A use-after-free issue exists in WebKit's rendering of HTML document subtrees. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved rendering of HTML document subtrees.

References:
Bugzilla: https://bugs.webkit.org/show_bug.cgi?id=37760
Trac: http://trac.webkit.org/changeset/59263

Acknowledgements: Red Hat would like to thank Drew Yao of Apple Product Security for responsibly reporting this issue. Upstream acknowledges James Robinson of Google Inc. as the original reporter.
Based on the code, this looks applicable to webkitgtk (1.2.0, svn r56916) and qt (4.6.2, svn r50154). The upstream reproducer, however, does not crash webkitgtk or qt.
Confirmed this is fixed in el6's qtwebkit-2.1.1 and fedora's qtwebkit-2.3.x
make that epel-6's qtwebkit-2.1.1