Bug#499771: webkit: several vulnerabilities (CVE-2008-3950 CVE-2008-3632)

Steffen Joeris steffen.joeris at skolelinux.de
Fri Sep 26 12:17:04 UTC 2008


On Tue, 23 Sep 2008 03:11:34 am Mike Hommey wrote:
> On Mon, Sep 22, 2008 at 05:51:02PM +1000, Steffen Joeris wrote:
> > Package: webkit
> > Severity: grave
> > Tags: security, patch
> > Justification: user security hole
> >
> > Hi,
> > the following CVE (Common Vulnerabilities & Exposures) ids were
> > published for webkit.
> >
> > CVE-2008-3950[0]:
> > | Off-by-one error in the
> > | _web_drawInRect:withFont:ellipsis:alignment:measureOnly function in
> > | WebKit in Safari in Apple iPhone 1.1.4 and 2.0 and iPod touch 1.1.4
> > | and 2.0 allows remote attackers to cause a denial of service (browser
> > | crash) via a JavaScript alert call with an argument that lacks
> > | breakable characters and has a length that is a multiple of the memory
> > | page size, leading to an out-of-bounds read.
> >
> > CVE-2008-3632[1]:
> > | Use-after-free vulnerability in WebKit in Apple iPod touch 1.1 through
> > | 2.0.2, and iPhone 1.0 through 2.0.2, allows remote attackers to
> > | execute arbitrary code or cause a denial of service (application
> > | crash) via a web page with crafted Cascading Style Sheets (CSS) import
> > | statements.
> >
> > If you fix the vulnerabilities please also make sure to include the
> > CVE ids in your changelog entry.
> >
> > Please don't get confused by the very Apple-centric descriptions, it
> > affects webkit. A fix for CVE-2008-3632 can be found here[2]. I am not
> > sure about CVE-2008-3950 and it might not affect the webkit package (I
> > couldn't even find the function mentioned), but I thought I'd mention it
> > as well, in case you have more information.
>
> It's also strange, as
> _web_drawInRect:withFont:ellipsis:alignment:measureOnly doesn't sound
> remotely related to the javascript alert() call.

I've had a look again and I don't see how this CVE affects our Debian
packages.
This leaves us with only one issue for webkit. Did you consider the other
patch yet? I didn't see an obvious problem with it, but haven't tested anything
yet. Did you intend to get 1.0.1-3 into lenny? I guess it would be good to go
through unstable with fixing the last CVE. What do you think?

Cheers
Steffen