Off-by-one error in the toAlphabetic function in rendering/RenderListMarker.cpp in WebCore in WebKit before r59950, as used in Google Chrome before 5.0.375.70, allows remote attackers to obtain sensitive information, cause a denial of service (memory corruption and application crash), or possibly execute arbitrary code via vectors related to list markers for HTML lists, aka rdar problem 8009118.

Various bugs in webkit have been fixed. The CVE id's are :

CVE-2009-0945, CVE-2009-1681, CVE-2009-1684, CVE-2009-1685, CVE-2009-1686, CVE-2009-1687, CVE-2009-1688, CVE-2009-1689, CVE-2009-1691, CVE-2009-1690, CVE-2009-1692, CVE-2009-1693, CVE-2009-1694, CVE-2009-1695, CVE-2009-1696, CVE-2009-1697, CVE-2009-1698, CVE-2009-1699, CVE-2009-1700, CVE-2009-1701, CVE-2009-1702, CVE-2009-1703, CVE-2009-1709, CVE-2009-1710, CVE-2009-1711, CVE-2009-1712, CVE-2009-1713, CVE-2009-1714, CVE-2009-1715, CVE-2009-1718, CVE-2009-1724, CVE-2009-1725, CVE-2009-2195, CVE-2009-2199, CVE-2009-2200, CVE-2009-2419, CVE-2009-2797, CVE-2009-2816, CVE-2009-2841, CVE-2009-3272, CVE-2009-3384, CVE-2009-3933, CVE-2009-3934, CVE-2010-0046, CVE-2010-0047, CVE-2010-0048, CVE-2010-0049, CVE-2010-0050, CVE-2010-0052, CVE-2010-0053, CVE-2010-0054, CVE-2010-0315, CVE-2010-0647, CVE-2010-0051, CVE-2010-0650, CVE-2010-0651, CVE-2010-0656, CVE-2010-0659, CVE-2010-0661, CVE-2010-1029, CVE-2010-1126, CVE-2010-1233, CVE-2010-1236, CVE-2010-1386, CVE-2010-1387, CVE-2010-1388, CVE-2010-1389, CVE-2010-1390, CVE-2010-1391, CVE-2010-1392, CVE-2010-1393, CVE-2010-1394, CVE-2010-1395, CVE-2010-1396, CVE-2010-1397, CVE-2010-1398, CVE-2010-1399, CVE-2010-1400, CVE-2010-1401, CVE-2010-1402, CVE-2010-1403, CVE-2010-1404, CVE-2010-1405, CVE-2010-1406, CVE-2010-1407, CVE-2010-1408, CVE-2010-1409, CVE-2010-1410, CVE-2010-1412, CVE-2010-1413, CVE-2010-1414, CVE-2010-1415, CVE-2010-1416, CVE-2010-1417, CVE-2010-1418, CVE-2010-1419, CVE-2010-1421, CVE-2010-1422, CVE-2010-1729, CVE-2010-1749, CVE-2010-1757, CVE-2010-1758, CVE-2010-1759, CVE-2010-1760, CVE-2010-1761, CVE-2010-1762, CVE-2010-1763, CVE-2010-1764, CVE-2010-1766, CVE-2010-1767, CVE-2010-1769, CVE-2010-1770, CVE-2010-1771, CVE-2010-1772, CVE-2010-1773, CVE-2010-1774, CVE-2010-1780, CVE-2010-1781, CVE-2010-1782, CVE-2010-1783, CVE-2010-1784, CVE-2010-1785, CVE-2010-1786, CVE-2010-1787, CVE-2010-1788, CVE-2010-1789, CVE-2010-1790, CVE-2010-1791, CVE-2010-1792, CVE-2010-1793, CVE-2010-1807, CVE-2010-1812, CVE-2010-1813, CVE-2010-1814, CVE-2010-1815, CVE-2010-1822, CVE-2010-1823, CVE-2010-1824, CVE-2010-1825, CVE-2010-2264, CVE-2010-2295, CVE-2010-2297, CVE-2010-2300, CVE-2010-2301, CVE-2010-2302, CVE-2010-2441, CVE-2010-3116, CVE-2010-3257, CVE-2010-3259, CVE-2010-3312, CVE-2010-3803, CVE-2010-3804, CVE-2010-3805, CVE-2010-3808, CVE-2010-3809, CVE-2010-3810, CVE-2010-3811, CVE-2010-3812, CVE-2010-3813, CVE-2010-3816, CVE-2010-3817, CVE-2010-3818, CVE-2010-3819, CVE-2010-3820, CVE-2010-3821, CVE-2010-3822, CVE-2010-3823, CVE-2010-3824, CVE-2010-3826, CVE-2010-3829, CVE-2010-3900, CVE-2010-4040

The libwebkit browser engine version 1.2.3 fixes several security relevant bugs

(CVE-2010-1386, CVE-2010-1392, CVE-2010-1405, CVE-2010-1407, CVE-2010-1416, CVE-2010-1417, CVE-2010-1665, CVE-2010-1418, CVE-2010-1421, CVE-2010-1422, CVE-2010-1501, CVE-2010-1767, CVE-2010-1664, CVE-2010-1758, CVE-2010-1759, CVE-2010-1760, CVE-2010-1761, CVE-2010-1762, CVE-2010-1770, CVE-2010-1771, CVE-2010-1772, CVE-2010-1773, CVE-2010-1774)

Multiple cross-site scripting, denial of service and arbitrary code execution security flaws were discovered in webkit.

Please consult the CVE web links for further information.

The updated packages have been upgraded to the latest version (1.2.7) to correct these issues.

A large number of security issues were discovered in the WebKit browser and JavaScript engines. If a user were tricked into viewing a malicious website, a remote attacker could exploit a variety of issues related to web browser security, including cross-site scripting attacks, denial of service attacks, and arbitrary code execution.

Please consult the bug listed at the top of this advisory to get the exact list of CVE numbers fixed for each release.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Update to 1.2.4 which fixes: CVE-2010-1780 CVE-2010-1782 CVE-2010-1784 CVE-2010-1785 CVE-2010-1786 CVE-2010-1787 CVE-2010-1788 CVE-2010-1790 CVE-2010-1792 CVE-2010-1793 CVE-2010-2648

Update to 1.2.3 which fixes: CVE-2010-1386 CVE-2010-1392 CVE-2010-1405 CVE-2010-1407 CVE-2010-1416 CVE-2010-1417 CVE-2010-1665 CVE-2010-1418 CVE-2010-1421 CVE-2010-1422 CVE-2010-1501 CVE-2010-1767 CVE-2010-1664 CVE-2010-1758 CVE-2010-1759 CVE-2010-1760 CVE-2010-1761 CVE-2010-1762 CVE-2010-1770 CVE-2010-1771 CVE-2010-1772 CVE-2010-1773 CVE-2010-1774 CVE-2010-2264

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Update to 1.2.4 which fixes: CVE-2010-1780 CVE-2010-1782 CVE-2010-1784 CVE-2010-1785 CVE-2010-1786 CVE-2010-1787 CVE-2010-1788 CVE-2010-1790 CVE-2010-1792 CVE-2010-1793 CVE-2010-2648 Update to 1.2.3 which fixes:
CVE-2010-1386 CVE-2010-1392 CVE-2010-1405 CVE-2010-1407 CVE-2010-1416 CVE-2010-1417 CVE-2010-1665 CVE-2010-1418 CVE-2010-1421 CVE-2010-1422 CVE-2010-1501 CVE-2010-1767 CVE-2010-1664 CVE-2010-1758 CVE-2010-1759 CVE-2010-1760 CVE-2010-1761 CVE-2010-1762 CVE-2010-1770 CVE-2010-1771 CVE-2010-1772 CVE-2010-1773 CVE-2010-1774 CVE-2010-2264

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Gustavo Noronha reports :

Debian's Michael Gilbert has done a great job going through all CVEs released about WebKit, and including patches in the Debian package.
1.2.3 includes all of the commits from trunk to fix those, too.

This is an update to the latest stable bugfix qt release, including several security fixes related to qtwebkit. For details, see also:
http://qt.nokia.com/about/news/nokia-releases-qt-4.6.3 http://qt.nokia.com/developer/changes/changes-4.6.3

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This is an update to the latest stable bugfix qt release, including several security fixes related to qtwebkit. For details see also:
http://qt.nokia.com/about/news/nokia-releases-qt-4.6.3 http://qt.nokia.com/developer/changes/changes-4.6.3

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The version of Google Chrome installed on the remote host is earlier than 5.0.375.70.  As such, it is reportedly affected by multiple vulnerabilities :

  - A cross-origin keystroke redirection vulnerability.
    (Issue #15766)

  - A cross-origin bypass in DOM methods. (Issue #39985)

  - A memory error exists in table layout. (Issue #42723)

  - It is possible to escape the sandbox in Linux.
    (Issue #43304)

  - A stale pointer exists in bitmap. (Issue #43307)

  - A memory corruption vulnerability exists in DOM node     normalization. (Issue #43315)

  - A memory corruption vulnerability exists in text     transforms. (Issue #43487)

  - A cross-site scripting vulnerability exists in the     innerHTML property of textarea. (Issue #43902)

  - A memory corruption vulnerability exists in font     handling. (Issue #44740)

  - Geolocation events fire after document deletion.
    (Issue #44868)

  - A memory corruption vulnerability exists in the     rendering of list markers. (Issue #44955)

Versions of Google Chrome earlier than 5.0.375.70 are potentially affected by multiple vulnerabilities :

  - A cross-origin keystroke redirection vulnerability. (Bug 15766)

  - A cross-origin bypass in DOM methods. (Bug 39985)

  - A memory error exists in table layout. (Bug 42723)

  - It is possible to escape the sandbox in Linux. (Bug 43304)

  - A stale pointer exists in bitmap. (Bug 43307)  - A memory corruption vulnerability exists in DOM mode normalization. (Bug 43315)

  - A memory corruption vulnerability exists in text transforms. (Bug 43487)

  - A cross-site scripting vulnerability exists in the innerHTML property of textarea. (Bug 43902)

  - A memory corruption vulnerability exists in font handling. (Bug 44740)

  - Geolocation events fire after document deletion. (Bug 44868)

  - A memory corruption vulnerability exists in the rendering of list markers. (44955)

ID	Name	Product	Family	Severity
75629	openSUSE Security Update : libwebkit (openSUSE-SU-2011:0024-1)	Nessus	SuSE Local Security Checks	critical
75627	openSUSE Security Update : libwebkit (openSUSE-SU-2010:0458-1)	Nessus	SuSE Local Security Checks	critical
53764	openSUSE Security Update : libwebkit (openSUSE-SU-2011:0024-1)	Nessus	SuSE Local Security Checks	critical
52523	Mandriva Linux Security Advisory : webkit (MDVSA-2011:039)	Nessus	Mandriva Local Security Checks	critical
50046	Ubuntu 9.10 / 10.04 LTS / 10.10 : webkit vulnerabilities (USN-1006-1)	Nessus	Ubuntu Local Security Checks	critical
49295	Fedora 12 : webkitgtk-1.2.4-1.fc12 (2010-14419)	Nessus	Fedora Local Security Checks	high
49246	Fedora 13 : webkitgtk-1.2.4-1.fc13 (2010-14409)	Nessus	Fedora Local Security Checks	high
47751	FreeBSD : webkit-gtk2 -- Multiple vulnerabilities (19419b3b-92bd-11df-b140-0015f2db7bde)	Nessus	FreeBSD Local Security Checks	critical
47724	Fedora 12 : qt-4.6.3-8.fc12 (2010-11020)	Nessus	Fedora Local Security Checks	high
47723	Fedora 13 : qt-4.6.3-8.fc13 (2010-11011)	Nessus	Fedora Local Security Checks	high
46850	Google Chrome < 5.0.375.70 Multiple Vulnerabilities	Nessus	Windows	high
800928	Google Chrome < 5.0.375.70 Multiple Vulnerabilities	Log Correlation Engine	Web Clients	high

Detections

Analytics

CVE-2010-1773

high

Tenable Plugins

critical

critical

critical

critical

critical

high

high

critical

high

high

high

high