Bug#535793: webkit: deluge of security vulnerabilities
Michael S Gilbert
michael.s.gilbert at gmail.com
Sun Jul 5 05:16:48 UTC 2009
package: webkit
version: 1.0.1-4
severity: grave
tags: security
hello,
webkit has recently been hit by a deluge of security issues [1],[2].
i've been trying to figure out the state of these problems and where
debian is affected, but apple's security announcements have been
notoriously sparse.
the only definitive information i can figure out at this point is that
webkit is possibly affected by the following CVEs. it is unknown
which versions are affected and which versions are fixed. i will
start a dialog with upstream to try to start to figure this out.
| WebKit
| CVE-ID: CVE-2006-2783
| Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact: Visiting a maliciously crafted website may lead to a cross-
| site scripting attack
| Description: WebKit ignores Unicode byte order mark sequences when
| parsing web pages. Certain websites and web content filters attempt
| to sanitize input by blocking specific HTML tags. This approach to
| filtering may be bypassed and lead to cross-site scripting when
| encountering maliciously-crafted HTML tags containing byte order mark
| sequences. This update addresses the issue through improved handling
| of byte order mark sequences. Credit to Chris Weber of Casaba
| Security, LLC for reporting this issue.
|
| WebKit
| CVE-ID: CVE-2008-1588
| Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact: Unicode ideographic spaces may be used to spoof a website
| Description: When Safari displays the current URL in the address
| bar, Unicode ideographic spaces are rendered. This allows a
| maliciously crafted website to direct the user to a spoofed site that
| visually appears to be a legitimate domain. This update addresses the
| issue by not rendering Unicode ideographic spaces in the address bar.
|
| WebKit
| CVE-ID: CVE-2008-2320
| Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact: Visiting a maliciously crafted website may lead to an
| unexpected application termination or arbitrary code execution
| Description: A memory corruption issue exists in WebKit's handling
| of invalid color strings in CSS. Visiting a maliciously crafted
| website may lead to an unexpected application termination or
| arbitrary code execution. This update addresses the issue through
| improved handling of color strings. Credit to Thomas Raffetseder of
| the International Secure Systems Lab for reporting this issue.
|
| WebKit
| CVE-ID: CVE-2008-3632
| Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact: Visiting a maliciously crafted website may lead to an
| unexpected application termination or arbitrary code execution
| Description: A use-after-free issue exists in WebKit's handling of
| '@import' statements within Cascading Style Sheets. Visiting a
| maliciously crafted website may lead to an unexpected application
| termination or arbitrary code execution. This update addresses the
| issue through improved handling of style sheets. Credit to Dean
| McNamee of Google Inc. for reporting this issue.
|
| WebKit
| CVE-ID: CVE-2008-4231
| Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact: Visiting a maliciously crafted website may lead to an
| unexpected application termination or arbitrary code execution
| Description: An uninitialized memory access issue exists in WebKit's
| handling of HTML tables. Visiting a maliciously crafted website may
| lead to an unexpected application termination or arbitrary code
| execution. This update addresses the issue through proper
| initialization of the internal representation of HTML tables. Credit
| to Haifei Li of Fortinet's FortiGuard Global Security Research Team
| for reporting this issue.
|
| WebKit
| CVE-ID: CVE-2009-1681
| Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact: Interacting with a maliciously crafted website may result in
| unexpected actions on other sites
| Description: A design issue exists in the same-origin policy
| mechanism used to limit interactions between websites. This policy
| allows websites to load pages from third-party websites into a
| subframe. This frame may be positioned to entice the user to click a
| particular element within the frame, an attack referred to as
| "clickjacking". A maliciously crafted website may be able to
| manipulate a user into taking an unexpected action, such as
| initiating a purchase. This update addresses the issue through
| adoption of the industry-standard 'X-Frame-Options' extension header,
| that allows individual web pages to opt out of being displayed within
| a subframe.
|
| WebKit
| CVE-ID: CVE-2009-1684
| Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact: Visiting a maliciously crafted website may result in cross-
| site scripting
| Description: A cross-site scripting issue exists in the separation
| of JavaScript contexts. A maliciously crafted web page may use an
| event handler to execute a script in the security context of the next
| web page that is loaded in its window or frame. This update addresses
| the issue by ensuring that event handlers are not able to directly
| affect an in-progress page transition. Credit to Michal Zalewski of
| Google Inc. for reporting this issue.
|
| WebKit
| CVE-ID: CVE-2009-1685
| Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact: Visiting a maliciously crafted website may result in cross-
| site scripting
| Description: A cross-site scripting issue exists in the separation
| of JavaScript contexts. By enticing a user to visit a maliciously
| crafted web page, the attacker may overwrite the
| 'document.implementation' of an embedded or parent document served
| from a different security zone. This update addresses the issue by
| ensuring that changes to 'document.implementation' do not affect
| other documents. Credit to Dean McNamee of Google Inc. for reporting
| this issue.
|
| WebKit
| CVE-ID: CVE-2009-1686
| Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact: Visiting a maliciously crafted website may lead to arbitrary
| code execution
| Description: A type conversion issue exists in WebKit's JavaScript
| exception handling. When an attempt is made to assign the exception
| to a variable that is declared as a constant, an object is cast to an
| invalid type, causing memory corruption. Visiting a maliciously
| crafted website may lead to an unexpected application termination or
| arbitrary code execution. This update addresses the issue by ensuring
| that assignment in a const declaration writes to the variable object.
| Credit to Jesse Ruderman of Mozilla Corporation for reporting this
| issue.
|
| WebKit
| CVE-ID: CVE-2009-1687
| Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact: Visiting a maliciously crafted website may lead to an
| unexpected application termination or arbitrary code execution
| Description: A memory corruption issue exists in WebKit's JavaScript
| garbage collector. If an allocation fails, a memory write to an
| offset of a NULL pointer may result, leading to an unexpected
| application termination or arbitrary code execution. This update
| addresses the issue by checking for allocation failure. Credit to
| SkyLined of Google Inc. for reporting this issue.
|
| WebKit
| CVE-ID: CVE-2009-1688
| Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact: Visiting a maliciously crafted website may result in cross-
| site scripting
| Description: WebKit does not use the HTML 5 standard method to
| determine the security context associated with a given script. An
| implementation issue in WebKit's method may result in a cross-site
| scripting attack under certain conditions. This update addresses the
| issue by using the standards-compliant method to determine the
| security context associated with a script. Credit to Adam Barth of UC
| Berkeley, and Collin Jackson of Stanford University for reporting
| this issue.
|
| WebKit
| CVE-ID: CVE-2009-1689
| Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact: Visiting a maliciously crafted website may result in a
| cross-site scripting attack
| Description: A cross-site scripting issue exists in WebKit. A
| maliciously crafted website containing a form submitted to
| 'about:blank' may synchronously replace the document's security
| context, allowing currently-executing scripts to run in the new
| security context. This update addresses the issue through improved
| handling of cross-site interaction with form submission. Credit to
| Adam Barth of UC Berkeley, and Collin Jackson of Stanford University
| for reporting this issue.
|
| Webkit
| CVE-ID: CVE-2009-1690
| Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact: Visiting a maliciously crafted website may result in an
| unexpected application termination or arbitrary code execution
| Description: A memory corruption issue exists in WebKit's handling
| of recursion in certain DOM event handlers. Visiting a maliciously
| crafted website may lead to an unexpected application termination or
| arbitrary code execution. This update addresses the issue through
| improved memory management. Credit to SkyLined of Google Inc, and
| wushi & ling of team509 working with Verisign iDefense VCP for
| reporting this issue.
|
| WebKit
| CVE-ID: CVE-2009-1691
| Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact: Visiting a maliciously crafted website may lead to cross-
| site scripting
| Description: A cross-site scripting issue in Safari allows a
| maliciously crafted website to alter standard JavaScript prototypes
| of websites served from a different domain. By enticing a user to
| visit a maliciously crafted web page, an attacker may be able to
| alter the execution of JavaScript served from other websites. This
| update addresses the issue through improved access controls on these
| prototypes.
|
| WebKit
| CVE-ID: CVE-2009-1693
| Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact: Visiting a maliciously crafted website may disclose images
| from other sites
| Description: A cross-site image capture issue exists in WebKit. By
| using a canvas with an SVG image, a maliciously crafted website may
| load and capture an image from another website. This update addresses
| the issue by restricting the reading of canvases that have images
| loaded from other websites. Credit to Chris Evans of Google Inc. for
| reporting this issue.
|
| WebKit
| CVE-ID: CVE-2009-1694
| Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact: Visiting a maliciously crafted website may disclose images
| from other sites
| Description: A cross-site image capture issue exists in WebKit. By
| using a canvas and a redirect, a maliciously crafted website may load
| and capture an image from another website. This update addresses the
| issue through improved handling of redirects. Credit to Chris Evans
| of for reporting this issue.
|
| WebKit
| CVE-ID: CVE-2009-1695
| Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact: Visiting a maliciously crafted website may result in a
| cross-site scripting attack
| Description: An issue in WebKit allows the contents of a frame to be
| accessed by an HTML document after a page transition has taken place.
| This may allow a maliciously crafted website to perform a cross-site
| scripting attack. This update addresses the issue through an improved
| domain check. Credit to Feng Qian of Google Inc. for reporting this
| issue.
|
| WebKit
| CVE-ID: CVE-2009-1696
| Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact: Websites may surreptitiously track users
| Description: Safari generates random numbers for JavaScript
| applications using a predictable algorithm. This could allow a
| website to track a particular Safari session without using cookies,
| hidden form elements, IP addresses, or other techniques. This update
| addresses the issue by using a better random number generator. Credit
| to Amit Klein of Trusteer for reporting this issue.
|
| WebKit
| CVE-ID: CVE-2009-1697
| Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact: Visiting a maliciously crafted website may result in a
| cross-site scripting attack
| Description: A CRLF injection issue exists in the handling of
| XMLHttpRequest headers in WebKit. This may allow a maliciously
| crafted website to bypass the same-origin policy by issuing an
| XMLHttpRequest that does not contain a Host header. XMLHttpRequests
| without a Host header may reach other websites on the same server,
| and allow attacker-supplied JavaScript to interact with those sites.
| This update addresses the issue through improved handling of
| XMLHttpRequest headers. Credit to Per von Zweigbergk for reporting
| this issue.
|
| WebKit
| CVE-ID: CVE-2009-1698
| Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact: Viewing a maliciously crafted web page may lead to an
| unexpected application termination or arbitrary code execution
| Description: An uninitialized pointer issue exists in the handling
| of the CSS 'attr' function. Viewing a maliciously crafted web page
| may lead to an unexpected application termination or arbitrary code
| execution. This update addresses the issue through additional
| validation of CSS elements. Credit to Thierry Zoller working with
| TippingPoint's Zero Day Initiative, and Robert Swiecki of the Google
| Security Team for reporting this as a security issue.
|
| WebKit
| CVE-ID: CVE-2009-1699
| Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact: Visiting a maliciously crafted website may result in an
| information disclosure
| Description: An XML External Entity issue exists in WebKit's
| handling of XML. A maliciously crafted website may be able to read
| files from the user's system. This update addresses the issue by not
| loading external entities across origins. Credit to Chris Evans of
| Google Inc. for reporting this issue.
|
| WebKit
| CVE-ID: CVE-2009-1700
| Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact: Visiting a maliciously crafted website may result in the
| disclosure of sensitive information
| Description: WebKit does not properly handle redirects when
| processing Extensible Stylesheet Language Transformations (XSLT).
| This allows a maliciously crafted website to retrieve XML content
| from pages on other websites, which could result in the disclosure of
| sensitive information. This update addresses the issue by ensuring
| that documents referenced in transformations are downloaded from the
| same domain as the transformation itself. Credit to Chris Evans of
| Google for reporting this issue.
|
| WebKit
| CVE-ID: CVE-2009-1701
| Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact: Visiting a maliciously crafted website may lead to an
| unexpected application termination or arbitrary code execution
| Description: A use-after-free issue exists in WebKit's handling of
| the JavaScript DOM. Visiting a maliciously crafted website may lead
| to an unexpected application termination or arbitrary code execution.
| This update addresses the issue through improved handling of document
| elements. Credit to wushi & ling of team509 working with
| TippingPoint's Zero Day Initiative for reporting this issue.
|
| WebKit
| CVE-ID: CVE-2009-1702
| Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact: Visiting a maliciously crafted website may lead to a cross-
| site scripting attack
| Description: An issue in WebKit's handling of Location and History
| objects may result in a cross-site scripting attack when visiting a
| maliciously crafted website. This update addresses the issue through
| improved handling of Location and History objects. Credit to Adam
| Barth and Joel Weinberger of UC Berkeley for reporting this issue.
|
| WebKit
| CVE-ID: CVE-2009-1703
| Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact: Visiting a maliciously crafted website may lead to
| information disclosure
| Description: WebKit's handling of audio and video HTML elements
| allows a remote website to reference local "file:" URLs. A
| maliciously crafted website could perform file existence checking,
| which may lead to information disclosure. This update addresses the
| issue through improved handling of audio and video elements. Credit
| to Dino Dai Zovi for reporting this issue.
|
| WebKit
| CVE-ID: CVE-2009-1709
| Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact: Visiting a maliciously crafted website may lead to an
| unexpected application termination or arbitrary code execution
| Description: A use-after-free issue exists in WebKit's handling of
| SVG animation elements. Visiting a maliciously crafted website may
| lead to an unexpected application termination or arbitrary code
| execution. This update addresses the issue through improved handling
| of caches. Credit to an anonymous researcher working with
| TippingPoint's Zero Day Initiative for reporting this issue.
|
| WebKit
| CVE-ID: CVE-2009-1710
| Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact: A maliciously crafted website may spoof browser UI elements
| Description: By specifying a large and mostly transparent custom
| cursor, and adjusting the CSS3 hotspot property, a maliciously
| crafted website may spoof browser UI elements, such as the host name
| and security indicators. This update addresses the issue through
| additional restriction on custom cursors. Credit to Dean McNamee of
| Google for reporting this issue
|
| WebKit
| CVE-ID: CVE-2009-1711
| Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact: Visiting a maliciously crafted website may lead to an
| unexpected application termination or arbitrary code execution
| Description: An uninitialized memory access issue exists in WebKit's
| handling of Attr DOM objects. Visiting a maliciously crafted website
| may lead to an unexpected application termination or arbitrary code
| execution. This update addresses the issue through improved
| validation of DOM objects. Credit to Feng Qian of Google Inc. for
| reporting this issue.
|
| Webkit
| CVE-ID: CVE-2009-1712
| Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact: Visiting a maliciously crafted website may lead to
| information disclosure or arbitrary code execution
| Description: WebKit allows remote websites to load Java applets from
| the local system. Local applets may not expect to be loaded remotely
| and may allow the remote site to execute arbitrary code or otherwise
| grant unexpected privileges to the remote site. This update addresses
| the issue by preventing remote websites from loading local applets.
|
| WebKit
| CVE-ID: CVE-2009-1713
| Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact: Visiting a maliciously crafted website may result in an
| information disclosure
| Description: An information disclosure issue exists in WebKit's
| implementation of the document() function used in XSLT documents. A
| maliciously crafted website may be able to read files from other
| security zones, including the user's system. This update addresses
| the issue by preventing the loading of resources across origins.
| Credit to Chris Evans of Google for reporting this issue.
|
| WebKit
| CVE-ID: CVE-2009-1714
| Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact: Using Web Inspector on a maliciously crafted website may
| result in cross-site scripting
| Description: An issue in Web Inspector allows a page being inspected
| to run injected script with elevated privileges, including the
| ability to read the user's file system. This update addresses the
| issue by proper escaping of HTML attributes. Credit to Pengsu Cheng
| of Wuhan University for reporting this issue.|
|
| WebKit
| CVE-ID: CVE-2009-1715
| Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact: Using Web Inspector on a maliciously crafted website may
| result in cross-site scripting
| Description: An issue in Web Inspector allows a page being inspected
| to run injected script with elevated privileges, including the
| ability to read the user's file system. This update addresses the
| issue by executing scripts with the privileges of the web page being
| inspected. Credit to Collin Jackson of Stanford University, and Adam
| Barth of UC Berkeley for reporting this issue.
|
| WebKit
| CVE-ID: CVE-2009-1718
| Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact: Dragging content over a maliciously crafted web page may
| lead to information disclosure
| Description: An issue exists in WebKit's handling of drag events.
| This may lead to the disclosure of sensitive information when content
| is dragged over a maliciously crafted web page. This update addresses
| the issue through improved handling of drag events. Credit to Eric
| Seidel of Google, Inc. for reporting this issue.
please help the security team (team at security.debian.org) figure these
problems out.
[1] http://lists.apple.com/archives/security-announce/2009/jun/msg00002.html
[2] http://lists.apple.com/archives/security-announce/2009/Jun/msg00005.html
More information about the Pkg-webkit-maintainers
mailing list