Bug 603237 (CVE-2010-1761)

Summary:	CVE-2010-1761 webkit: use-after-free vulnerability when marking layout root's parent as needing layout
Product:	[Other] Security Response	Reporter:	Vincent Danen <vdanen>
Component:	vulnerability	Assignee:	Red Hat Product Security <security-response-team>
Status:	CLOSED WONTFIX	QA Contact:
Severity:	urgent	Docs Contact:
Priority:	urgent
Version:	unspecified	CC:	fedora, itamar, jgrulich, jreznik, kevin, martin.sourada, maxamillion, mtasaka, rdieter, smparrish, stransky, than
Target Milestone:	---	Keywords:	Security
Target Release:	---
Hardware:	All
OS:	Linux
Whiteboard:
Fixed In Version:		Doc Type:	Bug Fix
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2015-08-05 08:18:45 UTC	Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks:	806808

Description Vincent Danen 2010-06-12 00:19:38 UTC

A use after free issue exists in WebKit's rendering of HTML document
subtrees. Visiting a maliciously crafted website may lead to an unexpected
application termination or arbitrary code execution. This issue is
addressed through improved rendering of HTML document subtrees.

References:

Bugzilla: https://bugs.webkit.org/show_bug.cgi?id=37760
Trac: http://trac.webkit.org/changeset/59263

Acknowledgements:

Red Hat would like to thank Drew Yao of Apple Product Security for
responsibly reporting this issue. Upstream acknowledges James Robinson of
Google Inc. as the original reporter.

Comment 1 Vincent Danen 2010-06-12 00:33:01 UTC

Based on the code, this looks applicable to webkitgtk (1.2.0, svn r56916) and qt (4.6.2, svn r50154).

The upstream reproducer, however, does not crash webkitgtk or qt.

Comment 4 Rex Dieter 2014-09-23 14:17:12 UTC

Confirmed this is fixed in el6's qtwebkit-2.1.1 and fedora's qtwebkit-2.3.x

Comment 5 Rex Dieter 2014-09-23 14:17:28 UTC

make that epel-6's qtwebkit-2.1.1