImageData function in the ImageBufferCairo class in WebCore/platform/graphics/cairo/ImageBufferCairo.cpp in WebKit, as used in WebKitGTK+ prior to version 2.20.3 and WPE WebKit prior to version 2.20.1, is vulnerable to a heap-based buffer overflow triggered by an integer overflow, which could be abused by crafted HTML content.
OSV
CVE-2018-12293: The getImageData function in the ImageBufferCairo class in WebCore/platform/graphics/cairo/ImageBufferCairo
osv·2018-06-19·CVSS 8.8
CVE-2018-12293 [HIGH] CVE-2018-12293: The getImageData function in the ImageBufferCairo class in WebCore/platform/graphics/cairo/ImageBufferCairo
The getImageData function in the ImageBufferCairo class in WebCore/platform/graphics/cairo/ImageBufferCairo.cpp in WebKit, as used in WebKitGTK+ prior to version 2.20.3 and WPE WebKit prior to version 2.20.1, is vulnerable to a heap-based buffer overflow triggered by an integer overflow, which could be abused by crafted HTML content.
No detection rules found.
No writeups or analysis indexed.
http://packetstormsecurity.com/files/148200/WebKitGTK-Data-Leak-Code-Execution.htmlhttp://www.openwall.com/lists/oss-security/2018/06/14/1http://www.securityfocus.com/archive/1/542087/100/0/threadedhttps://bugs.webkit.org/show_bug.cgi?id=186384https://security.gentoo.org/glsa/201808-04https://trac.webkit.org/changeset/232618https://usn.ubuntu.com/3687-1/https://www.exploit-db.com/exploits/45205/http://packetstormsecurity.com/files/148200/WebKitGTK-Data-Leak-Code-Execution.htmlhttp://www.openwall.com/lists/oss-security/2018/06/14/1http://www.securityfocus.com/archive/1/542087/100/0/threadedhttps://bugs.webkit.org/show_bug.cgi?id=186384https://security.gentoo.org/glsa/201808-04https://trac.webkit.org/changeset/232618https://usn.ubuntu.com/3687-1/https://www.exploit-db.com/exploits/45205/
2018-06-19
Published