WebKit contains a use-after-free error in the 'RenderBlock::markSiblingsWithFloatsForLayout' function in WebCore/rendering/RenderBlock.cpp when handling intruding floats. With a specially crafted web page, a context-dependent attacker can dereference already freed memory and potentially execute arbitrary code.

It has been reported that this issue has been fixed. Upgrade to version 1.8.2, or higher, to address this vulnerability.

Upgrade to Google Chrome version 18.0.1025.168 or higher, Apple Safari version 6 or higher, and Apple iOS version 6 or higher, as they have been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

• Security Tracker: 1027001
• OVAL ID: 15592
• CVE ID: 2011-3081 (see also: NVD)
• Secunia Advisory ID: 48992 49075 49175 50058 50586 50618 51070
• Related OSVDB ID: 81643 81644 81645 81646
• Vendor Specific News/Changelog Entry: http://code.google.com/p/chromium/issues/detail?id=121899
  http://googlechromereleases.blogspot.com/2012/04/stable-channel-update_30.html
  http://www.gentoo.org/security/en/glsa/glsa-201205-01.xml
  http://www.ubuntu.com/usn/usn-1617-1/
  https://bugs.webkit.org/show_bug.cgi?id=83301 [ Auth Req'd ]
  https://hermes.opensuse.org/messages/14565591
• Mail List Post: http://lists.apple.com/archives/security-announce/2012/Jul/msg00000.html
• Vendor Specific Advisory URL: http://lists.apple.com/archives/security-announce/2012/Sep/msg00001.html
  http://support.apple.com/kb/HT5400
  http://support.apple.com/kb/HT5503
• Vendor Specific Solution URL: http://trac.webkit.org/changeset/113825

• miaubiz