Bug 438531 (CVE-2008-1011)

Summary:

CVE-2008-1011 WebKit Cross Site Scripting

Product:

[Other] Security Response

Reporter:

Lubomir Kundrak <lkundrak>

Component:

vulnerability

Assignee:

Red Hat Product Security <security-response-team>

Status:

CLOSED ERRATA

QA Contact:

Severity:

low

Docs Contact:

Priority:

low

Version:

unspecified

CC:

mtasaka, peter

Target Milestone:

---

Keywords:

Security

Target Release:

---

Hardware:

All

OS:

Linux

URL:

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1011

Whiteboard:

Fixed In Version:

Doc Type:

Bug Fix

Doc Text:

Story Points:

---

Clone Of:

Environment:

Last Closed:

2008-05-04 02:51:15 UTC

Type:

---

Regression:

---

Mount Type:

---

Documentation:

---

CRM:

Verified Versions:

Category:

---

oVirt Team:

---

RHEL 7.3 requirements from Atomic Host:

Cloudforms Team:

---

Target Upstream Version:

Embargoed:

Bug Depends On:

438537

Bug Blocks:

Attachments:

Description	Flags
screenshot of midori 0.0.17-2.fc8	none
screenshot of midori 0.0.17-3.fc8	none
gdb log of midori	none
screenshot of midori with WebKit r32012	none

Description Lubomir Kundrak 2008-03-21 14:36:32 UTC

Common Vulnerabilities and Exposures assigned an identifier CVE-2008-1011 to the following vulnerability:

Cross-site scripting (XSS) vulnerability in WebKit, as used in Apple Safari before 3.1, allows remote attackers to inject arbitrary web script or HTML via a frame that calls a method instance in another frame.

References:

http://lists.apple.com/archives/security-announce/2008/Mar/msg00000.html

Comment 2 Lubomir Kundrak 2008-03-21 14:41:30 UTC

I created tracking bugs only for devel, as I believe WebKit, though present, is
not used by anything -- is it?

Comment 3 Peter Gordon 2008-03-21 19:01:07 UTC

It is used my Midori and I believe recent Kazahakase builds also make use of it
(though Mamoru Tasaka would be the one to ask about that ^_^).

Comment 4 Mamoru TASAKA 2008-04-13 04:22:14 UTC

kazehakase uses Webkit on F-8/F-7 so rebuild of kazehakase is needed on F-8/7,
too (so would you rebuild new Webkit on F-8/7 and ask rel-eng team to add
the new Webkit to buildroot?)

Also if you want to rebuild Midori against new Webkit on F-9, you also have
to ask rel-eng team to add new Midori to F-9 buildroot as dist-f9 buildroot is
now frozen.

For devel I have a trouble of bug 402641 and for now devel kazehakase is
not installable (and rawhide kazehakase does not support Webkit for now)

Comment 5 Mamoru TASAKA 2008-04-14 15:27:49 UTC

Rebuild of kazehakase-0.5.4-2.fc8 against WebKit-1.0.0-0.8.svn31787.fc8
is done

Comment 6 Peter Gordon 2008-04-15 04:00:06 UTC

(In reply to comment #5)
> Rebuild of kazehakase-0.5.4-2.fc8 against WebKit-1.0.0-0.8.svn31787.fc8
> is done

Thanks, I just pushed an update request for these three packages (Midori,
Kazehakase, and WebKit) in F8. F7 builds coming soon...

Comment 7 Mamoru TASAKA 2008-04-15 13:52:15 UTC

Rebuild of kazehakase-0.5.4-2.fc7.1 against WebKit-1.0.0-0.8.svn31787.fc7
is done.

Comment 8 Fedora Update System 2008-04-16 00:41:12 UTC

midori-0.0.17-3.fc7,kazehakase-0.5.4-2.fc7.1,WebKit-1.0.0-0.8.svn31787.fc7 has been submitted as an update for Fedora 7

Comment 9 Mamoru TASAKA 2008-04-16 15:33:21 UTC

Created attachment 302622 [details]
screenshot of midori 0.0.17-2.fc8

Comment 10 Mamoru TASAKA 2008-04-16 15:37:40 UTC

Created attachment 302624 [details]
screenshot of midori 0.0.17-3.fc8

Screenshot of 0.0.17-3.fc8 (i.e. with WebKit-gtk-1.0.0-0.8.svn31787.fc8)

- it seems that WebKit-gtk-1.0.0-0.8.svn31787 has serious regression
- Also the soversion of libQtWebKit.so is strange.

Comment 11 Peter Gordon 2008-04-17 01:49:57 UTC

(In reply to comment #10)
> Screenshot of 0.0.17-3.fc8 (i.e. with WebKit-gtk-1.0.0-0.8.svn31787.fc8)
> 
> - it seems that WebKit-gtk-1.0.0-0.8.svn31787 has serious regression

Unfortunately I'm not seeing that on my F8 installation. I updated it this
morning to WebKit-1.0.0-0.8.svn31787.fc8 (and midori-0.0.17-3.fc8), exported
LC_ALL=ja LANG=ja and ran Midori, and Google's Japanese homepage loaded and
appeared to render properly:
http://thecodergeek.com/images/midori-webkitgtk31787.png

Maybe there's an environment something that I'm not setting? I'll try logging in
entirely in Japanese and see if that changes it.

> - Also the soversion of libQtWebKit.so is strange.

It has always been unversioned, and therefore a bit odd. I didn't want to break
it needlessly by forcing a so-name.

Thanks.

Comment 12 Peter Gordon 2008-04-17 02:02:37 UTC

(In reply to comment #11)
> Maybe there's an environment something that I'm not setting? I'll try logging in
> entirely in Japanese and see if that changes it.


I just logged out, changed my language to Japanese from GDM, and logged in. The
result is the same: Midori renders the page as expected, rather than as your
screenshot shows.

Comment 13 Mamoru TASAKA 2008-04-17 02:39:01 UTC

Created attachment 302691 [details]
gdb log of midori

Moreover, on rawhide midori (actually WebKit-gtk) simply crashes
(also on kazehakase)...

Comment 14 Kevin Kofler 2008-04-17 20:09:14 UTC

> exported LC_ALL=ja LANG=ja

Tried ja_JP.UTF-8 already? And maybe other Japanese charsets, like 
ja_JP.ISO-2022-JP, ja_JP.EUC-JP or ja_JP.SHIFT_JIS? This bug sounds 
charset-dependent.

Comment 15 Peter Gordon 2008-04-18 02:39:46 UTC

(In reply to comment #14)
> > exported LC_ALL=ja LANG=ja
> 
> Tried ja_JP.UTF-8 already? And maybe other Japanese charsets, like 
> ja_JP.ISO-2022-JP, ja_JP.EUC-JP or ja_JP.SHIFT_JIS? This bug sounds 
> charset-dependent.

I've tried all of those, with no luck. It renders properly for me with each. :-/

Comment 16 Mamoru TASAKA 2008-04-18 17:15:00 UTC

WebKit svn32012 seems happy with midori and kazehakase on rawhide.

dist-f9 scratch build:
http://koji.fedoraproject.org/koji/taskinfo?taskID=572401
http://koji.fedoraproject.org/scratch/mtasaka/task_572401/

Now trying dist-f8-updates-candidate build:
http://koji.fedoraproject.org/koji/taskinfo?taskID=572457

Comment 17 Mamoru TASAKA 2008-04-18 17:23:45 UTC

Created attachment 302906 [details]
screenshot of midori with WebKit r32012

Comment 18 Peter Gordon 2008-04-20 03:06:39 UTC

Mock is building an updated snapshot for this, which should be done by the time
CVS finishes branching and whatnot. (No API/ABI changes according to upstream,
so no worries about rebuilding packages.)

Thanks for the testing!

Comment 19 Fedora Update System 2008-04-22 22:35:41 UTC

WebKit-1.0.0-0.8.svn31787.fc8, midori-0.0.17-3.fc8, kazehakase-0.5.4-2.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 20 Mamoru TASAKA 2008-04-24 05:55:22 UTC

WebKit r32416 scratch build:

dist-f8-updates-candidate:
http://koji.fedoraproject.org/koji/taskinfo?taskID=580074
http://koji.fedoraproject.org/scratch/mtasaka/task_580074/

dist-f9:
http://koji.fedoraproject.org/koji/taskinfo?taskID=580048
http://koji.fedoraproject.org/scratch/mtasaka/task_580048/

With this revision, midori/kazehakase don't crash.

Comment 21 Fedora Update System 2008-04-29 21:01:00 UTC

midori-0.0.17-3.fc7, WebKit-1.0.0-0.8.svn31787.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 22 Peter Gordon 2008-05-04 02:51:15 UTC

I believe this has been sufficiently fixed with recent updates (noted by the
Bodhi comments); so closing as ERRATA. Please feel free to re-open this bug with
more details if the issue persists. Thanks.