On Mon, Sep 22, 2008 at 05:51:02PM +1000, Steffen Joeris wrote:
> Package: webkit
> Severity: grave
> Tags: security, patch
> Justification: user security hole
>
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) IDs were
> published for webkit.
>
> CVE-2008-3950[0]:
> | Off-by-one error in the
> | _web_drawInRect:withFont:ellipsis:alignment:measureOnly function in
> | WebKit in Safari in Apple iPhone 1.1.4 and 2.0 and iPod touch 1.1.4
> | and 2.0 allows remote attackers to cause a denial of service (browser
> | crash) via a JavaScript alert call with an argument that lacks
> | breakable characters and has a length that is a multiple of the memory
> | page size, leading to an out-of-bounds read.
>
> CVE-2008-3632[1]:
> | Use-after-free vulnerability in WebKit in Apple iPod touch 1.1 through
> | 2.0.2, and iPhone 1.0 through 2.0.2, allows remote attackers to
> | execute arbitrary code or cause a denial of service (application
> | crash) via a web page with crafted Cascading Style Sheets (CSS) import
> | statements.
>
> If you fix the vulnerabilities please also make sure to include the
> CVE IDs in your changelog entry.
>
> Please don't get confused by the very Apple-centric descriptions, it affects
> webkit.
> A fix for CVE-2008-3632 can be found here[2]. I am not sure about
> CVE-2008-3950 and it might not affect the webkit package (I couldn't even
> find the function mentioned), but I thought I'd mention it as well, in case
> you have more information.
It's also strange, as _web_drawInRect:withFont:ellipsis:alignment:measureOnly doesn't sound remotely related to the JavaScript alert() call.

Mike

