OSVDB ID: 78547

Title: WebKit contextElementForInsertion Function Adjacent HTML Insertion Memory Corruption

Info

Dates

Disclosure: Jan 09, 2012
Discovery: Unknown
Exploit: Unknown
Solution: Jan 09, 2012

Description

WebKit contains a flaw in the 'contextElementForInsertion' function in html/HTMLElement.cpp that is triggered when handling the 'insertAdjacentHTML' method. With a specially crafted web page, a context-dependent attacker can corrupt memory to cause a denial of service or potentially execute arbitrary code.

Classification

Location: Context Dependent
Attack Type: Input Manipulation
Impact: Loss of Integrity
Solution: Patch / RCS
Exploit: PoC Public
Disclosure: Vendor Verified, Coordinated Disclosure
OSVDB: Web Related

Solution

The vendor has released a patch to address this vulnerability. Upgrade to Google Chrome version 16.0.912.77 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds. Check the vendor advisory, changelog, or solution in the references section for details.

Products

Vendor: Google, Inc.
Product: Chrome
Version: 16.0.912.75

Vendor: The WebKitGTK+ Team
Product: WebKitGTK+
Version: Unspecified

References

Credit

Unknown or Incomplete



Direct URL: http://osvdb.org/78547