Bug#499771: webkit: several vulnerabilities (CVE-2008-3950 CVE-2008-3632)

Mike Hommey mh at glandium.org
Fri Sep 26 12:50:19 UTC 2008


On Fri, Sep 26, 2008 at 10:17:04PM +1000, Steffen Joeris wrote:
> On Tue, 23 Sep 2008 03:11:34 am Mike Hommey wrote:
> > On Mon, Sep 22, 2008 at 05:51:02PM +1000, Steffen Joeris wrote:
> > > Package: webkit
> > > Severity: grave
> > > Tags: security, patch
> > > Justification: user security hole
> > >
> > > Hi,
> > > the following CVE (Common Vulnerabilities & Exposures) ids were
> > > published for webkit.
> > >
> > > CVE-2008-3950[0]:
> > > | Off-by-one error in the
> > > | _web_drawInRect:withFont:ellipsis:alignment:measureOnly function in
> > > | WebKit in Safari in Apple iPhone 1.1.4 and 2.0 and iPod touch 1.1.4
> > > | and 2.0 allows remote attackers to cause a denial of service (browser
> > > | crash) via a JavaScript alert call with an argument that lacks
> > > | breakable characters and has a length that is a multiple of the memory
> > > | page size, leading to an out-of-bounds read.
> > >
> > > CVE-2008-3632[1]:
> > > | Use-after-free vulnerability in WebKit in Apple iPod touch 1.1 through
> > > | 2.0.2, and iPhone 1.0 through 2.0.2, allows remote attackers to
> > > | execute arbitrary code or cause a denial of service (application
> > > | crash) via a web page with crafted Cascading Style Sheets (CSS) import
> > > | statements.
> > >
> > > If you fix the vulnerabilities please also make sure to include the
> > > CVE ids in your changelog entry.
> > >
> > > Please don't get confused by the very Apple-centric descriptions, it
> > > affects webkit. A fix for CVE-2008-3632 can be found here[2]. I am not
> > > sure about CVE-2008-3950 and it might not affect the webkit package (I
> > > couldn't even find the function mentioned), but I thought I'd mention it
> > > as well, in case you have more information.
> >
> > It's also strange, as
> > _web_drawInRect:withFont:ellipsis:alignment:measureOnly doesn't sound
> > remotely related to the JavaScript alert() call.
> I've had a look again and I don't see how this CVE affects our Debian
> packages.
> This leaves us with only one issue for webkit. Did you consider the other
> patch yet? I didn't see an obvious problem with it, but didn't test anything
> yet. Did you intend to get 1.0.1-3 into lenny? I guess it would be good to go
> through unstable with the fix for the last CVE; what do you think?

1.0.1-3 is already due for Lenny.
I'll test and upload 1.0.1-4 soon to unstable, including a fix for
CVE-2008-3632, and will go for 1.0.1-5 if CVE-2008-3950 appears to
be a problem in Debian.

Mike