Package: kde4libs; Maintainer for kde4libs is Debian/Kubuntu Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>;
Reported by: Michael Gilbert <michael.s.gilbert@gmail.com>
Date: Sun, 20 Dec 2009 04:51:04 UTC
Severity: important
Tags: security
Found in versions 4:4.3.4-1, 4:4.3.2-2
Fixed in version 4:4.6.2-1
Done: Moritz Muehlenhoff <jmm@inutil.org>
Bug is archived. No further changes may be made.
Report forwarded
to debian-bugs-dist@lists.debian.org, Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>:
Bug#561762; Package kde4libs.
(Sun, 20 Dec 2009 04:51:07 GMT).
Acknowledgement sent
to Michael Gilbert <michael.s.gilbert@gmail.com>:
New Bug report received and forwarded. Copy sent to Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>.
(Sun, 20 Dec 2009 04:51:07 GMT).
Message #5 received at submit@bugs.debian.org:
Package: kde4libs
Version: 4:4.3.4-1
Severity: serious
Tags: security
Hi,
The following CVE (Common Vulnerabilities & Exposures) ids were
published for webkit. webkit was forked from khtml, so these
issues very likely apply to this package as well. Since there are so
many problems, I have not had time to check whether the vulnerable code
is present or has an impact. Please check this and keep either myself
or the security team informed of the affected/not-affected issues.
Thank you very much for looking into this.
CVE-2006-2783[0]:
| Mozilla Firefox and Thunderbird before 1.5.0.4 strip the Unicode
| Byte-order-Mark (BOM) from a UTF-8 page before the page is passed to
| the parser, which allows remote attackers to conduct cross-site
| scripting (XSS) attacks via a BOM sequence in the middle of a
| dangerous tag such as SCRIPT.
CVE-2008-0298[1]:
| KHTML WebKit as used in Apple Safari 2.x allows remote attackers to
| cause a denial of service (browser crash) via a crafted web page,
| possibly involving a STYLE attribute of a DIV element.
CVE-2008-1588[2]:
| Safari on Apple iPhone before 2.0 and iPod touch before 2.0 allows
| remote attackers to spoof the address bar via Unicode ideographic
| spaces in the URL.
CVE-2008-2307[3]:
| Unspecified vulnerability in WebKit in Apple Safari before 3.1.2, as
| distributed in Mac OS X before 10.5.4, and standalone for Windows and
| Mac OS X 10.4, allows remote attackers to cause a denial of service
| (application crash) or execute arbitrary code via vectors involving
| JavaScript arrays that trigger memory corruption.
CVE-2008-2320[4]:
| Stack-based buffer overflow in CarbonCore in Apple Mac OS X 10.4.11
| and 10.5.4, iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch
| 1.1 through 2.2.1 allows context-dependent attackers to execute
| arbitrary code or cause a denial of service (application crash) via a
| long filename to the file management API.
CVE-2008-3632[5]:
| Use-after-free vulnerability in WebKit in Apple iPod touch 1.1 through
| 2.0.2, and iPhone 1.0 through 2.0.2, allows remote attackers to
| execute arbitrary code or cause a denial of service (application
| crash) via a web page with crafted Cascading Style Sheets (CSS) import
| statements.
CVE-2008-4231[6]:
| Safari in Apple iPhone OS 1.0 through 2.1 and iPhone OS for iPod touch
| 1.1 through 2.1 does not properly handle HTML TABLE elements, which
| allows remote attackers to execute arbitrary code or cause a denial of
| service (memory corruption and application crash) via a crafted HTML
| document.
CVE-2008-4724[7]:
| Multiple cross-site scripting (XSS) vulnerabilities in Google Chrome
| 0.2.149.30 allow remote attackers to inject arbitrary web script or
| HTML via an ftp:// URL for an HTML document within a (1) JPG, (2) PDF,
| or (3) TXT file. NOTE: the provenance of this information is unknown;
| the details are obtained solely from third party information.
CVE-2009-1681[8]:
| WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1, and
| iPhone OS for iPod touch 1.1 through 2.2.1 does not prevent web sites
| from loading third-party content into a subframe, which allows remote
| attackers to bypass the Same Origin Policy and conduct "clickjacking"
| attacks via a crafted HTML document.
CVE-2009-1684[9]:
| Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari
| before 4.0, iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch
| 1.1 through 2.2.1 allows remote attackers to inject arbitrary web
| script or HTML via an event handler that triggers script execution in
| the context of the next loaded document.
CVE-2009-1685[10]:
| Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari
| before 4.0, iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch
| 1.1 through 2.2.1 allows remote attackers to inject arbitrary web
| script or HTML by overwriting the document.implementation property of
| (1) an embedded document or (2) a parent document.
CVE-2009-1686[11]:
| WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1, and
| iPhone OS for iPod touch 1.1 through 2.2.1 does not properly handle
| constant (aka const) declarations in a type-conversion operation
| during JavaScript exception handling, which allows remote attackers to
| execute arbitrary code or cause a denial of service (memory corruption
| and application crash) via a crafted HTML document.
CVE-2009-1688[12]:
| Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari
| before 4.0, iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch
| 1.1 through 2.2.1 allows remote attackers to inject arbitrary web
| script or HTML via vectors related to determining a security context
| through an approach that is not the "HTML 5 standard method."
CVE-2009-1689[13]:
| Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari
| before 4.0, iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch
| 1.1 through 2.2.1 allows remote attackers to inject arbitrary web
| script or HTML via vectors involving submission of a form to the
| about:blank URL, leading to security-context replacement.
CVE-2009-1691[14]:
| Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari
| before 4.0, iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch
| 1.1 through 2.2.1 allows remote attackers to inject arbitrary web
| script or HTML via vectors related to insufficient access control for
| standard JavaScript prototypes in other domains.
CVE-2009-1692[15]:
| WebKit before r41741, as used in Apple iPhone OS 1.0 through 2.2.1,
| iPhone OS for iPod touch 1.1 through 2.2.1, Safari, and other
| software, allows remote attackers to cause a denial of service (memory
| consumption or device reset) via a web page containing an
| HTMLSelectElement object with a large length attribute, related to the
| length property of a Select object.
CVE-2009-1693[16]:
| WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1, and
| iPhone OS for iPod touch 1.1 through 2.2.1 allows remote attackers to
| read images from arbitrary web sites via a CANVAS element with an SVG
| image, related to a "cross-site image capture issue."
CVE-2009-1694[17]:
| WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1, and
| iPhone OS for iPod touch 1.1 through 2.2.1 does not properly handle
| redirects, which allows remote attackers to read images from arbitrary
| web sites via vectors involving a CANVAS element and redirection,
| related to a "cross-site image capture issue."
CVE-2009-1695[18]:
| Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari
| before 4.0, iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch
| 1.1 through 2.2.1 allows remote attackers to inject arbitrary web
| script or HTML via vectors involving access to frame contents after
| completion of a page transition.
CVE-2009-1696[19]:
| WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1, and
| iPhone OS for iPod touch 1.1 through 2.2.1 uses predictable random
| numbers in JavaScript applications, which makes it easier for remote
| web servers to track the behavior of a Safari user during a session.
CVE-2009-1697[20]:
| CRLF injection vulnerability in WebKit in Apple Safari before 4.0,
| iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch 1.1 through
| 2.2.1 allows remote attackers to inject HTTP headers and bypass the
| Same Origin Policy via a crafted HTML document, related to cross-site
| scripting (XSS) attacks that depend on communication with arbitrary
| web sites on the same server through use of XMLHttpRequest without a
| Host header.
CVE-2009-1699[21]:
| The XSL stylesheet implementation in WebKit in Apple Safari before
| 4.0, iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch 1.1
| through 2.2.1 does not properly handle XML external entities, which
| allows remote attackers to read arbitrary files via a crafted DTD, as
| demonstrated by a file:///etc/passwd URL in an entity declaration,
| related to an "XXE attack."
CVE-2009-1700[22]:
| The XSLT implementation in WebKit in Apple Safari before 4.0, iPhone
| OS 1.0 through 2.2.1, and iPhone OS for iPod touch 1.1 through 2.2.1
| does not properly handle redirects, which allows remote attackers to
| read XML content from arbitrary web pages via a crafted document.
CVE-2009-1701[23]:
| Use-after-free vulnerability in the JavaScript DOM implementation in
| WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1, and
| iPhone OS for iPod touch 1.1 through 2.2.1 allows remote attackers to
| execute arbitrary code or cause a denial of service (application
| crash) by destroying a document.body element that has an unspecified
| XML container with elements that support the dir attribute.
CVE-2009-1702[24]:
| Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari
| before 4.0, iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch
| 1.1 through 2.2.1 allows remote attackers to inject arbitrary web
| script or HTML via vectors related to improper handling of Location
| and History objects.
CVE-2009-1703[25]:
| WebKit in Apple Safari before 4.0 does not prevent references to file:
| URLs within (1) audio and (2) video elements, which allows remote
| attackers to determine the existence of arbitrary files via a crafted
| HTML document.
CVE-2009-1710[26]:
| WebKit in Apple Safari before 4.0 allows remote attackers to spoof the
| browser's display of (1) the host name, (2) security indicators, and
| unspecified other UI elements via a custom cursor in conjunction with
| a modified CSS3 hotspot property.
CVE-2009-1711[27]:
| WebKit in Apple Safari before 4.0 does not properly initialize memory
| for Attr DOM objects, which allows remote attackers to execute
| arbitrary code or cause a denial of service (application crash) via a
| crafted HTML document.
CVE-2009-1712[28]:
| WebKit in Apple Safari before 4.0 does not prevent remote loading of
| local Java applets, which allows remote attackers to execute arbitrary
| code, gain privileges, or obtain sensitive information via an APPLET
| or OBJECT element.
CVE-2009-1713[29]:
| The XSLT functionality in WebKit in Apple Safari before 4.0 does not
| properly implement the document function, which allows remote
| attackers to read (1) arbitrary local files and (2) files from
| different security zones via unspecified vectors.
CVE-2009-1714[30]:
| Cross-site scripting (XSS) vulnerability in Web Inspector in WebKit in
| Apple Safari before 4.0 allows user-assisted remote attackers to
| inject arbitrary web script or HTML, and read local files, via vectors
| related to the improper escaping of HTML attributes.
CVE-2009-1715[31]:
| Cross-site scripting (XSS) vulnerability in Web Inspector in WebKit in
| Apple Safari before 4.0 allows user-assisted remote attackers to
| inject arbitrary web script or HTML, and read local files, via vectors
| related to script execution with incorrect privileges.
CVE-2009-1718[32]:
| WebKit in Apple Safari before 4.0 allows user-assisted remote
| attackers to obtain sensitive information via vectors involving drag
| events and the dragging of content over a crafted web page.
CVE-2009-1724[33]:
| Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari
| before 4.0.2, as used on iPhone OS before 3.1, iPhone OS before 3.1.1
| for iPod touch, and other platforms, allows remote attackers to inject
| arbitrary web script or HTML via vectors related to parent and top
| objects.
CVE-2009-2195[34]:
| Buffer overflow in WebKit in Apple Safari before 4.0.3 allows remote
| attackers to execute arbitrary code or cause a denial of service
| (application crash) via crafted floating-point numbers.
CVE-2009-2419[35]:
| Use-after-free vulnerability in the servePendingRequests function in
| WebCore in WebKit in Apple Safari 4.0 and 4.0.1 allows remote
| attackers to cause a denial of service (application crash) or possibly
| execute arbitrary code via a crafted HTML document that references a
| zero-length .js file and the JavaScript reload function. NOTE: some of
| these details are obtained from third party information.
CVE-2009-2797[36]:
| The WebKit component in Safari in Apple iPhone OS before 3.1, and
| iPhone OS before 3.1.1 for iPod touch, does not remove usernames and
| passwords from URLs sent in Referer headers, which allows remote
| attackers to obtain sensitive information by reading Referer logs on a
| web server.
CVE-2009-2816[37]:
| The implementation of Cross-Origin Resource Sharing (CORS) in WebKit,
| as used in Apple Safari before 4.0.4 and Google Chrome before
| 3.0.195.33, includes certain custom HTTP headers in the OPTIONS
| request during cross-origin operations with preflight, which makes it
| easier for remote attackers to conduct cross-site request forgery
| (CSRF) attacks via a crafted web page.
CVE-2009-2841[38]:
| WebKit in Apple Safari before 4.0.4 on Mac OS X does not perform the
| expected callbacks for HTML 5 media elements that have external URLs
| for media resources, which allows remote attackers to trigger requests
| to arbitrary web sites via a crafted HTML document, as demonstrated by
| an HTML e-mail message that uses a media element for
| X-Confirm-Reading-To functionality.
CVE-2009-2953[39]:
| Mozilla Firefox 3.0.6 through 3.0.13, and 3.5.x, allows remote
| attackers to cause a denial of service (CPU consumption) via
| JavaScript code with a long string value for the hash property (aka
| location.hash), a related issue to CVE-2008-5715.
CVE-2009-3384[40]:
| Multiple unspecified vulnerabilities in WebKit in Apple Safari before
| 4.0.4 on Windows allow remote FTP servers to execute arbitrary code,
| cause a denial of service (application crash), or obtain sensitive
| information via a crafted directory listing in a reply.
If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2783
http://security-tracker.debian.org/tracker/CVE-2006-2783
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0298
http://security-tracker.debian.org/tracker/CVE-2008-0298
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1588
http://security-tracker.debian.org/tracker/CVE-2008-1588
[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2307
http://security-tracker.debian.org/tracker/CVE-2008-2307
[4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2320
http://security-tracker.debian.org/tracker/CVE-2008-2320
[5] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3632
http://security-tracker.debian.org/tracker/CVE-2008-3632
[6] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4231
http://security-tracker.debian.org/tracker/CVE-2008-4231
[7] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4724
http://security-tracker.debian.org/tracker/CVE-2008-4724
[8] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1681
http://security-tracker.debian.org/tracker/CVE-2009-1681
[9] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1684
http://security-tracker.debian.org/tracker/CVE-2009-1684
[10] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1685
http://security-tracker.debian.org/tracker/CVE-2009-1685
[11] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1686
http://security-tracker.debian.org/tracker/CVE-2009-1686
[12] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1688
http://security-tracker.debian.org/tracker/CVE-2009-1688
[13] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1689
http://security-tracker.debian.org/tracker/CVE-2009-1689
[14] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1691
http://security-tracker.debian.org/tracker/CVE-2009-1691
[15] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1692
http://security-tracker.debian.org/tracker/CVE-2009-1692
[16] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1693
http://security-tracker.debian.org/tracker/CVE-2009-1693
[17] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1694
http://security-tracker.debian.org/tracker/CVE-2009-1694
[18] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1695
http://security-tracker.debian.org/tracker/CVE-2009-1695
[19] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1696
http://security-tracker.debian.org/tracker/CVE-2009-1696
[20] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1697
http://security-tracker.debian.org/tracker/CVE-2009-1697
[21] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1699
http://security-tracker.debian.org/tracker/CVE-2009-1699
[22] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1700
http://security-tracker.debian.org/tracker/CVE-2009-1700
[23] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1701
http://security-tracker.debian.org/tracker/CVE-2009-1701
[24] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1702
http://security-tracker.debian.org/tracker/CVE-2009-1702
[25] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1703
http://security-tracker.debian.org/tracker/CVE-2009-1703
[26] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1710
http://security-tracker.debian.org/tracker/CVE-2009-1710
[27] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1711
http://security-tracker.debian.org/tracker/CVE-2009-1711
[28] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1712
http://security-tracker.debian.org/tracker/CVE-2009-1712
[29] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1713
http://security-tracker.debian.org/tracker/CVE-2009-1713
[30] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1714
http://security-tracker.debian.org/tracker/CVE-2009-1714
[31] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1715
http://security-tracker.debian.org/tracker/CVE-2009-1715
[32] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1718
http://security-tracker.debian.org/tracker/CVE-2009-1718
[33] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1724
http://security-tracker.debian.org/tracker/CVE-2009-1724
[34] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2195
http://security-tracker.debian.org/tracker/CVE-2009-2195
[35] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2419
http://security-tracker.debian.org/tracker/CVE-2009-2419
[36] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2797
http://security-tracker.debian.org/tracker/CVE-2009-2797
[37] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2816
http://security-tracker.debian.org/tracker/CVE-2009-2816
[38] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2841
http://security-tracker.debian.org/tracker/CVE-2009-2841
[39] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2953
http://security-tracker.debian.org/tracker/CVE-2009-2953
[40] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3384
http://security-tracker.debian.org/tracker/CVE-2009-3384
Bug Marked as found in versions 4:4.3.2-2.
Request was from Modestas Vainius <modax@debian.org>
to control@bugs.debian.org.
(Mon, 21 Dec 2009 00:12:07 GMT).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>:
Bug#561762; Package kde4libs.
(Sat, 13 Mar 2010 00:33:06 GMT).
Acknowledgement sent
to Eckhart Wörner <ewoerner@kde.org>:
Extra info received and forwarded to list. Copy sent to Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>.
(Sat, 13 Mar 2010 00:33:06 GMT).
Message #12 received at 561762@bugs.debian.org:
block 561762 by 537931
thanks
The bug report mentions CVE-2009-1692 which has its konqueror/khtml counterpart at CVE-2009-2537, tracked at http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=537931
Added blocking bug(s) of 561762: 537931
Request was from Eckhart Wörner <ewoerner@kde.org>
to control@bugs.debian.org.
(Sat, 13 Mar 2010 00:33:07 GMT).
Message sent on
to Michael Gilbert <michael.s.gilbert@gmail.com>:
Bug#561762.
(Sat, 13 Mar 2010 00:33:12 GMT).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>:
Bug#561762; Package kde4libs.
(Sat, 03 Apr 2010 14:57:03 GMT).
Acknowledgement sent
to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>.
(Sat, 03 Apr 2010 14:57:03 GMT).
Message #22 received at 561762@bugs.debian.org:
Michael Gilbert wrote:
> Package: kde4libs
> Version: 4:4.3.4-1
> Severity: serious
> Tags: security
>
> Hi,
>
> The following CVE (Common Vulnerabilities & Exposures) ids were
> published for webkit. webkit was forked from khtml, so these
> issues very likely apply to this package as well. Since there are so
> many problems, I have not had time to check whether the vulnerable code
> is present or has an impact. Please check this and keep either myself
> or the security team informed of the affected/not-affected issues.
> Thank you very much for looking into this.
My checks were made against the version in experimental, since the
upload of 4.4 is mostly blocked by ongoing transitions and Squeeze
will provide KDE 4.4.
> CVE-2006-2783[0]:
> | Mozilla Firefox and Thunderbird before 1.5.0.4 strip the Unicode
> | Byte-order-Mark (BOM) from a UTF-8 page before the page is passed to
> | the parser, which allows remote attackers to conduct cross-site
> | scripting (XSS) attacks via a BOM sequence in the middle of a
> | dangerous tag such as SCRIPT.
This one is a bit unclear, but doesn't seem to affect kde4libs.
> CVE-2008-0298[1]:
> | KHTML WebKit as used in Apple Safari 2.x allows remote attackers to
> | cause a denial of service (browser crash) via a crafted web page,
> | possibly involving a STYLE attribute of a DIV element.
Browser crashes w/o code injection are not treated as security issues,
didn't check.
> CVE-2008-1588[2]:
> | Safari on Apple iPhone before 2.0 and iPod touch before 2.0 allows
> | remote attackers to spoof the address bar via Unicode ideographic
> | spaces in the URL.
This one is MacOSX-specific.
> CVE-2008-2307[3]:
> | Unspecified vulnerability in WebKit in Apple Safari before 3.1.2, as
> | distributed in Mac OS X before 10.5.4, and standalone for Windows and
> | Mac OS X 10.4, allows remote attackers to cause a denial of service
> | (application crash) or execute arbitrary code via vectors involving
> | JavaScript arrays that trigger memory corruption.
This is apparently unfixed in 4.4.1, I'll report this to security@kde.org
> CVE-2008-2320[4]:
> | Stack-based buffer overflow in CarbonCore in Apple Mac OS X 10.4.11
> | and 10.5.4, iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch
> | 1.1 through 2.2.1 allows context-dependent attackers to execute
> | arbitrary code or cause a denial of service (application crash) via a
> | long filename to the file management API.
This doesn't affect webkit at all.
> CVE-2008-3632[5]:
> | Use-after-free vulnerability in WebKit in Apple iPod touch 1.1 through
> | 2.0.2, and iPhone 1.0 through 2.0.2, allows remote attackers to
> | execute arbitrary code or cause a denial of service (application
> | crash) via a web page with crafted Cascading Style Sheets (CSS) import
> | statements.
This doesn't affect kde4libs.
> CVE-2008-4231[6]:
> | Safari in Apple iPhone OS 1.0 through 2.1 and iPhone OS for iPod touch
> | 1.1 through 2.1 does not properly handle HTML TABLE elements, which
> | allows remote attackers to execute arbitrary code or cause a denial of
> | service (memory corruption and application crash) via a crafted HTML
> | document.
This doesn't affect webkit or kdelibs.
> CVE-2008-4724[7]:
> | Multiple cross-site scripting (XSS) vulnerabilities in Google Chrome
> | 0.2.149.30 allow remote attackers to inject arbitrary web script or
> | HTML via an ftp:// URL for an HTML document within a (1) JPG, (2) PDF,
> | or (3) TXT file. NOTE: the provenance of this information is unknown;
> | the details are obtained solely from third party information.
This doesn't affect kde4libs.
> CVE-2009-1681[8]:
> | WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1, and
> | iPhone OS for iPod touch 1.1 through 2.2.1 does not prevent web sites
> | from loading third-party content into a subframe, which allows remote
> | attackers to bypass the Same Origin Policy and conduct "clickjacking"
> | attacks via a crafted HTML document.
I'm unsure about this, this might be fixed differently, I'll contact
security@kde.org
> CVE-2009-1684[9]:
> | Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari
> | before 4.0, iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch
> | 1.1 through 2.2.1 allows remote attackers to inject arbitrary web
> | script or HTML via an event handler that triggers script execution in
> | the context of the next loaded document.
This doesn't affect kde4libs.
> CVE-2009-1685[10]:
> | Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari
> | before 4.0, iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch
> | 1.1 through 2.2.1 allows remote attackers to inject arbitrary web
> | script or HTML by overwriting the document.implementation property of
> | (1) an embedded document or (2) a parent document.
This is apparently unfixed in 4.4.1, I'll report this to security@kde.org
> CVE-2009-1686[11]:
> | WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1, and
> | iPhone OS for iPod touch 1.1 through 2.2.1 does not properly handle
> | constant (aka const) declarations in a type-conversion operation
> | during JavaScript exception handling, which allows remote attackers to
> | execute arbitrary code or cause a denial of service (memory corruption
> | and application crash) via a crafted HTML document.
This doesn't affect kde4libs.
> CVE-2009-1688[12]:
> | Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari
> | before 4.0, iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch
> | 1.1 through 2.2.1 allows remote attackers to inject arbitrary web
> | script or HTML via vectors related to determining a security context
> | through an approach that is not the "HTML 5 standard method."
This doesn't affect kde4libs.
> CVE-2009-1689[13]:
> | Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari
> | before 4.0, iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch
> | 1.1 through 2.2.1 allows remote attackers to inject arbitrary web
> | script or HTML via vectors involving submission of a form to the
> | about:blank URL, leading to security-context replacement.
This doesn't affect kde4libs.
> CVE-2009-1691[14]:
> | Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari
> | before 4.0, iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch
> | 1.1 through 2.2.1 allows remote attackers to inject arbitrary web
> | script or HTML via vectors related to insufficient access control for
> | standard JavaScript prototypes in other domains.
This doesn't affect kde4libs.
> CVE-2009-1692[15]:
> | WebKit before r41741, as used in Apple iPhone OS 1.0 through 2.2.1,
> | iPhone OS for iPod touch 1.1 through 2.2.1, Safari, and other
> | software, allows remote attackers to cause a denial of service (memory
> | consumption or device reset) via a web page containing an
> | HTMLSelectElement object with a large length attribute, related to the
> | length property of a Select object.
Browser crashes w/o code injection are not treated as security issues,
didn't check.
> CVE-2009-1693[16]:
> | WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1, and
> | iPhone OS for iPod touch 1.1 through 2.2.1 allows remote attackers to
> | read images from arbitrary web sites via a CANVAS element with an SVG
> | image, related to a "cross-site image capture issue."
This doesn't affect kde4libs.
> CVE-2009-1694[17]:
> | WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1, and
> | iPhone OS for iPod touch 1.1 through 2.2.1 does not properly handle
> | redirects, which allows remote attackers to read images from arbitrary
> | web sites via vectors involving a CANVAS element and redirection,
> | related to a "cross-site image capture issue."
This doesn't affect kde4libs.
> CVE-2009-1695[18]:
> | Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari
> | before 4.0, iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch
> | 1.1 through 2.2.1 allows remote attackers to inject arbitrary web
> | script or HTML via vectors involving access to frame contents after
> | completion of a page transition.
This doesn't affect kde4libs.
> CVE-2009-1696[19]:
> | WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1, and
> | iPhone OS for iPod touch 1.1 through 2.2.1 uses predictable random
> | numbers in JavaScript applications, which makes it easier for remote
> | web servers to track the behavior of a Safari user during a session.
This doesn't affect kde4libs.
> CVE-2009-1697[20]:
> | CRLF injection vulnerability in WebKit in Apple Safari before 4.0,
> | iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch 1.1 through
> | 2.2.1 allows remote attackers to inject HTTP headers and bypass the
> | Same Origin Policy via a crafted HTML document, related to cross-site
> | scripting (XSS) attacks that depend on communication with arbitrary
> | web sites on the same server through use of XMLHttpRequest without a
> | Host header.
This doesn't affect kde4libs.
> CVE-2009-1699[21]:
> | The XSL stylesheet implementation in WebKit in Apple Safari before
> | 4.0, iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch 1.1
> | through 2.2.1 does not properly handle XML external entities, which
> | allows remote attackers to read arbitrary files via a crafted DTD, as
> | demonstrated by a file:///etc/passwd URL in an entity declaration,
> | related to an "XXE attack."
This doesn't affect kde4libs.
> CVE-2009-1700[22]:
> | The XSLT implementation in WebKit in Apple Safari before 4.0, iPhone
> | OS 1.0 through 2.2.1, and iPhone OS for iPod touch 1.1 through 2.2.1
> | does not properly handle redirects, which allows remote attackers to
> | read XML content from arbitrary web pages via a crafted document.
This doesn't affect kde4libs.
> CVE-2009-1701[23]:
> | Use-after-free vulnerability in the JavaScript DOM implementation in
> | WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1, and
> | iPhone OS for iPod touch 1.1 through 2.2.1 allows remote attackers to
> | execute arbitrary code or cause a denial of service (application
> | crash) by destroying a document.body element that has an unspecified
> | XML container with elements that support the dir attribute.
This might be unfixed in 4.4.1, but the code is quite different, I'll
report this to security@kde.org
> CVE-2009-1702[24]:
> | Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari
> | before 4.0, iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch
> | 1.1 through 2.2.1 allows remote attackers to inject arbitrary web
> | script or HTML via vectors related to improper handling of Location
> | and History objects.
This doesn't affect kde4libs.
> CVE-2009-1703[25]:
> | WebKit in Apple Safari before 4.0 does not prevent references to file:
> | URLs within (1) audio and (2) video elements, which allows remote
> | attackers to determine the existence of arbitrary files via a crafted
> | HTML document.
This doesn't affect kde4libs (and even if, the impact is negligible)
> CVE-2009-1710[26]:
> | WebKit in Apple Safari before 4.0 allows remote attackers to spoof the
> | browser's display of (1) the host name, (2) security indicators, and
> | unspecified other UI elements via a custom cursor in conjunction with
> | a modified CSS3 hotspot property.
This doesn't affect kde4libs.
> CVE-2009-1711[27]:
> | WebKit in Apple Safari before 4.0 does not properly initialize memory
> | for Attr DOM objects, which allows remote attackers to execute
> | arbitrary code or cause a denial of service (application crash) via a
> | crafted HTML document.
This might be unfixed in 4.4.1, but the code is quite different, I'll
report this to security@kde.org
> CVE-2009-1712[28]:
> | WebKit in Apple Safari before 4.0 does not prevent remote loading of
> | local Java applets, which allows remote attackers to execute arbitrary
> | code, gain privileges, or obtain sensitive information via an APPLET
> | or OBJECT element.
This doesn't affect kde4libs.
> CVE-2009-1713[29]:
> | The XSLT functionality in WebKit in Apple Safari before 4.0 does not
> | properly implement the document function, which allows remote
> | attackers to read (1) arbitrary local files and (2) files from
> | different security zones via unspecified vectors.
This doesn't affect kde4libs.
> CVE-2009-1714[30]:
> | Cross-site scripting (XSS) vulnerability in Web Inspector in WebKit in
> | Apple Safari before 4.0 allows user-assisted remote attackers to
> | inject arbitrary web script or HTML, and read local files, via vectors
> | related to the improper escaping of HTML attributes.
This doesn't affect kde4libs.
> CVE-2009-1715[31]:
> | Cross-site scripting (XSS) vulnerability in Web Inspector in WebKit in
> | Apple Safari before 4.0 allows user-assisted remote attackers to
> | inject arbitrary web script or HTML, and read local files, via vectors
> | related to script execution with incorrect privileges.
This doesn't affect kde4libs.
> CVE-2009-1718[32]:
> | WebKit in Apple Safari before 4.0 allows user-assisted remote
> | attackers to obtain sensitive information via vectors involving drag
> | events and the dragging of content over a crafted web page.
This doesn't affect kde4libs.
> CVE-2009-1724[33]:
> | Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari
> | before 4.0.2, as used on iPhone OS before 3.1, iPhone OS before 3.1.1
> | for iPod touch, and other platforms, allows remote attackers to inject
> | arbitrary web script or HTML via vectors related to parent and top
> | objects.
This doesn't affect kde4libs.
> CVE-2009-2195[34]:
> | Buffer overflow in WebKit in Apple Safari before 4.0.3 allows remote
> | attackers to execute arbitrary code or cause a denial of service
> | (application crash) via crafted floating-point numbers.
This doesn't affect kde4libs.
> CVE-2009-2419[35]:
> | Use-after-free vulnerability in the servePendingRequests function in
> | WebCore in WebKit in Apple Safari 4.0 and 4.0.1 allows remote
> | attackers to cause a denial of service (application crash) or possibly
> | execute arbitrary code via a crafted HTML document that references a
> | zero-length .js file and the JavaScript reload function. NOTE: some of
> | these details are obtained from third party information.
This doesn't affect kde4libs.
> CVE-2009-2797[36]:
> | The WebKit component in Safari in Apple iPhone OS before 3.1, and
> | iPhone OS before 3.1.1 for iPod touch, does not remove usernames and
> | passwords from URLs sent in Referer headers, which allows remote
> | attackers to obtain sensitive information by reading Referer logs on a
> | web server.
This doesn't affect kde4libs.
> CVE-2009-2816[37]:
> | The implementation of Cross-Origin Resource Sharing (CORS) in WebKit,
> | as used in Apple Safari before 4.0.4 and Google Chrome before
> | 3.0.195.33, includes certain custom HTTP headers in the OPTIONS
> | request during cross-origin operations with preflight, which makes it
> | easier for remote attackers to conduct cross-site request forgery
> | (CSRF) attacks via a crafted web page.
This doesn't affect kde4libs.
> CVE-2009-2841
> | WebKit in Apple Safari before 4.0.4 on Mac OS X does not perform the
> | expected callbacks for HTML 5 media elements that have external URLs
> | for media resources, which allows remote attackers to trigger requests
> | to arbitrary web sites via a crafted HTML document, as demonstrated by
> | an HTML e-mail message that uses a media element for
> | X-Confirm-Reading-To functionality.
This might be unfixed in 4.4.1, but the code is quite different, I'll
report this to security@kde.org
> CVE-2009-2953[39]:
> | Mozilla Firefox 3.0.6 through 3.0.13, and 3.5.x, allows remote
> | attackers to cause a denial of service (CPU consumption) via
> | JavaScript code with a long string value for the hash property (aka
> | location.hash), a related issue to CVE-2008-5715.
Browser crashes w/o code injection are not treated as security issues,
didn't check.
> CVE-2009-3384[40]:
> | Multiple unspecified vulnerabilities in WebKit in Apple Safari before
> | 4.0.4 on Windows allow remote FTP servers to execute arbitrary code,
> | cause a denial of service (application crash), or obtain sensitive
> | information via a crafted directory listing in a reply.
This is Windows-specific.
I'll report CVE-2008-2307, CVE-2009-1681, CVE-2009-1685, CVE-2009-1701,
CVE-2009-1711 and CVE-2009-2841 upstream.
Cheers,
Moritz
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>:
Bug#561762; Package kde4libs.
(Sun, 04 Apr 2010 00:36:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Eckhart Wörner <ewoerner@kde.org>:
Extra info received and forwarded to list. Copy sent to Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>.
(Sun, 04 Apr 2010 00:36:05 GMT) (full text, mbox, link).
Message #27 received at 561762@bugs.debian.org (full text, mbox, reply):
> > CVE-2009-1703[25]:
> > | WebKit in Apple Safari before 4.0 does not prevent references to file:
> > | URLs within (1) audio and (2) video elements, which allows remote
> > | attackers to determine the existence of arbitrary files via a crafted
> > | HTML document.
>
> This doesn't affect kde4libs (and even if, the impact is negligible)
Konqueror loads local videos from an http context here.
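Added example, not part of the bug log and not KHTML or WebKit code: a sketch of the load-policy check that CVE-2009-1703 and the observation above are about, refusing `file:` media references from a document that was itself loaded over the network. The function name, the scheme set and the sample URLs are assumptions made for illustration.

```javascript
'use strict';

// Schemes that address resources on the user's own machine (assumed set).
const LOCAL_SCHEMES = new Set(['file:']);

/**
 * Decide whether a document may reference a subresource, e.g. the src of
 * an <audio> or <video> element. Hypothetical helper, not a browser API.
 * Rule: only documents that are themselves local may reference local URLs.
 * The decision is taken before any filesystem access, so a refused load
 * behaves the same whether or not the file exists.
 */
function mayLoadSubresource(documentUrl, resourceRef) {
  let doc, res;
  try {
    doc = new URL(documentUrl);
    // Resolve relative references against the document, as a browser does.
    // The URL parser also lowercases the scheme, so "FILE:" is caught.
    res = new URL(resourceRef, doc);
  } catch (e) {
    return { allowed: false, reason: 'unparseable URL' };
  }
  const docIsLocal = LOCAL_SCHEMES.has(doc.protocol);
  const resIsLocal = LOCAL_SCHEMES.has(res.protocol);
  if (resIsLocal && !docIsLocal) {
    return { allowed: false, reason: 'remote document referencing local resource' };
  }
  return { allowed: true, reason: 'ok' };
}

// Constructed sample input: [document URL, media reference found in it].
const SAMPLES = [
  ['http://example.test/page.html', 'file:///home/user/video.ogv'],
  ['http://example.test/page.html', 'FILE:///etc/hostname'],
  ['http://example.test/page.html', 'clips/intro.ogv'],
  ['file:///home/user/index.html', 'video.ogv'],
  ['https://example.test/', 'https://cdn.example.test/a.ogg'],
];

function auditSamples() {
  return SAMPLES.map(([doc, ref]) => mayLoadSubresource(doc, ref).allowed);
}

console.log(auditSamples());
```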
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>:
Bug#561762; Package kde4libs.
(Sun, 25 Apr 2010 20:45:08 GMT) (full text, mbox, link).
Acknowledgement sent
to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>.
(Sun, 25 Apr 2010 20:45:08 GMT) (full text, mbox, link).
Message #32 received at 561762@bugs.debian.org (full text, mbox, reply):
Hi Eckhart,
On Sun, Apr 04, 2010 at 02:34:32AM +0200, Eckhart Wörner wrote:
> > > CVE-2009-1703[25]:
> > > | WebKit in Apple Safari before 4.0 does not prevent references to file:
> > > | URLs within (1) audio and (2) video elements, which allows remote
> > > | attackers to determine the existence of arbitrary files via a crafted
> > > | HTML document.
> >
> > This doesn't affect kde4libs (and even if, the impact is negligible)
>
> Konqueror loads local videos from an http context here.
Since you're writing with a @kde.org address: My mail to security@kde.org
was left unanswered. Do you have a suggestion who to contact instead?
Cheers,
Moritz
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>:
Bug#561762; Package kde4libs.
(Sun, 25 Apr 2010 21:06:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Eckhart Wörner <ewoerner@kde.org>:
Extra info received and forwarded to list. Copy sent to Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>.
(Sun, 25 Apr 2010 21:06:02 GMT) (full text, mbox, link).
Message #37 received at 561762@bugs.debian.org (full text, mbox, reply):
Hi Moritz,
> Since you're writing with a @kde.org address: My mail to security@kde.org
> was left unanswered. Do you have a suggestion who to contact instead?
security@kde.org is the right place and several people have probably read your
mail, however, there has been some problem in March with a mail left
unanswered, discussed on kde-core-devel:
http://thread.gmane.org/gmane.comp.kde.devel.core/64220
I suggest you either ping security again or ask at kde-core-devel@kde.org
about the status.
Eckhart
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>:
Bug#561762; Package kde4libs.
(Wed, 28 Apr 2010 19:51:06 GMT) (full text, mbox, link).
Acknowledgement sent
to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>.
(Wed, 28 Apr 2010 19:51:06 GMT) (full text, mbox, link).
Message #42 received at 561762@bugs.debian.org (full text, mbox, reply):
On Sun, Apr 25, 2010 at 11:05:09PM +0200, Eckhart Wörner wrote:
> Hi Moritz,
>
> > Since you're writing with a @kde.org address: My mail to security@kde.org
> > was left unanswered. Do you have a suggestion who to contact instead?
>
> security@kde.org is the right place and several people have probably read your
> mail, however, there has been some problem in March with a mail left
> unanswered, discussed on kde-core-devel:
> http://thread.gmane.org/gmane.comp.kde.devel.core/64220
> I suggest you either ping security again or ask at kde-core-devel@kde.org
> about the status.
Thanks!
I got a reply in the mean time and the issues are being investigated.
Cheers,
Moritz
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>:
Bug#561762; Package kde4libs.
(Sun, 08 Aug 2010 01:30:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Michael Gilbert <michael.s.gilbert@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>.
(Sun, 08 Aug 2010 01:30:03 GMT) (full text, mbox, link).
Message #47 received at 561762@bugs.debian.org (full text, mbox, reply):
severity 561762 important
thanks
even though kde4libs really needs to be checked against these webkit issues,
it isn't a reason to hold up the release.
mike
Severity set to 'important' from 'serious'
Request was from Michael Gilbert <michael.s.gilbert@gmail.com>
to control@bugs.debian.org.
(Sun, 08 Aug 2010 01:30:04 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>:
Bug#561762; Package kde4libs.
(Sun, 05 Sep 2010 15:12:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>.
(Sun, 05 Sep 2010 15:12:03 GMT) (full text, mbox, link).
Message #54 received at 561762@bugs.debian.org (full text, mbox, reply):
On Wed, Apr 28, 2010 at 09:46:44PM +0200, Moritz Muehlenhoff wrote:
> On Sun, Apr 25, 2010 at 11:05:09PM +0200, Eckhart Wörner wrote:
> > Hi Moritz,
> >
> > > Since you're writing with a @kde.org address: My mail to security@kde.org
> > > was left unanswered. Do you have a suggestion who to contact instead?
> >
> > security@kde.org is the right place and several people have probably read your
> > mail, however, there has been some problem in March with a mail left
> > unanswered, discussed on kde-core-devel:
> > http://thread.gmane.org/gmane.comp.kde.devel.core/64220
> > I suggest you either ping security again or ask at kde-core-devel@kde.org
> > about the status.
>
> Thanks!
>
> I got a reply in the mean time and the issues are being investigated.
Dear KDE maintainers,
this has been fixed in SVN r1125019, please merge for Squeeze.
Cheers,
Moritz
Marked as fixed in versions 4:4.6.2-1.
Request was from Maximiliano Curia <maxy@debian.org>
to control@bugs.debian.org.
(Fri, 10 May 2013 07:33:04 GMT) (full text, mbox, link).
Reply sent
to Moritz Muehlenhoff <jmm@inutil.org>:
You have taken responsibility.
(Tue, 04 Feb 2014 15:30:08 GMT) (full text, mbox, link).
Notification sent
to Michael Gilbert <michael.s.gilbert@gmail.com>:
Bug acknowledged by developer.
(Tue, 04 Feb 2014 15:30:08 GMT) (full text, mbox, link).
Message #61 received at 561762-done@bugs.debian.org (full text, mbox, reply):
On Sat, Dec 19, 2009 at 11:49:05PM -0500, Michael Gilbert wrote:
> Package: kde4libs
> Version: 4:4.3.4-1
> Severity: serious
> Tags: security
>
> Hi,
>
> The following CVE (Common Vulnerabilities & Exposures) ids were
> published for webkit. webkit was forked from khtml, so these
> issues very likely apply to this package as well. Since there are so
> many problems, I have not had time to check whether the vulnerable code
> is present or has an impact. Please check this and keep either myself
> or the security team informed of the affected/not-affected issues.
> Thank you very much for looking into this.
Closing, not security-supported as per release notes.
Cheers,
Moritz
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Wed, 05 Mar 2014 07:33:14 GMT) (full text, mbox, link).