Bug 578119 (CVE-2010-1100)
Summary: | CVE-2010-1100 Arora: Intended port restrictions bypass due integer overflow | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Jan Lieskovsky <jlieskov> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED NOTABUG | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | jreznik |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://vimeo.com/10302434 | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2010-04-26 08:24:07 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 578133 | ||
Bug Blocks: |
Description
Jan Lieskovsky
2010-03-30 09:59:18 UTC
This issue is NOT reproducible with QtWebKit as found in latest Fedora updates (Qt 4.6.2). There's a check in QUrl code. Arora output while trying to connect to http://localhost:65561/ QUrl::setPort: Out of range Other WebKit implementations could be still vulnerable. webkitgtk-1.1.15.4-1.fc12 with midori gives: (midori:17258): libsoup-CRITICAL **: soup_address_new: assertion `SOUP_ADDRESS_PORT_IS_VALID (port)' failed (midori:17258): libsoup-CRITICAL **: soup_socket_connect_async: assertion `priv->remote_addr != NULL' failed where soup defines: #define SOUP_ADDRESS_PORT_IS_VALID(port) (port >= 0 && port <= 65535) Konqueror (KHTML based) is not vulnerable to port overflow but does not check port 25 at all. I'm closing this. The summary of findings: - arora using QTWebKit - Port number integer overflow is caught as mentioned in comment #2. However, arora/QTWebKit does not use port blacklisting. - webkitgtk - Port number integer overflow is caught by libsoup network backend (see comment #3). Port 25 itself is blocked. - konqueror/khtml - Port number integer overflow is caught, default of 80 is used when out-of-range number is specified. As with arora/QTWebKit, there's no port blacklising in use at all. |