Bug#559759: webkit: multiple security issues

Michael Gilbert michael.s.gilbert at gmail.com
Sun Dec 6 22:33:20 UTC 2009

Package: webkit
Version: 1.0.1-4
Severity: serious
Tags: security

the following CVE (Common Vulnerabilities & Exposures) ids were
published for webkit.

| Multiple unspecified vulnerabilities in WebKit in Apple Safari before
| 4.0.4 on Windows allow remote FTP servers to execute arbitrary code,
| cause a denial of service (application crash), or obtain sensitive
| information via a crafted directory listing in a reply.

| Stack consumption vulnerability in WebKit.dll in WebKit in Apple
| Safari 3.2.3, and possibly other versions before 4.1.2, allows remote
| attackers to cause a denial of service (application crash) via
| JavaScript code that calls eval on a long string composed of A/
| sequences.

| WebKit in Apple Safari before 4.0.4 on Mac OS X does not perform the
| expected callbacks for HTML 5 media elements that have external URLs
| for media resources, which allows remote attackers to trigger requests
| to arbitrary web sites via a crafted HTML document, as demonstrated by
| an HTML e-mail message that uses a media element for
| X-Confirm-Reading-To functionality.

| The implementation of Cross-Origin Resource Sharing (CORS) in WebKit,
| as used in Apple Safari before 4.0.4 and Google Chrome before
|, includes certain custom HTTP headers in the OPTIONS
| request during cross-origin operations with preflight, which makes it
| easier for remote attackers to conduct cross-site request forgery
| (CSRF) attacks via a crafted web page.

| The WebKit component in Safari in Apple iPhone OS before 3.1, and
| iPhone OS before 3.1.1 for iPod touch, does not remove usernames and
| passwords from URLs sent in Referer headers, which allows remote
| attackers to obtain sensitive information by reading Referer logs on a
| web server.

Some additional notes:
- CVE-2009-3384 is already fixed in unstable.
- lenny's webkit does not contain the vulnerable code in CVE-2009-2816.
- I was unable to find any patch info for CVE-2009-2841 or
  CVE-2009-2797, so it is unclear whether debian's webkit is affected or
  not (thanks apple...).

If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.

For further information see:

[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3384
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3272
[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2841
[4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2816
[5] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2797

More information about the Pkg-webkit-maintainers mailing list