Bug 517273 (CVE-2009-2195)
| Summary: | CVE-2009-2195 WebKit: buffer overflow in floating point numbers parsing | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Tomas Hoger <thoger> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED UPSTREAM | QA Contact: | |
| Severity: | urgent | Docs Contact: | |
| Priority: | urgent | | |
| Version: | unspecified | CC: | jreznik, kevin, ltinkl, martin.sourada, maxamillion, mtasaka, peter, rdieter, than, vdanen |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2195 | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2010-09-22 14:56:20 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 580662 | | |
| Bug Blocks: | | | |
Description
Tomas Hoger
2009-08-13 10:42:33 UTC
Another two webkit CVEs are covered in HT3733, but all relevant changes are in mac or win specific directories, so do not seem to apply:
CVE-2009-2199 http://trac.webkit.org/changeset/45254
CVE-2009-2200 http://trac.webkit.org/changeset/44905 http://trac.webkit.org/changeset/44909

Note: looks like upstream commit 45696 is included in webkitgtk 1.1.11 and later.

Any idea whether this also affects KHTML? There's also a version of dtoa.cpp in there, but AFAIK it's somewhat different and might not be affected.

Qt 4.5.2's QtWebKit appears to be vulnerable. I do NOT see the changeset with the fix in the JavaScriptCore changelog.

We've tested a couple of konqueror/KHTML versions with test cases from the above commit; none of the versions misbehaved.

I cannot reproduce this issue with kdelibs (3.x in rhelX, 4.x in fedora) and qt-4.5.2. The code is a bit different.

Does anything here affect Fedora 12? If so, which versions? I see webkitkde and webkitgtk, and we have QT as well, right? Fedora 12 has QT version 4.5.3, so I am to understand that means it is not vulnerable? What about the others?

webkitkde should not contain another webkit copy, but rather only provide KDE "wrapper" / bindings around qtwebkit in qt. Based on comment #2, webkitgtk 1.1.11 and later should have a fix, i.e. F12 should be fine, F11 still has 1.1.10. Having a quick look into the qt 4.5 tree git version of the file, it seems quite different, so may not have that commit that introduced this regression. But it seems Kevin had a closer look at the qtwebkit version, given comment #3.

Well, I didn't find the fix in 4.5.2, but I don't know if it was vulnerable, and I haven't looked at 4.5.3 at all so far.

Following up on this, Fedora 11 still has webkitgtk-1.1.10, so would still be vulnerable. Do we know if qt-4.5.3 corrects this? Current Fedora has 4.6.2, so may not be vulnerable.

The upstream fix is included in QtWebKit 4.6.2 (qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/JavaScriptCore/wtf/dtoa.cpp), so Fedora 11+ is ok. Only webkitgtk on Fedora 11 would still be vulnerable to this.

I think we need to close this as F11 is already EOL?

No, it's not. The F11 EOL is on June 25.

Can we close this now? :)

Yes, we can. Thanks.