Bug#499771: webkit: several vulnerabilities (CVE-2008-3950 CVE-2008-3632)
Steffen Joeris
steffen.joeris at skolelinux.de
Mon Sep 22 07:51:02 UTC 2008
Package: webkit
Severity: grave
Tags: security, patch
Justification: user security hole
Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for webkit.
CVE-2008-3950[0]:
| Off-by-one error in the
| _web_drawInRect:withFont:ellipsis:alignment:measureOnly function in
| WebKit in Safari in Apple iPhone 1.1.4 and 2.0 and iPod touch 1.1.4
| and 2.0 allows remote attackers to cause a denial of service (browser
| crash) via a JavaScript alert call with an argument that lacks
| breakable characters and has a length that is a multiple of the memory
| page size, leading to an out-of-bounds read.
CVE-2008-3632[1]:
| Use-after-free vulnerability in WebKit in Apple iPod touch 1.1 through
| 2.0.2, and iPhone 1.0 through 2.0.2, allows remote attackers to
| execute arbitrary code or cause a denial of service (application
| crash) via a web page with crafted Cascading Style Sheets (CSS) import
| statements.
If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.
Please don't get confused by the very Apple-centric descriptions, it affects webkit.
A fix for CVE-2008-3632 can be found here[2]. I am not sure about CVE-2008-3950 and it
might not affect the webkit package (I couldn't even find the function mentioned), but I
thought I'd mention it as well, in case you have more information.
Please also note that webkit has a security mailinglist and it might be possible for you
as the debian maintainer to get subscribed, so I'd suggest you ask them and give it a try. :)
Some information about webkit procedures can be found here[3].
Cheers
Steffen
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3950
http://security-tracker.debian.net/tracker/CVE-2008-3950
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3632
http://security-tracker.debian.net/tracker/CVE-2008-3632
[2] http://trac.webkit.org/changeset/34815
[3] http://webkit.org/blog/184/reporting-webkit-security-bugs/
More information about the Pkg-webkit-maintainers
mailing list