webkit: deluge of security vulnerabilities

Debian Bug report logs - #535793


Package: webkit; Maintainer for webkit is (unknown);

Reported by: Michael S Gilbert <michael.s.gilbert@gmail.com>

Date: Sun, 5 Jul 2009 05:18:04 UTC

Severity: grave

Tags: fixed-upstream, security

Found in version 1.0.1-4

Fixed in version 1.1.21-1

Done: Gustavo Noronha Silva <kov@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://bugs.webkit.org/show_bug.cgi?id=26973




Report forwarded to debian-bugs-dist@lists.debian.org, Debian WebKit Maintainers <pkg-webkit-maintainers@lists.alioth.debian.org>:
Bug#535793; Package webkit. (Sun, 05 Jul 2009 05:18:06 GMT) (full text, mbox, link).


Acknowledgement sent to Michael S Gilbert <michael.s.gilbert@gmail.com>:
New Bug report received and forwarded. Copy sent to Debian WebKit Maintainers <pkg-webkit-maintainers@lists.alioth.debian.org>. (Sun, 05 Jul 2009 05:18:06 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Michael S Gilbert <michael.s.gilbert@gmail.com>
To: submit@bugs.debian.org
Subject: webkit: deluge of security vulnerabilities
Date: Sun, 5 Jul 2009 01:16:48 -0400
package: webkit
version: 1.0.1-4
severity: grave
tags: security

hello,

webkit has recently been hit by a deluge of security issues [1],[2].
i've been trying to figure out the state of these problems and where
debian is affected, but apple's security announcements have been
notoriously sparse.

the only definitive information i can figure out at this point is that
webkit is possibly affected by the following CVEs.  it is unknown
which versions are affected and which versions are fixed.  i will
start a dialog with upstream to try to start to figure this out.

| WebKit
| CVE-ID:  CVE-2006-2783
| Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact:  Visiting a maliciously crafted website may lead to a cross-
| site scripting attack
| Description:  WebKit ignores Unicode byte order mark sequences when
| parsing web pages. Certain websites and web content filters attempt
| to sanitize input by blocking specific HTML tags. This approach to
| filtering may be bypassed and lead to cross-site scripting when
| encountering maliciously-crafted HTML tags containing byte order mark
| sequences. This update addresses the issue through improved handling
| of byte order mark sequences. Credit to Chris Weber of Casaba
| Security, LLC for reporting this issue.
|
| WebKit
| CVE-ID:  CVE-2008-1588
| Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact:  Unicode ideographic spaces may be used to spoof a website
| Description:  When Safari displays the current URL in the address
| bar, Unicode ideographic spaces are rendered. This allows a
| maliciously crafted website to direct the user to a spoofed site that
| visually appears to be a legitimate domain. This update addresses the
| issue by not rendering Unicode ideographic spaces in the address bar.
|
| WebKit
| CVE-ID:  CVE-2008-2320
| Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact:  Visiting a maliciously crafted website may lead to an
| unexpected application termination or arbitrary code execution
| Description:  A memory corruption issue exists in WebKit's handling
| of invalid color strings in CSS. Visiting a maliciously crafted
| website may lead to an unexpected application termination or
| arbitrary code execution. This update addresses the issue through
| improved handling of color strings. Credit to Thomas Raffetseder of
| the International Secure Systems Lab for reporting this issue.
|
| WebKit
| CVE-ID:  CVE-2008-3632
| Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact:  Visiting a maliciously crafted website may lead to an
| unexpected application termination or arbitrary code execution
| Description:  A use-after-free issue exists in WebKit's handling of
| '@import' statements within Cascading Style Sheets. Visiting a
| maliciously crafted website may lead to an unexpected application
| termination or arbitrary code execution. This update addresses the
| issue through improved handling of style sheets. Credit to Dean
| McNamee of Google Inc. for reporting this issue.
|
| WebKit
| CVE-ID:  CVE-2008-4231
| Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact:  Visiting a maliciously crafted website may lead to an
| unexpected application termination or arbitrary code execution
| Description:  An uninitialized memory access issue exists in WebKit's
| handling of HTML tables. Visiting a maliciously crafted website may
| lead to an unexpected application termination or arbitrary code
| execution. This update addresses the issue through proper
| initialization of the internal representation of HTML tables. Credit
| to Haifei Li of Fortinet's FortiGuard Global Security Research Team
| for reporting this issue.
|
| WebKit
| CVE-ID:  CVE-2009-1681
| Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact:  Interacting with a maliciously crafted website may result in
| unexpected actions on other sites
| Description:  A design issue exists in the same-origin policy
| mechanism used to limit interactions between websites. This policy
| allows websites to load pages from third-party websites into a
| subframe. This frame may be positioned to entice the user to click a
| particular element within the frame, an attack referred to as
| "clickjacking". A maliciously crafted website may be able to
| manipulate a user into taking an unexpected action, such as
| initiating a purchase. This update addresses the issue through
| adoption of the industry-standard 'X-Frame-Options' extension header,
| that allows individual web pages to opt out of being displayed within
| a subframe.
|
| WebKit
| CVE-ID:  CVE-2009-1684
| Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact:  Visiting a maliciously crafted website may result in cross-
| site scripting
| Description:  A cross-site scripting issue exists in the separation
| of JavaScript contexts. A maliciously crafted web page may use an
| event handler to execute a script in the security context of the next
| web page that is loaded in its window or frame. This update addresses
| the issue by ensuring that event handlers are not able to directly
| affect an in-progress page transition. Credit to Michal Zalewski of
| Google Inc. for reporting this issue.
|
| WebKit
| CVE-ID:  CVE-2009-1685
| Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact:  Visiting a maliciously crafted website may result in cross-
| site scripting
| Description:  A cross-site scripting issue exists in the separation
| of JavaScript contexts. By enticing a user to visit a maliciously
| crafted web page, the attacker may overwrite the
| 'document.implementation' of an embedded or parent document served
| from a different security zone. This update addresses the issue by
| ensuring that changes to 'document.implementation' do not affect
| other documents. Credit to Dean McNamee of Google Inc. for reporting
| this issue.
|
| WebKit
| CVE-ID:  CVE-2009-1686
| Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact:  Visiting a maliciously crafted website may lead to arbitrary
| code execution
| Description:  A type conversion issue exists in WebKit's JavaScript
| exception handling. When an attempt is made to assign the exception
| to a variable that is declared as a constant, an object is cast to an
| invalid type, causing memory corruption. Visiting a maliciously
| crafted website may lead to an unexpected application termination or
| arbitrary code execution. This update addresses the issue by ensuring
| that assignment in a const declaration writes to the variable object.
| Credit to Jesse Ruderman of Mozilla Corporation for reporting this
| issue.
|
| WebKit
| CVE-ID:  CVE-2009-1687
| Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact:  Visiting a maliciously crafted website may lead to an
| unexpected application termination or arbitrary code execution
| Description:  A memory corruption issue exists in WebKit's JavaScript
| garbage collector. If an allocation fails, a memory write to an
| offset of a NULL pointer may result, leading to an unexpected
| application termination or arbitrary code execution. This update
| addresses the issue by checking for allocation failure. Credit to
| SkyLined of Google Inc. for reporting this issue.
|
| WebKit
| CVE-ID:  CVE-2009-1688
| Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact:  Visiting a maliciously crafted website may result in cross-
| site scripting
| Description:  WebKit does not use the HTML 5 standard method to
| determine the security context associated with a given script. An
| implementation issue in WebKit's method may result in a cross-site
| scripting attack under certain conditions. This update addresses the
| issue by using the standards-compliant method to determine the
| security context associated with a script. Credit to Adam Barth of UC
| Berkeley, and Collin Jackson of Stanford University for reporting
| this issue.
|
| WebKit
| CVE-ID:  CVE-2009-1689
| Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact:  Visiting a maliciously crafted website may result in a
| cross-site scripting attack
| Description:  A cross-site scripting issue exists in WebKit. A
| maliciously crafted website containing a form submitted to
| 'about:blank' may synchronously replace the document's security
| context, allowing currently-executing scripts to run in the new
| security context. This update addresses the issue through improved
| handling of cross-site interaction with form submission. Credit to
| Adam Barth of UC Berkeley, and Collin Jackson of Stanford University
| for reporting this issue.
|
| Webkit
| CVE-ID:  CVE-2009-1690
| Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact:  Visiting a maliciously crafted website may result in an
| unexpected application termination or arbitrary code execution
| Description:  A memory corruption issue exists in WebKit's handling
| of recursion in certain DOM event handlers. Visiting a maliciously
| crafted website may lead to an unexpected application termination or
| arbitrary code execution. This update addresses the issue through
| improved memory management. Credit to SkyLined of Google Inc, and
| wushi & ling of team509 working with Verisign iDefense VCP for
| reporting this issue.
|
| WebKit
| CVE-ID:  CVE-2009-1691
| Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact:  Visiting a maliciously crafted website may lead to cross-
| site scripting
| Description:  A cross-site scripting issue in Safari allows a
| maliciously crafted website to alter standard JavaScript prototypes
| of websites served from a different domain. By enticing a user to
| visit a maliciously crafted web page, an attacker may be able to
| alter the execution of JavaScript served from other websites. This
| update addresses the issue through improved access controls on these
| prototypes.
|
| WebKit
| CVE-ID:  CVE-2009-1693
| Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact:  Visiting a maliciously crafted website may disclose images
| from other sites
| Description:  A cross-site image capture issue exists in WebKit. By
| using a canvas with an SVG image, a maliciously crafted website may
| load and capture an image from another website. This update addresses
| the issue by restricting the reading of canvases that have images
| loaded from other websites. Credit to Chris Evans of Google Inc. for
| reporting this issue.
|
| WebKit
| CVE-ID:  CVE-2009-1694
| Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact:  Visiting a maliciously crafted website may disclose images
| from other sites
| Description:  A cross-site image capture issue exists in WebKit. By
| using a canvas and a redirect, a maliciously crafted website may load
| and capture an image from another website. This update addresses the
| issue through improved handling of redirects. Credit to Chris Evans
| for reporting this issue.
|
| WebKit
| CVE-ID:  CVE-2009-1695
| Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact:  Visiting a maliciously crafted website may result in a
| cross-site scripting attack
| Description:  An issue in WebKit allows the contents of a frame to be
| accessed by an HTML document after a page transition has taken place.
| This may allow a maliciously crafted website to perform a cross-site
| scripting attack. This update addresses the issue through an improved
| domain check. Credit to Feng Qian of Google Inc. for reporting this
| issue.
|
| WebKit
| CVE-ID:  CVE-2009-1696
| Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact:  Websites may surreptitiously track users
| Description:  Safari generates random numbers for JavaScript
| applications using a predictable algorithm. This could allow a
| website to track a particular Safari session without using cookies,
| hidden form elements, IP addresses, or other techniques. This update
| addresses the issue by using a better random number generator. Credit
| to Amit Klein of Trusteer for reporting this issue.
|
| WebKit
| CVE-ID:  CVE-2009-1697
| Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact:  Visiting a maliciously crafted website may result in a
| cross-site scripting attack
| Description:  A CRLF injection issue exists in the handling of
| XMLHttpRequest headers in WebKit. This may allow a maliciously
| crafted website to bypass the same-origin policy by issuing an
| XMLHttpRequest that does not contain a Host header. XMLHttpRequests
| without a Host header may reach other websites on the same server,
| and allow attacker-supplied JavaScript to interact with those sites.
| This update addresses the issue through improved handling of
| XMLHttpRequest headers. Credit to Per von Zweigbergk for reporting
| this issue.
|
| WebKit
| CVE-ID:  CVE-2009-1698
| Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact:  Viewing a maliciously crafted web page may lead to an
| unexpected application termination or arbitrary code execution
| Description:  An uninitialized pointer issue exists in the handling
| of the CSS 'attr' function. Viewing a maliciously crafted web page
| may lead to an unexpected application termination or arbitrary code
| execution. This update addresses the issue through additional
| validation of CSS elements. Credit to Thierry Zoller working with
| TippingPoint's Zero Day Initiative, and Robert Swiecki of the Google
| Security Team for reporting this as a security issue.
|
| WebKit
| CVE-ID:  CVE-2009-1699
| Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact:  Visiting a maliciously crafted website may result in an
| information disclosure
| Description:  An XML External Entity issue exists in WebKit's
| handling of XML. A maliciously crafted website may be able to read
| files from the user's system. This update addresses the issue by not
| loading external entities across origins. Credit to Chris Evans of
| Google Inc. for reporting this issue.
|
| WebKit
| CVE-ID:  CVE-2009-1700
| Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact:  Visiting a maliciously crafted website may result in the
| disclosure of sensitive information
| Description:  WebKit does not properly handle redirects when
| processing Extensible Stylesheet Language Transformations (XSLT).
| This allows a maliciously crafted website to retrieve XML content
| from pages on other websites, which could result in the disclosure of
| sensitive information. This update addresses the issue by ensuring
| that documents referenced in transformations are downloaded from the
| same domain as the transformation itself. Credit to Chris Evans of
| Google for reporting this issue.
|
| WebKit
| CVE-ID:  CVE-2009-1701
| Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact:  Visiting a maliciously crafted website may lead to an
| unexpected application termination or arbitrary code execution
| Description:  A use-after-free issue exists in WebKit's handling of
| the JavaScript DOM. Visiting a maliciously crafted website may lead
| to an unexpected application termination or arbitrary code execution.
| This update addresses the issue through improved handling of document
| elements. Credit to wushi & ling of team509 working with
| TippingPoint's Zero Day Initiative for reporting this issue.
|
| WebKit
| CVE-ID:  CVE-2009-1702
| Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact:  Visiting a maliciously crafted website may lead to a cross-
| site scripting attack
| Description:  An issue in WebKit's handling of Location and History
| objects may result in a cross-site scripting attack when visiting a
| maliciously crafted website. This update addresses the issue through
| improved handling of Location and History objects. Credit to Adam
| Barth and Joel Weinberger of UC Berkeley for reporting this issue.
|
| WebKit
| CVE-ID:  CVE-2009-1703
| Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact:  Visiting a maliciously crafted website may lead to
| information disclosure
| Description:  WebKit's handling of audio and video HTML elements
| allows a remote website to reference local "file:" URLs. A
| maliciously crafted website could perform file existence checking,
| which may lead to information disclosure. This update addresses the
| issue through improved handling of audio and video elements. Credit
| to Dino Dai Zovi for reporting this issue.
|
| WebKit
| CVE-ID:  CVE-2009-1709
| Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact:  Visiting a maliciously crafted website may lead to an
| unexpected application termination or arbitrary code execution
| Description:  A use-after-free issue exists in WebKit's handling of
| SVG animation elements. Visiting a maliciously crafted website may
| lead to an unexpected application termination or arbitrary code
| execution. This update addresses the issue through improved handling
| of caches. Credit to an anonymous researcher working with
| TippingPoint's Zero Day Initiative for reporting this issue.
|
| WebKit
| CVE-ID:  CVE-2009-1710
| Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact:  A maliciously crafted website may spoof browser UI elements
| Description:  By specifying a large and mostly transparent custom
| cursor, and adjusting the CSS3 hotspot property, a maliciously
| crafted website may spoof browser UI elements, such as the host name
| and security indicators. This update addresses the issue through
| additional restriction on custom cursors. Credit to Dean McNamee of
| Google for reporting this issue.
|
| WebKit
| CVE-ID:  CVE-2009-1711
| Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact:  Visiting a maliciously crafted website may lead to an
| unexpected application termination or arbitrary code execution
| Description:  An uninitialized memory access issue exists in WebKit's
| handling of Attr DOM objects. Visiting a maliciously crafted website
| may lead to an unexpected application termination or arbitrary code
| execution. This update addresses the issue through improved
| validation of DOM objects. Credit to Feng Qian of Google Inc. for
| reporting this issue.
|
| Webkit
| CVE-ID:  CVE-2009-1712
| Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact:  Visiting a maliciously crafted website may lead to
| information disclosure or arbitrary code execution
| Description:  WebKit allows remote websites to load Java applets from
| the local system. Local applets may not expect to be loaded remotely
| and may allow the remote site to execute arbitrary code or otherwise
| grant unexpected privileges to the remote site. This update addresses
| the issue by preventing remote websites from loading local applets.
|
| WebKit
| CVE-ID:  CVE-2009-1713
| Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact:  Visiting a maliciously crafted website may result in an
| information disclosure
| Description:  An information disclosure issue exists in WebKit's
| implementation of the document() function used in XSLT documents. A
| maliciously crafted website may be able to read files from other
| security zones, including the user's system. This update addresses
| the issue by preventing the loading of resources across origins.
| Credit to Chris Evans of Google for reporting this issue.
|
| WebKit
| CVE-ID:  CVE-2009-1714
| Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact:  Using Web Inspector on a maliciously crafted website may
| result in cross-site scripting
| Description:  An issue in Web Inspector allows a page being inspected
| to run injected script with elevated privileges, including the
| ability to read the user's file system. This update addresses the
| issue by proper escaping of HTML attributes. Credit to Pengsu Cheng
| of Wuhan University for reporting this issue.
|
| WebKit
| CVE-ID:  CVE-2009-1715
| Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact:  Using Web Inspector on a maliciously crafted website may
| result in cross-site scripting
| Description:  An issue in Web Inspector allows a page being inspected
| to run injected script with elevated privileges, including the
| ability to read the user's file system. This update addresses the
| issue by executing scripts with the privileges of the web page being
| inspected. Credit to Collin Jackson of Stanford University, and Adam
| Barth of UC Berkeley for reporting this issue.
|
| WebKit
| CVE-ID:  CVE-2009-1718
| Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact:  Dragging content over a maliciously crafted web page may
| lead to information disclosure
| Description:  An issue exists in WebKit's handling of drag events.
| This may lead to the disclosure of sensitive information when content
| is dragged over a maliciously crafted web page. This update addresses
| the issue through improved handling of drag events. Credit to Eric
| Seidel of Google, Inc. for reporting this issue.

please help the security team (team@security.debian.org) figure these
problems out.

[1] http://lists.apple.com/archives/security-announce/2009/jun/msg00002.html
[2] http://lists.apple.com/archives/security-announce/2009/Jun/msg00005.html
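
The advisory for CVE-2009-1697 quoted above describes a CRLF injection in XMLHttpRequest header handling: a page-supplied header value carrying a line break can end the current header line and start another, which is how the request can end up reaching the server with the wrong Host header or none at all. As an added illustration, not code from this bug report, from WebKit or from Debian, the following JavaScript shows the class of check a browser applies before a page-supplied header is serialized: names must be RFC 7230 tokens, values must not contain CR, LF or NUL, and browser-owned headers such as Host are refused outright. The function names, the forbidden-header subset and the sample URL are constructed for this example.

```javascript
// Added example (not WebKit or Debian code): validate XMLHttpRequest header
// names and values before serializing them, the class of check that closes
// a CRLF injection such as the one described for CVE-2009-1697.

// RFC 7230 "token" characters: the only ones legal in a header field name.
const TOKEN_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

// Header names a page script must never set itself; the browser owns them.
// Constructed subset for this example; real browsers keep a longer list.
const FORBIDDEN_NAMES = new Set([
  "host", "content-length", "connection", "transfer-encoding", "cookie",
]);

function isValidHeaderName(name) {
  return typeof name === "string" && TOKEN_RE.test(name);
}

// A field value must not contain CR, LF or NUL: any of them would let the
// value terminate the current header line and start a new one.
function isValidHeaderValue(value) {
  return typeof value === "string" && !/[\r\n\0]/.test(value);
}

// Decision for one setRequestHeader(name, value) call.
// Returns { ok: true } or { ok: false, reason }.
function checkRequestHeader(name, value) {
  if (!isValidHeaderName(name)) {
    return { ok: false, reason: "invalid header name" };
  }
  if (!isValidHeaderValue(value)) {
    return { ok: false, reason: "CR/LF/NUL in header value" };
  }
  if (FORBIDDEN_NAMES.has(name.toLowerCase())) {
    return { ok: false, reason: "forbidden header name" };
  }
  return { ok: true };
}

// Serialize the request head. Host is always derived from the target URL,
// and every page-supplied header is checked first, so the result always has
// exactly one Host line and no smuggled lines.
function buildRequestHead(method, url, pageHeaders) {
  const u = new URL(url);
  const lines = [
    `${method} ${u.pathname}${u.search} HTTP/1.1`,
    `Host: ${u.host}`,
  ];
  for (const [name, value] of Object.entries(pageHeaders)) {
    const check = checkRequestHeader(name, value);
    if (!check.ok) {
      throw new Error(`${check.reason}: ${JSON.stringify(name)}`);
    }
    lines.push(`${name}: ${value}`);
  }
  return lines.join("\r\n") + "\r\n\r\n";
}

// Invariant worth testing: how many Host lines a serialized head contains.
function countHostLines(head) {
  return head.split("\r\n").filter((line) => /^host:/i.test(line)).length;
}

// Constructed sample: a legitimate header passes, an injected line break
// is rejected before it can reach the wire.
const sampleHead = buildRequestHead("GET", "https://example.com/api?x=1", {
  "X-Requested-With": "XMLHttpRequest",
});
console.log(sampleHead);
console.log(checkRequestHeader("X-Test", "value\r\nHost: other.example"));
```

Run with node: buildRequestHead throws on a value that carries a line break, and countHostLines confirms that exactly one Host line is emitted regardless of what the page passed, which is the property the upstream fix restores.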

Information forwarded to debian-bugs-dist@lists.debian.org, Debian WebKit Maintainers <pkg-webkit-maintainers@lists.alioth.debian.org>:
Bug#535793; Package webkit. (Sun, 05 Jul 2009 05:48:05 GMT) (full text, mbox, link).


Acknowledgement sent to Michael S Gilbert <michael.s.gilbert@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian WebKit Maintainers <pkg-webkit-maintainers@lists.alioth.debian.org>. (Sun, 05 Jul 2009 05:48:05 GMT) (full text, mbox, link).


Message #10 received at 535793@bugs.debian.org (full text, mbox, reply):

From: Michael S Gilbert <michael.s.gilbert@gmail.com>
To: 535793@bugs.debian.org, control@bugs.debian.org
Subject: upstream discussion
Date: Sun, 5 Jul 2009 01:44:46 -0400
forwarded 535793 https://bugs.webkit.org/show_bug.cgi?id=26973
thanks

i've started a discussion on these issues in the upstream bug report
in the above link.

Noted your statement that Bug has been forwarded to https://bugs.webkit.org/show_bug.cgi?id=26973. Request was from Michael S Gilbert <michael.s.gilbert@gmail.com> to control@bugs.debian.org. (Sun, 05 Jul 2009 05:48:06 GMT) (full text, mbox, link).


Tags added: fixed-upstream Request was from bts-link-upstream@lists.alioth.debian.org to control@bugs.debian.org. (Thu, 09 Jul 2009 19:06:05 GMT) (full text, mbox, link).


Reply sent to Giuseppe Iuculano <iuculano@debian.org>:
You have taken responsibility. (Thu, 17 Dec 2009 00:57:12 GMT) (full text, mbox, link).


Notification sent to Michael S Gilbert <michael.s.gilbert@gmail.com>:
Bug acknowledged by developer. (Thu, 17 Dec 2009 00:57:12 GMT) (full text, mbox, link).


Message #19 received at 535793-close@bugs.debian.org (full text, mbox, reply):

From: Giuseppe Iuculano <iuculano@debian.org>
To: 535793-close@bugs.debian.org
Subject: Bug#535793: fixed in webkit 1.0.1-4+lenny2
Date: Thu, 17 Dec 2009 00:54:47 +0000
Source: webkit
Source-Version: 1.0.1-4+lenny2

We believe that the bug you reported is fixed in the latest version of
webkit, which is due to be installed in the Debian FTP archive:

libwebkit-1.0-1-dbg_1.0.1-4+lenny2_i386.deb
  to main/w/webkit/libwebkit-1.0-1-dbg_1.0.1-4+lenny2_i386.deb
libwebkit-1.0-1_1.0.1-4+lenny2_i386.deb
  to main/w/webkit/libwebkit-1.0-1_1.0.1-4+lenny2_i386.deb
libwebkit-dev_1.0.1-4+lenny2_all.deb
  to main/w/webkit/libwebkit-dev_1.0.1-4+lenny2_all.deb
webkit_1.0.1-4+lenny2.diff.gz
  to main/w/webkit/webkit_1.0.1-4+lenny2.diff.gz
webkit_1.0.1-4+lenny2.dsc
  to main/w/webkit/webkit_1.0.1-4+lenny2.dsc

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 535793@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Giuseppe Iuculano <iuculano@debian.org> (supplier of updated webkit package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 10 Dec 2009 20:41:40 +0100
Source: webkit
Binary: libwebkit-1.0-1 libwebkit-dev libwebkit-1.0-1-dbg
Architecture: source all i386
Version: 1.0.1-4+lenny2
Distribution: stable-security
Urgency: high
Maintainer: Debian WebKit Maintainers <pkg-webkit-maintainers@lists.alioth.debian.org>
Changed-By: Giuseppe Iuculano <iuculano@debian.org>
Description: 
 libwebkit-1.0-1 - Web content engine library for Gtk+
 libwebkit-1.0-1-dbg - Web content engine library for Gtk+ - Debugging symbols
 libwebkit-dev - Web content engine library for Gtk+ - Development files
Closes: 532724 532725 534946 535793 538346
Changes: 
 webkit (1.0.1-4+lenny2) stable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fixed FTBFS on arm and powerpc: include limits.h for a definition of
     ULONG_MAX introduced in CVE-2009-1687 patch.
 .
 webkit (1.0.1-4+lenny1) stable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fixed CVE-2009-0945: NULL-pointer dereference in the SVGList interface
     implementation (Closes: #532724, #532725)
   * Fixed CVE-2009-1687: Integer overflow in JavaScript garbage collector
   * Fixed CVE-2009-1690: Incorrect handling <head> element content once the
     <head> element was removed
   * Fixed CVE-2009-1698: incorrect handling CSS "style" attribute content
   * Fixed CVE-2009-1711: denial of service or arbitrary code execution via
     Attr DOM objects improper memory initialization. (Closes: #534946)
   * Fixed CVE-2009-1712: arbitrary code execution via remote loading of
     local java applets. (Closes: #535793)
   * Fixed CVE-2009-1725: improper handling of numeric character references
     (Closes: #538346)
   * Patch based on work done by Marc Deslauriers <marc.deslauriers@ubuntu.com>
     in Ubuntu, thanks.
   * Fixed CVE-2009-1714: Cross-site scripting (XSS) vulnerability in Web
     Inspector
   * Fixed CVE-2009-1710: Remote attackers can spoof the browser's display of
     the host name, security indicators, and unspecified other UI elements via
     a custom cursor in conjunction with a modified CSS3 hotspot property.
   * Fixed CVE-2009-1697: CRLF injection vulnerability allows remote attackers
     to inject HTTP headers and bypass the Same Origin Policy via a crafted
     HTML document
   * Fixed CVE-2009-1695: Cross-site scripting (XSS) vulnerability allows remote
     attackers to inject arbitrary web script or HTML via vectors involving
     access to frame contents after completion of a page transition.
   * Fixed CVE-2009-1693 and CVE-2009-1694: does not properly handle redirects,
     which allows remote attackers to read images from arbitrary web sites via
     vectors involving a CANVAS element and redirection
   * Fixed CVE-2009-1681: does not prevent web sites from loading third-party
     content into a subframe, which allows remote attackers to bypass the Same
     Origin Policy and conduct "clickjacking" attacks via a crafted HTML
     document.
   * Fixed CVE-2009-1684: Cross-site scripting (XSS) vulnerability allows remote
     attackers to inject arbitrary web script or HTML via an event handler that
     triggers script execution in the context of the next loaded document.
   * Fixed CVE-2009-1692: denial of service (memory consumption or device reset)
     via a web page containing an HTMLSelectElement object with a large length
     attribute, related to the length property of a Select object.
Checksums-Sha1: 
 84c6fe9a45dd53cf5211bedc5139bb06e445b9a1 1447 webkit_1.0.1-4+lenny2.dsc
 bd7b8dec8eb2d1f3545bd92230ad27d5671285ce 13418752 webkit_1.0.1.orig.tar.gz
 bf989e21bf7d7bb829173ee8058ba0c24f2e64b4 35369 webkit_1.0.1-4+lenny2.diff.gz
 cb59b66fbeffc65cb4231c7f92f4d61a4d9845bc 35164 libwebkit-dev_1.0.1-4+lenny2_all.deb
 695bab1bfa0906d7fe99ce27aa906314cbb5db66 3016584 libwebkit-1.0-1_1.0.1-4+lenny2_i386.deb
 df4d5eb6f2529c22b9dd3b34508233223fc25340 62161744 libwebkit-1.0-1-dbg_1.0.1-4+lenny2_i386.deb
Checksums-Sha256: 
Files: 






Information forwarded to debian-bugs-dist@lists.debian.org, Debian WebKit Maintainers <pkg-webkit-maintainers@lists.alioth.debian.org>:
Bug#535793; Package webkit. (Thu, 17 Dec 2009 02:54:03 GMT)


Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian WebKit Maintainers <pkg-webkit-maintainers@lists.alioth.debian.org>. (Thu, 17 Dec 2009 02:54:03 GMT)


Message #24 received at 535793@bugs.debian.org:

From: Michael Gilbert <michael.s.gilbert@gmail.com>
To: 535793@bugs.debian.org, control@bugs.debian.org
Cc: secure-testing-team@lists.debian.org
Subject: Re: Bug#535793 closed by Giuseppe Iuculano (Bug#535793: fixed in webkit 1.0.1-4+lenny2)
Date: Wed, 16 Dec 2009 21:54:01 -0500
reopen 535793
thanks

On Thu, 17 Dec 2009 00:57:12 +0000 Debian Bug Tracking System wrote:
> webkit (1.0.1-4+lenny2) stable-security; urgency=high
>  .
>    * Non-maintainer upload by the Security Team.
>    * Fixed FTBFS on arm and powerpc: include limits.h for a definition
> of ULONG_MAX introduced in CVE-2009-1687 patch.
>  .
>  webkit (1.0.1-4+lenny1) stable-security; urgency=high
>  .
>    * Non-maintainer upload by the Security Team.
>    * Fixed CVE-2009-0945: NULL-pointer dereference in the SVGList
> interface implementation (Closes: #532724, #532725)
>    * Fixed CVE-2009-1687: Integer overflow in JavaScript garbage
> collector
>    * Fixed CVE-2009-1690: Incorrect handling <head> element content
> once the <head> element was removed
>    * Fixed CVE-2009-1698: incorrect handling CSS "style" attribute
> content
>    * Fixed CVE-2009-1711: denial of service or arbitrary code execution
> via Attr DOM objects improper memory initialization. (Closes: #534946)
>    * Fixed CVE-2009-1712: arbitrary code execution via remote loading of
>      local java applets. (Closes: #535793)
>    * Fixed CVE-2009-1725: improper handling of numeric character
> references (Closes: #538346)
>    * Patch based on work done by Marc Deslauriers in Ubuntu, thanks.
>    * Fixed CVE-2009-1714: Cross-site scripting (XSS) vulnerability in
> Web Inspector
>    * Fixed CVE-2009-1710: Remote attackers can spoof the browser's
> display of the host name, security indicators, and unspecified other UI
> elements via a custom cursor in conjunction with a modified CSS3
> hotspot property.
>    * Fixed CVE-2009-1697: CRLF injection vulnerability allows remote
> attackers to inject HTTP headers and bypass the Same Origin Policy via
> a crafted HTML document
>    * Fixed CVE-2009-1695: Cross-site scripting (XSS) vulnerability
> allows remote attackers to inject arbitrary web script or HTML via
> vectors involving access to frame contents after completion of a page
> transition.
>    * Fixed CVE-2009-1693 and CVE-2009-1694: does not properly handle
> redirects, which allows remote attackers to read images from arbitrary
> web sites via vectors involving a CANVAS element and redirection
>    * Fixed CVE-2009-1681: does not prevent web sites from loading
> third-party content into a subframe, which allows remote attackers to
> bypass the Same Origin Policy and conduct "clickjacking" attacks via a
> crafted HTML document.
>    * Fixed CVE-2009-1684: Cross-site scripting (XSS) vulnerability
> allows remote attackers to inject arbitrary web script or HTML via an
> event handler that triggers script execution in the context of the next
> loaded document.
>   * Fixed CVE-2009-1692: denial of service (memory consumption or
> device reset) via a web page containing an HTMLSelectElement object
> with a large length attribute, related to the length property of a
> Select object.

hi Giuseppe,

this patch didn't address all of the CVEs in the original bug report,
and i've confirmed that they are still open in the tracker, so i am
reopening the bug since there are still unaddressed issues if that is
ok.

mike




Bug No longer marked as fixed in versions webkit/1.0.1-4+lenny2 and reopened. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 17 Dec 2009 02:54:05 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian WebKit Maintainers <pkg-webkit-maintainers@lists.alioth.debian.org>:
Bug#535793; Package webkit. (Sun, 28 Feb 2010 21:24:06 GMT)


Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian WebKit Maintainers <pkg-webkit-maintainers@lists.alioth.debian.org>. (Sun, 28 Feb 2010 21:24:07 GMT)


Message #31 received at 535793@bugs.debian.org:

From: Michael Gilbert <michael.s.gilbert@gmail.com>
To: 535793@bugs.debian.org, control@bugs.debian.org
Subject: re: webkit: deluge of security vulnerabilities
Date: Sun, 28 Feb 2010 16:23:31 -0500
fixed 535793 1.1.21-1
thanks

hi, all of these issues have been triaged in the debian security
tracker [0] and found to be fixed on or before the latest webkit in
unstable.

many of these, however, are still open in stable (the "open issues" at
[0]). a DSA needs to be issued for those.

thanks,
mike

[0] http://security-tracker.debian.org/tracker/source-package/webkit




Bug Marked as fixed in versions 1.1.21-1. Request was from Michael Gilbert <michael.s.gilbert@gmail.com> to control@bugs.debian.org. (Sun, 28 Feb 2010 21:24:08 GMT)


Reply sent to Mike Hommey <mh@glandium.org>:
You have taken responsibility. (Fri, 05 Mar 2010 21:03:21 GMT)


Notification sent to Michael S Gilbert <michael.s.gilbert@gmail.com>:
Bug acknowledged by developer. (Fri, 05 Mar 2010 21:03:21 GMT)


Message #38 received at 535793-done@bugs.debian.org:

From: Mike Hommey <mh@glandium.org>
To: 535793-done@bugs.debian.org
Subject: Properly closing
Date: Fri, 5 Mar 2010 22:00:59 +0100
Version: 1.1.21-1




Reply sent to Gustavo Noronha Silva <kov@debian.org>:
You have taken responsibility. (Wed, 29 Sep 2010 00:06:07 GMT)


Notification sent to Michael S Gilbert <michael.s.gilbert@gmail.com>:
Bug acknowledged by developer. (Wed, 29 Sep 2010 00:06:07 GMT)


Message #43 received at 535793-done@bugs.debian.org:

From: Gustavo Noronha Silva <kov@debian.org>
To: 535793-done@bugs.debian.org
Subject: why does this show up in the listing?
Date: Tue, 28 Sep 2010 21:03:15 -0300
Package: webkit
Version: 1.1.21-1

Why, oh why?

-- 
Gustavo Noronha Silva <kov@debian.org>
Debian Project





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 07 Mar 2011 10:22:58 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:41:03 2019; Machine Name: beach
