rendering/svg/RenderSVGText.cpp in WebCore in WebKit in Google Chrome
before 11.0.696.65 does not properly perform a cast of an unspecified
variable during an attempt to handle a block child, which allows remote
attackers to cause a denial of service (application crash) or possibly have
unknown other impact via a crafted text element in an SVG document.
{"id": "UB:CVE-2011-1798", "vendorId": null, "type": "ubuntucve", "bulletinFamily": "info", "title": "CVE-2011-1798", "description": "rendering/svg/RenderSVGText.cpp in WebCore in WebKit in Google Chrome\nbefore 11.0.696.65 does not properly perform a cast of an unspecified\nvariable during an attempt to handle a block child, which allows remote\nattackers to cause a denial of service (application crash) or possibly have\nunknown other impact via a crafted text element in an SVG document.", "published": "2014-12-26T00:00:00", "modified": "2014-12-26T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "baseScore": 7.5}, "severity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {}, "href": "https://ubuntu.com/security/CVE-2011-1798", "reporter": "ubuntu.com", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1798", "http://trac.webkit.org/changeset/84085", "http://launchpad.net/bugs/778822", "http://crbug.com/79595", "https://nvd.nist.gov/vuln/detail/CVE-2011-1798", "https://launchpad.net/bugs/cve/CVE-2011-1798", "https://security-tracker.debian.org/tracker/CVE-2011-1798"], "cvelist": ["CVE-2011-1798"], "immutableFields": [], "lastseen": "2022-08-04T14:18:23", "viewCount": 2, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2011-1798"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2011-1798"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310805406", "OPENVAS:1361412562310805407", "OPENVAS:1361412562310805408"]}], "rev": 4}, "score": {"value": 6.1, "vector": "NONE"}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2011-1798"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2011-1798"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310805406", "OPENVAS:1361412562310805407", "OPENVAS:1361412562310805408"]}]}, "exploitation": null, "vulnersScore": 6.1}, "_state": {"dependencies": 1659904375, "score": 1659843777}, "_internal": {"score_hash": "b2dbe0b67523e0cdb4aff5dc2e09ceb1"}, "affectedPackage": [{"OS": "ubuntu", "OSVersion": "upstream", "arch": "noarch", "packageVersion": "11.0.696.65", "packageFilename": "UNKNOWN", "operator": "lt", "status": "released", "packageName": "chromium-browser"}, {"OS": "ubuntu", "OSVersion": "upstream", "arch": "noarch", "packageVersion": "any", "packageFilename": "UNKNOWN", "operator": "lt", "status": "needs triage", "packageName": "oxide-qt"}], "bugs": []}
{"debiancve": [{"lastseen": "2021-12-14T17:47:11", "description": "rendering/svg/RenderSVGText.cpp in WebCore in WebKit in Google Chrome before 11.0.696.65 does not properly perform a cast of an unspecified variable during an attempt to handle a block child, which allows remote attackers to cause a denial of service (application crash) or possibly have unknown other impact via a crafted text element in an SVG document.", "cvss3": {}, "published": "2014-12-26T02:59:00", "type": "debiancve", "title": "CVE-2011-1798", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2011-1798"], "modified": "2014-12-26T02:59:00", "id": "DEBIANCVE:CVE-2011-1798", "href": "https://security-tracker.debian.org/tracker/CVE-2011-1798", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2022-03-23T11:59:25", "description": "rendering/svg/RenderSVGText.cpp in WebCore in WebKit in Google Chrome before 11.0.696.65 does not properly perform a cast of an unspecified variable during an attempt to handle a block child, which allows remote attackers to cause a denial of service (application crash) or possibly have unknown other impact via a crafted text element in an SVG document.", "cvss3": {}, "published": "2014-12-26T02:59:00", "type": "cve", "title": "CVE-2011-1798", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2011-1798"], "modified": "2014-12-29T22:46:00", "cpe": ["cpe:/a:google:chrome:11.0.696.64"], "id": "CVE-2011-1798", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1798", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:google:chrome:11.0.696.64:*:*:*:*:*:*:*"]}], "openvas": [{"lastseen": "2020-04-22T17:02:34", "description": "The host is installed with Google Chrome\n and is prone to multiple vulnerabilities.", "cvss3": {}, "published": "2015-01-02T00:00:00", "type": "openvas", "title": "Google Chrome Multiple Vulnerabilities - Jan15 (Windows)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2011-1793", "CVE-2011-1794", "CVE-2011-1795", "CVE-2011-1798", "CVE-2011-1796"], "modified": "2020-04-20T00:00:00", "id": "OPENVAS:1361412562310805406", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310805406", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Google Chrome Multiple Vulnerabilities - Jan15 (Windows)\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:google:chrome\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.805406\");\n script_version(\"2020-04-20T09:38:23+0000\");\n script_cve_id(\"CVE-2011-1798\", \"CVE-2011-1796\", \"CVE-2011-1795\", \"CVE-2011-1794\",\n \"CVE-2011-1793\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-04-20 09:38:23 +0000 (Mon, 20 Apr 2020)\");\n script_tag(name:\"creation_date\", value:\"2015-01-02 14:21:05 +0530 (Fri, 02 Jan 2015)\");\n script_name(\"Google Chrome Multiple Vulnerabilities - Jan15 (Windows)\");\n\n script_tag(name:\"summary\", value:\"The host is installed with Google Chrome\n and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple Flaws are due to,\n\n - Use-after-free vulnerability in the FrameView::calculateScrollbarModesForLayout\n function in page/FrameView.cpp script within WebCore in WebKit.\n\n - Integer underflow in the HTMLFormElement::removeFormElement function in\n html/HTMLFormElement.cpp script within WebCore in WebKit.\n\n - Integer overflow in the FilterEffect::copyImageBytes function in\n platform/graphics/filters/FilterEffect.cpp script within WebCore in WebKit.\n\n - Integer overflow in the FilterEffect.\n\n - Two unspecified errors in rendering/svg/RenderSVGText.cpp script within\n WebCore in WebKit.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to cause a denial of service (application crash) or possibly have\n unspecified other impacts.\");\n\n script_tag(name:\"affected\", value:\"Google Chrome version prior to\n 11.0.696.65 on Windows.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Google Chrome version\n 11.0.696.65 or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"registry\");\n\n script_xref(name:\"URL\", value:\"http://trac.webkit.org/changeset/85406\");\n script_xref(name:\"URL\", value:\"https://code.google.com/p/chromium/issues/detail?id=67923\");\n script_xref(name:\"URL\", value:\"https://bugs.launchpad.net/ubuntu/+source/chromium-browser/+bug/778822\");\n\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_category(ACT_GATHER_INFO);\n script_family(\"General\");\n script_dependencies(\"gb_google_chrome_detect_portable_win.nasl\");\n script_mandatory_keys(\"GoogleChrome/Win/Ver\");\n\n exit(0);\n}\n\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!chromeVer = get_app_version(cpe:CPE)){\n exit(0);\n}\n\nif(version_is_less(version:chromeVer, test_version:\"11.0.696.65\"))\n{\n report = report_fixed_ver(installed_version:chromeVer, fixed_version:\"11.0.696.65\");\n security_message(port: 0, data: report);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-04-22T17:01:05", "description": "The host is installed with Google Chrome\n and is prone to multiple vulnerabilities.", "cvss3": {}, "published": "2015-01-02T00:00:00", "type": "openvas", "title": "Google Chrome Multiple Vulnerabilities - Jan15 (Mac OS X)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2011-1793", "CVE-2011-1794", "CVE-2011-1795", "CVE-2011-1798", "CVE-2011-1796"], "modified": "2020-04-20T00:00:00", "id": "OPENVAS:1361412562310805408", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310805408", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Google Chrome Multiple Vulnerabilities - Jan15 (Mac OS X)\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:google:chrome\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.805408\");\n script_version(\"2020-04-20T09:38:23+0000\");\n script_cve_id(\"CVE-2011-1798\", \"CVE-2011-1796\", \"CVE-2011-1795\", \"CVE-2011-1794\",\n \"CVE-2011-1793\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-04-20 09:38:23 +0000 (Mon, 20 Apr 2020)\");\n script_tag(name:\"creation_date\", value:\"2015-01-02 12:58:34 +0530 (Fri, 02 Jan 2015)\");\n script_name(\"Google Chrome Multiple Vulnerabilities - Jan15 (Mac OS X)\");\n\n script_tag(name:\"summary\", value:\"The host is installed with Google Chrome\n and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple Flaws are due to,\n\n - Use-after-free vulnerability in the FrameView::calculateScrollbarModesForLayout\n function in page/FrameView.cpp script within WebCore in WebKit.\n\n - Integer underflow in the HTMLFormElement::removeFormElement function in\n html/HTMLFormElement.cpp script within WebCore in WebKit.\n\n - Integer overflow in the FilterEffect::copyImageBytes function in\n platform/graphics/filters/FilterEffect.cpp script within WebCore in WebKit.\n\n - Integer overflow in the FilterEffect.\n\n - Two unspecified errors in rendering/svg/RenderSVGText.cpp script within\n WebCore in WebKit.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to cause a denial of service (application crash) or possibly have\n unspecified other impacts.\");\n\n script_tag(name:\"affected\", value:\"Google Chrome version prior to\n 11.0.696.65 on Mac OS X.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Google Chrome version\n 11.0.696.65 or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"http://trac.webkit.org/changeset/85406\");\n script_xref(name:\"URL\", value:\"https://code.google.com/p/chromium/issues/detail?id=67923\");\n script_xref(name:\"URL\", value:\"https://bugs.launchpad.net/ubuntu/+source/chromium-browser/+bug/778822\");\n\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_family(\"General\");\n script_dependencies(\"gb_google_chrome_detect_macosx.nasl\");\n script_mandatory_keys(\"GoogleChrome/MacOSX/Version\");\n\n exit(0);\n}\n\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!chromeVer = get_app_version(cpe:CPE)){\n exit(0);\n}\n\nif(version_is_less(version:chromeVer, test_version:\"11.0.696.65\"))\n{\n report = report_fixed_ver(installed_version:chromeVer, fixed_version:\"11.0.696.65\");\n security_message(port: 0, data: report);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-04-22T17:02:20", "description": "The host is installed with Google Chrome\n and is prone to multiple vulnerabilities.", "cvss3": {}, "published": "2015-01-02T00:00:00", "type": "openvas", "title": "Google Chrome Multiple Vulnerabilities - Jan15 (Linux)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2011-1793", "CVE-2011-1794", "CVE-2011-1795", "CVE-2011-1798", "CVE-2011-1796"], "modified": "2020-04-20T00:00:00", "id": "OPENVAS:1361412562310805407", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310805407", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Google Chrome Multiple Vulnerabilities - Jan15 (Linux)\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:google:chrome\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.805407\");\n script_version(\"2020-04-20T09:38:23+0000\");\n script_cve_id(\"CVE-2011-1798\", \"CVE-2011-1796\", \"CVE-2011-1795\", \"CVE-2011-1794\",\n \"CVE-2011-1793\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-04-20 09:38:23 +0000 (Mon, 20 Apr 2020)\");\n script_tag(name:\"creation_date\", value:\"2015-01-02 12:27:49 +0530 (Fri, 02 Jan 2015)\");\n script_name(\"Google Chrome Multiple Vulnerabilities - Jan15 (Linux)\");\n\n script_tag(name:\"summary\", value:\"The host is installed with Google Chrome\n and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple Flaws are due to,\n\n - Use-after-free vulnerability in the FrameView::calculateScrollbarModesForLayout\n function in page/FrameView.cpp script within WebCore in WebKit.\n\n - Integer underflow in the HTMLFormElement::removeFormElement function in\n html/HTMLFormElement.cpp script within WebCore in WebKit.\n\n - Integer overflow in the FilterEffect::copyImageBytes function in\n platform/graphics/filters/FilterEffect.cpp script within WebCore in WebKit.\n\n - Integer overflow in the FilterEffect.\n\n - Two unspecified errors in rendering/svg/RenderSVGText.cpp script within\n WebCore in WebKit.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to cause a denial of service (application crash) or possibly have\n unspecified other impacts.\");\n\n script_tag(name:\"affected\", value:\"Google Chrome version prior to\n 11.0.696.65 on Linux.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Google Chrome version\n 11.0.696.65 or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n\n script_xref(name:\"URL\", value:\"http://trac.webkit.org/changeset/85406\");\n script_xref(name:\"URL\", value:\"https://code.google.com/p/chromium/issues/detail?id=67923\");\n script_xref(name:\"URL\", value:\"https://bugs.launchpad.net/ubuntu/+source/chromium-browser/+bug/778822\");\n\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_category(ACT_GATHER_INFO);\n script_family(\"General\");\n script_dependencies(\"gb_google_chrome_detect_lin.nasl\");\n script_mandatory_keys(\"Google-Chrome/Linux/Ver\");\n\n exit(0);\n}\n\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!chromeVer = get_app_version(cpe:CPE)){\n exit(0);\n}\n\nif(version_is_less(version:chromeVer, test_version:\"11.0.696.65\"))\n{\n report = report_fixed_ver(installed_version:chromeVer, fixed_version:\"11.0.696.65\");\n security_message(port: 0, data: report);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}
CVE-2011-1798
