Common Vulnerabilities and Exposures assigned an identifier CVE-2008-1011 to the following vulnerability: Cross-site scripting (XSS) vulnerability in WebKit, as used in Apple Safari before 3.1, allows remote attackers to inject arbitrary web script or HTML via a frame that calls a method instance in another frame. References: http://lists.apple.com/archives/security-announce/2008/Mar/msg00000.html
I created tracking bugs only for devel, as I believe WebKit, though present, is not used by anything -- is it?
It is used my Midori and I believe recent Kazahakase builds also make use of it (though Mamoru Tasaka would be the one to ask about that ^_^).
kazehakase uses Webkit on F-8/F-7 so rebuild of kazehakase is needed on F-8/7, too (so would you rebuild new Webkit on F-8/7 and ask rel-eng team to add the new Webkit to buildroot?) Also if you want to rebuild Midori against new Webkit on F-9, you also have to ask rel-eng team to add new Midori to F-9 buildroot as dist-f9 buildroot is now frozen. For devel I have a trouble of bug 402641 and for now devel kazehakase is not installable (and rawhide kazehakase does not support Webkit for now)
Rebuild of kazehakase-0.5.4-2.fc8 against WebKit-1.0.0-0.8.svn31787.fc8 is done
(In reply to comment #5) > Rebuild of kazehakase-0.5.4-2.fc8 against WebKit-1.0.0-0.8.svn31787.fc8 > is done Thanks, I just pushed an update request for these three packages (Midori, Kazehakase, and WebKit) in F8. F7 builds coming soon...
Rebuild of kazehakase-0.5.4-2.fc7.1 against WebKit-1.0.0-0.8.svn31787.fc7 is done.
midori-0.0.17-3.fc7,kazehakase-0.5.4-2.fc7.1,WebKit-1.0.0-0.8.svn31787.fc7 has been submitted as an update for Fedora 7
Created attachment 302622 [details] screenshot of midori 0.0.17-2.fc8
Created attachment 302624 [details] screenshot of midori 0.0.17-3.fc8 Screenshot of 0.0.17-3.fc8 (i.e. with WebKit-gtk-1.0.0-0.8.svn31787.fc8) - it seems that WebKit-gtk-1.0.0-0.8.svn31787 has serious regression - Also the soversion of libQtWebKit.so is strange.
(In reply to comment #10) > Screenshot of 0.0.17-3.fc8 (i.e. with WebKit-gtk-1.0.0-0.8.svn31787.fc8) > > - it seems that WebKit-gtk-1.0.0-0.8.svn31787 has serious regression Unfortunately I'm not seeing that on my F8 installation. I updated it this morning to WebKit-1.0.0-0.8.svn31787.fc8 (and midori-0.0.17-3.fc8), exported LC_ALL=ja LANG=ja and ran Midori, and Google's Japanese homepage loaded and appeared to render properly: http://thecodergeek.com/images/midori-webkitgtk31787.png Maybe there's an environment something that I'm not setting? I'll try logging in entirely in Japanese and see if that changes it. > - Also the soversion of libQtWebKit.so is strange. It has always been unversioned, and therefore a bit odd. I didn't want to break it needlessly by forcing a so-name. Thanks.
(In reply to comment #11) > Maybe there's an environment something that I'm not setting? I'll try logging in > entirely in Japanese and see if that changes it. I just logged out, changed my language to Japanese from GDM, and logged in. The result is the same: Midori renders the page as expected, rather than as your screenshot shows.
Created attachment 302691 [details] gdb log of midori Moreover, on rawhide midori (actually WebKit-gtk) simply crashes (also on kazehakase)...
> exported LC_ALL=ja LANG=ja Tried ja_JP.UTF-8 already? And maybe other Japanese charsets, like ja_JP.ISO-2022-JP, ja_JP.EUC-JP or ja_JP.SHIFT_JIS? This bug sounds charset-dependent.
(In reply to comment #14) > > exported LC_ALL=ja LANG=ja > > Tried ja_JP.UTF-8 already? And maybe other Japanese charsets, like > ja_JP.ISO-2022-JP, ja_JP.EUC-JP or ja_JP.SHIFT_JIS? This bug sounds > charset-dependent. I've tried all of those, with no luck. It renders properly for me with each. :-/
WebKit svn32012 seems happy with midori and kazehakase on rawhide. dist-f9 scratch build: http://koji.fedoraproject.org/koji/taskinfo?taskID=572401 http://koji.fedoraproject.org/scratch/mtasaka/task_572401/ Now trying dist-f8-updates-candidate build: http://koji.fedoraproject.org/koji/taskinfo?taskID=572457
Created attachment 302906 [details] screenshot of midori with WebKit r32012
Mock is building an updated snapshot for this, which should be done by the time CVS finishes branching and whatnot. (No API/ABI changes according to upstream, so no worries about rebuilding packages.) Thanks for the testing!
WebKit-1.0.0-0.8.svn31787.fc8, midori-0.0.17-3.fc8, kazehakase-0.5.4-2.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
WebKit r32416 scratch build: dist-f8-updates-candidate: http://koji.fedoraproject.org/koji/taskinfo?taskID=580074 http://koji.fedoraproject.org/scratch/mtasaka/task_580074/ dist-f9: http://koji.fedoraproject.org/koji/taskinfo?taskID=580048 http://koji.fedoraproject.org/scratch/mtasaka/task_580048/ With this revision, midori/kazehakase don't crash.
midori-0.0.17-3.fc7, WebKit-1.0.0-0.8.svn31787.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
I believe this has been sufficiently fixed with recent updates (noted by the Bodhi comments); so closing as ERRATA. Please feel free to re-open this bug with more details if the issue persists. Thanks.