CVE-2019-8601

Multiple memory corruption issues were addressed with improved memory handling. This issue is fixed in iOS 12.3, macOS Mojave 10.14.5, tvOS 12.3, watchOS 5.2.1, Safari 12.1.1, iTunes for Windows 12.9.5, iCloud for Windows 7.12. Processing maliciously crafted web content may lead to arbitrary code execution.

Weakness

The product performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control.

Affected Software

Name	Vendor	Start Version	End Version
Icloud	Apple	*	7.12 (excluding)
Itunes	Apple	*	12.9.5 (excluding)
Safari	Apple	*	12.1.1 (excluding)
Iphone_os	Apple	*	12.3 (excluding)
Mac_os_x	Apple	*	10.14.5 (excluding)
Tvos	Apple	*	12.3 (excluding)
Watchos	Apple	*	5.2.1 (excluding)
Red Hat Enterprise Linux 7	RedHat	webkitgtk4-0:2.28.2-2.el7	*
Red Hat Enterprise Linux 8	RedHat	accountsservice-0:0.6.50-7.el8	*
Red Hat Enterprise Linux 8	RedHat	appstream-data-0:8-20190805.el8	*
Red Hat Enterprise Linux 8	RedHat	baobab-0:3.28.0-2.el8	*
Red Hat Enterprise Linux 8	RedHat	chrome-gnome-shell-0:10.1-6.el8	*
Red Hat Enterprise Linux 8	RedHat	evince-0:3.28.4-3.el8	*
Red Hat Enterprise Linux 8	RedHat	file-roller-0:3.28.1-2.el8	*
Red Hat Enterprise Linux 8	RedHat	gdk-pixbuf2-0:2.36.12-5.el8	*
Red Hat Enterprise Linux 8	RedHat	gdm-1:3.28.3-22.el8	*
Red Hat Enterprise Linux 8	RedHat	gjs-0:1.56.2-3.el8	*
Red Hat Enterprise Linux 8	RedHat	gnome-control-center-0:3.28.2-5.el8	*
Red Hat Enterprise Linux 8	RedHat	gnome-desktop3-0:3.32.2-1.el8	*
Red Hat Enterprise Linux 8	RedHat	gnome-remote-desktop-0:0.1.6-5.el8	*
Red Hat Enterprise Linux 8	RedHat	gnome-settings-daemon-0:3.32.0-4.el8	*
Red Hat Enterprise Linux 8	RedHat	gnome-shell-0:3.32.2-9.el8	*
Red Hat Enterprise Linux 8	RedHat	gnome-shell-extensions-0:3.32.1-10.el8	*
Red Hat Enterprise Linux 8	RedHat	gnome-software-0:3.30.6-2.el8	*
Red Hat Enterprise Linux 8	RedHat	gnome-tweaks-0:3.28.1-6.el8	*
Red Hat Enterprise Linux 8	RedHat	gsettings-desktop-schemas-0:3.32.0-3.el8	*
Red Hat Enterprise Linux 8	RedHat	gtk3-0:3.22.30-4.el8	*
Red Hat Enterprise Linux 8	RedHat	gvfs-0:1.36.2-6.el8	*
Red Hat Enterprise Linux 8	RedHat	mozjs60-0:60.9.0-3.el8	*
Red Hat Enterprise Linux 8	RedHat	mutter-0:3.32.2-10.el8	*
Red Hat Enterprise Linux 8	RedHat	nautilus-0:3.28.1-10.el8	*
Red Hat Enterprise Linux 8	RedHat	pango-0:1.42.4-6.el8	*
Red Hat Enterprise Linux 8	RedHat	pidgin-0:2.13.0-5.el8	*
Red Hat Enterprise Linux 8	RedHat	plymouth-0:0.9.3-15.el8	*
Red Hat Enterprise Linux 8	RedHat	SDL-0:1.2.15-35.el8	*
Red Hat Enterprise Linux 8	RedHat	wayland-protocols-0:1.17-1.el8	*
Red Hat Enterprise Linux 8	RedHat	webkit2gtk3-0:2.24.3-1.el8	*
Red Hat Enterprise Linux 8	RedHat	accountsservice-0:0.6.50-7.el8	*
Red Hat Enterprise Linux 8	RedHat	appstream-data-0:8-20190805.el8	*
Red Hat Enterprise Linux 8	RedHat	baobab-0:3.28.0-2.el8	*
Red Hat Enterprise Linux 8	RedHat	chrome-gnome-shell-0:10.1-6.el8	*
Red Hat Enterprise Linux 8	RedHat	evince-0:3.28.4-3.el8	*
Red Hat Enterprise Linux 8	RedHat	file-roller-0:3.28.1-2.el8	*
Red Hat Enterprise Linux 8	RedHat	gdk-pixbuf2-0:2.36.12-5.el8	*
Red Hat Enterprise Linux 8	RedHat	gdm-1:3.28.3-22.el8	*
Red Hat Enterprise Linux 8	RedHat	gjs-0:1.56.2-3.el8	*
Red Hat Enterprise Linux 8	RedHat	gnome-control-center-0:3.28.2-5.el8	*
Red Hat Enterprise Linux 8	RedHat	gnome-desktop3-0:3.32.2-1.el8	*
Red Hat Enterprise Linux 8	RedHat	gnome-remote-desktop-0:0.1.6-5.el8	*
Red Hat Enterprise Linux 8	RedHat	gnome-settings-daemon-0:3.32.0-4.el8	*
Red Hat Enterprise Linux 8	RedHat	gnome-shell-0:3.32.2-9.el8	*
Red Hat Enterprise Linux 8	RedHat	gnome-shell-extensions-0:3.32.1-10.el8	*
Red Hat Enterprise Linux 8	RedHat	gnome-software-0:3.30.6-2.el8	*
Red Hat Enterprise Linux 8	RedHat	gnome-tweaks-0:3.28.1-6.el8	*
Red Hat Enterprise Linux 8	RedHat	gsettings-desktop-schemas-0:3.32.0-3.el8	*
Red Hat Enterprise Linux 8	RedHat	gtk3-0:3.22.30-4.el8	*
Red Hat Enterprise Linux 8	RedHat	gvfs-0:1.36.2-6.el8	*
Red Hat Enterprise Linux 8	RedHat	mozjs60-0:60.9.0-3.el8	*
Red Hat Enterprise Linux 8	RedHat	mutter-0:3.32.2-10.el8	*
Red Hat Enterprise Linux 8	RedHat	nautilus-0:3.28.1-10.el8	*
Red Hat Enterprise Linux 8	RedHat	pango-0:1.42.4-6.el8	*
Red Hat Enterprise Linux 8	RedHat	pidgin-0:2.13.0-5.el8	*
Red Hat Enterprise Linux 8	RedHat	plymouth-0:0.9.3-15.el8	*
Red Hat Enterprise Linux 8	RedHat	SDL-0:1.2.15-35.el8	*
Red Hat Enterprise Linux 8	RedHat	wayland-protocols-0:1.17-1.el8	*
Red Hat Enterprise Linux 8	RedHat	webkit2gtk3-0:2.24.3-1.el8	*
Qtwebkit	Ubuntu	eoan	*
Qtwebkit-opensource-src	Ubuntu	bionic	*
Qtwebkit-opensource-src	Ubuntu	cosmic	*
Qtwebkit-opensource-src	Ubuntu	devel	*
Qtwebkit-opensource-src	Ubuntu	disco	*
Qtwebkit-opensource-src	Ubuntu	eoan	*
Qtwebkit-opensource-src	Ubuntu	esm-apps/bionic	*
Qtwebkit-opensource-src	Ubuntu	esm-apps/focal	*
Qtwebkit-opensource-src	Ubuntu	esm-apps/jammy	*
Qtwebkit-opensource-src	Ubuntu	esm-apps/noble	*
Qtwebkit-opensource-src	Ubuntu	esm-infra/xenial	*
Qtwebkit-opensource-src	Ubuntu	focal	*
Qtwebkit-opensource-src	Ubuntu	groovy	*
Qtwebkit-opensource-src	Ubuntu	hirsute	*
Qtwebkit-opensource-src	Ubuntu	impish	*
Qtwebkit-opensource-src	Ubuntu	jammy	*
Qtwebkit-opensource-src	Ubuntu	kinetic	*
Qtwebkit-opensource-src	Ubuntu	lunar	*
Qtwebkit-opensource-src	Ubuntu	mantic	*
Qtwebkit-opensource-src	Ubuntu	noble	*
Qtwebkit-opensource-src	Ubuntu	trusty	*
Qtwebkit-opensource-src	Ubuntu	upstream	*
Qtwebkit-opensource-src	Ubuntu	xenial	*
Qtwebkit-source	Ubuntu	bionic	*
Qtwebkit-source	Ubuntu	cosmic	*
Qtwebkit-source	Ubuntu	disco	*
Qtwebkit-source	Ubuntu	esm-apps/bionic	*
Qtwebkit-source	Ubuntu	esm-apps/xenial	*
Qtwebkit-source	Ubuntu	trusty	*
Qtwebkit-source	Ubuntu	xenial	*
Webkit2gtk	Ubuntu	bionic	*
Webkit2gtk	Ubuntu	cosmic	*
Webkit2gtk	Ubuntu	esm-infra/xenial	*
Webkit2gtk	Ubuntu	upstream	*
Webkit2gtk	Ubuntu	xenial	*
Webkitgtk	Ubuntu	bionic	*
Webkitgtk	Ubuntu	cosmic	*
Webkitgtk	Ubuntu	esm-apps/bionic	*
Webkitgtk	Ubuntu	esm-apps/xenial	*
Webkitgtk	Ubuntu	trusty	*
Webkitgtk	Ubuntu	xenial	*

Potential Mitigations

Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
If possible, choose a language or compiler that performs automatic bounds checking.
Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
Use libraries or frameworks that make it easier to handle numbers without unexpected consequences.
Examples include safe integer handling packages such as SafeInt (C++) or IntegerLib (C or C++). [REF-106]
Perform input validation on any numeric input by ensuring that it is within the expected range. Enforce that the input meets both the minimum and maximum requirements for the expected range.
Use unsigned integers where possible. This makes it easier to perform validation for integer overflows. When signed integers are required, ensure that the range check includes minimum values as well as maximum values.
Understand the programming language’s underlying representation and how it interacts with numeric calculation (CWE-681). Pay close attention to byte size discrepancies, precision, signed/unsigned distinctions, truncation, conversion and casting between types, “not-a-number” calculations, and how the language handles numbers that are too large or too small for its underlying representation. [REF-7]
Also be careful to account for 32-bit, 64-bit, and other potential differences that may affect the numeric representation.

https://cwe.mitre.org/data/definitions/92.html

NVD	https://nvd.nist.gov/vuln/detail/CVE-2019-8601
CWE	https://cwe.mitre.org/data/definitions/190.html

Integer Overflow or Wraparound

Weakness

Affected Software

Potential Mitigations

References

CVE-2019-8601

Integer Overflow or Wraparound

Weakness

Affected Software

Potential Mitigations

Related Attack Patterns

References