Bug 596498 (CVE-2010-1772)

Summary: CVE-2010-1772 WebKit: use-after-free vulnerability in handling of geolocation events
Product: [Other] Security Response Reporter: Vincent Danen <vdanen>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: urgent Docs Contact:
Priority: urgent    
Version: unspecifiedCC: jgrulich, jreznik, security-response-team, stransky, than
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-08-05 08:18:16 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 538236, 606304    
Bug Blocks: 806808    

Description Vincent Danen 2010-05-26 20:10:12 UTC 
A use after free issue exists in WebKit's handling of geolocation events. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved handing of geolocation events.

References:

Bugzilla: https://bugs.webkit.org/show_bug.cgi?id=39388
Trac: http://trac.webkit.org/changeset/59859

Acknowledgements:

Red Hat would like to thank Drew Yao of Apple Product Security for responsibly reporting this issue. Upstream acknowledges Justin Schuh as the original reporter.
Comment 3 Vincent Danen 2010-05-28 21:06:28 UTC 
Upstream indicates this is a regression probably caused here (via https://bugs.webkit.org/show_bug.cgi?id=37815#c60):

"Reverted r59693 for reason:

Broke GTK Release

Committed r59727: <http://trac.webkit.org/changeset/59727>"

It looks like webkitgtk 1.2.0 is using r56916 based on the ChangeLog entries.  If that is the case, then this would not affect webkitgtk (as we provide it) at all.
Comment 4 Vincent Danen 2010-05-28 21:08:29 UTC 
Geolocation is not supported by Konqueror.
Comment 5 Vincent Danen 2010-06-28 17:39:08 UTC 
This is being made public now, we've been given the go-ahead from upstream to do so.
Comment 6 Vincent Danen 2010-06-28 17:49:03 UTC 
Created webkitgtk tracking bugs for this issue

Affects: fedora-all [bug 606304]
Comment 7 Vincent Danen 2010-06-28 17:49:05 UTC 
Created qt tracking bugs for this issue

Affects: fedora-all [bug 538236]
Comment 8 Fedora Update System 2010-07-13 07:39:04 UTC 
qt-4.6.3-8.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2010-07-13 07:42:44 UTC 
qt-4.6.3-8.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.