
Bug#561762: kde4libs: many webkit vulnerabilities



Package: kde4libs
Version: 4:4.3.4-1
Severity: serious
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) ids were
published for webkit.  webkit was forked from khtml, so these
issues very likely apply to this package as well.  Since there are so
many problems, I have not had time to check whether the vulnerable code
is present or has an impact. Please check this and keep either myself
or the security team informed of the affected/not-affected issues.
Thank you very much for looking into this.

CVE-2006-2783[0]:
| Mozilla Firefox and Thunderbird before 1.5.0.4 strip the Unicode
| Byte-order-Mark (BOM) from a UTF-8 page before the page is passed to
| the parser, which allows remote attackers to conduct cross-site
| scripting (XSS) attacks via a BOM sequence in the middle of a
| dangerous tag such as SCRIPT.

CVE-2008-0298[1]:
| KHTML WebKit as used in Apple Safari 2.x allows remote attackers to
| cause a denial of service (browser crash) via a crafted web page,
| possibly involving a STYLE attribute of a DIV element.

CVE-2008-1588[2]:
| Safari on Apple iPhone before 2.0 and iPod touch before 2.0 allows
| remote attackers to spoof the address bar via Unicode ideographic
| spaces in the URL.

CVE-2008-2307[3]:
| Unspecified vulnerability in WebKit in Apple Safari before 3.1.2, as
| distributed in Mac OS X before 10.5.4, and standalone for Windows and
| Mac OS X 10.4, allows remote attackers to cause a denial of service
| (application crash) or execute arbitrary code via vectors involving
| JavaScript arrays that trigger memory corruption.

CVE-2008-2320[4]:
| Stack-based buffer overflow in CarbonCore in Apple Mac OS X 10.4.11
| and 10.5.4, iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch
| 1.1 through 2.2.1 allows context-dependent attackers to execute
| arbitrary code or cause a denial of service (application crash) via a
| long filename to the file management API.

CVE-2008-3632[5]:
| Use-after-free vulnerability in WebKit in Apple iPod touch 1.1 through
| 2.0.2, and iPhone 1.0 through 2.0.2, allows remote attackers to
| execute arbitrary code or cause a denial of service (application
| crash) via a web page with crafted Cascading Style Sheets (CSS) import
| statements.

CVE-2008-4231[6]:
| Safari in Apple iPhone OS 1.0 through 2.1 and iPhone OS for iPod touch
| 1.1 through 2.1 does not properly handle HTML TABLE elements, which
| allows remote attackers to execute arbitrary code or cause a denial of
| service (memory corruption and application crash) via a crafted HTML
| document.

CVE-2008-4724[7]:
| Multiple cross-site scripting (XSS) vulnerabilities in Google Chrome
| 0.2.149.30 allow remote attackers to inject arbitrary web script or
| HTML via an ftp:// URL for an HTML document within a (1) JPG, (2) PDF,
| or (3) TXT file.  NOTE: the provenance of this information is unknown;
| the details are obtained solely from third party information.

CVE-2009-1681[8]:
| WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1, and
| iPhone OS for iPod touch 1.1 through 2.2.1 does not prevent web sites
| from loading third-party content into a subframe, which allows remote
| attackers to bypass the Same Origin Policy and conduct "clickjacking"
| attacks via a crafted HTML document.

CVE-2009-1684[9]:
| Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari
| before 4.0, iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch
| 1.1 through 2.2.1 allows remote attackers to inject arbitrary web
| script or HTML via an event handler that triggers script execution in
| the context of the next loaded document.

CVE-2009-1685[10]:
| Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari
| before 4.0, iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch
| 1.1 through 2.2.1 allows remote attackers to inject arbitrary web
| script or HTML by overwriting the document.implementation property of
| (1) an embedded document or (2) a parent document.

CVE-2009-1686[11]:
| WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1, and
| iPhone OS for iPod touch 1.1 through 2.2.1 does not properly handle
| constant (aka const) declarations in a type-conversion operation
| during JavaScript exception handling, which allows remote attackers to
| execute arbitrary code or cause a denial of service (memory corruption
| and application crash) via a crafted HTML document.

CVE-2009-1688[12]:
| Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari
| before 4.0, iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch
| 1.1 through 2.2.1 allows remote attackers to inject arbitrary web
| script or HTML via vectors related to determining a security context
| through an approach that is not the "HTML 5 standard method."

CVE-2009-1689[13]:
| Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari
| before 4.0, iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch
| 1.1 through 2.2.1 allows remote attackers to inject arbitrary web
| script or HTML via vectors involving submission of a form to the
| about:blank URL, leading to security-context replacement.

CVE-2009-1691[14]:
| Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari
| before 4.0, iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch
| 1.1 through 2.2.1 allows remote attackers to inject arbitrary web
| script or HTML via vectors related to insufficient access control for
| standard JavaScript prototypes in other domains.

CVE-2009-1692[15]:
| WebKit before r41741, as used in Apple iPhone OS 1.0 through 2.2.1,
| iPhone OS for iPod touch 1.1 through 2.2.1, Safari, and other
| software, allows remote attackers to cause a denial of service (memory
| consumption or device reset) via a web page containing an
| HTMLSelectElement object with a large length attribute, related to the
| length property of a Select object.

CVE-2009-1693[16]:
| WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1, and
| iPhone OS for iPod touch 1.1 through 2.2.1 allows remote attackers to
| read images from arbitrary web sites via a CANVAS element with an SVG
| image, related to a "cross-site image capture issue."

CVE-2009-1694[17]:
| WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1, and
| iPhone OS for iPod touch 1.1 through 2.2.1 does not properly handle
| redirects, which allows remote attackers to read images from arbitrary
| web sites via vectors involving a CANVAS element and redirection,
| related to a "cross-site image capture issue."

CVE-2009-1695[18]:
| Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari
| before 4.0, iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch
| 1.1 through 2.2.1 allows remote attackers to inject arbitrary web
| script or HTML via vectors involving access to frame contents after
| completion of a page transition.

CVE-2009-1696[19]:
| WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1, and
| iPhone OS for iPod touch 1.1 through 2.2.1 uses predictable random
| numbers in JavaScript applications, which makes it easier for remote
| web servers to track the behavior of a Safari user during a session.

CVE-2009-1697[20]:
| CRLF injection vulnerability in WebKit in Apple Safari before 4.0,
| iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch 1.1 through
| 2.2.1 allows remote attackers to inject HTTP headers and bypass the
| Same Origin Policy via a crafted HTML document, related to cross-site
| scripting (XSS) attacks that depend on communication with arbitrary
| web sites on the same server through use of XMLHttpRequest without a
| Host header.

CVE-2009-1699[21]:
| The XSL stylesheet implementation in WebKit in Apple Safari before
| 4.0, iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch 1.1
| through 2.2.1 does not properly handle XML external entities, which
| allows remote attackers to read arbitrary files via a crafted DTD, as
| demonstrated by a file:///etc/passwd URL in an entity declaration,
| related to an "XXE attack."

CVE-2009-1700[22]:
| The XSLT implementation in WebKit in Apple Safari before 4.0, iPhone
| OS 1.0 through 2.2.1, and iPhone OS for iPod touch 1.1 through 2.2.1
| does not properly handle redirects, which allows remote attackers to
| read XML content from arbitrary web pages via a crafted document.

CVE-2009-1701[23]:
| Use-after-free vulnerability in the JavaScript DOM implementation in
| WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1, and
| iPhone OS for iPod touch 1.1 through 2.2.1 allows remote attackers to
| execute arbitrary code or cause a denial of service (application
| crash) by destroying a document.body element that has an unspecified
| XML container with elements that support the dir attribute.

CVE-2009-1702[24]:
| Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari
| before 4.0, iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch
| 1.1 through 2.2.1 allows remote attackers to inject arbitrary web
| script or HTML via vectors related to improper handling of Location
| and History objects.

CVE-2009-1703[25]:
| WebKit in Apple Safari before 4.0 does not prevent references to file:
| URLs within (1) audio and (2) video elements, which allows remote
| attackers to determine the existence of arbitrary files via a crafted
| HTML document.

CVE-2009-1710[26]:
| WebKit in Apple Safari before 4.0 allows remote attackers to spoof the
| browser's display of (1) the host name, (2) security indicators, and
| unspecified other UI elements via a custom cursor in conjunction with
| a modified CSS3 hotspot property.

CVE-2009-1711[27]:
| WebKit in Apple Safari before 4.0 does not properly initialize memory
| for Attr DOM objects, which allows remote attackers to execute
| arbitrary code or cause a denial of service (application crash) via a
| crafted HTML document.

CVE-2009-1712[28]:
| WebKit in Apple Safari before 4.0 does not prevent remote loading of
| local Java applets, which allows remote attackers to execute arbitrary
| code, gain privileges, or obtain sensitive information via an APPLET
| or OBJECT element.

CVE-2009-1713[29]:
| The XSLT functionality in WebKit in Apple Safari before 4.0 does not
| properly implement the document function, which allows remote
| attackers to read (1) arbitrary local files and (2) files from
| different security zones via unspecified vectors.

CVE-2009-1714[30]:
| Cross-site scripting (XSS) vulnerability in Web Inspector in WebKit in
| Apple Safari before 4.0 allows user-assisted remote attackers to
| inject arbitrary web script or HTML, and read local files, via vectors
| related to the improper escaping of HTML attributes.

CVE-2009-1715[31]:
| Cross-site scripting (XSS) vulnerability in Web Inspector in WebKit in
| Apple Safari before 4.0 allows user-assisted remote attackers to
| inject arbitrary web script or HTML, and read local files, via vectors
| related to script execution with incorrect privileges.

CVE-2009-1718[32]:
| WebKit in Apple Safari before 4.0 allows user-assisted remote
| attackers to obtain sensitive information via vectors involving drag
| events and the dragging of content over a crafted web page.

CVE-2009-1724[33]:
| Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari
| before 4.0.2, as used on iPhone OS before 3.1, iPhone OS before 3.1.1
| for iPod touch, and other platforms, allows remote attackers to inject
| arbitrary web script or HTML via vectors related to parent and top
| objects.

CVE-2009-2195[34]:
| Buffer overflow in WebKit in Apple Safari before 4.0.3 allows remote
| attackers to execute arbitrary code or cause a denial of service
| (application crash) via crafted floating-point numbers.

CVE-2009-2419[35]:
| Use-after-free vulnerability in the servePendingRequests function in
| WebCore in WebKit in Apple Safari 4.0 and 4.0.1 allows remote
| attackers to cause a denial of service (application crash) or possibly
| execute arbitrary code via a crafted HTML document that references a
| zero-length .js file and the JavaScript reload function.  NOTE: some of
| these details are obtained from third party information.

CVE-2009-2797[36]:
| The WebKit component in Safari in Apple iPhone OS before 3.1, and
| iPhone OS before 3.1.1 for iPod touch, does not remove usernames and
| passwords from URLs sent in Referer headers, which allows remote
| attackers to obtain sensitive information by reading Referer logs on a
| web server.
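
As an added illustration of the Referer-leak class above (not code from this bug report, from KDE, or from WebKit), the following Python function, named sanitize_referer here for the example, derives the value a browser may safely send as a Referer: it drops the userinfo (username and password) from the URL, drops the fragment as the Referer rules also require, and refuses non-http(s) schemes such as file: or about:.

```python
from typing import Optional
from urllib.parse import urlsplit, urlunsplit


def sanitize_referer(url: str) -> Optional[str]:
    """Return the Referer value to send when navigating away from `url`.

    None means "send no Referer at all". Credentials embedded in the
    URL (http://user:pass@host/...) are removed so they never reach a
    third-party server's access logs; the fragment is removed too.
    """
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None

    # Only http and https URLs carry anything a remote server should see.
    if parts.scheme not in ("http", "https"):
        return None

    host = parts.hostname  # userinfo already stripped, brackets removed
    if not host:
        return None
    if ":" in host:
        host = f"[{host}]"  # re-bracket IPv6 literals for the wire form

    netloc = host if port is None else f"{host}:{port}"
    # Rebuild without userinfo and with an empty fragment.
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, ""))


if __name__ == "__main__":
    # Constructed sample: credentials, port, query and fragment all present.
    print(sanitize_referer("http://alice:s3cret@example.org:8080/a/b?x=1#frag"))
```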

CVE-2009-2816[37]:
| The implementation of Cross-Origin Resource Sharing (CORS) in WebKit,
| as used in Apple Safari before 4.0.4 and Google Chrome before
| 3.0.195.33, includes certain custom HTTP headers in the OPTIONS
| request during cross-origin operations with preflight, which makes it
| easier for remote attackers to conduct cross-site request forgery
| (CSRF) attacks via a crafted web page.

CVE-2009-2841[38]:
| WebKit in Apple Safari before 4.0.4 on Mac OS X does not perform the
| expected callbacks for HTML 5 media elements that have external URLs
| for media resources, which allows remote attackers to trigger requests
| to arbitrary web sites via a crafted HTML document, as demonstrated by
| an HTML e-mail message that uses a media element for
| X-Confirm-Reading-To functionality.

CVE-2009-2953[39]:
| Mozilla Firefox 3.0.6 through 3.0.13, and 3.5.x, allows remote
| attackers to cause a denial of service (CPU consumption) via
| JavaScript code with a long string value for the hash property (aka
| location.hash), a related issue to CVE-2008-5715.

CVE-2009-3384[40]:
| Multiple unspecified vulnerabilities in WebKit in Apple Safari before
| 4.0.4 on Windows allow remote FTP servers to execute arbitrary code,
| cause a denial of service (application crash), or obtain sensitive
| information via a crafted directory listing in a reply.

If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2783
    http://security-tracker.debian.org/tracker/CVE-2006-2783
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0298
    http://security-tracker.debian.org/tracker/CVE-2008-0298
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1588
    http://security-tracker.debian.org/tracker/CVE-2008-1588
[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2307
    http://security-tracker.debian.org/tracker/CVE-2008-2307
[4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2320
    http://security-tracker.debian.org/tracker/CVE-2008-2320
[5] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3632
    http://security-tracker.debian.org/tracker/CVE-2008-3632
[6] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4231
    http://security-tracker.debian.org/tracker/CVE-2008-4231
[7] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4724
    http://security-tracker.debian.org/tracker/CVE-2008-4724
[8] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1681
    http://security-tracker.debian.org/tracker/CVE-2009-1681
[9] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1684
    http://security-tracker.debian.org/tracker/CVE-2009-1684
[10] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1685
    http://security-tracker.debian.org/tracker/CVE-2009-1685
[11] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1686
    http://security-tracker.debian.org/tracker/CVE-2009-1686
[12] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1688
    http://security-tracker.debian.org/tracker/CVE-2009-1688
[13] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1689
    http://security-tracker.debian.org/tracker/CVE-2009-1689
[14] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1691
    http://security-tracker.debian.org/tracker/CVE-2009-1691
[15] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1692
    http://security-tracker.debian.org/tracker/CVE-2009-1692
[16] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1693
    http://security-tracker.debian.org/tracker/CVE-2009-1693
[17] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1694
    http://security-tracker.debian.org/tracker/CVE-2009-1694
[18] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1695
    http://security-tracker.debian.org/tracker/CVE-2009-1695
[19] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1696
    http://security-tracker.debian.org/tracker/CVE-2009-1696
[20] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1697
    http://security-tracker.debian.org/tracker/CVE-2009-1697
[21] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1699
    http://security-tracker.debian.org/tracker/CVE-2009-1699
[22] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1700
    http://security-tracker.debian.org/tracker/CVE-2009-1700
[23] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1701
    http://security-tracker.debian.org/tracker/CVE-2009-1701
[24] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1702
    http://security-tracker.debian.org/tracker/CVE-2009-1702
[25] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1703
    http://security-tracker.debian.org/tracker/CVE-2009-1703
[26] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1710
    http://security-tracker.debian.org/tracker/CVE-2009-1710
[27] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1711
    http://security-tracker.debian.org/tracker/CVE-2009-1711
[28] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1712
    http://security-tracker.debian.org/tracker/CVE-2009-1712
[29] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1713
    http://security-tracker.debian.org/tracker/CVE-2009-1713
[30] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1714
    http://security-tracker.debian.org/tracker/CVE-2009-1714
[31] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1715
    http://security-tracker.debian.org/tracker/CVE-2009-1715
[32] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1718
    http://security-tracker.debian.org/tracker/CVE-2009-1718
[33] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1724
    http://security-tracker.debian.org/tracker/CVE-2009-1724
[34] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2195
    http://security-tracker.debian.org/tracker/CVE-2009-2195
[35] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2419
    http://security-tracker.debian.org/tracker/CVE-2009-2419
[36] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2797
    http://security-tracker.debian.org/tracker/CVE-2009-2797
[37] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2816
    http://security-tracker.debian.org/tracker/CVE-2009-2816
[38] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2841
    http://security-tracker.debian.org/tracker/CVE-2009-2841
[39] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2953
    http://security-tracker.debian.org/tracker/CVE-2009-2953
[40] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3384
    http://security-tracker.debian.org/tracker/CVE-2009-3384