[Secure-testing-team] Bug#534952: CVE-2009-1698 CVE-2009-1690 CVE-2009-1687 CVE-2009-0945

Giuseppe Iuculano giuseppe at iuculano.it
Sun Jun 28 13:35:54 UTC 2009


Package: kdelibs
Severity: serious
Tags: security patch

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for kdelibs.

CVE-2009-1698[0]:
| WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1, and
| iPhone OS for iPod touch 1.1 through 2.2.1 does not initialize a
| pointer during handling of a Cascading Style Sheets (CSS) attr
| function call with a large numerical argument, which allows remote
| attackers to execute arbitrary code or cause a denial of service
| (memory corruption and application crash) via a crafted HTML document.

CVE-2009-1690[1]:
| Use-after-free vulnerability in WebKit, as used in Apple Safari before
| 4.0, iPhone OS 1.0 through 2.2.1, iPhone OS for iPod touch 1.1 through
| 2.2.1, Google Chrome 1.0.154.53, and possibly other products, allows
| remote attackers to execute arbitrary code or cause a denial of
| service (memory corruption and application crash) by setting an
| unspecified property of an HTML tag that causes child elements to be
| freed and later accessed when an HTML error occurs, related to
| "recursion in certain DOM event handlers."

CVE-2009-1687[2]:
| The JavaScript garbage collector in WebKit in Apple Safari before 4.0,
| iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch 1.1 through
| 2.2.1 does not properly handle allocation failures, which allows
| remote attackers to execute arbitrary code or cause a denial of
| service (memory corruption and application crash) via a crafted HTML
| document that triggers write access to an "offset of a NULL pointer."

CVE-2009-0945[3]:
| Array index error in the insertItemBefore method in WebKit, as used in
| Apple Safari before 3.2.3 and 4 Public Beta, iPhone OS 1.0 through
| 2.2.1, iPhone OS for iPod touch 1.1 through 2.2.1, Google Chrome
| Stable before 1.0.154.65, and possibly other products allows remote
| attackers to execute arbitrary code via a document with a SVGPathList
| data structure containing a negative index in the (1)
| SVGTransformList, (2) SVGStringList, (3) SVGNumberList, (4)
| SVGPathSegList, (5) SVGPointList, or (6) SVGLengthList SVGList object,
| which triggers memory corruption.

If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1698
    http://security-tracker.debian.net/tracker/CVE-2009-1698
    Upstream WebKit patch: http://trac.webkit.org/changeset/42081
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1690
    http://security-tracker.debian.net/tracker/CVE-2009-1690
    Upstream WebKit patch: http://trac.webkit.org/changeset/42532
    Upstream KDE 4.2 patch: http://websvn.kde.org/?view=rev&revision=983316
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1687
    http://security-tracker.debian.net/tracker/CVE-2009-1687
    Upstream WebKit patch: http://trac.webkit.org/changeset/41854
[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0945
    http://security-tracker.debian.net/tracker/CVE-2009-0945
    Upstream WebKit patch: http://trac.webkit.org/changeset/43590
    Upstream KDE 4.2 patch: http://websvn.kde.org/?view=rev&revision=983302

Cheers,
Giuseppe.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkpHcbcACgkQNxpp46476apx5QCfeH3Pc3dP9utPPbZI0u2HjXrN
/yUAnRkghXsR0jyMpxfPtZooEa8yS/RE
=mO69
-----END PGP SIGNATURE-----
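CVE-2009-0945 above is an array-index error: a negative index passed to a list's insertItemBefore reaches the underlying storage unchecked. The block below is an added illustration of the kind of index validation a maintainer would want at that boundary; it is not WebKit's or KDE's code and not the upstream patch referenced in [3]. The BoundedList class, its method names and the append-past-end behaviour are assumptions modelled on the SVG list interface, not taken from the page.

```cpp
#include <cstddef>
#include <optional>
#include <vector>

// Hypothetical list type (illustration only, not WebKit's SVGList).
// The point: the index arrives from script as a signed value, so it
// must be range-checked before it is used as an offset into storage.
template <typename T>
class BoundedList {
public:
    // insertItemBefore: returns false and leaves the list untouched when
    // the index is negative, instead of letting it convert to a huge
    // size_t or be used as a negative offset.
    bool insertItemBefore(const T& item, long index) {
        if (index < 0)
            return false;
        const std::size_t pos = static_cast<std::size_t>(index);
        // Assumed SVG-list semantics: an index past the end appends.
        if (pos >= items_.size()) {
            items_.push_back(item);
            return true;
        }
        items_.insert(items_.begin() + static_cast<std::ptrdiff_t>(pos), item);
        return true;
    }

    // getItem: same rule on the read side; out-of-range yields no value.
    std::optional<T> getItem(long index) const {
        if (index < 0 || static_cast<std::size_t>(index) >= items_.size())
            return std::nullopt;
        return items_[static_cast<std::size_t>(index)];
    }

    std::size_t numberOfItems() const { return items_.size(); }

private:
    std::vector<T> items_;
};

// Constructed scenario: a negative index must be rejected without
// changing the list. Returns the item count afterwards (expected 1).
std::size_t negativeIndexIsRejected() {
    BoundedList<int> list;
    list.insertItemBefore(10, 0);
    const bool accepted = list.insertItemBefore(20, -1);
    return accepted ? 0 : list.numberOfItems();
}

// Constructed scenario: in-range insertion shifts later items; an index
// beyond the end appends. Returns the value found at index 1 (expected 15).
int insertionOrderIsKept() {
    BoundedList<int> list;
    list.insertItemBefore(10, 0);     // [10]
    list.insertItemBefore(20, 99);    // past the end -> append: [10, 20]
    list.insertItemBefore(15, 1);     // [10, 15, 20]
    return list.getItem(1).value_or(-1);
}

// Constructed scenario: reads with a negative index yield no value.
bool negativeReadYieldsNothing() {
    BoundedList<int> list;
    list.insertItemBefore(10, 0);
    return !list.getItem(-1).has_value();
}
```

The check is deliberately on the signed value before any cast: converting first and comparing against the size afterwards would turn -1 into SIZE_MAX and make the "past the end" branch silently append, which hides the bad input rather than rejecting it.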