Common Vulnerabilities and Exposures assigned an identifier CVE-2009-2195 to the following vulnerability: Buffer overflow in WebKit in Apple Safari before 4.0.3 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via crafted floating-point numbers. References: http://support.apple.com/kb/HT3733 http://lists.apple.com/archives/security-announce/2009/Aug/msg00002.html Upstream fix with test cases: http://trac.webkit.org/changeset/45696 Likely to affect webkit versions shipped in Fedora (WebKit, webkitgtk, QT).
Another two webkit CVEs are covered in HT3733, but all relevant changes are in mac or win specific directories, so do not seem to apply: CVE-2009-2199 http://trac.webkit.org/changeset/45254 CVE-2009-2200 http://trac.webkit.org/changeset/44905 http://trac.webkit.org/changeset/44909
Note: looks like upstream commit 45696 is included in webkitgtk 1.1.11 and later.
Any idea whether this also affects KHTML? There's also a version of dtoa.cpp in there, but AFAIK it's somewhat different and might not be affected. Qt 4.5.2's QtWebKit appears to be vulnerable. I do NOT see the changeset with the fix in the JavaScriptCore changelog.
We've tested couple of konqueror/KHTML versions with test cases from the above commit, none of the versions misbehaved.
i cannot reproduce this issue with kdelibs (3.x in rhelX, 4.x in fedora) and qt-4.5.2. The code is a bit different.
Does anything here affect Fedora 12? If so, which versions? IU see webkitkde and webkitgtk, and we have QT as well right? Fedora 12 has QT version 4.5.3 so I am to understand that means it is not vulnerable? What about the others?
webkitkde should not contain another webkit copy, but rather only provide KDE "wrapper" / bindings around qtwebkit in qt. Based on comment #2, webkitgtk 1.1.11 and later should have a fix, i.e. F12 should be fine, F11 still has 1.1.10. Having a quick look into qt 4.5 tree git version of the file, it seems quite different, so may not have that commit that introduced this regression. But it seems Kevin had a closer look on qtwebkit version, given the comment #3.
Well, I didn't find the fix in 4.5.2, but I don't know if it was vulnerable, and I haven't looked at 4.5.3 at all so far.
Following up on this, Fedora 11 still has webkitgtk-1.1.10 so would still be vulnerable. Do we know if qt-4.5.3 corrects this? Current Fedora has 4.6.2, so may not be vulnerable.
The upstream fix is included in QtWebKit 4.6.2 (qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/JavaScriptCore/wtf/dtoa.cpp), so Fedora 11+ is ok. Only webkitgtk on Fedora 11 would still be vulnerable to this.
I think we need to close this as F11 is already EOL ?
No, it's not. The F11 EOL is on June 25.
Can we close this now? :)
Yes, we can. Thanks.