CVE-2009-0945
Published: 13 May 2009
Array index error in the insertItemBefore method in WebKit, as used in Apple Safari before 3.2.3 and 4 Public Beta, iPhone OS 1.0 through 2.2.1, iPhone OS for iPod touch 1.1 through 2.2.1, Google Chrome Stable before 1.0.154.65, and possibly other products allows remote attackers to execute arbitrary code via a document with a SVGPathList data structure containing a negative index in the (1) SVGTransformList, (2) SVGStringList, (3) SVGNumberList, (4) SVGPathSegList, (5) SVGPointList, or (6) SVGLengthList SVGList object, which triggers memory corruption.
Notes
| Author | Note |
|---|---|
| mdeslaur | PoC: http://bugs.gentoo.org/show_bug.cgi?id=271863 |
Priority
Status
| Package | Release | Status |
|---|---|---|
| kde4libs (Launchpad, Ubuntu, Debian) | dapper | Does not exist |
| | hardy | Not vulnerable (code not present) |
| | intrepid | Not vulnerable (code not present) |
| | jaunty | Released (4:4.2.2-0ubuntu5.1) |
| | karmic | Not vulnerable (4:4.3.0-0ubuntu6) |
| | lucid | Not vulnerable (4:4.3.0-0ubuntu6) |
| | maverick | Not vulnerable (4:4.3.0-0ubuntu6) |
| | natty | Not vulnerable (4:4.3.0-0ubuntu6) |
| | upstream | Needs triage |
| | Patches | upstream: http://websvn.kde.org/?view=rev&revision=983302 |
| kdegraphics (Launchpad, Ubuntu, Debian) | dapper | Ignored (end of life) |
| | hardy | Released (4:3.5.10-0ubuntu1~hardy1.1) |
| | intrepid | Not vulnerable (code not present) |
| | jaunty | Not vulnerable (code not present) |
| | karmic | Not vulnerable (code not present) |
| | lucid | Not vulnerable (code not present) |
| | maverick | Not vulnerable (code not present) |
| | natty | Not vulnerable (code not present) |
| | upstream | Needs triage |
| | Patches | upstream: http://websvn.kde.org/?view=rev&revision=983306 (incorrectly marked as CVE-2009-1709); vendor: http://security.debian.org/pool/updates/main/k/kdegraphics/kdegraphics_3.5.5-3etch4.diff.gz; vendor: http://release.debian.org/proposed-updates/stable_diffs/kdegraphics_3.5.9-3+lenny2.debdiff |
| kdelibs (Launchpad, Ubuntu, Debian) | dapper | Not vulnerable (code not present) |
| | hardy | Not vulnerable (code not present) |
| | intrepid | Not vulnerable (code not present) |
| | jaunty | Not vulnerable (code not present) |
| | karmic | Not vulnerable (code not present) |
| | lucid | Not vulnerable (code not present) |
| | maverick | Not vulnerable (code not present) |
| | natty | Not vulnerable (code not present) |
| | upstream | Not vulnerable (code not present) |
| qt4-x11 (Launchpad, Ubuntu, Debian) | dapper | Not vulnerable (no webkit) |
| | hardy | Not vulnerable (no webkit) |
| | intrepid | Released (4.4.3-0ubuntu1.4) |
| | jaunty | Released (4.5.0-0ubuntu4.3) |
| | karmic | Not vulnerable (4.5.2-0ubuntu5) |
| | lucid | Not vulnerable (4.5.2-0ubuntu5) |
| | maverick | Not vulnerable (4.5.2-0ubuntu5) |
| | natty | Not vulnerable (4.5.2-0ubuntu5) |
| | upstream | Needs triage |
| | Patches | upstream: http://websvn.kde.org/?view=rev&revision=983302 |
| webkit (Launchpad, Ubuntu, Debian) | dapper | Does not exist |
| | hardy | Ignored (end of life) |
| | intrepid | Released (1.0.1-2ubuntu0.2) |
| | jaunty | Released (1.0.1-4ubuntu0.1) |
| | karmic | Not vulnerable (1.1.12-1ubuntu1) |
| | lucid | Not vulnerable (1.1.12-1ubuntu1) |
| | maverick | Not vulnerable (1.1.12-1ubuntu1) |
| | natty | Not vulnerable (1.1.12-1ubuntu1) |
| | upstream | Needs triage |
| | Patches | upstream: http://trac.webkit.org/changeset/43590; upstream: http://trac.webkit.org/changeset/43795 (revised) |
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0945
- http://www.zerodayinitiative.com/advisories/ZDI-09-022/
- https://ubuntu.com/security/notices/USN-823-1
- https://ubuntu.com/security/notices/USN-822-1
- https://ubuntu.com/security/notices/USN-836-1
- https://ubuntu.com/security/notices/USN-857-1
- NVD
- Launchpad
- Debian
Bugs
- https://bugs.webkit.org/show_bug.cgi?id=24730 (restricted!)
- http://bugs.gentoo.org/show_bug.cgi?id=271863
- https://bugzilla.redhat.com/show_bug.cgi?id=506703
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=532718
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=532724
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=532725
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=534917
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=534918