Pardus: Qt: Webkit: Multiple Vulnerabilities - The Community's Center for Security


The central voice for Linux and Open Source security news

Welcome!

Sign up!

EnGarde Community

Polls

What is the most important Linux security technology?

	SELinux
	grsecurity
	CIS Benchmark
	Bastille Linux
	iptables
	LIDS

Advisories

Community

Linux Events

Linux User Groups

Link to Us

Security Center

Book Reviews

Security Dictionary

Security Tips

SELinux

White Papers

Featured Blogs

All About Linux

DanWalsh LiveJournal

Securitydistro

Latest Newsletters

Linux Advisory Watch: February 5th, 2010

Linux Security Week: February 1st, 2010

LinuxSecurity Newsletters

RSS Feeds

Get the LinuxSecurity news you want faster with RSS

Pardus: Qt: Webkit: Multiple Vulnerabilities

User Rating:

How can I rate this item?

Posted by Benjamin D. Thomas

Description ========== * CVE-2009-3384: Multiple security flaws (integer underflow, invalid pointer dereference, buffer underflow and a denial of service) were found in the way WebKit's FTP parser used to process remote FTP directory listings. If a remote FTP server issued a specially-crafted FTP command, it could lead to disclosure of sensitive information, denial of service (application crash) or, potentially to execution of arbitrary code, once the command was parsed.


------------------------------------------------------------------------
Pardus Linux Security Advisory 2009-187           security@pardus.org.tr
------------------------------------------------------------------------
      Date: 2009-11-19
  Severity: 3
      Type: Remote
------------------------------------------------------------------------

Summary
======
Multiple vulnerabilities were found in Webkit, which can be exploited by
malicious people to cause denial of service or potentially to execution
of arbitrary code.

Description
==========
* CVE-2009-3384:
Multiple security flaws (integer underflow, invalid pointer dereference,
buffer underflow and a denial of service) were found in the way WebKit's
FTP parser used to process remote FTP directory listings. If  a  remote
FTP server issued a specially-crafted FTP command,  it  could  lead  to
disclosure of sensitive information,  denial  of  service  (application
crash) or, potentially to execution of arbitrary code, once the command
was parsed.

* CVE-2009-2816:
Before allowing a page from one origin to access a resource in  another
origin, WebKit sends a preflight request, to determine  if  the  origin
server for the resource being accessed will allow the  resource  to  be
shared. WebKit includes custom HTTP headers specified by the requesting
page in the preflight request. This can result  in  unexpected  actions
being initiated on the cross-origin site  without  user  consent.  This
issue is addressed by  dropping  custom  HTTP  headers  from  preflight
requests.


Affected packages:

  Pardus 2009:
    qt, all before 4.5.3-72-16


Resolution
=========
There are update(s) for qt. You can update them via Package Manager  or
with a single command from console:

    pisi up qt

References
=========
  * http://bugs.pardus.org.tr/show_bug.cgi?id546
  * http://bugs.pardus.org.tr/show_bug.cgi?id545
  * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3384
  * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2816
  * https://bugs.webkit.org/show_bug.cgi?id(446
  * https://bugs.webkit.org/show_bug.cgi?id)294

< Prev		Next >

Partner:

Latest Features

Hacks From Pax: Network Server Monitoring With Nmap

Review: Mod-Security 2.5 by Magnus Mischel

Review: Googling Security: How Much Does Google Know About You

A Secure Nagios Server

Never Installed a Firewall on Ubuntu? Try Firestarter

Review: Hacking Exposed Linux, Third Edition

Security Features of Firefox 3.0

Yesterday's Edition

Mozilla Removes Two Malicious Firefox Add-Ons

When is a 0day not a 0day? Fake OpenSSh exploit, again

QuickLinks: Comunity , HOWTOs , Blogs , Features , Book Reviews , Networking ,
Security Projects , Latest News , Newsletters , SELinux , Privacy , Home,
Hardening , About Us, Advertise, Legal Notice, RSS, Guardian Digital