Višestruki sigurnosni nedostaci programskog paketa webkitgtk

U radu programskog paketa webkitgtk, na operacijskom sustavu Fedora 13, uočeni su i ispravljeni višestruki sigurnosni nedostaci. Riječ je o mehanizmu prilagođenom GTK+ platformi, koji web preglednicima omogućuje prikaz web stranica. Neki od nedostataka javljaju se zbog tzv. "use-after-free" ranjivosti kod prikaza SVG animacija, nepravilne obrade posebno oblikovanih slika u GIF formatu te neispravne pretvorbe objekata neodređenih varijabli kod obrade SVG elemenata. Većinu nedostataka udaljeni napadači mogu iskoristiti za pokretanje napada uskraćivanja usluge. Svim se korisnicima savjetuje primjena rješenja koja ispravljaju opisane nedostatke.

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2011-1224
2011-02-09 19:50:02
--------------------------------------------------------------------------------

Name        : webkitgtk
Product     : Fedora 13
Version     : 1.2.7
Release     : 1.fc13
URL         : http://www.webkitgtk.org/
Summary     : GTK+ Web content engine library
Description :
WebKitGTK+ is the port of the portable web rendering engine WebKit to the
GTK+ platform.

--------------------------------------------------------------------------------
Update Information:

* Fixes the following CVEs: CVE-2010-4492 CVE-2010-4493 CVE-2011-0482
CVE-2010-4199 CVE-2010-4578 CVE-2010-4040 CVE-2011-0778 CVE-2010-2901
CVE-2010-4042

* Fixes a regression caused by earlier fix for CVE-2010-1791. This caused
webkitgtk to crash on certain sites with javascript.
--------------------------------------------------------------------------------
ChangeLog:

* Wed Feb  9 2011 Huzaifa Sidhpurwala <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 1.2.7
- Update to 1.2.7
* Tue Jan 25 2011 Huzaifa Sidhpurwala <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 1.2.6-2
- Fix regression from the earlier security fix
- Fixes rhbz #670142
* Tue Jan  4 2011 Huzaifa Sidhpurwala <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 1.2.6-1
- Update to 1.2.6.
- Fixes CVE-2010-4198 CVE-2010-4197 CVE-2010-4204 CVE-2010-4206
- Fixes CVE-2010-1791 CVE-2010-3812 CVE-2010-3813
- Document fix for CVE-2010-3255 CVE-2010-3119
* Mon Oct  4 2010 Kevin Fenzi <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 1.2.5-1
- Update to 1.2.5. 
- Fixes: CVE-2010-3113 CVE-2010-1814 CVE-2010-1812
- Fixes: CVE-2010-1815 CVE-2010-3115 CVE-2010-1807 CVE-2010-3114
- Fixes: CVE-2010-3116 CVE-2010-3257 CVE-2010-3259
* Wed Sep  8 2010 Kevin Fenzi <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 1.2.4-1
- Update to 1.2.4 which fixes: 
- Fixes: CVE-2010-1780 CVE-2010-1782 CVE-2010-1784 CVE-2010-1785
- Fixes: CVE-2010-1786 CVE-2010-1787 CVE-2010-1788 CVE-2010-1790
- Fixes: CVE-2010-1792 CVE-2010-1793 CVE-2010-2648
- Update to 1.2.3 which fixes: 
- Fixes: CVE-2010-1386 CVE-2010-1392 CVE-2010-1405 CVE-2010-1407
- Fixes: CVE-2010-1416 CVE-2010-1417 CVE-2010-1665 CVE-2010-1418
- Fixes: CVE-2010-1421 CVE-2010-1422 CVE-2010-1501 CVE-2010-1767
- Fixes: CVE-2010-1664 CVE-2010-1758 CVE-2010-1759 CVE-2010-1760
- Fixes: CVE-2010-1761 CVE-2010-1762 CVE-2010-1770 CVE-2010-1771
- Fixes: CVE-2010-1772 CVE-2010-1773 CVE-2010-1774 CVE-2010-2264
- Fixes bugs: 606303 606304 615728 615729 631583
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #676201 - CVE-2010-4492 WebKit: Use-after-free vulnerability in SVG
animations
        https://bugzilla.redhat.com/show_bug.cgi?id=676201
  [ 2 ] Bug #676202 - CVE-2010-4493 WebKit: Use-after-free vulnerability
related to handling of mouse dragging events.
        https://bugzilla.redhat.com/show_bug.cgi?id=676202
  [ 3 ] Bug #676203 - CVE-2011-0482 WebKit: Bad cast during handling of anchors
causes crash via crafted HTML documents
        https://bugzilla.redhat.com/show_bug.cgi?id=676203
  [ 4 ] Bug #656122 - CVE-2010-4199 WebKit: Improper cast of an unspecified
variable during processing of an SVG use element
        https://bugzilla.redhat.com/show_bug.cgi?id=656122
  [ 5 ] Bug #676207 - CVE-2010-4578 WebKit: Stale SVG pointer in Cursors DOM
        https://bugzilla.redhat.com/show_bug.cgi?id=676207
  [ 6 ] Bug #657101 - CVE-2010-4040 WebKit: crafted animated GIF image could
cause DoS (memory corruption)
        https://bugzilla.redhat.com/show_bug.cgi?id=657101
  [ 7 ] Bug #676209 - CVE-2011-0778 WebKit: restrict cross-origin drag+drop in
WebKit
        https://bugzilla.redhat.com/show_bug.cgi?id=676209
  [ 8 ] Bug #676210 - CVE-2010-2901 WebKit: Memory corruption with crash in
RenderObject::containingBlock()
        https://bugzilla.redhat.com/show_bug.cgi?id=676210
  [ 9 ] Bug #676212 - CVE-2010-4042 WebKit: Stale elements in an element map
causes webkit to crash
        https://bugzilla.redhat.com/show_bug.cgi?id=676212
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use 
su -c 'yum update webkitgtk' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.
https://admin.fedoraproject.org/mailman/listinfo/package-announce

Višestruki sigurnosni nedostaci programskog paketa webkitgtk

Tražilica portala

Aktivnosti

O CIS-u

Posljednje vijesti

Posljednji dokumenti