A use after free issue exists in WebKit's handling of drag and drop when the window acting as a source of a drag operation is closed before the drag operation is completed. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved memory management.

References:
Bugzilla: https://bugs.webkit.org/show_bug.cgi?id=37618
Trac: http://trac.webkit.org/changeset/58616

Acknowledgements:
Red Hat would like to thank Drew Yao of Apple Product Security for responsibly reporting this issue. Upstream acknowledges kuzzcc, and Skylined of Google Chrome Security Team, as the original reporters.

Is this the same thing as?

[41469] Medium Memory error with drag + drop. Credit to kuzzcc.

http://code.google.com/p/chromium/issues/detail?id=41469
http://googlechromereleases.blogspot.com/2010/05/stable-channel-update.html

(chromium bug is not public at the moment)

Yes, this is the same thing (upstream bug references this bug).
Public via: [1] http://support.apple.com/kb/HT419