Bug#538346: CVE-2009-1725: WebKit in Apple Safari before 4.0.2 does not properly handle numeric ...

Luciano Bello luciano at debian.org
Sat Jul 25 01:02:01 UTC 2009


Package: webkit
Version: 1.1.10-2
Severity: grave
Tags: security patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for webkit.

CVE-2009-1725[0]:
| WebKit in Apple Safari before 4.0.2 does not properly handle numeric
| character references, which allows remote attackers to execute
| arbitrary code or cause a denial of service (memory corruption and
| application crash) via a crafted HTML document.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1725
    http://security-tracker.debian.net/tracker/CVE-2009-1725

[1] PoC https://cevans-app.appspot.com/static/webkitentityoffbyone.html
[2] Patch http://trac.webkit.org/changeset/44799/





More information about the Pkg-webkit-maintainers mailing list