A number of security vulnerabilities were reported in WebKit:

CVE-2010-0046: CSS format() argument memory corruption
https://bugs.webkit.org/show_bug.cgi?id=31815
http://trac.webkit.org/changeset/51727
CSS format() arguments were always treated as strings, which could result in a crash or arbitrary code execution if an integer or other unexpected type was used instead.

CVE-2010-0047: Call-after-free in HTMLObjectElement::renderFallBackContent (ZDI-CAN-579)
https://bugs.webkit.org/show_bug.cgi?id=31277
http://trac.webkit.org/changeset/50698
Changes to the style of an OBJECT element resulted in the creation of a new frame, instead of re-using the existing frame. The existing frame would then be prematurely destroyed, which could result in a crash or arbitrary code execution.

CVE-2010-0048: Crash in XMLTokenizer::popCurrentNode if window.close() is called during parsing
https://bugs.webkit.org/show_bug.cgi?id=31576
http://trac.webkit.org/changeset/51962
The lifetime of an XML parser context was previously tied to its owning document, which could result in a crash or arbitrary code execution if the document is destroyed during parsing.

CVE-2010-0049: Use of free()d line boxes in mixed LTR/RTL text
https://bugs.webkit.org/show_bug.cgi?id=32749
http://trac.webkit.org/changeset/52527
When removing an empty text run, a linked list of text boxes may be prematurely destroyed, which could result in a crash or arbitrary code execution.

CVE-2010-0050: Crash at HTMLParser::popOneBlockCommon() after handling misnested residual style tags
https://bugs.webkit.org/show_bug.cgi?id=32567
http://trac.webkit.org/changeset/52073
A reference counting issue in the handling of incorrectly nested style tags could result in a crash or arbitrary code execution.

CVE-2010-0052: Navigating to a cached page can result in accessing a destroyed HTMLInputElement
https://bugs.webkit.org/show_bug.cgi?id=32293
http://trac.webkit.org/changeset/51877
Returning to a page using Back/Forward navigation could result in a crash or arbitrary code execution, if the page in question has a form element with autocomplete disabled, then re-enables autocomplete for that form and removes it from the page.

CVE-2010-0053: Crash due to double-destroy related to CSS run-in property
https://bugs.webkit.org/show_bug.cgi?id=31034
http://trac.webkit.org/changeset/50466
Continuations were destroyed before their anonymous children in some cases, which could result in a crash or arbitrary code execution.

CVE-2010-0054: Use of stale HTMLImageElement pointer in JSHTMLFormElement::nameGetter
https://bugs.webkit.org/show_bug.cgi?id=34076
http://trac.webkit.org/changeset/53812
http://trac.webkit.org/changeset/53813
http://trac.webkit.org/changeset/54242
The destructor for HTML image input elements attempted to manipulate the DOM of the containing document, which could result in a crash or arbitrary code execution.
The Apple release of Safari 4.0.5 is public now: APPLE-SA-2010-03-11-1
http://support.apple.com/kb/HT4070
Unfortunately, they reference CVE-2010-0051, which is the same flaw as CVE-2010-0651, which was previously corrected in Google Chrome. These flaws may affect QtWebKit (in qt) and webkitgtk.
CVE-2010-0047, CVE-2010-0048 and CVE-2010-0053 do not affect QtWebKit as found in Fedora 11, 12 (Qt 4.5, Qt 4.6). CVE-2010-0046, CVE-2010-0049 through 0052 and CVE-2010-0054 affect QtWebKit; these issues will be fixed with the next update to Qt.
qt-4.6.2-8.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/qt-4.6.2-8.fc11
qt-4.6.2-8.fc13 has been submitted as an update for Fedora 13. http://admin.fedoraproject.org/updates/qt-4.6.2-8.fc13
qt-4.6.2-8.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/qt-4.6.2-8.fc12
qt-4.6.2-8.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
qt-4.6.2-8.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
qt-4.6.2-8.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.
qt-4.6.2-17.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/qt-4.6.2-17.fc11
qt-4.6.2-17.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/qt-4.6.2-17.fc12
qt-4.6.2-17.fc13 has been submitted as an update for Fedora 13. http://admin.fedoraproject.org/updates/qt-4.6.2-17.fc13
qt-4.6.2-17.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
qt-4.6.2-17.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
qt-4.6.2-17.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.
kdelibs-4.7.3-5.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.