Bug#499771: webkit: several vulnerabilities (CVE-2008-3950 CVE-2008-3632)

Mike Hommey mh at glandium.org
Mon Sep 22 17:11:34 UTC 2008


On Mon, Sep 22, 2008 at 05:51:02PM +1000, Steffen Joeris wrote:
> Package: webkit
> Severity: grave
> Tags: security, patch
> Justification: user security hole
> 
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) ids were
> published for webkit.
> 
> CVE-2008-3950[0]:
> | Off-by-one error in the
> | _web_drawInRect:withFont:ellipsis:alignment:measureOnly function in
> | WebKit in Safari in Apple iPhone 1.1.4 and 2.0 and iPod touch 1.1.4
> | and 2.0 allows remote attackers to cause a denial of service (browser
> | crash) via a JavaScript alert call with an argument that lacks
> | breakable characters and has a length that is a multiple of the memory
> | page size, leading to an out-of-bounds read.
> 
> CVE-2008-3632[1]:
> | Use-after-free vulnerability in WebKit in Apple iPod touch 1.1 through
> | 2.0.2, and iPhone 1.0 through 2.0.2, allows remote attackers to
> | execute arbitrary code or cause a denial of service (application
> | crash) via a web page with crafted Cascading Style Sheets (CSS) import
> | statements.
> 
> If you fix the vulnerabilities please also make sure to include the
> CVE ids in your changelog entry.
> 
> Please don't get confused by the very Apple-centric descriptions, it affects webkit.
> A fix for CVE-2008-3632 can be found here[2]. I am not sure about CVE-2008-3950 and it
> might not affect the webkit package (I couldn't even find the function mentioned), but I
> thought I'd mention it as well, in case you have more information.

It's also strange, as
_web_drawInRect:withFont:ellipsis:alignment:measureOnly doesn't sound
remotely related to the javascript alert() call.

Mike
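The mechanism in the CVE-2008-3950 text (an off-by-one read in a line-breaking scan, triggered only when the text has no breakable characters and its length is a multiple of the page size) is easy to reproduce in miniature. The following is an added, constructed illustration and not WebKit's code or the code of either poster: `find_break_buggy`, `find_break_fixed`, `is_breakable` and `scan_faults` are hypothetical names, the breakable-character rule is a stand-in for real line-breaking rules, and the page-aligned mapping with a guard page after it stands in for a large allocation whose neighbouring page is unmapped. It shows why a length that is one short of a page multiple only produces a silent out-of-bounds read, while an exact page multiple puts the one-past-the-end byte on an unmapped page and crashes.

```c
/* Constructed illustration of the bug class CVE-2008-3950 describes; not WebKit code. */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON
#endif

typedef size_t (*break_scan_fn)(const char *s, size_t len);

/* Hypothetical "breakable character" test, a stand-in for real line-breaking rules. */
static int is_breakable(char c)
{
    return c == ' ' || c == '\t' || c == '\n' || c == '-';
}

/* Buggy scan: the loop bound is "<= len", so when the text contains no
 * breakable character it reads s[len], one byte past the buffer. */
size_t find_break_buggy(const char *s, size_t len)
{
    for (size_t i = 0; i <= len; i++)
        if (is_breakable(s[i]))
            return i;
    return len;            /* no break found: caller must wrap at len */
}

/* Fixed scan: never touches s[len]. */
size_t find_break_fixed(const char *s, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (is_breakable(s[i]))
            return i;
    return len;
}

size_t page_size(void)
{
    return (size_t)sysconf(_SC_PAGESIZE);
}

static sigjmp_buf fault_env;

static void on_fault(int sig)
{
    (void)sig;
    siglongjmp(fault_env, 1);
}

/* Lay out a len-byte run of non-breakable text at the start of a fresh
 * page-aligned mapping, with an inaccessible guard page right after the
 * pages it occupies (mimicking a large allocation whose neighbour is
 * unmapped), run fn over it and return 1 if fn faulted, 0 if it did not,
 * -1 on setup failure. Only when len is a multiple of the page size does
 * the one-past-the-end byte land on the guard page. */
int scan_faults(break_scan_fn fn, size_t len)
{
    size_t page = page_size();
    size_t data_pages = (len + page - 1) / page;
    if (data_pages == 0)
        data_pages = 1;
    size_t total = (data_pages + 1) * page;

    char *base = mmap(NULL, total, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED)
        return -1;
    if (mprotect(base + data_pages * page, page, PROT_NONE) != 0) {
        munmap(base, total);
        return -1;
    }
    memset(base, 'A', len);           /* 'A' is never breakable */

    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_NODEFER;
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);  /* some platforms raise SIGBUS here */

    volatile int faulted = 0;
    if (sigsetjmp(fault_env, 1) == 0)
        fn(base, len);
    else
        faulted = 1;

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    munmap(base, total);
    return faulted;
}

int main(void)
{
    size_t page = page_size();
    printf("buggy, len = page size    : %s\n",
           scan_faults(find_break_buggy, page) ? "crash" : "ok");
    printf("buggy, len = page size - 1: %s\n",
           scan_faults(find_break_buggy, page - 1) ? "crash" : "silent OOB read");
    printf("fixed, len = page size    : %s\n",
           scan_faults(find_break_fixed, page) ? "crash" : "ok");
    return 0;
}
```

The guard page is what turns a one-byte over-read into a reproducible crash; with an ordinary heap allocation the same over-read usually lands on a mapped neighbour and goes unnoticed, which is why the CVE text ties the crash to lengths that are a multiple of the page size.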
