DSA-1950-1: New webkit packages fix several vulnerabilities
Posted on: 12/12/2009 11:15 AM

The Debian Security Team published a new security update for Debian GNU/Linux. Here the announcement:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1950 security@debian.org
http://www.debian.org/security/ Giuseppe Iuculano
December 12, 2009 http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package : webkit
Vulnerability : several
Problem type : remote (local)
Debian-specific: no
CVE Id : CVE-2009-0945 CVE-2009-1687 CVE-2009-1690 CVE-2009-1698
CVE-2009-1711 CVE-2009-1712 CVE-2009-1725 CVE-2009-1714
CVE-2009-1710 CVE-2009-1697 CVE-2009-1695 CVE-2009-1693
CVE-2009-1694 CVE-2009-1681 CVE-2009-1684 CVE-2009-1692
Debian Bug : 532724 532725 534946 535793 538346


Several vulnerabilities have been discovered in webkit, a Web content engine
library for Gtk+. The Common Vulnerabilities and Exposures project identifies
the following problems:

CVE-2009-0945

Array index error in the insertItemBefore method in WebKit, allows remote
attackers to execute arbitrary code via a document with a SVGPathList data
structure containing a negative index in the SVGTransformList, SVGStringList,
SVGNumberList, SVGPathSegList, SVGPointList, or SVGLengthList SVGList object,
which triggers memory corruption.


CVE-2009-1687

The JavaScript garbage collector in WebKit does not properly handle allocation
failures, which allows remote attackers to execute arbitrary code or cause a
denial of service (memory corruption and application crash) via a crafted HTML
document that triggers write access to an "offset of a NULL pointer."


CVE-2009-1690

Use-after-free vulnerability in WebKit, allows remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and application
crash) by setting an unspecified property of an HTML tag that causes child
elements to be freed and later accessed when an HTML error occurs, related to
"recursion in certain DOM event handlers."


CVE-2009-1698

WebKit does not initialize a pointer during handling of a Cascading Style Sheets
(CSS) attr function call with a large numerical argument, which allows remote
attackers to execute arbitrary code or cause a denial of service (memory
corruption and application crash) via a crafted HTML document.


CVE-2009-1711

WebKit does not properly initialize memory for Attr DOM objects, which allows
remote attackers to execute arbitrary code or cause a denial of service
(application crash) via a crafted HTML document.


CVE-2009-1712

WebKit does not prevent remote loading of local Java applets, which allows
remote attackers to execute arbitrary code, gain privileges, or obtain sensitive
information via an APPLET or OBJECT element.


CVE-2009-1725

WebKit do not properly handle numeric character references, which allows remote
attackers to execute arbitrary code or cause a denial of service (memory
corruption and application crash) via a crafted HTML document.


CVE-2009-1714

Cross-site scripting (XSS) vulnerability in Web Inspector in WebKit allows
user-assisted remote attackers to inject arbitrary web script or HTML, and read
local files, via vectors related to the improper escaping of HTML attributes.


CVE-2009-1710

WebKit allows remote attackers to spoof the browser's display of the host name,
security indicators, and unspecified other UI elements via a custom cursor in
conjunction with a modified CSS3 hotspot property.


CVE-2009-1697

CRLF injection vulnerability in WebKit allows remote attackers to inject HTTP
headers and bypass the Same Origin Policy via a crafted HTML document, related
to cross-site scripting (XSS) attacks that depend on communication with
arbitrary web sites on the same server through use of XMLHttpRequest without a
Host header.


CVE-2009-1695

Cross-site scripting (XSS) vulnerability in WebKit allows remote attackers to
inject arbitrary web script or HTML via vectors involving access to frame
contents after completion of a page transition.


CVE-2009-1693

WebKit allows remote attackers to read images from arbitrary web sites via a
CANVAS element with an SVG image, related to a "cross-site image capture issue."


CVE-2009-1694

WebKit does not properly handle redirects, which allows remote attackers to read
images from arbitrary web sites via vectors involving a CANVAS element and
redirection, related to a "cross-site image capture issue."


CVE-2009-1681

WebKit does not prevent web sites from loading third-party content into a
subframe, which allows remote attackers to bypass the Same Origin Policy and
conduct "clickjacking" attacks via a crafted HTML document.


CVE-2009-1684

Cross-site scripting (XSS) vulnerability in WebKit allows remote attackers to
inject arbitrary web script or HTML via an event handler that triggers script
execution in the context of the next loaded document.


CVE-2009-1692

WebKit allows remote attackers to cause a denial of service (memory consumption
or device reset) via a web page containing an HTMLSelectElement object with a
large length attribute, related to the length property of a Select object.



For the stable distribution (lenny), these problems has been fixed in
version 1.0.1-4+lenny2.

For the testing distribution (squeeze) and the unstable distribution
(sid), these problems have been fixed in version 1.1.16-1.


We recommend that you upgrade your webkit package.

Upgrade instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 5.0 alias lenny
- --------------------------------

Debian (stable)
- ---------------

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64,
mips, mipsel, powerpc, s390 and sparc.

Source archives:

http://security.debian.org/pool/updates/main/w/webkit/webkit_1.0.1.orig.tar.gz
Size/MD5 checksum: 13418752 4de68a5773998bea14e8939aa341c466

http://security.debian.org/pool/updates/main/w/webkit/webkit_1.0.1-4+lenny2.diff.gz
Size/MD5 checksum: 35369 506c8f2fef73a9fc856264f11a3ad27e
http://security.debian.org/pool/updates/main/w/webkit/webkit_1.0.1-4+lenny2.dsc
Size/MD5 checksum: 1447 b5f01d6428f01d79bfe18338064452ab

Architecture independent packages:


http://security.debian.org/pool/updates/main/w/webkit/libwebkit-dev_1.0.1-4+lenny2_all.deb
Size/MD5 checksum: 35164 df682bbcd13389c2f50002c2aaf7347b

alpha architecture (DEC Alpha)


http://security.debian.org/pool/updates/main/w/webkit/libwebkit-1.0-1-dbg_1.0.1-4+lenny2_alpha.deb
Size/MD5 checksum: 65193740 fc8b613c9c41ef0f0d3856e7ee3deeae

http://security.debian.org/pool/updates/main/w/webkit/libwebkit-1.0-1_1.0.1-4+lenny2_alpha.deb
Size/MD5 checksum: 4254938 252b95b962bda11c000f9c0543673c1b

amd64 architecture (AMD x86_64 (AMD64))


http://security.debian.org/pool/updates/main/w/webkit/libwebkit-1.0-1_1.0.1-4+lenny2_amd64.deb
Size/MD5 checksum: 3502994 4a96cad1e302e7303d41d6f866215da4

http://security.debian.org/pool/updates/main/w/webkit/libwebkit-1.0-1-dbg_1.0.1-4+lenny2_amd64.deb
Size/MD5 checksum: 62518476 d723a8c76b373026752b6f68e5fc4950

arm architecture (ARM)


http://security.debian.org/pool/updates/main/w/webkit/libwebkit-1.0-1_1.0.1-4+lenny2_arm.deb
Size/MD5 checksum: 2721324 1fac2f59ffa9e3d7b8697aae262f09e4

http://security.debian.org/pool/updates/main/w/webkit/libwebkit-1.0-1-dbg_1.0.1-4+lenny2_arm.deb
Size/MD5 checksum: 61478724 260faea7d5ba766268faad888b3e61ff

armel architecture (ARM EABI)


http://security.debian.org/pool/updates/main/w/webkit/libwebkit-1.0-1_1.0.1-4+lenny2_armel.deb
Size/MD5 checksum: 2770654 5b88754e9804d9290537afdf6127643a

http://security.debian.org/pool/updates/main/w/webkit/libwebkit-1.0-1-dbg_1.0.1-4+lenny2_armel.deb
Size/MD5 checksum: 59892062 99c8f13257a054f42686ab9c6329d490

hppa architecture (HP PA RISC)


http://security.debian.org/pool/updates/main/w/webkit/libwebkit-1.0-1_1.0.1-4+lenny2_hppa.deb
Size/MD5 checksum: 3869020 c61be734b6511788e8cc235a5d672eab

http://security.debian.org/pool/updates/main/w/webkit/libwebkit-1.0-1-dbg_1.0.1-4+lenny2_hppa.deb
Size/MD5 checksum: 63935342 f1db2bd7b5c22e257c74100798017f30

i386 architecture (Intel ia32)


http://security.debian.org/pool/updates/main/w/webkit/libwebkit-1.0-1-dbg_1.0.1-4+lenny2_i386.deb
Size/MD5 checksum: 62161744 f89fc6ac6d1110cabe47dd9184c9a9ca

http://security.debian.org/pool/updates/main/w/webkit/libwebkit-1.0-1_1.0.1-4+lenny2_i386.deb
Size/MD5 checksum: 3016584 b854f5294527adac80e9776efed37cd7

ia64 architecture (Intel ia64)


http://security.debian.org/pool/updates/main/w/webkit/libwebkit-1.0-1_1.0.1-4+lenny2_ia64.deb
Size/MD5 checksum: 5547624 2bd2100a345089282117317a9ab2e7d1

http://security.debian.org/pool/updates/main/w/webkit/libwebkit-1.0-1-dbg_1.0.1-4+lenny2_ia64.deb
Size/MD5 checksum: 62685224 5eaff5d431cf4a85beeaa0b66c91958c

mips architecture (MIPS (Big Endian))


http://security.debian.org/pool/updates/main/w/webkit/libwebkit-1.0-1_1.0.1-4+lenny2_mips.deb
Size/MD5 checksum: 3109134 a680a8f105a19bf1b21a5034c14c4822

http://security.debian.org/pool/updates/main/w/webkit/libwebkit-1.0-1-dbg_1.0.1-4+lenny2_mips.deb
Size/MD5 checksum: 64547832 dd440891a1861262bc92deb0a1ead013

mipsel architecture (MIPS (Little Endian))


http://security.debian.org/pool/updates/main/w/webkit/libwebkit-1.0-1_1.0.1-4+lenny2_mipsel.deb
Size/MD5 checksum: 2992848 952d643be475c35e253a8757075cd41b

http://security.debian.org/pool/updates/main/w/webkit/libwebkit-1.0-1-dbg_1.0.1-4+lenny2_mipsel.deb
Size/MD5 checksum: 62135970 7cd635047e3f9bd000ff4547a47eaaec

s390 architecture (IBM S/390)


http://security.debian.org/pool/updates/main/w/webkit/libwebkit-1.0-1_1.0.1-4+lenny2_s390.deb
Size/MD5 checksum: 3456914 6fc856a50b3f899c36381ed8d51af44e

http://security.debian.org/pool/updates/main/w/webkit/libwebkit-1.0-1-dbg_1.0.1-4+lenny2_s390.deb
Size/MD5 checksum: 64385860 98ded86952a2c6714ceba76a4a98c35b

sparc architecture (Sun SPARC/UltraSPARC)


http://security.debian.org/pool/updates/main/w/webkit/libwebkit-1.0-1-dbg_1.0.1-4+lenny2_sparc.deb
Size/MD5 checksum: 63621854 f0dd17453bc09fdc05c119faf2212d70

http://security.debian.org/pool/updates/main/w/webkit/libwebkit-1.0-1_1.0.1-4+lenny2_sparc.deb
Size/MD5 checksum: 3499170 3f2084d6416459ce1416bd6f6f2845e3


These files will probably be moved into the stable distribution on
its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show lt;pkggt;' and http://packages.debian.org/lt;pkggt;
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAksjbAYACgkQNxpp46476aqm7wCaAk6WARfBzzrdYYoxAUKA5weL
V5YAmwRkz4XNwdcqnPzdeDzoakljqf1s
=DBEQ
-----END PGP SIGNATURE-----



Printed from Linux Compatible (http://www.linuxcompatible.org/news/story/dsa_1950_1_new_webkit_packages_fix_several_vulnerabilities.html)