WebKit contains an out-of-bounds read flaw in the 'TextIterator::handleTextNodeFirstLetter' function [WebCore/editing/TextIterator.cpp] that is triggered when handling text with a :first-letter selector. With a specially crafted web page, a context-dependent attacker can cause a browser crash and potentially disclose memory.

It has been reported that this issue has been fixed. Upgrade to version 1.8.0 or higher to address this vulnerability.

Upgrade to Google Chrome version 17.0.963.65 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

• Security Tracker: 1026759
• CVE ID: 2011-3040 (see also: NVD)
• Secunia Advisory ID: 48265 48419 48527 50058 50586 50618
• Bugtraq ID: 52271
• Related OSVDB ID: 79790 79791 79792 79793 79794 79795 79796 79797 79798 79800 79801 79802 79803
• Vendor Specific News/Changelog Entry: http://googlechromereleases.blogspot.com/2012/03/chrome-stable-update.html
  http://lists.opensuse.org/opensuse-security-announce/2012-03/msg00012.html
  http://www.gentoo.org/security/en/glsa/glsa-201203-19.xml
  https://bugs.webkit.org/show_bug.cgi?id=78530 [ Auth Req'd ]
• Mail List Post: http://lists.apple.com/archives/security-announce/2012/Jul/msg00000.html
• Vendor Specific Advisory URL: http://lists.apple.com/archives/security-announce/2012/Sep/msg00001.html
  http://support.apple.com/kb/HT5400
  http://support.apple.com/kb/HT5503
  https://code.google.com/p/chromium/issues/detail?id=114054 [ Auth Req'd ]
• Vendor Specific Solution URL: http://trac.webkit.org/changeset/108417
  http://trac.webkit.org/changeset/109385
  https://chromiumcodereview.appspot.com/9566023

• miaubiz