Michael Gilbert wrote:
> Package: kde4libs
> Version: 4:4.3.4-1
> Severity: serious
> Tags: security
> 
> Hi,
> 
> The following CVE (Common Vulnerabilities & Exposures) ids were
> published for webkit.  webkit was forked from khtml, so these
> issues very likely apply to this package as well.  Since there are so
> many problems, I have not had time to check whether the vulnerable code
> is present or has an impact. Please check this and keep either myself
> or the security team informed of the affected/not-affected issues.
> Thank you very much for looking into this.

My checks were made against the version in experimental, since the
upload of 4.4 is mostly blocked by ongoing transitions and Squeeze
will provide KDE 4.4.
 
> CVE-2006-2783[0]:
> | Mozilla Firefox and Thunderbird before 1.5.0.4 strip the Unicode
> | Byte-order-Mark (BOM) from a UTF-8 page before the page is passed to
> | the parser, which allows remote attackers to conduct cross-site
> | scripting (XSS) attacks via a BOM sequence in the middle of a
> | dangerous tag such as SCRIPT.

This one is a bit unclear, but doesn't seem to affect kde4libs.
 
> CVE-2008-0298[1]:
> | KHTML WebKit as used in Apple Safari 2.x allows remote attackers to
> | cause a denial of service (browser crash) via a crafted web page,
> | possibly involving a STYLE attribute of a DIV element.

Browser crashes without code injection are not treated as security issues,
so I didn't check.
 
> CVE-2008-1588[2]:
> | Safari on Apple iPhone before 2.0 and iPod touch before 2.0 allows
> | remote attackers to spoof the address bar via Unicode ideographic
> | spaces in the URL.

This one is Mac OS X-specific.
 
> CVE-2008-2307[3]:
> | Unspecified vulnerability in WebKit in Apple Safari before 3.1.2, as
> | distributed in Mac OS X before 10.5.4, and standalone for Windows and
> | Mac OS X 10.4, allows remote attackers to cause a denial of service
> | (application crash) or execute arbitrary code via vectors involving
> | JavaScript arrays that trigger memory corruption.

This is apparently unfixed in 4.4.1; I'll report it to secur...@kde.org.
 
> CVE-2008-2320[4]:
> | Stack-based buffer overflow in CarbonCore in Apple Mac OS X 10.4.11
> | and 10.5.4, iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch
> | 1.1 through 2.2.1 allows context-dependent attackers to execute
> | arbitrary code or cause a denial of service (application crash) via a
> | long filename to the file management API.

This doesn't affect webkit at all.
 
> CVE-2008-3632[5]:
> | Use-after-free vulnerability in WebKit in Apple iPod touch 1.1 through
> | 2.0.2, and iPhone 1.0 through 2.0.2, allows remote attackers to
> | execute arbitrary code or cause a denial of service (application
> | crash) via a web page with crafted Cascading Style Sheets (CSS) import
> | statements.

This doesn't affect kde4libs.
 
> CVE-2008-4231[6]:
> | Safari in Apple iPhone OS 1.0 through 2.1 and iPhone OS for iPod touch
> | 1.1 through 2.1 does not properly handle HTML TABLE elements, which
> | allows remote attackers to execute arbitrary code or cause a denial of
> | service (memory corruption and application crash) via a crafted HTML
> | document.

This doesn't affect webkit or kdelibs.

> CVE-2008-4724[7]:
> | Multiple cross-site scripting (XSS) vulnerabilities in Google Chrome
> | 0.2.149.30 allow remote attackers to inject arbitrary web script or
> | HTML via an ftp:// URL for an HTML document within a (1) JPG, (2) PDF,
> | or (3) TXT file.  NOTE: the provenance of this information is unknown;
> | the details are obtained solely from third party information.

This doesn't affect kde4libs.
 
> CVE-2009-1681[8]:
> | WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1, and
> | iPhone OS for iPod touch 1.1 through 2.2.1 does not prevent web sites
> | from loading third-party content into a subframe, which allows remote
> | attackers to bypass the Same Origin Policy and conduct "clickjacking"
> | attacks via a crafted HTML document.

I'm unsure about this; it might be fixed differently. I'll contact
secur...@kde.org.
 
> CVE-2009-1684[9]:
> | Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari
> | before 4.0, iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch
> | 1.1 through 2.2.1 allows remote attackers to inject arbitrary web
> | script or HTML via an event handler that triggers script execution in
> | the context of the next loaded document.

This doesn't affect kde4libs.
 
> CVE-2009-1685[10]:
> | Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari
> | before 4.0, iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch
> | 1.1 through 2.2.1 allows remote attackers to inject arbitrary web
> | script or HTML by overwriting the document.implementation property of
> | (1) an embedded document or (2) a parent document.

This is apparently unfixed in 4.4.1; I'll report it to secur...@kde.org.
 
> CVE-2009-1686[11]:
> | WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1, and
> | iPhone OS for iPod touch 1.1 through 2.2.1 does not properly handle
> | constant (aka const) declarations in a type-conversion operation
> | during JavaScript exception handling, which allows remote attackers to
> | execute arbitrary code or cause a denial of service (memory corruption
> | and application crash) via a crafted HTML document.

This doesn't affect kde4libs.
 
> CVE-2009-1688[12]:
> | Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari
> | before 4.0, iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch
> | 1.1 through 2.2.1 allows remote attackers to inject arbitrary web
> | script or HTML via vectors related to determining a security context
> | through an approach that is not the "HTML 5 standard method."

This doesn't affect kde4libs.
 
> CVE-2009-1689[13]:
> | Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari
> | before 4.0, iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch
> | 1.1 through 2.2.1 allows remote attackers to inject arbitrary web
> | script or HTML via vectors involving submission of a form to the
> | about:blank URL, leading to security-context replacement.

This doesn't affect kde4libs.
 
> CVE-2009-1691[14]:
> | Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari
> | before 4.0, iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch
> | 1.1 through 2.2.1 allows remote attackers to inject arbitrary web
> | script or HTML via vectors related to insufficient access control for
> | standard JavaScript prototypes in other domains.

This doesn't affect kde4libs.
 
> CVE-2009-1692[15]:
> | WebKit before r41741, as used in Apple iPhone OS 1.0 through 2.2.1,
> | iPhone OS for iPod touch 1.1 through 2.2.1, Safari, and other
> | software, allows remote attackers to cause a denial of service (memory
> | consumption or device reset) via a web page containing an
> | HTMLSelectElement object with a large length attribute, related to the
> | length property of a Select object.

Browser crashes without code injection are not treated as security issues,
so I didn't check.
 
> CVE-2009-1693[16]:
> | WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1, and
> | iPhone OS for iPod touch 1.1 through 2.2.1 allows remote attackers to
> | read images from arbitrary web sites via a CANVAS element with an SVG
> | image, related to a "cross-site image capture issue."

This doesn't affect kde4libs.

> CVE-2009-1694[17]:
> | WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1, and
> | iPhone OS for iPod touch 1.1 through 2.2.1 does not properly handle
> | redirects, which allows remote attackers to read images from arbitrary
> | web sites via vectors involving a CANVAS element and redirection,
> | related to a "cross-site image capture issue."

This doesn't affect kde4libs.

> CVE-2009-1695[18]:
> | Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari
> | before 4.0, iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch
> | 1.1 through 2.2.1 allows remote attackers to inject arbitrary web
> | script or HTML via vectors involving access to frame contents after
> | completion of a page transition.

This doesn't affect kde4libs.

> CVE-2009-1696[19]:
> | WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1, and
> | iPhone OS for iPod touch 1.1 through 2.2.1 uses predictable random
> | numbers in JavaScript applications, which makes it easier for remote
> | web servers to track the behavior of a Safari user during a session.

This doesn't affect kde4libs.

> CVE-2009-1697[20]:
> | CRLF injection vulnerability in WebKit in Apple Safari before 4.0,
> | iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch 1.1 through
> | 2.2.1 allows remote attackers to inject HTTP headers and bypass the
> | Same Origin Policy via a crafted HTML document, related to cross-site
> | scripting (XSS) attacks that depend on communication with arbitrary
> | web sites on the same server through use of XMLHttpRequest without a
> | Host header.

This doesn't affect kde4libs.

> CVE-2009-1699[21]:
> | The XSL stylesheet implementation in WebKit in Apple Safari before
> | 4.0, iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch 1.1
> | through 2.2.1 does not properly handle XML external entities, which
> | allows remote attackers to read arbitrary files via a crafted DTD, as
> | demonstrated by a file:///etc/passwd URL in an entity declaration,
> | related to an "XXE attack."

This doesn't affect kde4libs.

> CVE-2009-1700[22]:
> | The XSLT implementation in WebKit in Apple Safari before 4.0, iPhone
> | OS 1.0 through 2.2.1, and iPhone OS for iPod touch 1.1 through 2.2.1
> | does not properly handle redirects, which allows remote attackers to
> | read XML content from arbitrary web pages via a crafted document.

This doesn't affect kde4libs.

> CVE-2009-1701[23]:
> | Use-after-free vulnerability in the JavaScript DOM implementation in
> | WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1, and
> | iPhone OS for iPod touch 1.1 through 2.2.1 allows remote attackers to
> | execute arbitrary code or cause a denial of service (application
> | crash) by destroying a document.body element that has an unspecified
> | XML container with elements that support the dir attribute.

This might be unfixed in 4.4.1, but the code is quite different; I'll
report it to secur...@kde.org.
 
> CVE-2009-1702[24]:
> | Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari
> | before 4.0, iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch
> | 1.1 through 2.2.1 allows remote attackers to inject arbitrary web
> | script or HTML via vectors related to improper handling of Location
> | and History objects.

This doesn't affect kde4libs.

> CVE-2009-1703[25]:
> | WebKit in Apple Safari before 4.0 does not prevent references to file:
> | URLs within (1) audio and (2) video elements, which allows remote
> | attackers to determine the existence of arbitrary files via a crafted
> | HTML document.

This doesn't affect kde4libs (and even if it did, the impact would be negligible).

> CVE-2009-1710[26]:
> | WebKit in Apple Safari before 4.0 allows remote attackers to spoof the
> | browser's display of (1) the host name, (2) security indicators, and
> | unspecified other UI elements via a custom cursor in conjunction with
> | a modified CSS3 hotspot property.

This doesn't affect kde4libs.

> CVE-2009-1711[27]:
> | WebKit in Apple Safari before 4.0 does not properly initialize memory
> | for Attr DOM objects, which allows remote attackers to execute
> | arbitrary code or cause a denial of service (application crash) via a
> | crafted HTML document.

This might be unfixed in 4.4.1, but the code is quite different; I'll
report it to secur...@kde.org.
 
> CVE-2009-1712[28]:
> | WebKit in Apple Safari before 4.0 does not prevent remote loading of
> | local Java applets, which allows remote attackers to execute arbitrary
> | code, gain privileges, or obtain sensitive information via an APPLET
> | or OBJECT element.

This doesn't affect kde4libs.

> CVE-2009-1713[29]:
> | The XSLT functionality in WebKit in Apple Safari before 4.0 does not
> | properly implement the document function, which allows remote
> | attackers to read (1) arbitrary local files and (2) files from
> | different security zones via unspecified vectors.

This doesn't affect kde4libs.

> CVE-2009-1714[30]:
> | Cross-site scripting (XSS) vulnerability in Web Inspector in WebKit in
> | Apple Safari before 4.0 allows user-assisted remote attackers to
> | inject arbitrary web script or HTML, and read local files, via vectors
> | related to the improper escaping of HTML attributes.

This doesn't affect kde4libs.

> CVE-2009-1715[31]:
> | Cross-site scripting (XSS) vulnerability in Web Inspector in WebKit in
> | Apple Safari before 4.0 allows user-assisted remote attackers to
> | inject arbitrary web script or HTML, and read local files, via vectors
> | related to script execution with incorrect privileges.

This doesn't affect kde4libs.

> CVE-2009-1718[32]:
> | WebKit in Apple Safari before 4.0 allows user-assisted remote
> | attackers to obtain sensitive information via vectors involving drag
> | events and the dragging of content over a crafted web page.

This doesn't affect kde4libs.

> CVE-2009-1724[33]:
> | Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari
> | before 4.0.2, as used on iPhone OS before 3.1, iPhone OS before 3.1.1
> | for iPod touch, and other platforms, allows remote attackers to inject
> | arbitrary web script or HTML via vectors related to parent and top
> | objects.

This doesn't affect kde4libs.

> CVE-2009-2195[34]:
> | Buffer overflow in WebKit in Apple Safari before 4.0.3 allows remote
> | attackers to execute arbitrary code or cause a denial of service
> | (application crash) via crafted floating-point numbers.

This doesn't affect kde4libs.

> CVE-2009-2419[35]:
> | Use-after-free vulnerability in the servePendingRequests function in
> | WebCore in WebKit in Apple Safari 4.0 and 4.0.1 allows remote
> | attackers to cause a denial of service (application crash) or possibly
> | execute arbitrary code via a crafted HTML document that references a
> | zero-length .js file and the JavaScript reload function.  NOTE: some of
> | these details are obtained from third party information.

This doesn't affect kde4libs.

> CVE-2009-2797[36]:
> | The WebKit component in Safari in Apple iPhone OS before 3.1, and
> | iPhone OS before 3.1.1 for iPod touch, does not remove usernames and
> | passwords from URLs sent in Referer headers, which allows remote
> | attackers to obtain sensitive information by reading Referer logs on a
> | web server.

This doesn't affect kde4libs.
 
> CVE-2009-2816[37]:
> | The implementation of Cross-Origin Resource Sharing (CORS) in WebKit,
> | as used in Apple Safari before 4.0.4 and Google Chrome before
> | 3.0.195.33, includes certain custom HTTP headers in the OPTIONS
> | request during cross-origin operations with preflight, which makes it
> | easier for remote attackers to conduct cross-site request forgery
> | (CSRF) attacks via a crafted web page.

This doesn't affect kde4libs.

> CVE-2009-2841
> | WebKit in Apple Safari before 4.0.4 on Mac OS X does not perform the
> | expected callbacks for HTML 5 media elements that have external URLs
> | for media resources, which allows remote attackers to trigger requests
> | to arbitrary web sites via a crafted HTML document, as demonstrated by
> | an HTML e-mail message that uses a media element for
> | X-Confirm-Reading-To functionality.

This might be unfixed in 4.4.1, but the code is quite different; I'll
report it to secur...@kde.org.
 
> CVE-2009-2953[39]:
> | Mozilla Firefox 3.0.6 through 3.0.13, and 3.5.x, allows remote
> | attackers to cause a denial of service (CPU consumption) via
> | JavaScript code with a long string value for the hash property (aka
> | location.hash), a related issue to CVE-2008-5715.

Browser crashes without code injection are not treated as security issues,
so I didn't check.

> CVE-2009-3384[40]:
> | Multiple unspecified vulnerabilities in WebKit in Apple Safari before
> | 4.0.4 on Windows allow remote FTP servers to execute arbitrary code,
> | cause a denial of service (application crash), or obtain sensitive
> | information via a crafted directory listing in a reply.

This is Windows-specific.

I'll report CVE-2008-2307, CVE-2009-1681, CVE-2009-1685, CVE-2009-1701,
CVE-2009-1711 and CVE-2009-2841 upstream.

Cheers,
        Moritz
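As an added illustration of the one item above that is called "a bit unclear" (CVE-2006-2783), the following stand-alone JavaScript is not part of the bug report and not code from KDE or WebKit. It models the parser behaviour the CVE text describes: a browser that deletes U+FEFF (the UTF-8 BOM) from anywhere in a page before tokenising turns "<scr\uFEFFipt>" into "<script>", while a filter that inspects the raw text sees no script tag at all. The tiny tag-name extractor and the upstream filter are assumptions of this example, standing in for a real HTML tokenizer and a real sanitizer.

```javascript
// Added example, not code from the bug report, KDE or WebKit. It models the
// parser behaviour described in CVE-2006-2783: if a browser strips U+FEFF
// (the UTF-8 BOM) from *anywhere* in a page before tokenising, an attacker
// can write "<scr\uFEFFipt>" so that a filter looking at the raw text sees
// no <script> tag, while the browser ends up executing one.
//
// tagNames() is a deliberately tiny stand-in for an HTML tokenizer (an
// assumption of this example): it returns the lower-cased name of every
// start tag. Per the HTML tokenizer rules, a tag name runs until tab, LF,
// FF, space, "/" or ">", so an interior U+FEFF stays inside the name.

const BOM = "\uFEFF";

function tagNames(html) {
  const names = [];
  const re = /<([A-Za-z][^\t\n\f \/>]*)/g;
  let m;
  while ((m = re.exec(html)) !== null) {
    names.push(m[1].toLowerCase());
  }
  return names;
}

// A hypothetical upstream filter (e.g. a sanitizer in front of the browser)
// that rejects documents containing a <script> start tag in the raw text.
function filterAllows(html) {
  return !tagNames(html).includes("script");
}

// Vulnerable order of operations: delete every BOM, then tokenise.
function parseStrippingAllBoms(html) {
  return tagNames(html.split(BOM).join(""));
}

// Correct order of operations: only a *leading* U+FEFF is a byte-order
// mark; anything later is ordinary character data and must reach the
// tokenizer unchanged.
function parseStrippingLeadingBom(html) {
  const body = html.startsWith(BOM) ? html.slice(1) : html;
  return tagNames(body);
}

// Runs a constructed payload through both pipelines and reports what each sees.
function demo() {
  // Constructed payload: the BOM sits inside the tag name.
  const payload = `<div>hello</div><scr${BOM}ipt>alert(1)</scr${BOM}ipt>`;
  return {
    filterAllows: filterAllows(payload),        // true: filter sees "scr\uFEFFipt"
    vulnerable: parseStrippingAllBoms(payload), // ["div", "script"]
    fixed: parseStrippingLeadingBom(payload),   // ["div", "scr\uFEFFipt"]
  };
}

console.log(demo());
```

The point for triage is the disagreement between two consumers of the same bytes: the filter tokenises the raw text and finds nothing dangerous, the vulnerable browser normalises the text first and then finds a script element. Any engine whose BOM handling is limited to the first code point of the document, as in parseStrippingLeadingBom(), does not have this problem.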
