Giuseppe Iuculano
2009-Jun-28 13:09 UTC
[Secure-testing-team] Bug#534947: CVE-2009-1709 CVE-2009-1698 CVE-2009-1690 CVE-2009-1687
Package: libqt4-webkit
Severity: serious
Tags: security patch
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for qt4-x11.
CVE-2009-1709[0]:
| Use-after-free vulnerability in the garbage-collection implementation
| in WebCore in WebKit in Apple Safari before 4.0 allows remote
| attackers to execute arbitrary code or cause a denial of service (heap
| corruption and application crash) via an SVG animation element,
| related to SVG set objects, SVG marker elements, the targetElement
| attribute, and unspecified "caches."
CVE-2009-1698[1]:
| WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1, and
| iPhone OS for iPod touch 1.1 through 2.2.1 does not initialize a
| pointer during handling of a Cascading Style Sheets (CSS) attr
| function call with a large numerical argument, which allows remote
| attackers to execute arbitrary code or cause a denial of service
| (memory corruption and application crash) via a crafted HTML document.
CVE-2009-1690[2]:
| Use-after-free vulnerability in WebKit, as used in Apple Safari before
| 4.0, iPhone OS 1.0 through 2.2.1, iPhone OS for iPod touch 1.1 through
| 2.2.1, Google Chrome 1.0.154.53, and possibly other products, allows
| remote attackers to execute arbitrary code or cause a denial of
| service (memory corruption and application crash) by setting an
| unspecified property of an HTML tag that causes child elements to be
| freed and later accessed when an HTML error occurs, related to
| "recursion in certain DOM event handlers."
CVE-2009-1687[3]:
| The JavaScript garbage collector in WebKit in Apple Safari before 4.0,
| iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch 1.1 through
| 2.2.1 does not properly handle allocation failures, which allows
| remote attackers to execute arbitrary code or cause a denial of
| service (memory corruption and application crash) via a crafted HTML
| document that triggers write access to an "offset of a NULL
pointer."
CVE-2009-1709 is already fixed in unstable
If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1709
http://security-tracker.debian.net/tracker/CVE-2009-1709
Patch: http://trac.webkit.org/changeset/32039
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1698
http://security-tracker.debian.net/tracker/CVE-2009-1698
Patch: http://trac.webkit.org/changeset/42081
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1690
http://security-tracker.debian.net/tracker/CVE-2009-1690
Patch: http://trac.webkit.org/changeset/42532
[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1687
http://security-tracker.debian.net/tracker/CVE-2009-1687
Patch: http://trac.webkit.org/changeset/41854
Cheers,
Giuseppe.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkpHa2oACgkQNxpp46476arYnwCfTbHNZNyhBfqL1ThAgr/1a9A6
W1EAnAzpWhtw2Iv48RxZg0V29abSqdhg
=I7dJ
-----END PGP SIGNATURE-----