CVE-2009-1690
Published: 10 June 2009
Use-after-free vulnerability in WebKit, as used in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1, iPhone OS for iPod touch 1.1 through 2.2.1, Google Chrome 1.0.154.53, and possibly other products, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) by setting an unspecified property of an HTML tag that causes child elements to be freed and later accessed when an HTML error occurs, related to "recursion in certain DOM event handlers."
Notes
Author | Note |
---|---|
jdstrand | webkit is a fork of khtml from kdelibs. kdelibs5 is farther from it, while qt4-x11 attempts to unify khtml and webkit |
mdeslaur | PoC: http://trac.webkit.org/browser/trunk/LayoutTests/fast/parser/head-content-after-head-removal.html?format=txt (need to add the <html> tags) |
Priority
Status
Package | Release | Status |
---|---|---|
kde4libs Launchpad, Ubuntu, Debian |
dapper |
Does not exist
|
hardy |
Ignored
(end of life)
|
|
intrepid |
Released
(4:4.1.4-0ubuntu1~intrepid1.2)
|
|
jaunty |
Released
(4:4.2.2-0ubuntu5.1)
|
|
karmic |
Not vulnerable
(4:4.3.0-0ubuntu6)
|
|
lucid |
Not vulnerable
(4:4.3.0-0ubuntu6)
|
|
maverick |
Not vulnerable
(4:4.3.0-0ubuntu6)
|
|
natty |
Not vulnerable
(4:4.3.0-0ubuntu6)
|
|
upstream |
Needs triage
|
|
Patches: upstream: http://websvn.kde.org/?view=rev&revision=983316 |
||
kdelibs Launchpad, Ubuntu, Debian |
dapper |
Ignored
(end of life)
|
hardy |
Released
(4:3.5.10-0ubuntu1~hardy1.2)
|
|
intrepid |
Released
(4:3.5.10-0ubuntu6.1)
|
|
jaunty |
Released
(4:3.5.10.dfsg.1-1ubuntu8.1)
|
|
karmic |
Released
(4:3.5.10.dfsg.1-2ubuntu5)
|
|
lucid |
Released
(4:3.5.10.dfsg.1-2ubuntu5)
|
|
maverick |
Released
(4:3.5.10.dfsg.1-2ubuntu5)
|
|
natty |
Released
(4:3.5.10.dfsg.1-2ubuntu5)
|
|
upstream |
Needs triage
|
|
Patches: vendor: http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs_3.5.10.dfsg.1-0lenny2.diff.gz |
||
qt4-x11 Launchpad, Ubuntu, Debian |
dapper |
Not vulnerable
(no webkit)
|
hardy |
Not vulnerable
(no webkit)
|
|
intrepid |
Released
(4.4.3-0ubuntu1.4)
|
|
jaunty |
Released
(4.5.0-0ubuntu4.3)
|
|
karmic |
Not vulnerable
(4.5.2-0ubuntu5)
|
|
lucid |
Not vulnerable
(4.5.2-0ubuntu5)
|
|
maverick |
Not vulnerable
(4.5.2-0ubuntu5)
|
|
natty |
Not vulnerable
(4.5.2-0ubuntu5)
|
|
upstream |
Needs triage
|
|
webkit Launchpad, Ubuntu, Debian |
dapper |
Does not exist
|
hardy |
Ignored
(end of life)
|
|
intrepid |
Released
(1.0.1-2ubuntu0.2)
|
|
jaunty |
Released
(1.0.1-4ubuntu0.1)
|
|
karmic |
Not vulnerable
(1.1.12-1ubuntu1)
|
|
lucid |
Not vulnerable
(1.1.12-1ubuntu1)
|
|
maverick |
Not vulnerable
(1.1.12-1ubuntu1)
|
|
natty |
Not vulnerable
(1.1.12-1ubuntu1)
|
|
upstream |
Needs triage
|
|
Patches: upstream: http://trac.webkit.org/changeset/42532 |