Array index error in the insertItemBefore method in WebKit, as used
in Safari before 3.2.3 and 4 Public Beta, Google Chrome Stable before
188.8.131.52, and possibly other products allows remote attackers to
execute arbitrary code via a document with a SVGPathList data
structure containing a negative index in the (1) SVGTransformList,
(2) SVGStringList, (3) SVGNumberList, (4) SVGPathSegList, (5)
SVGPointList, or (6) SVGLengthList SVGList object, which triggers
The reproducer crashes with 4.4.2-r1, haven't tried 4.5.1.
var p = document.createElementNS("http://www.w3.org/2000/svg","path");
According to https://bugzilla.redhat.com/show_bug.cgi?id=506703#c15 this has been fixed in Qt 4.5.2. The oldest version of qt-webkit in portage is 4.5.3.
Please don't close security bugs; even the really old ones. Added to existing GLSA request.
This issue has been fixed since Oct 11, 2009. No GLSA will be issued.
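
The array index error described in the advisory text at the top of this report, shown as an added C++ example that is not WebKit's or Qt's code. ItemList, flawedGuardAccepts and the signed long long index are hypothetical names and types chosen for illustration. It contrasts an upper-bound-only check on a signed index with a guard that rejects negative values before the index reaches the container.

```cpp
#include <cstddef>
#include <iostream>
#include <string>
#include <vector>

// Illustrative only: hypothetical names, not WebKit's implementation.

// Upper-bound-only check on a signed index. A negative index satisfies
// it, which is the class of error the advisory describes.
bool flawedGuardAccepts(long long index, std::size_t size) {
    return index <= static_cast<long long>(size);
}

class ItemList {
public:
    // Returns false and leaves the list untouched when index is negative.
    // An index past the end appends rather than addressing past the buffer.
    bool insertItemBefore(const std::string& item, long long index) {
        if (index < 0)
            return false;
        std::size_t pos = static_cast<std::size_t>(index); // safe: index >= 0
        if (pos > items_.size())
            pos = items_.size();
        items_.insert(items_.begin() + static_cast<std::ptrdiff_t>(pos), item);
        return true;
    }
    std::size_t size() const { return items_.size(); }
    const std::string& at(std::size_t i) const { return items_.at(i); }
private:
    std::vector<std::string> items_;
};

int main() {
    ItemList list;
    std::cout << "flawed guard accepts -1: " << flawedGuardAccepts(-1, list.size()) << "\n";
    std::cout << "hardened insert at -1:   " << list.insertItemBefore("a", -1) << "\n";
    list.insertItemBefore("a", 0);
    list.insertItemBefore("b", 99); // clamped to append
    list.insertItemBefore("c", 1);
    for (std::size_t i = 0; i < list.size(); ++i)
        std::cout << i << ": " << list.at(i) << "\n";
    return 0;
}
```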