CVE-2009-1698

Description

WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch 1.1 through 2.2.1 does not initialize a pointer during handling of a Cascading Style Sheets (CSS) attr function call with a large numerical argument, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted HTML document.

How to fix CVE-2009-1698

To remediate CVE-2009-1698, upgrade the affected package to a fixed version below.

• Debian/kde4libs—upgrade to 4:4.3.0-1 or later

Is CVE-2009-1698 being exploited?

Moderate — EPSS is 7.8%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (1)

• from 0, < 4:4.3.0-1

References (34)

• ADVISORYblog.zoller.lu/2009/05/advisory-apple-safari-remote-code.html
• ADVISORYsecunia.com/advisories/35379
• ADVISORYsecunia.com/advisories/35588
• ADVISORYsecunia.com/advisories/36057
• ADVISORYsecunia.com/advisories/36062