Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 271861 - <net-libs/webkit-gtk-1.1.7: Array indexing vulnerability (CVE-2009-0945)
Summary: <net-libs/webkit-gtk-1.1.7: Array indexing vulnerability (CVE-2009-0945)
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
Whiteboard: B2 [noglsa]
Depends on:
Reported: 2009-05-30 11:29 UTC by Robert Buchholz (RETIRED)
Modified: 2014-06-13 22:27 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---

webkit-gtk-CVE-2009-0945.patch (webkit-gtk-CVE-2009-0945.patch,671 bytes, patch)
2009-06-27 09:58 UTC, Alex Legler (RETIRED)
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Buchholz (RETIRED) gentoo-dev 2009-05-30 11:29:40 UTC
CVE-2009-0945 (
  Array index error in the insertItemBefore method in WebKit, as used
  in Safari before 3.2.3 and 4 Public Beta, Google Chrome Stable before, and possibly other products allows remote attackers to
  execute arbitrary code via a document with a SVGPathList data
  structure containing a negative index in the (1) SVGTransformList,
  (2) SVGStringList, (3) SVGNumberList, (4) SVGPathSegList, (5)
  SVGPointList, or (6) SVGLengthList SVGList object, which triggers
  memory corruption.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2009-05-30 11:33:19 UTC
The reproducer crashes with 0_p42162, but not with 1.1.7.

 var p = document.createElementNS("","path");
Comment 2 Nirbheek Chauhan (RETIRED) gentoo-dev 2009-05-30 12:37:43 UTC
What do we do here? 1.1.7 has been in portage for barely a week, and the older snapshots are far too old for backporting the fix.
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2009-05-30 15:29:27 UTC
If it doesn't break API against the existing stable, let's stable 1.1.7.
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2009-06-05 13:15:50 UTC
Comment 5 Mart Raudsepp gentoo-dev 2009-06-05 23:59:09 UTC
Please go ahead. Arch teams should be able to make sure the webkit-gtk using packages on their architecture continue to work. I believe there was an ABI version bump (soname from .so.1 to .so.2 or some such) between latest stable and 1.1.7, btw, but maybe that was with 1.1.8, not sure.
Comment 6 Mart Raudsepp gentoo-dev 2009-06-06 00:09:53 UTC
Sorry, it occurred to me that webkit-gtk-1.1.7 and later currently have a >=gnome-keyring-2.26 dependency with USE=gnome-keyring, and that is not ready for stabilization. I'll need to think what to do, maybe we can make a revision without gnome-keyring USE flag (it currently provides http authentication support), as earlier versions didn't have that feature either. Or maybe to lower the dependency requirement to 2.22 if possible - the requirement when introduced was told to be because only since 2.26 gnome-keyring headers are possible to include from C++ (extern "C" namespacing), but we could patch earlier versions too if that's the only need for so new keyring.

I'll personally have to sleep now, I hope to do something about it after I wake up and have some coffee (poke on IRC please).
Comment 7 Nirbheek Chauhan (RETIRED) gentoo-dev 2009-06-07 03:04:34 UTC
Alright, I checked with upstream webkit-gtk currently uses gnome-keyring only for http basic auth, and this feature wasn't present in the old snapshot so it can be disabled in 1.1.7 with glee.

Doing so now, you can gleefully continue with your security-thingies soon after.
Comment 8 Nirbheek Chauhan (RETIRED) gentoo-dev 2009-06-07 03:18:57 UTC
Alright, I was too optimistic. Libsoup-2.26 is also needed, which will pull in libproxy, and hence a ton of other deps. Stabling webkit-gtk-1.1.7 is NOT an option unless we're willing to wait for gnome-2.26 to go stable too.

So the options we have are:

1. Try to backport the fix(es) for the bug to the last stable version (sounds like a job for... the security team!)
2. Drop webkit support from gimp-2.6.4 (the only stable version depending on webkit). Gimp only uses webkit for it's documentation browser.

Comment 9 Robert Buchholz (RETIRED) gentoo-dev 2009-06-07 13:09:54 UTC
(In reply to comment #8)
> 1. Try to backport the fix(es) for the bug to the last stable version (sounds
> like a job for... the security team!)

I think this is the more desirable option, however it means we need to get access to patch information from upstream. We are in contact with Apple, let's hope this progresses as planned.

> 2. Drop webkit support from gimp-2.6.4 (the only stable version depending on
> webkit). Gimp only uses webkit for it's documentation browser.

This would mean to drop stable on WebKit. Let's give this bug some more time and hope for (1).
Comment 10 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-06-27 09:58:02 UTC
Created attachment 195867 [details, diff]

Backported patch. With that applied, the reproducer does no longer crash.
Comment 11 Nirbheek Chauhan (RETIRED) gentoo-dev 2009-06-27 11:37:44 UTC
Patch added in webkit-gtk-0_p40220-r1

Arches, please proceed with stabilisation
Comment 12 Tobias Klausmann (RETIRED) gentoo-dev 2009-06-27 12:54:49 UTC
Stable on alpha.
Comment 13 Brent Baude (RETIRED) gentoo-dev 2009-06-27 15:50:47 UTC
ppc done
Comment 14 Markus Meier gentoo-dev 2009-06-28 11:58:57 UTC
amd64/x86 stable, all arches done.
Comment 15 Jaak Ristioja 2010-07-23 08:51:48 UTC
<net-libs/webkit-gtk-1.1.7 is no longer in portage.
Comment 16 Tim Sammut (RETIRED) gentoo-dev 2010-11-20 23:25:08 UTC
GLSA with 287494.
Comment 17 Pacho Ramos gentoo-dev 2014-06-01 11:39:59 UTC
Not sure if has much sense to continue with this (affected versions were fixed and removed so much time ago :/). Well, I guess it will depend on security team policy
Comment 18 Pacho Ramos gentoo-dev 2014-06-01 13:21:36 UTC
Fixed in 1.1.10 that was fixed in bug 271865
Comment 19 Sergey Popov gentoo-dev 2014-06-13 22:27:58 UTC
Closing then