PublicDateAtUSN: 2009-05-13
Candidate: CVE-2009-0945
PublicDate: 2009-05-13 17:30:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0945
 http://www.zerodayinitiative.com/advisories/ZDI-09-022/
 https://ubuntu.com/security/notices/USN-823-1
 https://ubuntu.com/security/notices/USN-822-1
 https://ubuntu.com/security/notices/USN-836-1
 https://ubuntu.com/security/notices/USN-857-1
Description:
 Array index error in the insertItemBefore method in WebKit, as used in
 Apple Safari before 3.2.3 and 4 Public Beta, iPhone OS 1.0 through 2.2.1,
 iPhone OS for iPod touch 1.1 through 2.2.1, Google Chrome Stable before
 1.0.154.65, and possibly other products allows remote attackers to execute
 arbitrary code via a document with a SVGPathList data structure containing
 a negative index in the (1) SVGTransformList, (2) SVGStringList,
 (3) SVGNumberList, (4) SVGPathSegList, (5) SVGPointList, or
 (6) SVGLengthList SVGList object, which triggers memory corruption.
Ubuntu-Description:
Notes:
 mdeslaur> PoC: http://bugs.gentoo.org/show_bug.cgi?id=271863
Bugs:
 https://bugs.webkit.org/show_bug.cgi?id=24730 (restricted!)
 http://bugs.gentoo.org/show_bug.cgi?id=271863
 https://bugzilla.redhat.com/show_bug.cgi?id=506703
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=532718
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=532724
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=532725
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=534917
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=534918
Priority: medium
Discovered-by:
Assigned-to: micahg
CVSS:

Patches_webkit:
 upstream: http://trac.webkit.org/changeset/43590
 upstream: http://trac.webkit.org/changeset/43795 (revised)
upstream_webkit: needs-triage
dapper_webkit: DNE
hardy_webkit: ignored (reached end-of-life)
intrepid_webkit: released (1.0.1-2ubuntu0.2)
jaunty_webkit: released (1.0.1-4ubuntu0.1)
karmic_webkit: not-affected (1.1.12-1ubuntu1)
lucid_webkit: not-affected (1.1.12-1ubuntu1)
maverick_webkit: not-affected (1.1.12-1ubuntu1)
natty_webkit: not-affected (1.1.12-1ubuntu1)
devel_webkit: not-affected (1.1.12-1ubuntu1)

Patches_kdegraphics:
 upstream: http://websvn.kde.org/?view=rev&revision=983306 (incorrectly marked as CVE-2009-1709)
 vendor: http://security.debian.org/pool/updates/main/k/kdegraphics/kdegraphics_3.5.5-3etch4.diff.gz
 vendor: http://release.debian.org/proposed-updates/stable_diffs/kdegraphics_3.5.9-3+lenny2.debdiff
upstream_kdegraphics: needs-triage
dapper_kdegraphics: ignored (reached end-of-life)
hardy_kdegraphics: released (4:3.5.10-0ubuntu1~hardy1.1)
intrepid_kdegraphics: not-affected (code not present)
jaunty_kdegraphics: not-affected (code not present)
karmic_kdegraphics: not-affected (code not present)
lucid_kdegraphics: not-affected (code not present)
maverick_kdegraphics: not-affected (code not present)
natty_kdegraphics: not-affected (code not present)
devel_kdegraphics: not-affected (code not present)

Patches_kdelibs:
upstream_kdelibs: not-affected (code not present)
dapper_kdelibs: not-affected (code not present)
hardy_kdelibs: not-affected (code not present)
intrepid_kdelibs: not-affected (code not present)
jaunty_kdelibs: not-affected (code not present)
karmic_kdelibs: not-affected (code not present)
lucid_kdelibs: not-affected (code not present)
maverick_kdelibs: not-affected (code not present)
natty_kdelibs: not-affected (code not present)
devel_kdelibs: not-affected (code not present)

Patches_kde4libs:
 upstream: http://websvn.kde.org/?view=rev&revision=983302
upstream_kde4libs: needs-triage
dapper_kde4libs: DNE
hardy_kde4libs: not-affected (code not present)
intrepid_kde4libs: not-affected (code not present)
jaunty_kde4libs: released (4:4.2.2-0ubuntu5.1)
karmic_kde4libs: not-affected (4:4.3.0-0ubuntu6)
lucid_kde4libs: not-affected (4:4.3.0-0ubuntu6)
maverick_kde4libs: not-affected (4:4.3.0-0ubuntu6)
natty_kde4libs: not-affected (4:4.3.0-0ubuntu6)
devel_kde4libs: not-affected (4:4.3.0-0ubuntu6)

Patches_qt4-x11:
 upstream: http://websvn.kde.org/?view=rev&revision=983302
upstream_qt4-x11: needs-triage
dapper_qt4-x11: not-affected (no webkit)
hardy_qt4-x11: not-affected (no webkit)
intrepid_qt4-x11: released (4.4.3-0ubuntu1.4)
jaunty_qt4-x11: released (4.5.0-0ubuntu4.3)
karmic_qt4-x11: not-affected (4.5.2-0ubuntu5)
lucid_qt4-x11: not-affected (4.5.2-0ubuntu5)
maverick_qt4-x11: not-affected (4.5.2-0ubuntu5)
natty_qt4-x11: not-affected (4.5.2-0ubuntu5)
devel_qt4-x11: not-affected (4.5.2-0ubuntu5)