Bug 570349 (CVE-2010-0046, CVE-2010-0047, CVE-2010-0048, CVE-2010-0049, CVE-2010-0050, CVE-2010-0052, CVE-2010-0053, CVE-2010-0054)

Summary: CVE-2010-0046, CVE-2010-0047, CVE-2010-0048, CVE-2010-0049, CVE-2010-0050, CVE-2010-0052, CVE-2010-0053, CVE-2010-0054 qt, webkitgtk: multiple security vulnerabilities in WebKit
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: urgent
Priority: urgent
Version: unspecified
CC: desktop-bugs, jreznik, security-response-team, stransky, tpelka
Keywords: Security
Hardware: All
OS: Linux
Whiteboard: impact=critical,source=upstream,reported=20100204,public=20100311
Doc Type: Bug Fix
Last Closed: 2010-12-20 13:40:08 EST
Bug Depends On: 572753, 572756, 572757, 572758, 574798, 589165, 589169

Description Vincent Danen 2010-03-03 18:25:20 EST
A number of security vulnerabilities were reported in WebKit:

CVE-2010-0046: CSS format() argument memory corruption
https://bugs.webkit.org/show_bug.cgi?id=31815
http://trac.webkit.org/changeset/51727

CSS format() arguments were always treated as strings, which could result
in a crash or arbitrary code execution if an integer or other unexpected
type was used instead.


CVE-2010-0047: Call-after-free in HTMLObjectElement::renderFallBackContent (ZDI-CAN-579)
https://bugs.webkit.org/show_bug.cgi?id=31277
http://trac.webkit.org/changeset/50698

Changes to the style of an OBJECT element resulted in the creation of a new
frame, instead of re-using the existing frame. The existing frame would
then be prematurely destroyed, which could result in a crash or arbitrary
code execution.


CVE-2010-0048: Crash in XMLTokenizer::popCurrentNode if window.close() is called during parsing
https://bugs.webkit.org/show_bug.cgi?id=31576
http://trac.webkit.org/changeset/51962

The lifetime of an XML parser context was previously tied to its owning
document, which could result in a crash or arbitrary code execution if the
document is destroyed during parsing.


CVE-2010-0049: Use of free()d line boxes in mixed LTR/RTL text
https://bugs.webkit.org/show_bug.cgi?id=32749
http://trac.webkit.org/changeset/52527

When removing an empty text run, a linked list of text boxes may be
prematurely destroyed, which could result in a crash or arbitrary code
execution.


CVE-2010-0050: Crash at HTMLParser::popOneBlockCommon() after handling misnested residual style tags
https://bugs.webkit.org/show_bug.cgi?id=32567
http://trac.webkit.org/changeset/52073

A reference counting issue in the handling of incorrectly nested style tags
could result in a crash or arbitrary code execution.


CVE-2010-0052: Navigating to a cached page can result in accessing a destroyed HTMLInputElement
https://bugs.webkit.org/show_bug.cgi?id=32293
http://trac.webkit.org/changeset/51877

Returning to a page using Back/Forward navigation could result in a crash
or arbitrary code execution, if the page in question has a form element
with autocomplete disabled, then re-enables autocomplete for that form and
removes it from the page.


CVE-2010-0053: Crash due to double-destroy related to CSS run-in property
https://bugs.webkit.org/show_bug.cgi?id=31034
http://trac.webkit.org/changeset/50466

Continuations were destroyed before their anonymous children in some cases,
which could result in a crash or arbitrary code execution.


CVE-2010-0054: Use of stale HTMLImageElement pointer in JSHTMLFormElement::nameGetter
https://bugs.webkit.org/show_bug.cgi?id=34076
http://trac.webkit.org/changeset/53812
http://trac.webkit.org/changeset/53813
http://trac.webkit.org/changeset/54242


The destructor for HTML image input elements attempted to manipulate the
DOM of the containing document, which could result in a crash or arbitrary
code execution.
Comment 3 Vincent Danen 2010-03-11 17:42:20 EST
The Apple release of Safari 4.0.5 is public now: APPLE-SA-2010-03-11-1 http://support.apple.com/kb/HT4070

Unfortunately, they reference CVE-2010-0051 which is the same flaw as CVE-2010-0651, which was previously corrected in Google Chrome.

These flaws may affect QtWebKit (in qt) and webkitgtk.
Comment 8 Jaroslav Reznik 2010-03-16 12:21:45 EDT
CVE-2010-0047, CVE-2010-0048 and CVE-2010-0053 do not affect QtWebKit as found in Fedora 11, 12 (Qt 4.5, Qt 4.6).

CVE-2010-0046, CVE-2010-0049 through 0052 and CVE-2010-0054 affect QtWebKit; the issues will be fixed with the next update to Qt.
Comment 11 Fedora Update System 2010-03-18 11:45:24 EDT
qt-4.6.2-8.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/qt-4.6.2-8.fc11
Comment 12 Fedora Update System 2010-03-18 11:45:55 EDT
qt-4.6.2-8.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/qt-4.6.2-8.fc13
Comment 13 Fedora Update System 2010-03-18 11:46:04 EDT
qt-4.6.2-8.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/qt-4.6.2-8.fc12
Comment 14 Fedora Update System 2010-03-22 22:09:50 EDT
qt-4.6.2-8.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 15 Fedora Update System 2010-03-22 22:23:57 EDT
qt-4.6.2-8.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 16 Fedora Update System 2010-03-22 22:24:12 EDT
qt-4.6.2-8.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 23 Fedora Update System 2010-05-11 02:21:20 EDT
qt-4.6.2-17.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/qt-4.6.2-17.fc11
Comment 24 Fedora Update System 2010-05-11 02:21:26 EDT
qt-4.6.2-17.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/qt-4.6.2-17.fc12
Comment 25 Fedora Update System 2010-05-11 02:22:46 EDT
qt-4.6.2-17.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/qt-4.6.2-17.fc13
Comment 26 Fedora Update System 2010-05-15 16:17:22 EDT
qt-4.6.2-17.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 27 Fedora Update System 2010-05-15 16:33:26 EDT
qt-4.6.2-17.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 28 Fedora Update System 2010-05-15 16:35:01 EDT
qt-4.6.2-17.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 31 Fedora Update System 2011-11-20 18:56:15 EST
kdelibs-4.7.3-5.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
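The practical check an administrator wants from a bug like this is whether the installed qt package is at or above the build that the update system pushed against it. The script below is an added example and is not part of the bug report or of Red Hat's or Fedora's tooling. It takes the Fedora 11/12/13 qt builds from the update comments above as the threshold (assuming qt-4.6.2-8.fcNN, the first build submitted against this bug, is the fix; the later -17 builds compare as newer and also pass), parses `rpm -q qt` style name-version-release.arch strings, and compares version and release with a simplified reimplementation of rpm's rpmvercmp ordering (numeric runs compare numerically, alphabetic runs lexically, a numeric run beats an alphabetic one, and `~` sorts before everything). The sample package strings are constructed for the demonstration.

```python
import re

# Threshold builds for this bug, taken from the Fedora Update System comments
# on the page (assumption: the -8 build is the one carrying the fix).
FIXED_QT = {
    "fc11": "4.6.2-8.fc11",
    "fc12": "4.6.2-8.fc12",
    "fc13": "4.6.2-8.fc13",
}

# Constructed sample input, as `rpm -q qt` would print it (not real hosts).
SAMPLE_PACKAGES = [
    "qt-4.6.2-7.fc12.x86_64",   # older release number: still vulnerable
    "qt-4.6.2-8.fc12.x86_64",   # exactly the fixed build
    "qt-4.6.2-17.fc12.i686",    # later update from the same bug: fixed
    "qt-4.6.1-9.fc11.x86_64",   # older upstream version: vulnerable
    "qt-4.6.2-8.fc14.x86_64",   # release not covered by this bug's updates
]


def _segments(s):
    """Tokenise a version string into numeric runs, alphabetic runs and '~',
    dropping separators such as '.', the way rpmvercmp does."""
    return re.findall(r"[0-9]+|[A-Za-z]+|~", s)


def rpmvercmp(a, b):
    """Simplified rpmvercmp: return 1 if a > b, -1 if a < b, 0 if equal."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if x == "~":          # tilde sorts before anything else
            return -1
        if y == "~":
            return 1
        if x.isdigit() and y.isdigit():
            return (int(x) > int(y)) - (int(x) < int(y))
        if x.isdigit():       # a numeric run beats an alphabetic one
            return 1
        if y.isdigit():
            return -1
        return (x > y) - (x < y)
    if len(sa) == len(sb):
        return 0
    # One string is a prefix of the other: the longer one is newer unless
    # its extra part starts with '~' (e.g. 1.0~rc1 < 1.0).
    a_longer = len(sa) > len(sb)
    rest = sa[len(sb):] if a_longer else sb[len(sa):]
    if rest[0] == "~":
        return -1 if a_longer else 1
    return 1 if a_longer else -1


def split_evr(evr):
    """Split 'epoch:version-release' into (epoch, version, release); epoch defaults to 0."""
    epoch = "0"
    if ":" in evr:
        epoch, evr = evr.split(":", 1)
    version, _, release = evr.partition("-")
    return epoch, version, release


def evrcmp(a, b):
    """Compare two EVR strings: epoch first, then version, then release."""
    for x, y in zip(split_evr(a), split_evr(b)):
        c = rpmvercmp(x, y)
        if c:
            return c
    return 0


def parse_nvra(line):
    """Parse 'name-version-release.arch' as printed by `rpm -q`; names may contain dashes."""
    nvr, _, arch = line.strip().rpartition(".")
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release, arch


def is_fixed(installed_nvra):
    """True if the installed qt build is at or above the threshold for its Fedora
    release, False if below, None if the release is not covered by FIXED_QT."""
    _, version, release, _ = parse_nvra(installed_nvra)
    dist = release.rsplit(".", 1)[-1]          # e.g. 'fc12'
    threshold = FIXED_QT.get(dist)
    if threshold is None:
        return None
    return evrcmp(f"{version}-{release}", threshold) >= 0


if __name__ == "__main__":
    for pkg in SAMPLE_PACKAGES:
        state = {True: "fixed", False: "VULNERABLE", None: "not covered"}[is_fixed(pkg)]
        print(f"{pkg:32} {state}")
```

On a real host, replace SAMPLE_PACKAGES with the output of `rpm -q qt`; a package whose release ends in a dist tag outside FIXED_QT reports "not covered" rather than guessing, which is the safer failure mode for an advisory check.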