Package: webkit
Version: 1.0.1-4
Severity: grave
Tags: security

Hello,
WebKit has recently been hit by a deluge of security issues [1], [2]. I've been trying to figure out the state of these problems and where Debian is affected, but Apple's security announcements have been notoriously sparse. The only definitive information I can figure out at this point is that webkit is possibly affected by the following CVEs. It is unknown which versions are affected and which versions are fixed. I will start a dialog with upstream to try to start to figure this out.

| WebKit
| CVE-ID: CVE-2006-2783
| Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact: Visiting a maliciously crafted website may lead to a cross-site
| scripting attack
| Description: WebKit ignores Unicode byte order mark sequences when
| parsing web pages. Certain websites and web content filters attempt
| to sanitize input by blocking specific HTML tags. This approach to
| filtering may be bypassed and lead to cross-site scripting when
| encountering maliciously-crafted HTML tags containing byte order mark
| sequences. This update addresses the issue through improved handling
| of byte order mark sequences. Credit to Chris Weber of Casaba
| Security, LLC for reporting this issue.
|
| WebKit
| CVE-ID: CVE-2008-1588
| Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact: Unicode ideographic spaces may be used to spoof a website
| Description: When Safari displays the current URL in the address
| bar, Unicode ideographic spaces are rendered. This allows a
| maliciously crafted website to direct the user to a spoofed site that
| visually appears to be a legitimate domain. This update addresses the
| issue by not rendering Unicode ideographic spaces in the address bar.
|
| WebKit
| CVE-ID: CVE-2008-2320
| Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact: Visiting a maliciously crafted website may lead to an
| unexpected application termination or arbitrary code execution
| Description: A memory corruption issue exists in WebKit's handling
| of invalid color strings in CSS. Visiting a maliciously crafted
| website may lead to an unexpected application termination or
| arbitrary code execution. This update addresses the issue through
| improved handling of color strings. Credit to Thomas Raffetseder of
| the International Secure Systems Lab for reporting this issue.
|
| WebKit
| CVE-ID: CVE-2008-3632
| Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact: Visiting a maliciously crafted website may lead to an
| unexpected application termination or arbitrary code execution
| Description: A use-after-free issue exists in WebKit's handling of
| '@import' statements within Cascading Style Sheets. Visiting a
| maliciously crafted website may lead to an unexpected application
| termination or arbitrary code execution. This update addresses the
| issue through improved handling of style sheets. Credit to Dean
| McNamee of Google Inc. for reporting this issue.
|
| WebKit
| CVE-ID: CVE-2008-4231
| Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact: Visiting a maliciously crafted website may lead to an
| unexpected application termination or arbitrary code execution
| Description: An uninitialized memory access issue exists in WebKit's
| handling of HTML tables. Visiting a maliciously crafted website may
| lead to an unexpected application termination or arbitrary code
| execution. This update addresses the issue through proper
| initialization of the internal representation of HTML tables. Credit
| to Haifei Li of Fortinet's FortiGuard Global Security Research Team
| for reporting this issue.
|
| WebKit
| CVE-ID: CVE-2009-1681
| Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact: Interacting with a maliciously crafted website may result in
| unexpected actions on other sites
| Description: A design issue exists in the same-origin policy
| mechanism used to limit interactions between websites. This policy
| allows websites to load pages from third-party websites into a
| subframe. This frame may be positioned to entice the user to click a
| particular element within the frame, an attack referred to as
| "clickjacking". A maliciously crafted website may be able to
| manipulate a user into taking an unexpected action, such as
| initiating a purchase. This update addresses the issue through
| adoption of the industry-standard 'X-Frame-Options' extension header,
| that allows individual web pages to opt out of being displayed within
| a subframe.
|
| WebKit
| CVE-ID: CVE-2009-1684
| Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact: Visiting a maliciously crafted website may result in cross-site
| scripting
| Description: A cross-site scripting issue exists in the separation
| of JavaScript contexts. A maliciously crafted web page may use an
| event handler to execute a script in the security context of the next
| web page that is loaded in its window or frame. This update addresses
| the issue by ensuring that event handlers are not able to directly
| affect an in-progress page transition. Credit to Michal Zalewski of
| Google Inc. for reporting this issue.
|
| WebKit
| CVE-ID: CVE-2009-1685
| Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact: Visiting a maliciously crafted website may result in cross-site
| scripting
| Description: A cross-site scripting issue exists in the separation
| of JavaScript contexts. By enticing a user to visit a maliciously
| crafted web page, the attacker may overwrite the
| 'document.implementation' of an embedded or parent document served
| from a different security zone. This update addresses the issue by
| ensuring that changes to 'document.implementation' do not affect
| other documents. Credit to Dean McNamee of Google Inc. for reporting
| this issue.
|
| WebKit
| CVE-ID: CVE-2009-1686
| Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact: Visiting a maliciously crafted website may lead to arbitrary
| code execution
| Description: A type conversion issue exists in WebKit's JavaScript
| exception handling. When an attempt is made to assign the exception
| to a variable that is declared as a constant, an object is cast to an
| invalid type, causing memory corruption. Visiting a maliciously
| crafted website may lead to an unexpected application termination or
| arbitrary code execution. This update addresses the issue by ensuring
| that assignment in a const declaration writes to the variable object.
| Credit to Jesse Ruderman of Mozilla Corporation for reporting this
| issue.
|
| WebKit
| CVE-ID: CVE-2009-1687
| Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact: Visiting a maliciously crafted website may lead to an
| unexpected application termination or arbitrary code execution
| Description: A memory corruption issue exists in WebKit's JavaScript
| garbage collector. If an allocation fails, a memory write to an
| offset of a NULL pointer may result, leading to an unexpected
| application termination or arbitrary code execution. This update
| addresses the issue by checking for allocation failure. Credit to
| SkyLined of Google Inc. for reporting this issue.
|
| WebKit
| CVE-ID: CVE-2009-1688
| Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact: Visiting a maliciously crafted website may result in cross-site
| scripting
| Description: WebKit does not use the HTML 5 standard method to
| determine the security context associated with a given script. An
| implementation issue in WebKit's method may result in a cross-site
| scripting attack under certain conditions. This update addresses the
| issue by using the standards-compliant method to determine the
| security context associated with a script. Credit to Adam Barth of UC
| Berkeley, and Collin Jackson of Stanford University for reporting
| this issue.
|
| WebKit
| CVE-ID: CVE-2009-1689
| Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact: Visiting a maliciously crafted website may result in a
| cross-site scripting attack
| Description: A cross-site scripting issue exists in WebKit. A
| maliciously crafted website containing a form submitted to
| 'about:blank' may synchronously replace the document's security
| context, allowing currently-executing scripts to run in the new
| security context. This update addresses the issue through improved
| handling of cross-site interaction with form submission. Credit to
| Adam Barth of UC Berkeley, and Collin Jackson of Stanford University
| for reporting this issue.
|
| Webkit
| CVE-ID: CVE-2009-1690
| Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact: Visiting a maliciously crafted website may result in an
| unexpected application termination or arbitrary code execution
| Description: A memory corruption issue exists in WebKit's handling
| of recursion in certain DOM event handlers. Visiting a maliciously
| crafted website may lead to an unexpected application termination or
| arbitrary code execution. This update addresses the issue through
| improved memory management. Credit to SkyLined of Google Inc, and
| wushi & ling of team509 working with Verisign iDefense VCP for
| reporting this issue.
|
| WebKit
| CVE-ID: CVE-2009-1691
| Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact: Visiting a maliciously crafted website may lead to cross-site
| scripting
| Description: A cross-site scripting issue in Safari allows a
| maliciously crafted website to alter standard JavaScript prototypes
| of websites served from a different domain. By enticing a user to
| visit a maliciously crafted web page, an attacker may be able to
| alter the execution of JavaScript served from other websites. This
| update addresses the issue through improved access controls on these
| prototypes.
|
| WebKit
| CVE-ID: CVE-2009-1693
| Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact: Visiting a maliciously crafted website may disclose images
| from other sites
| Description: A cross-site image capture issue exists in WebKit. By
| using a canvas with an SVG image, a maliciously crafted website may
| load and capture an image from another website. This update addresses
| the issue by restricting the reading of canvases that have images
| loaded from other websites. Credit to Chris Evans of Google Inc. for
| reporting this issue.
|
| WebKit
| CVE-ID: CVE-2009-1694
| Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact: Visiting a maliciously crafted website may disclose images
| from other sites
| Description: A cross-site image capture issue exists in WebKit. By
| using a canvas and a redirect, a maliciously crafted website may load
| and capture an image from another website. This update addresses the
| issue through improved handling of redirects. Credit to Chris Evans
| of for reporting this issue.
|
| WebKit
| CVE-ID: CVE-2009-1695
| Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact: Visiting a maliciously crafted website may result in a
| cross-site scripting attack
| Description: An issue in WebKit allows the contents of a frame to be
| accessed by an HTML document after a page transition has taken place.
| This may allow a maliciously crafted website to perform a cross-site
| scripting attack. This update addresses the issue through an improved
| domain check. Credit to Feng Qian of Google Inc. for reporting this
| issue.
|
| WebKit
| CVE-ID: CVE-2009-1696
| Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact: Websites may surreptitiously track users
| Description: Safari generates random numbers for JavaScript
| applications using a predictable algorithm. This could allow a
| website to track a particular Safari session without using cookies,
| hidden form elements, IP addresses, or other techniques. This update
| addresses the issue by using a better random number generator. Credit
| to Amit Klein of Trusteer for reporting this issue.
|
| WebKit
| CVE-ID: CVE-2009-1697
| Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact: Visiting a maliciously crafted website may result in a
| cross-site scripting attack
| Description: A CRLF injection issue exists in the handling of
| XMLHttpRequest headers in WebKit. This may allow a maliciously
| crafted website to bypass the same-origin policy by issuing an
| XMLHttpRequest that does not contain a Host header. XMLHttpRequests
| without a Host header may reach other websites on the same server,
| and allow attacker-supplied JavaScript to interact with those sites.
| This update addresses the issue through improved handling of
| XMLHttpRequest headers. Credit to Per von Zweigbergk for reporting
| this issue.
|
| WebKit
| CVE-ID: CVE-2009-1698
| Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact: Viewing a maliciously crafted web page may lead to an
| unexpected application termination or arbitrary code execution
| Description: An uninitialized pointer issue exists in the handling
| of the CSS 'attr' function. Viewing a maliciously crafted web page
| may lead to an unexpected application termination or arbitrary code
| execution. This update addresses the issue through additional
| validation of CSS elements. Credit to Thierry Zoller working with
| TippingPoint's Zero Day Initiative, and Robert Swiecki of the Google
| Security Team for reporting this as a security issue.
|
| WebKit
| CVE-ID: CVE-2009-1699
| Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact: Visiting a maliciously crafted website may result in an
| information disclosure
| Description: An XML External Entity issue exists in WebKit's
| handling of XML. A maliciously crafted website may be able to read
| files from the user's system. This update addresses the issue by not
| loading external entities across origins. Credit to Chris Evans of
| Google Inc. for reporting this issue.
|
| WebKit
| CVE-ID: CVE-2009-1700
| Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact: Visiting a maliciously crafted website may result in the
| disclosure of sensitive information
| Description: WebKit does not properly handle redirects when
| processing Extensible Stylesheet Language Transformations (XSLT).
| This allows a maliciously crafted website to retrieve XML content
| from pages on other websites, which could result in the disclosure of
| sensitive information. This update addresses the issue by ensuring
| that documents referenced in transformations are downloaded from the
| same domain as the transformation itself. Credit to Chris Evans of
| Google for reporting this issue.
|
| WebKit
| CVE-ID: CVE-2009-1701
| Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact: Visiting a maliciously crafted website may lead to an
| unexpected application termination or arbitrary code execution
| Description: A use-after-free issue exists in WebKit's handling of
| the JavaScript DOM. Visiting a maliciously crafted website may lead
| to an unexpected application termination or arbitrary code execution.
| This update addresses the issue through improved handling of document
| elements. Credit to wushi & ling of team509 working with
| TippingPoint's Zero Day Initiative for reporting this issue.
|
| WebKit
| CVE-ID: CVE-2009-1702
| Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact: Visiting a maliciously crafted website may lead to a cross-site
| scripting attack
| Description: An issue in WebKit's handling of Location and History
| objects may result in a cross-site scripting attack when visiting a
| maliciously crafted website. This update addresses the issue through
| improved handling of Location and History objects. Credit to Adam
| Barth and Joel Weinberger of UC Berkeley for reporting this issue.
|
| WebKit
| CVE-ID: CVE-2009-1703
| Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact: Visiting a maliciously crafted website may lead to
| information disclosure
| Description: WebKit's handling of audio and video HTML elements
| allows a remote website to reference local "file:" URLs. A
| maliciously crafted website could perform file existence checking,
| which may lead to information disclosure. This update addresses the
| issue through improved handling of audio and video elements. Credit
| to Dino Dai Zovi for reporting this issue.
|
| WebKit
| CVE-ID: CVE-2009-1709
| Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact: Visiting a maliciously crafted website may lead to an
| unexpected application termination or arbitrary code execution
| Description: A use-after-free issue exists in WebKit's handling of
| SVG animation elements. Visiting a maliciously crafted website may
| lead to an unexpected application termination or arbitrary code
| execution. This update addresses the issue through improved handling
| of caches. Credit to an anonymous researcher working with
| TippingPoint's Zero Day Initiative for reporting this issue.
|
| WebKit
| CVE-ID: CVE-2009-1710
| Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact: A maliciously crafted website may spoof browser UI elements
| Description: By specifying a large and mostly transparent custom
| cursor, and adjusting the CSS3 hotspot property, a maliciously
| crafted website may spoof browser UI elements, such as the host name
| and security indicators. This update addresses the issue through
| additional restriction on custom cursors. Credit to Dean McNamee of
| Google for reporting this issue
|
| WebKit
| CVE-ID: CVE-2009-1711
| Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact: Visiting a maliciously crafted website may lead to an
| unexpected application termination or arbitrary code execution
| Description: An uninitialized memory access issue exists in WebKit's
| handling of Attr DOM objects. Visiting a maliciously crafted website
| may lead to an unexpected application termination or arbitrary code
| execution. This update addresses the issue through improved
| validation of DOM objects. Credit to Feng Qian of Google Inc. for
| reporting this issue.
|
| Webkit
| CVE-ID: CVE-2009-1712
| Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact: Visiting a maliciously crafted website may lead to
| information disclosure or arbitrary code execution
| Description: WebKit allows remote websites to load Java applets from
| the local system. Local applets may not expect to be loaded remotely
| and may allow the remote site to execute arbitrary code or otherwise
| grant unexpected privileges to the remote site. This update addresses
| the issue by preventing remote websites from loading local applets.
|
| WebKit
| CVE-ID: CVE-2009-1713
| Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact: Visiting a maliciously crafted website may result in an
| information disclosure
| Description: An information disclosure issue exists in WebKit's
| implementation of the document() function used in XSLT documents. A
| maliciously crafted website may be able to read files from other
| security zones, including the user's system. This update addresses
| the issue by preventing the loading of resources across origins.
| Credit to Chris Evans of Google for reporting this issue.
|
| WebKit
| CVE-ID: CVE-2009-1714
| Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact: Using Web Inspector on a maliciously crafted website may
| result in cross-site scripting
| Description: An issue in Web Inspector allows a page being inspected
| to run injected script with elevated privileges, including the
| ability to read the user's file system. This update addresses the
| issue by proper escaping of HTML attributes. Credit to Pengsu Cheng
| of Wuhan University for reporting this issue.
|
| WebKit
| CVE-ID: CVE-2009-1715
| Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact: Using Web Inspector on a maliciously crafted website may
| result in cross-site scripting
| Description: An issue in Web Inspector allows a page being inspected
| to run injected script with elevated privileges, including the
| ability to read the user's file system. This update addresses the
| issue by executing scripts with the privileges of the web page being
| inspected. Credit to Collin Jackson of Stanford University, and Adam
| Barth of UC Berkeley for reporting this issue.
|
| WebKit
| CVE-ID: CVE-2009-1718
| Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact: Dragging content over a maliciously crafted web page may
| lead to information disclosure
| Description: An issue exists in WebKit's handling of drag events.
| This may lead to the disclosure of sensitive information when content
| is dragged over a maliciously crafted web page. This update addresses
| the issue through improved handling of drag events. Credit to Eric
| Seidel of Google, Inc. for reporting this issue.

Please help the security team (t...@security.debian.org) figure these problems out.

[1] http://lists.apple.com/archives/security-announce/2009/jun/msg00002.html
[2] http://lists.apple.com/archives/security-announce/2009/Jun/msg00005.html
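The tag-blocklist bypass described under CVE-2006-2783, as an added example that is not code from the bug report, from Apple's advisory or from WebKit. The blocklist filter, the simplified "parser drops U+FEFF" model and the payload are all constructed here for illustration; Apple's fix was in the parser, while the hardened filter below shows the filter-side mitigation of canonicalising input the way the consumer will before matching.

```javascript
// Added example (not from the bug report, Apple's advisory or WebKit):
// a tag blocklist of the kind CVE-2006-2783 describes, and how a byte
// order mark inside a tag name slips past it when the parser ignores U+FEFF.

const BOM = "\uFEFF"; // Unicode byte order mark

// The fragile pattern the advisory describes: refuse input containing
// certain tag names. The tag list is a constructed example.
// Note: in JavaScript regexes \s matches U+FEFF, so a BOM placed directly
// after "<" would still be caught; the bypass puts it inside the name.
function naiveBlocklistFilter(html) {
  const blocked = /<\s*\/?\s*(script|iframe|object|embed)\b/i;
  return blocked.test(html) ? null : html;
}

// Simplified model of the parser behaviour the advisory describes: byte
// order marks are ignored, so they vanish before tag names are recognised.
// This is an assumption about the consumer, not WebKit's tokenizer.
function asParserSees(html) {
  return html.split(BOM).join("");
}

// Hardened filter: canonicalise the input the same way the consumer will
// (drop U+FEFF) and only then apply the blocklist, so filter and parser
// agree on what a tag name is.
function hardenedFilter(html) {
  return naiveBlocklistFilter(asParserSees(html));
}

// Constructed payload: a byte order mark splits the tag name "script".
const payload = `<scr${BOM}ipt>alert(document.cookie)</scr${BOM}ipt>`;

// Returns what each filter does with the payload and what the parser renders.
function demo() {
  const passedNaive = naiveBlocklistFilter(payload) !== null; // filter fooled
  const rendered = asParserSees(payload);                     // what the browser sees
  const blockedByHardened = hardenedFilter(payload) === null; // hardened filter refuses
  return { passedNaive, rendered, blockedByHardened };
}

console.log(JSON.stringify(demo(), null, 2));
```

The general lesson is the one the advisory's wording implies: a blocklist that matches raw bytes can only be as strict as the most lenient parser downstream of it, so either normalise to exactly what that parser will see, or parse into a tree and allowlist elements and attributes instead of pattern-matching tags.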
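The CRLF injection mechanism behind CVE-2009-1697, as an added example that is not code from the bug report, from Apple's advisory or from WebKit. The request serializer is a constructed stand-in for a client that copies header values onto the wire unchecked; that it emits the Host header before caller-supplied headers is an assumption made here, chosen so the smuggled second request lacks Host, which is the situation the advisory describes. The hardened setter applies the Fetch rules for header names and values.

```javascript
// Added example (not from the bug report, Apple's advisory or WebKit):
// how a CR/LF inside a header value splits an HTTP/1.x request, modelled
// on CVE-2009-1697. The serializer and its header order are assumptions.

const CRLF = "\r\n";

// Vulnerable serializer: header values go onto the wire verbatim.
// Assumption: Host is emitted right after the request line.
function serializeRequestUnchecked(method, path, host, headers) {
  let wire = `${method} ${path} HTTP/1.1${CRLF}Host: ${host}${CRLF}`;
  for (const [name, value] of Object.entries(headers)) {
    wire += `${name}: ${value}${CRLF}`;
  }
  return wire + CRLF; // empty line ends the header block
}

// Hardened setter, following Fetch's "header name" / "header value" rules:
// the name must be an HTTP token, the value must not contain NUL, CR or LF.
// (Modern XMLHttpRequest.setRequestHeader throws on such values.)
const TOKEN = /^[!#$%&'*+.^_`|~0-9A-Za-z-]+$/;
function setRequestHeaderChecked(headers, name, value) {
  if (!TOKEN.test(name)) {
    throw new TypeError(`invalid header name: ${JSON.stringify(name)}`);
  }
  if (/[\0\r\n]/.test(value)) {
    throw new TypeError("header value contains NUL, CR or LF");
  }
  headers[name] = value;
  return headers;
}

// How an HTTP/1.x server frames what arrives: a header block ends at the
// first empty line, so an injected blank line starts a new request.
function splitRequests(wire) {
  return wire.split(CRLF + CRLF).filter((r) => r.length > 0);
}

function hasHostHeader(request) {
  return request.split(CRLF).some((line) => /^host:/i.test(line));
}

// Constructed attacker-controlled value: closes the current header block
// and starts a second, HTTP/1.0 request that carries no Host header.
const injectedValue = `x${CRLF}${CRLF}GET /private HTTP/1.0`;

function demo() {
  const wire = serializeRequestUnchecked("GET", "/", "attacker.example", {
    "X-Custom": injectedValue,
  });
  const requests = splitRequests(wire);
  let hardenedRejected = false;
  try {
    setRequestHeaderChecked({}, "X-Custom", injectedValue);
  } catch (e) {
    hardenedRejected = e instanceof TypeError;
  }
  return {
    requestCount: requests.length,          // 2: the injection split the request
    firstHasHost: hasHostHeader(requests[0]),
    secondHasHost: hasHostHeader(requests[1]), // false: reaches the default vhost
    hardenedRejected,
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running it shows one outgoing buffer that a server parses as two requests, the second without Host; on a server hosting several virtual hosts that request is routed to the default one, which is how the advisory's "other websites on the same server" become reachable from the attacker's origin. Rejecting CR, LF and NUL at the API boundary, as the checked setter does, closes the hole regardless of how the serializer orders its headers.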
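The X-Frame-Options opt-out that the CVE-2009-1681 entry describes as the clickjacking fix, as an added example that is not code from the bug report, from Apple's advisory or from WebKit. The directive semantics follow RFC 7034; treating SAMEORIGIN as "every ancestor frame must share the page's origin" is the stricter reading and an assumption made here, and so is treating an invalid value as giving no protection. The response object and the origins are constructed.

```javascript
// Added example (not from the bug report, Apple's advisory or WebKit):
// evaluating X-Frame-Options for a frame chain, and the server-side
// header that opts a page out of being framed.

// May a page served with header value `xfoValue` from `pageOrigin` be
// displayed inside the frame chain `ancestors` (outermost first)?
// Origins are strings such as "https://bank.example".
function framingAllowed(xfoValue, pageOrigin, ancestors) {
  if (ancestors.length === 0) return true; // top-level, not framed at all
  if (xfoValue == null) return true;       // no header: nothing opts out

  const parts = xfoValue.trim().split(/\s+/);
  const directive = parts[0].toUpperCase();

  switch (directive) {
    case "DENY":
      return false;
    case "SAMEORIGIN":
      // Assumption: stricter reading, every ancestor must match.
      return ancestors.every((origin) => origin === pageOrigin);
    case "ALLOW-FROM": {
      // RFC 7034: a single origin, compared against the top-level document.
      if (parts.length < 2) return true; // malformed: treated as no protection
      return ancestors[0] === new URL(parts[1]).origin;
    }
    default:
      return true; // assumption: an unrecognised value is ignored
  }
}

// Server-side fix: every HTML response that renders state-changing UI opts
// out of framing. `response` is a constructed plain object, not a framework.
function withClickjackingProtection(response) {
  return {
    ...response,
    headers: { ...response.headers, "X-Frame-Options": "DENY" },
  };
}

// Constructed scenario: attacker.example frames bank.example's purchase page.
function demo() {
  const page = "https://bank.example";
  const attacker = "https://attacker.example";
  const unprotected = { status: 200, headers: { "Content-Type": "text/html" } };
  const hardened = withClickjackingProtection(unprotected);
  return {
    beforeFix: framingAllowed(unprotected.headers["X-Frame-Options"], page, [attacker]),
    afterFix: framingAllowed(hardened.headers["X-Frame-Options"], page, [attacker]),
    sameOriginWidget: framingAllowed("SAMEORIGIN", page, [page]),
    nestedViaAttacker: framingAllowed("SAMEORIGIN", page, [attacker, page]),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The nestedViaAttacker case is why the stricter SAMEORIGIN reading matters: if only the top-level document were checked, a bank page framed inside a bank page framed by the attacker would be allowed, so a page that must never be framed by third parties should send DENY rather than rely on SAMEORIGIN.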