thr3ads.net - Secure testing team - [Secure-testing-team] Bug#534946: webkit: CVE-2009-1698 CVE-2009-1690 CVE-2009-1687 [Jun 2009]

If this information is useful, please help other people find it:
Share via:

Giuseppe Iuculano

2009-Jun-28 12:45 UTC

[Secure-testing-team] Bug#534946: webkit: CVE-2009-1698 CVE-2009-1690 CVE-2009-1687

Package: webkit
Version: 1.0.1-4
Severity: grave
Tags: security lenny

Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for webkit.

CVE-2009-1698[0]:
| WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1, and
| iPhone OS for iPod touch 1.1 through 2.2.1 does not initialize a
| pointer during handling of a Cascading Style Sheets (CSS) attr
| function call with a large numerical argument, which allows remote
| attackers to execute arbitrary code or cause a denial of service
| (memory corruption and application crash) via a crafted HTML document.

CVE-2009-1690[1]:
| Use-after-free vulnerability in WebKit, as used in Apple Safari before
| 4.0, iPhone OS 1.0 through 2.2.1, iPhone OS for iPod touch 1.1 through
| 2.2.1, Google Chrome 1.0.154.53, and possibly other products, allows
| remote attackers to execute arbitrary code or cause a denial of
| service (memory corruption and application crash) by setting an
| unspecified property of an HTML tag that causes child elements to be
| freed and later accessed when an HTML error occurs, related to
| "recursion in certain DOM event handlers."

CVE-2009-1687[2]:
| The JavaScript garbage collector in WebKit in Apple Safari before 4.0,
| iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch 1.1 through
| 2.2.1 does not properly handle allocation failures, which allows
| remote attackers to execute arbitrary code or cause a denial of
| service (memory corruption and application crash) via a crafted HTML
| document that triggers write access to an "offset of a NULL
pointer."


These are already fixed in debian unstable.
Please coordinate with the security team (team at security.debian.org) to
prepare packages for the stable releases.



If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1698
    http://security-tracker.debian.net/tracker/CVE-2009-1698
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1690
    http://security-tracker.debian.net/tracker/CVE-2009-1690
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1687
    http://security-tracker.debian.net/tracker/CVE-2009-1687

Secure testing team - Jun 2009 - Bug#534946: webkit: CVE-2009-1698 CVE-2009-1690 CVE-2009-1687

[Secure-testing-team] Bug#534946: webkit: CVE-2009-1698 CVE-2009-1690 CVE-2009-1687