Bug 438531 - (CVE-2008-1011) CVE-2008-1011 WebKit Cross Site Scripting
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Assigned To: Red Hat Product Security
URL: http://nvd.nist.gov/nvd.cfm?cvename=C...
Keywords: Security
Depends On: 438537
Reported: 2008-03-21 10:36 EDT by Lubomir Kundrak
Modified: 2008-05-03 22:51 EDT
Doc Type: Bug Fix
Last Closed: 2008-05-03 22:51:15 EDT

Attachments
- screenshot of midori 0.0.17-2.fc8 (98.98 KB, image/png), 2008-04-16 11:33 EDT, Mamoru TASAKA
- screenshot of midori 0.0.17-3.fc8 (78.45 KB, image/png), 2008-04-16 11:37 EDT, Mamoru TASAKA
- gdb log of midori (6.88 KB, text/plain), 2008-04-16 22:39 EDT, Mamoru TASAKA
- screenshot of midori with WebKit r32012 (424.37 KB, image/png), 2008-04-18 13:23 EDT, Mamoru TASAKA

Description Lubomir Kundrak 2008-03-21 10:36:32 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-1011 to the following vulnerability:

Cross-site scripting (XSS) vulnerability in WebKit, as used in Apple Safari before 3.1, allows remote attackers to inject arbitrary web script or HTML via a frame that calls a method instance in another frame.

References:

http://lists.apple.com/archives/security-announce/2008/Mar/msg00000.html
Comment 2 Lubomir Kundrak 2008-03-21 10:41:30 EDT
I created tracking bugs only for devel, as I believe WebKit, though present, is
not used by anything -- is it?
Comment 3 Peter Gordon 2008-03-21 15:01:07 EDT
It is used by Midori and I believe recent Kazehakase builds also make use of it
(though Mamoru Tasaka would be the one to ask about that ^_^).
Comment 4 Mamoru TASAKA 2008-04-13 00:22:14 EDT
kazehakase uses WebKit on F-8/F-7, so a rebuild of kazehakase is needed on F-8/7,
too (so would you rebuild the new WebKit on F-8/7 and ask the rel-eng team to add
the new WebKit to the buildroot?)

Also, if you want to rebuild Midori against the new WebKit on F-9, you also have
to ask the rel-eng team to add the new Midori to the F-9 buildroot, as the dist-f9
buildroot is now frozen.

For devel I have trouble with bug 402641, and for now devel kazehakase is
not installable (and rawhide kazehakase does not support WebKit for now).
Comment 5 Mamoru TASAKA 2008-04-14 11:27:49 EDT
Rebuild of kazehakase-0.5.4-2.fc8 against WebKit-1.0.0-0.8.svn31787.fc8
is done.
Comment 6 Peter Gordon 2008-04-15 00:00:06 EDT
(In reply to comment #5)
> Rebuild of kazehakase-0.5.4-2.fc8 against WebKit-1.0.0-0.8.svn31787.fc8
> is done

Thanks, I just pushed an update request for these three packages (Midori,
Kazehakase, and WebKit) in F8. F7 builds coming soon...
Comment 7 Mamoru TASAKA 2008-04-15 09:52:15 EDT
Rebuild of kazehakase-0.5.4-2.fc7.1 against WebKit-1.0.0-0.8.svn31787.fc7
is done.
Comment 8 Fedora Update System 2008-04-15 20:41:12 EDT
midori-0.0.17-3.fc7,kazehakase-0.5.4-2.fc7.1,WebKit-1.0.0-0.8.svn31787.fc7 has been submitted as an update for Fedora 7
Comment 9 Mamoru TASAKA 2008-04-16 11:33:21 EDT
Created attachment 302622 [details]
screenshot of midori 0.0.17-2.fc8
Comment 10 Mamoru TASAKA 2008-04-16 11:37:40 EDT
Created attachment 302624 [details]
screenshot of midori 0.0.17-3.fc8

Screenshot of 0.0.17-3.fc8 (i.e. with WebKit-gtk-1.0.0-0.8.svn31787.fc8)

- it seems that WebKit-gtk-1.0.0-0.8.svn31787 has a serious regression
- Also, the soversion of libQtWebKit.so is strange.
Comment 11 Peter Gordon 2008-04-16 21:49:57 EDT
(In reply to comment #10)
> Screenshot of 0.0.17-3.fc8 (i.e. with WebKit-gtk-1.0.0-0.8.svn31787.fc8)
> 
> - it seems that WebKit-gtk-1.0.0-0.8.svn31787 has a serious regression

Unfortunately I'm not seeing that on my F8 installation. I updated it this
morning to WebKit-1.0.0-0.8.svn31787.fc8 (and midori-0.0.17-3.fc8), exported
LC_ALL=ja LANG=ja and ran Midori, and Google's Japanese homepage loaded and
appeared to render properly:
http://thecodergeek.com/images/midori-webkitgtk31787.png

Maybe there's an environment something that I'm not setting? I'll try logging in
entirely in Japanese and see if that changes it.

> - Also the soversion of libQtWebKit.so is strange.

It has always been unversioned, and therefore a bit odd. I didn't want to break
it needlessly by forcing a so-name.

Thanks. 
Comment 12 Peter Gordon 2008-04-16 22:02:37 EDT
(In reply to comment #11)
> Maybe there's an environment something that I'm not setting? I'll try logging in
> entirely in Japanese and see if that changes it.
I just logged out, changed my language to Japanese from GDM, and logged in. The
result is the same: Midori renders the page as expected, rather than as your
screenshot shows. 
Comment 13 Mamoru TASAKA 2008-04-16 22:39:01 EDT
Created attachment 302691 [details]
gdb log of midori

Moreover, on rawhide midori (actually WebKit-gtk) simply crashes
(also on kazehakase)...
Comment 14 Kevin Kofler 2008-04-17 16:09:14 EDT
> exported LC_ALL=ja LANG=ja

Tried ja_JP.UTF-8 already? And maybe other Japanese charsets, like 
ja_JP.ISO-2022-JP, ja_JP.EUC-JP or ja_JP.SHIFT_JIS? This bug sounds 
charset-dependent.
Comment 15 Peter Gordon 2008-04-17 22:39:46 EDT
(In reply to comment #14)
> > exported LC_ALL=ja LANG=ja
> 
> Tried ja_JP.UTF-8 already? And maybe other Japanese charsets, like 
> ja_JP.ISO-2022-JP, ja_JP.EUC-JP or ja_JP.SHIFT_JIS? This bug sounds 
> charset-dependent.

I've tried all of those, with no luck. It renders properly for me with each. :-/
Comment 16 Mamoru TASAKA 2008-04-18 13:15:00 EDT
WebKit svn32012 seems happy with midori and kazehakase on rawhide.

dist-f9 scratch build:
http://koji.fedoraproject.org/koji/taskinfo?taskID=572401
http://koji.fedoraproject.org/scratch/mtasaka/task_572401/

Now trying dist-f8-updates-candidate build:
http://koji.fedoraproject.org/koji/taskinfo?taskID=572457
Comment 17 Mamoru TASAKA 2008-04-18 13:23:45 EDT
Created attachment 302906 [details]
screenshot of midori with WebKit r32012
Comment 18 Peter Gordon 2008-04-19 23:06:39 EDT
Mock is building an updated snapshot for this, which should be done by the time
CVS finishes branching and whatnot. (No API/ABI changes according to upstream,
so no worries about rebuilding packages.)

Thanks for the testing!
Comment 19 Fedora Update System 2008-04-22 18:35:41 EDT
WebKit-1.0.0-0.8.svn31787.fc8, midori-0.0.17-3.fc8, kazehakase-0.5.4-2.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 20 Mamoru TASAKA 2008-04-24 01:55:22 EDT
WebKit r32416 scratch build:

dist-f8-updates-candidate:
http://koji.fedoraproject.org/koji/taskinfo?taskID=580074
http://koji.fedoraproject.org/scratch/mtasaka/task_580074/

dist-f9:
http://koji.fedoraproject.org/koji/taskinfo?taskID=580048
http://koji.fedoraproject.org/scratch/mtasaka/task_580048/

With this revision, midori/kazehakase don't crash.
Comment 21 Fedora Update System 2008-04-29 17:01:00 EDT
midori-0.0.17-3.fc7, WebKit-1.0.0-0.8.svn31787.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 22 Peter Gordon 2008-05-03 22:51:15 EDT
I believe this has been sufficiently fixed with recent updates (noted by the
Bodhi comments); so closing as ERRATA. Please feel free to re-open this bug with
more details if the issue persists. Thanks.