Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 271865 (CVE-2009-1233) - <net-libs/webkit-gtk-1.1.10: XML nested A infinite loop (CVE-2009-1233)
Summary: <net-libs/webkit-gtk-1.1.10: XML nested A infinite loop (CVE-2009-1233)
Alias: CVE-2009-1233
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
Whiteboard: B3 [glsa]
Depends on: 287494
  Show dependency tree
Reported: 2009-05-30 11:36 UTC by Robert Buchholz (RETIRED)
Modified: 2013-09-12 22:20 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Robert Buchholz (RETIRED) gentoo-dev 2009-05-30 11:36:15 UTC
CVE-2009-1233 (
  Apple Safari 3.2.2 and 4 Beta on Windows allows remote attackers to
  cause a denial of service (application crash) via an XML document
  containing many nested A elements.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2009-05-30 11:37:53 UTC
could reproduce an infinite loop on 0_p42162.
Comment 2 Mart Raudsepp gentoo-dev 2009-06-30 13:06:56 UTC
Does this happen with more recent versions as well with the reproduction case (e.g 1.1.10 or 1.1.9)?

I hope we can get libproxy stabilized soon now, and be able to start stabilizing webkit-gtk-1.1.7 and (preferably) newer soon.
Comment 3 Mart Raudsepp gentoo-dev 2009-06-30 13:29:07 UTC
I was able to find an exploit from the link above:

Happened to have webkit-gtk-1.1.8 installed, and that exploit seems to cause no crashes to midori with that newer webkit version, just seeing an empty white page and can navigate elsewhere on the same tab fine
Comment 4 Mart Raudsepp gentoo-dev 2009-09-28 00:37:48 UTC
Please stabilize the following to finally get a somewhat more secure webkit-gtk version to the stable tree:

gnome-base/gnome-keyring-2.22.3-r2 alpha amd64 ppc x86
net-libs/libsoup-gnome-2.26.3-r1   alpha amd64 ppc x86
net-libs/libsoup-2.26.3-r3         alpha amd64 ppc x86
net-libs/libproxy-0.2.3-r2                     ppc
net-libs/webkit-gtk-1.1.10         alpha amd64 ppc x86

gnome-keyring-2.22.3-r2 is exactly the same as the previous stable 2.22.3-r1, but adds a patch from 2.26 that fixes the public headers to be usable from C++ code (webkit-gtk[gnome-keyring]), so you can ignore any test failures on this if -r1 fails the same way - I noticed some problems compiling the tests with my gnutls version, I might have newer than current latest stable though.

>=libsoup-2.26 is a required dep of webkit-gtk-1.1.10 that is safe to stable before the rest of GNOME-2.26.

libsoup-gnome is a new package that is the libsoup-gnome library split out of the tarball to a separate package. This is a new library included in libsoup tarball since 2.26, and so for stable users there should be no migration concerns, as they haven't had a libsoup-gnome library before.
One revision earlier libsoup than requested here included libsoup-gnome still in the same package, but we need to stabilize the split work earlier than 30 days to avoid stable users needing a migration when libsoup-gnome split would otherwise go stable later on, and to avoid a circular dependency problem in certain USE flag combinations that could otherwise happen with this newer webkit-gtk version involved (bug 269747).

security@: I tested the exploit covered here against webkit-gtk-1.1.10 and found it to not crash anymore indeed; only the closing of the tab that navigated to the running exploit code took a few dozen seconds, but no crash.
Comment 5 Olivier Crete (RETIRED) gentoo-dev 2009-09-28 01:54:48 UTC
I added virtualx for the tests, they dont pass without it.
Comment 6 Olivier Crete (RETIRED) gentoo-dev 2009-09-28 02:11:44 UTC
amd64 done
Comment 7 Christian Faulhammer (RETIRED) gentoo-dev 2009-09-28 14:35:43 UTC
x86 stable
Comment 8 Tobias Klausmann (RETIRED) gentoo-dev 2009-09-28 19:42:56 UTC
Stabilized the relevant four on alpha.
Comment 9 Mounir Lamouri (volkmar) (RETIRED) gentoo-dev 2009-10-02 15:58:06 UTC
ppc done

The bug is ready to be fixed by the security team.
Comment 10 Stefan Behte (RETIRED) gentoo-dev Security 2009-10-03 13:06:44 UTC
Ready to vote, I vote NO as it's just an application crash.
Comment 11 Stefan Behte (RETIRED) gentoo-dev Security 2009-10-03 15:09:16 UTC
This will get a GLSA along with the other webkit bugs.
Comment 12 Xake 2010-10-21 10:57:19 UTC
the oldest version of webkit in portage is version so this should maybe be marked fixed?
Comment 13 Chris Reffett (RETIRED) gentoo-dev Security 2013-09-12 22:20:58 UTC
Presumably all affected versions are gone from tree. Closing as discussed with keytoaster. No GLSA for you.