| Summary: | <net-libs/webkit-gtk-1.1.10: XML nested A infinite loop (CVE-2009-1233) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Robert Buchholz (RETIRED) <rbu> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | esigra, gnome, jokey, kanelxake |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | B3 [glsa] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 287494 | | |
| Bug Blocks: | | | |
Description
Robert Buchholz (RETIRED)
2009-05-30 11:36:15 UTC
could reproduce an infinite loop on 0_p42162. Does this happen with more recent versions as well with the reproduction case (e.g. 1.1.10 or 1.1.9)?

I hope we can get libproxy stabilized soon now, and be able to start stabilizing webkit-gtk-1.1.7 and (preferably) newer soon.

I was able to find an exploit from the link above: http://www.milw0rm.com/exploits/8325

Happened to have webkit-gtk-1.1.8 installed, and that exploit seems to cause no crashes to midori with that newer webkit version, just seeing an empty white page and can navigate elsewhere on the same tab fine.

Please stabilize the following to finally get a somewhat more secure webkit-gtk version to the stable tree:

gnome-base/gnome-keyring-2.22.3-r2 alpha amd64 ppc x86
net-libs/libsoup-gnome-2.26.3-r1 alpha amd64 ppc x86
net-libs/libsoup-2.26.3-r3 alpha amd64 ppc x86
net-libs/libproxy-0.2.3-r2 ppc
net-libs/webkit-gtk-1.1.10 alpha amd64 ppc x86

gnome-keyring-2.22.3-r2 is exactly the same as the previous stable 2.22.3-r1, but adds a patch from 2.26 that fixes the public headers to be usable from C++ code (webkit-gtk[gnome-keyring]), so you can ignore any test failures on this if -r1 fails the same way - I noticed some problems compiling the tests with my gnutls version, I might have newer than current latest stable though.

>=libsoup-2.26 is a required dep of webkit-gtk-1.1.10 that is safe to stable before the rest of GNOME-2.26. libsoup-gnome is a new package that is the libsoup-gnome library split out of the tarball to a separate package. This is a new library included in libsoup tarball since 2.26, and so for stable users there should be no migration concerns, as they haven't had a libsoup-gnome library before.

One revision earlier libsoup than requested here included libsoup-gnome still in the same package, but we need to stabilize the split work earlier than 30 days to avoid stable users needing a migration when libsoup-gnome split would otherwise go stable later on, and to avoid a circular dependency problem in certain USE flag combinations that could otherwise happen with this newer webkit-gtk version involved (bug 269747).

security@: I tested the exploit covered here against webkit-gtk-1.1.10 and found it to not crash anymore indeed; only the closing of the tab that navigated to the running exploit code took a few dozen seconds, but no crash.

I added virtualx for the tests, they don't pass without it.

amd64 done

x86 stable

Stabilized the relevant four on alpha.

ppc done

The bug is ready to be fixed by the security team.

Ready to vote, I vote NO as it's just an application crash.

This will get a GLSA along with the other webkit bugs.

the oldest version of webkit in portage is version 1.1.15.4 so this should maybe be marked fixed? Presumably all affected versions are gone from tree.

Closing as discussed with keytoaster. No GLSA for you.
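As an added check (not from the bug or from Gentoo's own tools), the following Python compares package versions under the Gentoo PMS ordering and reports whether an installed net-libs/webkit-gtk falls in the affected <1.1.10 range named in the summary; it handles the version forms seen on this page (0_p42162, 1.1.10, 2.22.3-r2, 1.1.15.4). The names compare_versions, is_affected and the 1.1.10 default are assumptions of this example, not Gentoo identifiers.

```python
import re

# PMS suffix ordering: _alpha < _beta < _pre < _rc < (no suffix) < _p
SUFFIX_RANK = {"alpha": 0, "beta": 1, "pre": 2, "rc": 3, "": 4, "p": 5}
VERSION_RE = re.compile(
    r"^(?P<nums>\d+(?:\.\d+)*)(?P<letter>[a-z]?)"
    r"(?P<suffixes>(?:_(?:alpha|beta|pre|rc|p)\d*)*)(?:-r(?P<rev>\d+))?$")

def parse_version(version):
    """Split a Gentoo version into (numeric parts, letter, suffixes, revision)."""
    m = VERSION_RE.match(version)
    if not m:
        raise ValueError(f"not a valid Gentoo version: {version!r}")
    suffixes = [(SUFFIX_RANK[name], int(num or 0))
                for name, num in re.findall(r"_([a-z]+)(\d*)", m.group("suffixes"))]
    return m.group("nums").split("."), m.group("letter"), suffixes, int(m.group("rev") or 0)

def _cmp(a, b):
    return (a > b) - (a < b)

def compare_versions(a, b):
    """Return -1, 0 or 1 when a is lower than, equal to, or higher than b."""
    nums_a, letter_a, suf_a, rev_a = parse_version(a)
    nums_b, letter_b, suf_b, rev_b = parse_version(b)
    # First numeric part compares as an integer; later parts compare as strings
    # with trailing zeros dropped when either has a leading zero (1.01 < 1.1).
    for i in range(max(len(nums_a), len(nums_b))):
        if i >= len(nums_a) or i >= len(nums_b):
            return -1 if i >= len(nums_a) else 1  # fewer parts sorts lower
        x, y = nums_a[i], nums_b[i]
        if i == 0 or (x[0] != "0" and y[0] != "0"):
            c = _cmp(int(x), int(y))
        else:
            c = _cmp(x.rstrip("0"), y.rstrip("0"))
        if c:
            return c
    if letter_a != letter_b:
        return _cmp(letter_a, letter_b)
    # A missing suffix ranks between _rc and _p: 1.1.10_rc1 < 1.1.10 < 1.1.10_p1.
    none = (SUFFIX_RANK[""], 0)
    for i in range(max(len(suf_a), len(suf_b))):
        c = _cmp(suf_a[i] if i < len(suf_a) else none, suf_b[i] if i < len(suf_b) else none)
        if c:
            return c
    return _cmp(rev_a, rev_b)

def is_affected(installed, fixed="1.1.10"):
    """True when an installed net-libs/webkit-gtk version is inside the <1.1.10 range."""
    return compare_versions(installed, fixed) < 0
```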