PublicDateAtUSN: 2009-05-13
Candidate: CVE-2009-0945
PublicDate: 2009-05-13
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0945
http://www.zerodayinitiative.com/advisories/ZDI-09-022/
http://www.ubuntu.com/usn/usn-823-1
http://www.ubuntu.com/usn/usn-822-1
http://www.ubuntu.com/usn/usn-836-1
http://www.ubuntu.com/usn/usn-857-1
Description:
Array index error in the insertItemBefore method in WebKit, as used in
Apple Safari before 3.2.3 and 4 Public Beta, iPhone OS 1.0 through 2.2.1,
iPhone OS for iPod touch 1.1 through 2.2.1, Google Chrome Stable before
1.0.154.65, and possibly other products allows remote attackers to execute
arbitrary code via a document with a SVGPathList data structure containing
a negative index in the (1) SVGTransformList, (2) SVGStringList, (3)
SVGNumberList, (4) SVGPathSegList, (5) SVGPointList, or (6) SVGLengthList
SVGList object, which triggers memory corruption.
Ubuntu-Description:
Notes:
mdeslaur> PoC: http://bugs.gentoo.org/show_bug.cgi?id=271863
Bugs:
https://bugs.webkit.org/show_bug.cgi?id=24730 (restricted!)
http://bugs.gentoo.org/show_bug.cgi?id=271863
https://bugzilla.redhat.com/show_bug.cgi?id=506703
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=532718
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=532724
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=532725
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=534917
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=534918
Priority: medium
Discovered-by:
Assigned-to: micahg
Patches_webkit:
upstream: http://trac.webkit.org/changeset/43590
upstream: http://trac.webkit.org/changeset/43795 (revised)
upstream_webkit: needs-triage
dapper_webkit: DNE
hardy_webkit: ignored (reached end-of-life)
intrepid_webkit: released (1.0.1-2ubuntu0.2)
jaunty_webkit: released (1.0.1-4ubuntu0.1)
karmic_webkit: not-affected (1.1.12-1ubuntu1)
lucid_webkit: not-affected (1.1.12-1ubuntu1)
maverick_webkit: not-affected (1.1.12-1ubuntu1)
natty_webkit: not-affected (1.1.12-1ubuntu1)
devel_webkit: not-affected (1.1.12-1ubuntu1)
Patches_kdegraphics:
upstream: http://websvn.kde.org/?view=rev&revision=983306 (incorrectly marked as CVE-2009-1709)
vendor: http://security.debian.org/pool/updates/main/k/kdegraphics/kdegraphics_3.5.5-3etch4.diff.gz
vendor: http://release.debian.org/proposed-updates/stable_diffs/kdegraphics_3.5.9-3+lenny2.debdiff
upstream_kdegraphics: needs-triage
dapper_kdegraphics: ignored (reached end-of-life)
hardy_kdegraphics: released (4:3.5.10-0ubuntu1~hardy1.1)
intrepid_kdegraphics: not-affected (code not present)
jaunty_kdegraphics: not-affected (code not present)
karmic_kdegraphics: not-affected (code not present)
lucid_kdegraphics: not-affected (code not present)
maverick_kdegraphics: not-affected (code not present)
natty_kdegraphics: not-affected (code not present)
devel_kdegraphics: not-affected (code not present)
Patches_kdelibs:
upstream_kdelibs: not-affected (code not present)
dapper_kdelibs: not-affected (code not present)
hardy_kdelibs: not-affected (code not present)
intrepid_kdelibs: not-affected (code not present)
jaunty_kdelibs: not-affected (code not present)
karmic_kdelibs: not-affected (code not present)
lucid_kdelibs: not-affected (code not present)
maverick_kdelibs: not-affected (code not present)
natty_kdelibs: not-affected (code not present)
devel_kdelibs: not-affected (code not present)
Patches_kde4libs:
upstream: http://websvn.kde.org/?view=rev&revision=983302
upstream_kde4libs: needs-triage
dapper_kde4libs: DNE
hardy_kde4libs: not-affected (code not present)
intrepid_kde4libs: not-affected (code not present)
jaunty_kde4libs: released (4:4.2.2-0ubuntu5.1)
karmic_kde4libs: not-affected (4:4.3.0-0ubuntu6)
lucid_kde4libs: not-affected (4:4.3.0-0ubuntu6)
maverick_kde4libs: not-affected (4:4.3.0-0ubuntu6)
natty_kde4libs: not-affected (4:4.3.0-0ubuntu6)
devel_kde4libs: not-affected (4:4.3.0-0ubuntu6)
Patches_qt4-x11:
upstream: http://websvn.kde.org/?view=rev&revision=983302
upstream_qt4-x11: needs-triage
dapper_qt4-x11: not-affected (no webkit)
hardy_qt4-x11: not-affected (no webkit)
intrepid_qt4-x11: released (4.4.3-0ubuntu1.4)
jaunty_qt4-x11: released (4.5.0-0ubuntu4.3)
karmic_qt4-x11: not-affected (4.5.2-0ubuntu5)
lucid_qt4-x11: not-affected (4.5.2-0ubuntu5)
maverick_qt4-x11: not-affected (4.5.2-0ubuntu5)
natty_qt4-x11: not-affected (4.5.2-0ubuntu5)
devel_qt4-x11: not-affected (4.5.2-0ubuntu5)