[Secure-testing-commits] r13466 - in data: . CVE
Michael Gilbert
gilbert-guest at alioth.debian.org
Sun Dec 6 22:51:38 UTC 2009
Author: gilbert-guest
Date: 2009-12-06 22:51:38 +0000 (Sun, 06 Dec 2009)
New Revision: 13466
Modified:
data/CVE/list
data/embedded-code-copies
Log:
new webkit issues
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2009-12-06 16:32:50 UTC (rev 13465)
+++ data/CVE/list 2009-12-06 22:51:38 UTC (rev 13466)
@@ -611,7 +611,11 @@
CVE-2009-3934 (The WebFrameLoaderClient::dispatchDidChangeLocationWithinPage function ...)
TODO: check
CVE-2009-3933 (WebKit before r50173, as used in Google Chrome before 3.0.195.32, ...)
- TODO: check
+ - webkit <not-affected> (chromium-specific issue in their timer)
+ - qt4-x11 <not-affected> (chromium-specific issue in their timer)
+ - kdelibs <not-affected> (chromium-specific issue in their timer)
+ - kde4libs <not-affected> (chromium-specific issue in their timer)
+ - chromium <itp> (low; bug #520324)
CVE-2009-3932 (The Gears plugin in Google Chrome before 3.0.195.32 allows ...)
TODO: check
CVE-2009-3931 (Incomplete blacklist vulnerability in browser/download/download_exe.cc ...)
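Review bot: The four <not-affected> lines added for CVE-2009-3933 sit awkwardly against the entry's own description, which attributes the flaw to "WebKit before r50173", and the only justification is the parenthetical "chromium-specific issue in their timer" repeated on each line. Suggest a single NOTE naming the source that establishes the timer code is Chromium-only, so a later reader can verify the triage instead of redoing it.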
@@ -2050,7 +2054,8 @@
CVE-2009-3385
RESERVED
CVE-2009-3384 (Multiple unspecified vulnerabilities in WebKit in Apple Safari before ...)
- TODO: check
+ - webkit 1.1.17-2 (medium; bug #559759)
+ TODO: check qt4-x11, kdelibs, kde4libs
CVE-2009-3383 (Multiple unspecified vulnerabilities in the JavaScript engine in ...)
- xulrunner 1.9.1.4-1
[lenny] - xulrunner <not-affected> (Only affects Firefox 3.5)
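Review bot: On CVE-2009-3384, the new "- webkit 1.1.17-2 (medium; bug #559759)" line records a fixed version for an entry described as "Multiple unspecified vulnerabilities", with nothing saying how 1.1.17-2 was established as the fix. Add a NOTE pointing to the upstream change or changelog entry that the version is based on, so the claim can be checked when the embedded copies in the TODO are reviewed.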
@@ -2336,8 +2341,11 @@
CVE-2009-3273 (iPhone Mail in Apple iPhone OS, and iPhone OS for iPod touch, does not ...)
NOT-FOR-US: Apple iPhone
CVE-2009-3272 (Stack consumption vulnerability in WebKit.dll in WebKit in Apple ...)
- - webkit <unfixed> (medium)
- TODO: someone needs to become a member of the webkit security list so we can actually triage these apple webkit issues
+ - webkit <unfixed> (unimportant; bug #559759)
+ - qt4-x11 <unfixed> (unimportant)
+ - kdelibs <unfixed> (unimportant)
+ - kde4libs <unfixed> (unimportant)
+ NOTE: browser crashers are not considered security-relevant
CVE-2009-3271 (Apple Safari on iPhone OS 3.0.1 allows remote attackers to cause a ...)
NOT-FOR-US: Apple Safari on iPhone OS 3.0.1
CVE-2009-3290 (The kvm_emulate_hypercall function in arch/x86/kvm/x86.c in KVM in the ...)
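Review bot: The downgrade of CVE-2009-3272 from (medium) to (unimportant) rests on the new NOTE that browser crashers are not security-relevant, but the TODO removed in the same hunk said these Apple WebKit issues could not actually be triaged. State in the NOTE what established that the stack consumption leads only to a crash, so the reclassification is verifiable for webkit and for the three embedded copies added alongside it.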
@@ -4001,7 +4009,9 @@
CVE-2009-2842 (Apple Safari before 4.0.4 does not properly implement certain (1) Open ...)
TODO: check
CVE-2009-2841 (WebKit in Apple Safari before 4.0.4 on Mac OS X does not perform the ...)
- TODO: check
+ - webkit <unfixed> (medium; bug #559759)
+ TODO: work with upstream to determine affected/not-affected versions
+ TODO: check qt4-x11, kdelibs, kde4libs
CVE-2009-2840 (Spotlight in Apple Mac OS X 10.5.8 does not properly handle temporary ...)
TODO: check
CVE-2009-2839 (Screen Sharing in Apple Mac OS X 10.5.8 allows remote VNC servers to ...)
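Review bot: The CVE-2009-2841 description is scoped to "Apple Safari before 4.0.4 on Mac OS X", yet the new line marks webkit <unfixed> (medium) and the TODO only asks about affected versions. Consider wording the TODO, or adding a NOTE, so the upstream question also covers whether the issue is platform-specific and applies to the Debian webkit package at all.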
@@ -4053,7 +4063,9 @@
CVE-2009-2817 (Buffer overflow in Apple iTunes before 9.0.1 allows remote attackers ...)
NOT-FOR-US: Apple iTunes
CVE-2009-2816 (The implementation of Cross-Origin Resource Sharing (CORS) in WebKit, ...)
- TODO: check
+ - webkit <unfixed> (medium; bug #559759)
+ [lenny] - webkit <not-affected> (vulnerable code not present)
+ TODO: check qt4-x11, kdelibs, kde4libs
CVE-2009-2815 (The Telephony component in Apple iPhone OS before 3.1 does not ...)
NOT-FOR-US: Apple iPhone OS
CVE-2009-2814 (Cross-site scripting (XSS) vulnerability in the Wiki Server in Apple ...)
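Review bot: For CVE-2009-2816, the "[lenny] - webkit <not-affected> (vulnerable code not present)" line implies older WebKit snapshots lack the CORS implementation, and this same commit records kdelibs as an (old-version) copy in data/embedded-code-copies. The TODO for qt4-x11, kdelibs, kde4libs could say so, so that whoever picks it up checks first whether the CORS code is present in each copy.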
@@ -4095,8 +4107,9 @@
CVE-2009-2798 (Heap-based buffer overflow in Apple QuickTime before 7.6.4 allows ...)
NOT-FOR-US: Apple QuickTime
CVE-2009-2797 (The WebKit component in Safari in Apple iPhone OS before 3.1, and ...)
- - webkit <unfixed> (medium)
+ - webkit <unfixed> (medium; bug #559759)
TODO: someone needs to gain membership to the webkit security list so we can actually check these issues
+ TODO: check qt4-x11, kdelibs, kde4libs
CVE-2009-2796 (The UIKit component in Apple iPhone OS 3.0, and iPhone OS 3.0.1 for ...)
NOT-FOR-US: Apple iPhone OS
CVE-2009-2795 (Heap-based buffer overflow in the Recovery Mode component in Apple ...)
@@ -7319,8 +7332,6 @@
- qt4-x11 <unfixed> (low; bug #538403)
- webkit 1.1.13-1 (low; bug #538402)
NOTE: http://www.thespanner.co.uk/2009/06/19/minor-safari-cross-domain-bug/
- TODO: check
- NOTE: Can't find details on webkit
CVE-2009-1723 (CFNetwork in Apple Mac OS X 10.5 before 10.5.8 places an incorrect URL ...)
NOT-FOR-US: CFNetwork in Apple Mac OS X
CVE-2009-1722 (Heap-based buffer overflow in the compression implementation in ...)
Modified: data/embedded-code-copies
===================================================================
--- data/embedded-code-copies 2009-12-06 16:32:50 UTC (rev 13465)
+++ data/embedded-code-copies 2009-12-06 22:51:38 UTC (rev 13466)
@@ -635,7 +635,9 @@
NOTE: cpio included in libarchive 2.2 and higher, but not compiled until libarchive 2.4.11-1 (as bsdcpio package)
webkit
- - qt4-x11 <unfixed> (embed)
+ - qt4-x11 <unfixed> (embed; bug #479851)
+ - kdelibs <unfixed> (old-version)
+ - kde4libs <unfixed> (fork)
ftgl
- blender 2.46+dfsg-1 (embed)
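Review bot: The new kdelibs and kde4libs lines under webkit carry no bug reference, while the qt4-x11 line in the same hunk gains bug #479851. If bugs exist for those embedded copies, cite them; and since (old-version) and (fork) determine whether webkit fixes apply to them, a NOTE saying which webkit version each copy derives from would help triage of the "TODO: check qt4-x11, kdelibs, kde4libs" items added in data/CVE/list.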