Steffen Joeris
2008-Sep-22 07:51 UTC
[Secure-testing-team] Bug#499771: webkit: several vulnerabilities (CVE-2008-3950 CVE-2008-3632)
Package: webkit
Severity: grave
Tags: security, patch
Justification: user security hole

Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for webkit.

CVE-2008-3950[0]:
| Off-by-one error in the
| _web_drawInRect:withFont:ellipsis:alignment:measureOnly function in
| WebKit in Safari in Apple iPhone 1.1.4 and 2.0 and iPod touch 1.1.4
| and 2.0 allows remote attackers to cause a denial of service (browser
| crash) via a JavaScript alert call with an argument that lacks
| breakable characters and has a length that is a multiple of the memory
| page size, leading to an out-of-bounds read.

CVE-2008-3632[1]:
| Use-after-free vulnerability in WebKit in Apple iPod touch 1.1 through
| 2.0.2, and iPhone 1.0 through 2.0.2, allows remote attackers to
| execute arbitrary code or cause a denial of service (application
| crash) via a web page with crafted Cascading Style Sheets (CSS) import
| statements.

If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.

Please don't get confused by the very Apple-centric descriptions, it
affects webkit. A fix for CVE-2008-3632 can be found here[2]. I am not
sure about CVE-2008-3950 and it might not affect the webkit package (I
couldn't even find the function mentioned), but I thought I'd mention
it as well, in case you have more information.

Please also note that webkit has a security mailing list and it might
be possible for you as the Debian maintainer to get subscribed, so I'd
suggest you ask them and give it a try. :)
Some information about webkit procedures can be found here[3].

Cheers
Steffen

For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3950
    http://security-tracker.debian.net/tracker/CVE-2008-3950
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3632
    http://security-tracker.debian.net/tracker/CVE-2008-3632
[2] http://trac.webkit.org/changeset/34815
[3] http://webkit.org/blog/184/reporting-webkit-security-bugs/