Bug 438531 (CVE-2008-1011) - CVE-2008-1011 WebKit Cross Site Scripting
Summary: CVE-2008-1011 WebKit Cross Site Scripting
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2008-1011
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://nvd.nist.gov/nvd.cfm?cvename=C...
Whiteboard:
Depends On: 438537
Blocks:
TreeView+ depends on / blocked
 
Reported: 2008-03-21 14:36 UTC by Lubomir Kundrak
Modified: 2008-05-04 02:51 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-05-04 02:51:15 UTC
Embargoed:


Attachments (Terms of Use)
screenshot of midori 0.0.17-2.fc8 (98.98 KB, image/png)
2008-04-16 15:33 UTC, Mamoru TASAKA
no flags Details
screenshot of midori 0.0.17-3.fc8 (78.45 KB, image/png)
2008-04-16 15:37 UTC, Mamoru TASAKA
no flags Details
gdb log of midori (6.88 KB, text/plain)
2008-04-17 02:39 UTC, Mamoru TASAKA
no flags Details
screenshot of midori with WebKit r32012 (424.37 KB, image/png)
2008-04-18 17:23 UTC, Mamoru TASAKA
no flags Details

Description Lubomir Kundrak 2008-03-21 14:36:32 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-1011 to the following vulnerability:

Cross-site scripting (XSS) vulnerability in WebKit, as used in Apple Safari before 3.1, allows remote attackers to inject arbitrary web script or HTML via a frame that calls a method instance in another frame.

References:

http://lists.apple.com/archives/security-announce/2008/Mar/msg00000.html

Comment 2 Lubomir Kundrak 2008-03-21 14:41:30 UTC
I created tracking bugs only for devel, as I believe WebKit, though present, is
not used by anything -- is it?

Comment 3 Peter Gordon 2008-03-21 19:01:07 UTC
It is used my Midori and I believe recent Kazahakase builds also make use of it
(though Mamoru Tasaka would be the one to ask about that ^_^). 



Comment 4 Mamoru TASAKA 2008-04-13 04:22:14 UTC
kazehakase uses Webkit on F-8/F-7 so rebuild of kazehakase is needed on F-8/7,
too (so would you rebuild new Webkit on F-8/7 and ask rel-eng team to add
the new Webkit to buildroot?)

Also if you want to rebuild Midori against new Webkit on F-9, you also have
to ask rel-eng team to add new Midori to F-9 buildroot as dist-f9 buildroot is
now frozen.

For devel I have a trouble of bug 402641 and for now devel kazehakase is
not installable (and rawhide kazehakase does not support Webkit for now)

Comment 5 Mamoru TASAKA 2008-04-14 15:27:49 UTC
Rebuild of kazehakase-0.5.4-2.fc8 against WebKit-1.0.0-0.8.svn31787.fc8
is done

Comment 6 Peter Gordon 2008-04-15 04:00:06 UTC
(In reply to comment #5)
> Rebuild of kazehakase-0.5.4-2.fc8 against WebKit-1.0.0-0.8.svn31787.fc8
> is done

Thanks, I just pushed an update request for these three packages (Midori,
Kazehakase, and WebKit) in F8. F7 builds coming soon...

Comment 7 Mamoru TASAKA 2008-04-15 13:52:15 UTC
Rebuild of kazehakase-0.5.4-2.fc7.1 against WebKit-1.0.0-0.8.svn31787.fc7
is done.

Comment 8 Fedora Update System 2008-04-16 00:41:12 UTC
midori-0.0.17-3.fc7,kazehakase-0.5.4-2.fc7.1,WebKit-1.0.0-0.8.svn31787.fc7 has been submitted as an update for Fedora 7

Comment 9 Mamoru TASAKA 2008-04-16 15:33:21 UTC
Created attachment 302622 [details]
screenshot of midori 0.0.17-2.fc8

Comment 10 Mamoru TASAKA 2008-04-16 15:37:40 UTC
Created attachment 302624 [details]
screenshot of midori 0.0.17-3.fc8

Screenshot of 0.0.17-3.fc8 (i.e. with WebKit-gtk-1.0.0-0.8.svn31787.fc8)

- it seems that WebKit-gtk-1.0.0-0.8.svn31787 has serious regression
- Also the soversion of libQtWebKit.so is strange.

Comment 11 Peter Gordon 2008-04-17 01:49:57 UTC
(In reply to comment #10)
> Screenshot of 0.0.17-3.fc8 (i.e. with WebKit-gtk-1.0.0-0.8.svn31787.fc8)
> 
> - it seems that WebKit-gtk-1.0.0-0.8.svn31787 has serious regression

Unfortunately I'm not seeing that on my F8 installation. I updated it this
morning to WebKit-1.0.0-0.8.svn31787.fc8 (and midori-0.0.17-3.fc8), exported
LC_ALL=ja LANG=ja and ran Midori, and Google's Japanese homepage loaded and
appeared to render properly:
http://thecodergeek.com/images/midori-webkitgtk31787.png

Maybe there's an environment something that I'm not setting? I'll try logging in
entirely in Japanese and see if that changes it.

> - Also the soversion of libQtWebKit.so is strange.

It has always been unversioned, and therefore a bit odd. I didn't want to break
it needlessly by forcing a so-name.

Thanks. 


Comment 12 Peter Gordon 2008-04-17 02:02:37 UTC
(In reply to comment #11)
> Maybe there's an environment something that I'm not setting? I'll try logging in
> entirely in Japanese and see if that changes it.


I just logged out, changed my language to Japanese from GDM, and logged in. The
result is the same: Midori renders the page as expected, rather than as your
screenshot shows. 

Comment 13 Mamoru TASAKA 2008-04-17 02:39:01 UTC
Created attachment 302691 [details]
gdb log of midori

Moreover, on rawhide midori (actually WebKit-gtk) simply crashes
(also on kazehakase)...

Comment 14 Kevin Kofler 2008-04-17 20:09:14 UTC
> exported LC_ALL=ja LANG=ja

Tried ja_JP.UTF-8 already? And maybe other Japanese charsets, like 
ja_JP.ISO-2022-JP, ja_JP.EUC-JP or ja_JP.SHIFT_JIS? This bug sounds 
charset-dependent.

Comment 15 Peter Gordon 2008-04-18 02:39:46 UTC
(In reply to comment #14)
> > exported LC_ALL=ja LANG=ja
> 
> Tried ja_JP.UTF-8 already? And maybe other Japanese charsets, like 
> ja_JP.ISO-2022-JP, ja_JP.EUC-JP or ja_JP.SHIFT_JIS? This bug sounds 
> charset-dependent.

I've tried all of those, with no luck. It renders properly for me with each. :-/

Comment 16 Mamoru TASAKA 2008-04-18 17:15:00 UTC
WebKit svn32012 seems happy with midori and kazehakase on rawhide.

dist-f9 scratch build:
http://koji.fedoraproject.org/koji/taskinfo?taskID=572401
http://koji.fedoraproject.org/scratch/mtasaka/task_572401/

Now trying dist-f8-updates-candidate build:
http://koji.fedoraproject.org/koji/taskinfo?taskID=572457

Comment 17 Mamoru TASAKA 2008-04-18 17:23:45 UTC
Created attachment 302906 [details]
screenshot of midori with WebKit r32012

Comment 18 Peter Gordon 2008-04-20 03:06:39 UTC
Mock is building an updated snapshot for this, which should be done by the time
CVS finishes branching and whatnot. (No API/ABI changes according to upstream,
so no worries about rebuilding packages.)

Thanks for the testing!

Comment 19 Fedora Update System 2008-04-22 22:35:41 UTC
WebKit-1.0.0-0.8.svn31787.fc8, midori-0.0.17-3.fc8, kazehakase-0.5.4-2.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 20 Mamoru TASAKA 2008-04-24 05:55:22 UTC
WebKit r32416 scratch build:

dist-f8-updates-candidate:
http://koji.fedoraproject.org/koji/taskinfo?taskID=580074
http://koji.fedoraproject.org/scratch/mtasaka/task_580074/

dist-f9:
http://koji.fedoraproject.org/koji/taskinfo?taskID=580048
http://koji.fedoraproject.org/scratch/mtasaka/task_580048/

With this revision, midori/kazehakase don't crash.

Comment 21 Fedora Update System 2008-04-29 21:01:00 UTC
midori-0.0.17-3.fc7, WebKit-1.0.0-0.8.svn31787.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 22 Peter Gordon 2008-05-04 02:51:15 UTC
I believe this has been sufficiently fixed with recent updates (noted by the
Bodhi comments); so closing as ERRATA. Please feel free to re-open this bug with
more details if the issue persists. Thanks.


Note You need to log in before you can comment on or make changes to this bug.