On Tue, 23 Sep 2008 03:11:34 am Mike Hommey wrote:
> On Mon, Sep 22, 2008 at 05:51:02PM +1000, Steffen Joeris wrote:
> > Package: webkit
> > Severity: grave
> > Tags: security, patch
> > Justification: user security hole
> >
> > Hi,
> > the following CVE (Common Vulnerabilities & Exposures) ids were
> > published for webkit.
> >
> > CVE-2008-3950[0]:
> > | Off-by-one error in the
> > | _web_drawInRect:withFont:ellipsis:alignment:measureOnly function in
> > | WebKit in Safari in Apple iPhone 1.1.4 and 2.0 and iPod touch 1.1.4
> > | and 2.0 allows remote attackers to cause a denial of service (browser
> > | crash) via a JavaScript alert call with an argument that lacks
> > | breakable characters and has a length that is a multiple of the memory
> > | page size, leading to an out-of-bounds read.
> >
> > CVE-2008-3632[1]:
> > | Use-after-free vulnerability in WebKit in Apple iPod touch 1.1 through
> > | 2.0.2, and iPhone 1.0 through 2.0.2, allows remote attackers to
> > | execute arbitrary code or cause a denial of service (application
> > | crash) via a web page with crafted Cascading Style Sheets (CSS) import
> > | statements.
> >
> > If you fix the vulnerabilities please also make sure to include the
> > CVE ids in your changelog entry.
> >
> > Please don't get confused by the very Apple-centric descriptions, it
> > affects webkit. A fix for CVE-2008-3632 can be found here[2]. I am not
> > sure about CVE-2008-3950 and it might not affect the webkit package (I
> > couldn't even find the function mentioned), but I thought I'd mention it
> > as well, in case you have more information.
>
> It's also strange, as
> _web_drawInRect:withFont:ellipsis:alignment:measureOnly doesn't sound
> remotely related to the javascript alert() call.

I've had a look again and I don't see how this CVE affects our Debian packages. This leaves us with only one issue for webkit; did you consider the other patch yet? I didn't see an obvious problem with it, but didn't test anything yet.
Did you intend to get 1.0.1-3 into lenny? I guess it would be good to go through unstable with fixing the last CVE, what do you think?
Cheers
Steffen