webkit: CVE-2009-1698 CVE-2009-1690 CVE-2009-1687

Debian Bug report logs - #534946

Package: webkit; Maintainer for webkit is (unknown);

Reported by: Giuseppe Iuculano <giuseppe@iuculano.it>

Date: Sun, 28 Jun 2009 12:48:02 UTC

Severity: grave

Tags: lenny, patch, security

Found in version 1.0.1-4

Fixed in versions 1.1.5-1, webkit/1.0.1-4+lenny2

Done: Giuseppe Iuculano <iuculano@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Debian WebKit Maintainers <pkg-webkit-maintainers@lists.alioth.debian.org>:
Bug#534946; Package webkit. (Sun, 28 Jun 2009 12:48:04 GMT) (full text, mbox, link).


Acknowledgement sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Debian WebKit Maintainers <pkg-webkit-maintainers@lists.alioth.debian.org>. (Sun, 28 Jun 2009 12:48:04 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Giuseppe Iuculano <giuseppe@iuculano.it>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: webkit: CVE-2009-1698 CVE-2009-1690 CVE-2009-1687
Date: Sun, 28 Jun 2009 14:45:36 +0200
Package: webkit
Version: 1.0.1-4
Severity: grave
Tags: security lenny

Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for webkit.

CVE-2009-1698[0]:
| WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1, and
| iPhone OS for iPod touch 1.1 through 2.2.1 does not initialize a
| pointer during handling of a Cascading Style Sheets (CSS) attr
| function call with a large numerical argument, which allows remote
| attackers to execute arbitrary code or cause a denial of service
| (memory corruption and application crash) via a crafted HTML document.

CVE-2009-1690[1]:
| Use-after-free vulnerability in WebKit, as used in Apple Safari before
| 4.0, iPhone OS 1.0 through 2.2.1, iPhone OS for iPod touch 1.1 through
| 2.2.1, Google Chrome 1.0.154.53, and possibly other products, allows
| remote attackers to execute arbitrary code or cause a denial of
| service (memory corruption and application crash) by setting an
| unspecified property of an HTML tag that causes child elements to be
| freed and later accessed when an HTML error occurs, related to
| "recursion in certain DOM event handlers."

CVE-2009-1687[2]:
| The JavaScript garbage collector in WebKit in Apple Safari before 4.0,
| iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch 1.1 through
| 2.2.1 does not properly handle allocation failures, which allows
| remote attackers to execute arbitrary code or cause a denial of
| service (memory corruption and application crash) via a crafted HTML
| document that triggers write access to an "offset of a NULL pointer."


These are already fixed in Debian unstable.
Please coordinate with the security team (team@security.debian.org) to
prepare packages for the stable releases.



If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1698
    http://security-tracker.debian.net/tracker/CVE-2009-1698
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1690
    http://security-tracker.debian.net/tracker/CVE-2009-1690
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1687
    http://security-tracker.debian.net/tracker/CVE-2009-1687
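The allocation-failure and size-overflow pattern described under CVE-2009-1687, as an added C example that is not part of this bug report or of WebKit's code; the Cell and Block types and the block_alloc functions are hypothetical, and the unchecked variant is shown only for contrast with the checked one:

```c
/* Added example, not WebKit's code: a toy GC block allocator showing the two
 * failure modes CVE-2009-1687 names (size overflow, write through a NULL from a
 * failed allocation) next to a checked version. All names are hypothetical. */
#include <limits.h>   /* ULONG_MAX, the header the lenny2 FTBFS fix added */
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

typedef struct { unsigned char payload[32]; } Cell;   /* hypothetical GC cell */
typedef struct { size_t count; Cell *cells; } Block;  /* count cells in a row */

/* Unsafe pattern, kept only for contrast: count * sizeof(Cell) may wrap to a
 * small number, and malloc's NULL is dereferenced at cells[count - 1]. */
Block *block_alloc_unchecked(size_t count)
{
    Block *b = malloc(sizeof *b);
    b->count = count;
    b->cells = malloc(count * sizeof(Cell));         /* may wrap, may be NULL */
    memset(&b->cells[count - 1], 0, sizeof(Cell));   /* write at offset of NULL */
    return b;
}

/* True when count cells fit without the multiplication wrapping. ULONG_MAX
 * matches the Debian patch; SIZE_MAX would be the portable choice. */
int block_size_ok(size_t count)
{
    return count != 0 && count <= ULONG_MAX / sizeof(Cell);
}

/* Hardened version: refuse sizes that would overflow and report allocation
 * failure to the caller instead of touching memory. Returns NULL on failure. */
Block *block_alloc(size_t count)
{
    if (!block_size_ok(count))
        return NULL;
    Block *b = malloc(sizeof *b);
    if (b == NULL)
        return NULL;
    b->cells = calloc(count, sizeof(Cell));   /* calloc checks the product too */
    if (b->cells == NULL) {
        free(b);                              /* nothing written through NULL */
        return NULL;
    }
    b->count = count;
    return b;
}

void block_free(Block *b) { if (b != NULL) { free(b->cells); free(b); } }
```

A caller of block_alloc must treat NULL as an out-of-memory condition and stop, which is the behaviour the unchecked variant lacks.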




Bug marked as fixed in version 1.1.5-1. Request was from Giuseppe Iuculano <giuseppe@iuculano.it> to control@bugs.debian.org. (Sun, 28 Jun 2009 12:57:07 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian WebKit Maintainers <pkg-webkit-maintainers@lists.alioth.debian.org>:
Bug#534946; Package webkit. (Sun, 28 Jun 2009 13:03:05 GMT) (full text, mbox, link).


Acknowledgement sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
Extra info received and forwarded to list. Copy sent to Debian WebKit Maintainers <pkg-webkit-maintainers@lists.alioth.debian.org>. (Sun, 28 Jun 2009 13:03:05 GMT) (full text, mbox, link).


Message #12 received at 534946@bugs.debian.org (full text, mbox, reply):

From: Giuseppe Iuculano <giuseppe@iuculano.it>
To: 534946@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Patch
Date: Sun, 28 Jun 2009 15:00:46 +0200
tags 534946 patch
thanks


CVE-2009-1698 patch: http://trac.webkit.org/changeset/42081
CVE-2009-1690 patch: http://trac.webkit.org/changeset/42532
CVE-2009-1687 patch: http://trac.webkit.org/changeset/41854


Giuseppe.


Tags added: patch. Request was from Giuseppe Iuculano <giuseppe@iuculano.it> to control@bugs.debian.org. (Sun, 28 Jun 2009 13:03:06 GMT) (full text, mbox, link).


Reply sent to Giuseppe Iuculano <iuculano@debian.org>:
You have taken responsibility. (Thu, 17 Dec 2009 00:57:09 GMT) (full text, mbox, link).


Notification sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
Bug acknowledged by developer. (Thu, 17 Dec 2009 00:57:10 GMT) (full text, mbox, link).


Message #19 received at 534946-close@bugs.debian.org (full text, mbox, reply):

From: Giuseppe Iuculano <iuculano@debian.org>
To: 534946-close@bugs.debian.org
Subject: Bug#534946: fixed in webkit 1.0.1-4+lenny2
Date: Thu, 17 Dec 2009 00:54:46 +0000
Source: webkit
Source-Version: 1.0.1-4+lenny2

We believe that the bug you reported is fixed in the latest version of
webkit, which is due to be installed in the Debian FTP archive:

libwebkit-1.0-1-dbg_1.0.1-4+lenny2_i386.deb
  to main/w/webkit/libwebkit-1.0-1-dbg_1.0.1-4+lenny2_i386.deb
libwebkit-1.0-1_1.0.1-4+lenny2_i386.deb
  to main/w/webkit/libwebkit-1.0-1_1.0.1-4+lenny2_i386.deb
libwebkit-dev_1.0.1-4+lenny2_all.deb
  to main/w/webkit/libwebkit-dev_1.0.1-4+lenny2_all.deb
webkit_1.0.1-4+lenny2.diff.gz
  to main/w/webkit/webkit_1.0.1-4+lenny2.diff.gz
webkit_1.0.1-4+lenny2.dsc
  to main/w/webkit/webkit_1.0.1-4+lenny2.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 534946@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Giuseppe Iuculano <iuculano@debian.org> (supplier of updated webkit package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 10 Dec 2009 20:41:40 +0100
Source: webkit
Binary: libwebkit-1.0-1 libwebkit-dev libwebkit-1.0-1-dbg
Architecture: source all i386
Version: 1.0.1-4+lenny2
Distribution: stable-security
Urgency: high
Maintainer: Debian WebKit Maintainers <pkg-webkit-maintainers@lists.alioth.debian.org>
Changed-By: Giuseppe Iuculano <iuculano@debian.org>
Description: 
 libwebkit-1.0-1 - Web content engine library for Gtk+
 libwebkit-1.0-1-dbg - Web content engine library for Gtk+ - Debugging symbols
 libwebkit-dev - Web content engine library for Gtk+ - Development files
Closes: 532724 532725 534946 535793 538346
Changes: 
 webkit (1.0.1-4+lenny2) stable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fixed FTBFS on arm and powerpc: include limits.h for a definition of
     ULONG_MAX introduced in CVE-2009-1687 patch.
 .
 webkit (1.0.1-4+lenny1) stable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fixed CVE-2009-0945: NULL-pointer dereference in the SVGList interface
     implementation (Closes: #532724, #532725)
   * Fixed CVE-2009-1687: Integer overflow in JavaScript garbage collector
   * Fixed CVE-2009-1690: Incorrect handling of <head> element content once the
     <head> element was removed
   * Fixed CVE-2009-1698: incorrect handling of CSS "style" attribute content
   * Fixed CVE-2009-1711: denial of service or arbitrary code execution via
     improper memory initialization of Attr DOM objects. (Closes: #534946)
   * Fixed CVE-2009-1712: arbitrary code execution via remote loading of
     local java applets. (Closes: #535793)
   * Fixed CVE-2009-1725: improper handling of numeric character references
     (Closes: #538346)
   * Patch based on work done by Marc Deslauriers <marc.deslauriers@ubuntu.com>
     in Ubuntu, thanks.
   * Fixed CVE-2009-1714: Cross-site scripting (XSS) vulnerability in Web
     Inspector
   * Fixed CVE-2009-1710: Remote attackers can spoof the browser's display of
     the host name, security indicators, and unspecified other UI elements via
     a custom cursor in conjunction with a modified CSS3 hotspot property.
   * Fixed CVE-2009-1697: CRLF injection vulnerability allows remote attackers
     to inject HTTP headers and bypass the Same Origin Policy via a crafted
     HTML document
   * Fixed CVE-2009-1695: Cross-site scripting (XSS) vulnerability allows remote
     attackers to inject arbitrary web script or HTML via vectors involving
     access to frame contents after completion of a page transition.
   * Fixed CVE-2009-1693 and CVE-2009-1694: does not properly handle redirects,
     which allows remote attackers to read images from arbitrary web sites via
     vectors involving a CANVAS element and redirection
   * Fixed CVE-2009-1681: does not prevent web sites from loading third-party
     content into a subframe, which allows remote attackers to bypass the Same
     Origin Policy and conduct "clickjacking" attacks via a crafted HTML
     document.
   * Fixed CVE-2009-1684: Cross-site scripting (XSS) vulnerability allows remote
     attackers to inject arbitrary web script or HTML via an event handler that
     triggers script execution in the context of the next loaded document.
   * Fixed CVE-2009-1692: denial of service (memory consumption or device reset)
     via a web page containing an HTMLSelectElement object with a large length
     attribute, related to the length property of a Select object.
Checksums-Sha1: 
Checksums-Sha256: 
Files: 






Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 31 Jan 2010 07:35:38 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:41:58 2019; Machine Name: beach
