[Secure-testing-team] Bug#534947: CVE-2009-1709 CVE-2009-1698 CVE-2009-1690 CVE-2009-1687

Giuseppe Iuculano giuseppe at iuculano.it
Sun Jun 28 13:09:01 UTC 2009


Package: libqt4-webkit
Severity: serious
Tags: security patch

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for qt4-x11.

CVE-2009-1709[0]:
| Use-after-free vulnerability in the garbage-collection implementation
| in WebCore in WebKit in Apple Safari before 4.0 allows remote
| attackers to execute arbitrary code or cause a denial of service (heap
| corruption and application crash) via an SVG animation element,
| related to SVG set objects, SVG marker elements, the targetElement
| attribute, and unspecified "caches."

CVE-2009-1698[1]:
| WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1, and
| iPhone OS for iPod touch 1.1 through 2.2.1 does not initialize a
| pointer during handling of a Cascading Style Sheets (CSS) attr
| function call with a large numerical argument, which allows remote
| attackers to execute arbitrary code or cause a denial of service
| (memory corruption and application crash) via a crafted HTML document.

CVE-2009-1690[2]:
| Use-after-free vulnerability in WebKit, as used in Apple Safari before
| 4.0, iPhone OS 1.0 through 2.2.1, iPhone OS for iPod touch 1.1 through
| 2.2.1, Google Chrome 1.0.154.53, and possibly other products, allows
| remote attackers to execute arbitrary code or cause a denial of
| service (memory corruption and application crash) by setting an
| unspecified property of an HTML tag that causes child elements to be
| freed and later accessed when an HTML error occurs, related to
| "recursion in certain DOM event handlers."

CVE-2009-1687[3]:
| The JavaScript garbage collector in WebKit in Apple Safari before 4.0,
| iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch 1.1 through
| 2.2.1 does not properly handle allocation failures, which allows
| remote attackers to execute arbitrary code or cause a denial of
| service (memory corruption and application crash) via a crafted HTML
| document that triggers write access to an "offset of a NULL pointer."


CVE-2009-1709 is already fixed in unstable

If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1709
    http://security-tracker.debian.net/tracker/CVE-2009-1709
    Patch: http://trac.webkit.org/changeset/32039
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1698
    http://security-tracker.debian.net/tracker/CVE-2009-1698
    Patch: http://trac.webkit.org/changeset/42081
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1690
    http://security-tracker.debian.net/tracker/CVE-2009-1690
    Patch: http://trac.webkit.org/changeset/42532
[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1687
    http://security-tracker.debian.net/tracker/CVE-2009-1687
    Patch: http://trac.webkit.org/changeset/41854

Cheers,
Giuseppe.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkpHa2oACgkQNxpp46476arYnwCfTbHNZNyhBfqL1ThAgr/1a9A6
W1EAnAzpWhtw2Iv48RxZg0V29abSqdhg
=I7dJ
-----END PGP SIGNATURE-----





More information about the Secure-testing-team mailing list