Bug 281819 - <net-libs/webkit-gtk-1.2.5: "numeric character references" ACE (CVE-2009-1725)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://support.apple.com/kb/HT3666
Whiteboard: B2 [glsa]
Keywords:
Duplicates: 340529
Depends on:
Blocks: CVE-2009-1725
Reported: 2009-08-17 16:19 UTC by Alex Legler (RETIRED)
Modified: 2013-09-12 22:14 UTC


Attachments
build.log with test failures (build.log,218.62 KB, text/plain)
2010-12-23 23:47 UTC, Thomas Kahle (RETIRED)
Description Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-08-17 16:19:14 UTC
+++ This bug was initially created as a clone of Bug #281818 +++

CVE-2009-1725 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1725):
  WebKit in Apple Safari before 4.0.2 does not properly handle numeric
  character references, which allows remote attackers to execute
  arbitrary code or cause a denial of service (memory corruption and
  application crash) via a crafted HTML document.
Comment 1 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-08-17 16:21:28 UTC
All versions (1.1.7, 1.1.8, 1.1.10, r40220) except r46193 are vulnerable.
Comment 2 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-08-17 16:27:26 UTC
See blocker for a patch.
Comment 3 Gilles Dartiguelongue gentoo-dev 2010-12-23 11:02:34 UTC
webkit-gtk-1.2.5 has the fix from the blocker bug.
Comment 4 Tim Sammut (RETIRED) gentoo-dev 2010-12-23 15:38:02 UTC
(In reply to comment #3)
> webkit-gtk-1.2.5 has the fix from the blocker bug.
> 

@gnome, are we ok to stabilize webkit-gtk-1.2.5?
Comment 5 Gilles Dartiguelongue gentoo-dev 2010-12-23 15:52:56 UTC
afaik nothing is holding it. you can go ahead.
Comment 6 Tim Sammut (RETIRED) gentoo-dev 2010-12-23 16:51:45 UTC
(In reply to comment #5)
> afaik nothing is holding it. you can go ahead.
> 

Great, thanks.

Arches, please test and mark stable:
=net-libs/webkit-gtk-1.2.5
Target keywords : "alpha amd64 arm ia64 ppc sparc x86"

Comment 7 Thomas Kahle (RETIRED) gentoo-dev 2010-12-23 23:47:46 UTC
Created attachment 257904 [details]
build.log with test failures

Looks OK on x86 but tests do weird things like starting a kded. Is this expected?
Comment 8 Gilles Dartiguelongue gentoo-dev 2010-12-24 10:03:25 UTC
Tests do weird things indeed, see all currently open bugs against webkit-gtk, you'll see there are other issues, but they are not specific to 1.2.5 and we did not figure out how to fix all of them yet.
Comment 9 Pacho Ramos gentoo-dev 2010-12-24 10:36:02 UTC
Last time I asked upstream about a failing test, they told me tests were checked by them before any release to verify they run ok, then, my suggestion is to try to compile webkit-gtk manually and run tests and, if they still fail, report to upstream. If not... we will need to investigate a bit more ;-)
Comment 10 Thomas Kahle (RETIRED) gentoo-dev 2010-12-24 13:35:29 UTC
(In reply to comment #9)
> Last time I asked upstream about a failing test, they told me tests were
> checked by them before any release to verify they run ok, then, my suggestion
> is to try to compile webkit-gtk manually and run tests and, if they still fail,
> report to upstream. If not... we will need to investigate a bit more ;-)

Yep, also fails for vanilla. x86 stable.

Comment 11 blain 'Doc' Anderson 2010-12-25 16:13:02 UTC
amd64 stable

Comment 12 Raúl Porcel (RETIRED) gentoo-dev 2010-12-25 16:31:53 UTC
alpha/arm/ia64/sparc stable
Comment 13 Markos Chandras (RETIRED) gentoo-dev 2010-12-26 14:14:35 UTC
amd64 done. Thanks Blain
Comment 14 Pacho Ramos gentoo-dev 2010-12-28 17:41:11 UTC
(In reply to comment #10)
> (In reply to comment #9)
> > Last time I asked upstream about a failing test, they told me tests were
> > checked by them before any release to verify they run ok, then, my suggestion
> > is to try to compile webkit-gtk manually and run tests and, if they still fail,
> > report to upstream. If not... we will need to investigate a bit more ;-)
> 
> Yep, also fails for vanilla. x86 stable.
> 

In that case, feel free to open a bug report here and provide a link to upstream bug report for allowing us to track. Thanks again :-)
Comment 15 Tim Sammut (RETIRED) gentoo-dev 2011-01-01 22:21:43 UTC
*** Bug 340529 has been marked as a duplicate of this bug. ***
Comment 16 Tim Sammut (RETIRED) gentoo-dev 2011-01-01 22:23:43 UTC
From our ChangeLog.

*webkit-gtk-1.2.5 (11 Oct 2010)
 	
 	11 Oct 2010; Pacho Ramos <pacho@gentoo.org> -webkit-gtk-1.2.1.ebuild,
 	-files/webkit-gtk-1.2.1-icu-4.4.patch, +webkit-gtk-1.2.5.ebuild,
 	metadata.xml:
 	Version bump: fixes for CVE-2010-1780 CVE-2010-3113 CVE-2010-1814
 	CVE-2010-1812 CVE-2010-1815 CVE-2010-3115 CVE-2010-1807 CVE-2010-3114
 	CVE-2010-3116 CVE-2010-3257 CVE-2010-3259 CVE-2010-1781 CVE-2010-1782
 	CVE-2010-1784 CVE-2010-1785 CVE-2010-1786 CVE-2010-1787 CVE-2010-1788
 	CVE-2010-1790 CVE-2010-1792 CVE-2010-1793 CVE-2010-2648 CVE-2010-2647. 

We'll need to look at these CVEs before writing a GLSA.
Comment 17 Brent Baude (RETIRED) gentoo-dev 2011-01-09 14:26:34 UTC
ppc done
Comment 18 Tim Sammut (RETIRED) gentoo-dev 2011-01-09 16:39:22 UTC
Thanks, everyone. GLSA with 271861.
Comment 19 Chris Reffett (RETIRED) gentoo-dev Security 2013-09-12 22:14:55 UTC
No GLSA for you.