Bug 570349 - CVE-2010-0046, CVE-2010-0047, CVE-2010-0048, CVE-2010-0049, CVE-2010-0050, CVE-2010-0052, CVE-2010-0053, CVE-2010-0054 qt, webkitgtk: multiple security vulnerabilities in WebKit
Status: CLOSED ERRATA
Alias: CVE-2010-0046, CVE-2010-0047, CVE-2010-0048, CVE-2010-0049, CVE-2010-0050, CVE-2010-0052, CVE-2010-0053, CVE-2010-0054
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 572753 572756 572757 572758 574798 589165 589169

Reported: 2010-03-03 23:25 UTC by Vincent Danen
Modified: 2019-09-29 12:35 UTC

Doc Type: Bug Fix
Last Closed: 2010-12-20 18:40:08 UTC

Description Vincent Danen 2010-03-03 23:25:20 UTC
A number of security vulnerabilities were reported in WebKit:

CVE-2010-0046: CSS format() argument memory corruption
https://bugs.webkit.org/show_bug.cgi?id=31815
http://trac.webkit.org/changeset/51727

CSS format() arguments were always treated as strings, which could result
in a crash or arbitrary code execution if an integer or other unexpected
type was used instead.


CVE-2010-0047: Call-after-free in HTMLObjectElement::renderFallBackContent (ZDI-CAN-579)
https://bugs.webkit.org/show_bug.cgi?id=31277
http://trac.webkit.org/changeset/50698

Changes to the style of an OBJECT element resulted in the creation of a new
frame, instead of re-using the existing frame. The existing frame would
then be prematurely destroyed, which could result in a crash or arbitrary
code execution.


CVE-2010-0048: Crash in XMLTokenizer::popCurrentNode if window.close() is called during parsing
https://bugs.webkit.org/show_bug.cgi?id=31576
http://trac.webkit.org/changeset/51962

The lifetime of an XML parser context was previously tied to its owning
document, which could result in a crash or arbitrary code execution if the
document is destroyed during parsing.


CVE-2010-0049: Use of free()d line boxes in mixed LTR/RTL text
https://bugs.webkit.org/show_bug.cgi?id=32749
http://trac.webkit.org/changeset/52527

When removing an empty text run, a linked list of text boxes may be
prematurely destroyed, which could result in a crash or arbitrary code
execution.


CVE-2010-0050: Crash at HTMLParser::popOneBlockCommon() after handling misnested residual style tags
https://bugs.webkit.org/show_bug.cgi?id=32567
http://trac.webkit.org/changeset/52073

A reference counting issue in the handling of incorrectly nested style tags
could result in a crash or arbitrary code execution.


CVE-2010-0052: Navigating to a cached page can result in accessing a destroyed HTMLInputElement
https://bugs.webkit.org/show_bug.cgi?id=32293
http://trac.webkit.org/changeset/51877

Returning to a page using Back/Forward navigation could result in a crash
or arbitrary code execution, if the page in question has a form element
with autocomplete disabled, then re-enables autocomplete for that form and
removes it from the page.


CVE-2010-0053: Crash due to double-destroy related to CSS run-in property
https://bugs.webkit.org/show_bug.cgi?id=31034
http://trac.webkit.org/changeset/50466

Continuations were destroyed before their anonymous children in some cases,
which could result in a crash or arbitrary code execution.


CVE-2010-0054: Use of stale HTMLImageElement pointer in JSHTMLFormElement::nameGetter
https://bugs.webkit.org/show_bug.cgi?id=34076
http://trac.webkit.org/changeset/53812
http://trac.webkit.org/changeset/53813
http://trac.webkit.org/changeset/54242

The destructor for HTML image input elements attempted to manipulate the
DOM of the containing document, which could result in a crash or arbitrary
code execution.

Comment 3 Vincent Danen 2010-03-11 22:42:20 UTC
The Apple release of Safari 4.0.5 is public now: APPLE-SA-2010-03-11-1 http://support.apple.com/kb/HT4070

Unfortunately, they reference CVE-2010-0051 which is the same flaw as CVE-2010-0651, which was previously corrected in Google Chrome.

These flaws may affect QtWebKit (in qt) and webkitgtk.

Comment 8 Jaroslav Reznik 2010-03-16 16:21:45 UTC
CVE-2010-0047, CVE-2010-0048 and CVE-2010-0053 do not affect QtWebKit as found in Fedora 11, 12 (Qt 4.5, Qt 4.6).

CVE-2010-0046, CVE-2010-0049 through 0052 and CVE-2010-0054 affect QtWebKit; the issues will be fixed with the next update to Qt.

Comment 11 Fedora Update System 2010-03-18 15:45:24 UTC
qt-4.6.2-8.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/qt-4.6.2-8.fc11

Comment 12 Fedora Update System 2010-03-18 15:45:55 UTC
qt-4.6.2-8.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/qt-4.6.2-8.fc13

Comment 13 Fedora Update System 2010-03-18 15:46:04 UTC
qt-4.6.2-8.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/qt-4.6.2-8.fc12

Comment 14 Fedora Update System 2010-03-23 02:09:50 UTC
qt-4.6.2-8.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 15 Fedora Update System 2010-03-23 02:23:57 UTC
qt-4.6.2-8.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 16 Fedora Update System 2010-03-23 02:24:12 UTC
qt-4.6.2-8.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 23 Fedora Update System 2010-05-11 06:21:20 UTC
qt-4.6.2-17.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/qt-4.6.2-17.fc11

Comment 24 Fedora Update System 2010-05-11 06:21:26 UTC
qt-4.6.2-17.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/qt-4.6.2-17.fc12

Comment 25 Fedora Update System 2010-05-11 06:22:46 UTC
qt-4.6.2-17.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/qt-4.6.2-17.fc13

Comment 26 Fedora Update System 2010-05-15 20:17:22 UTC
qt-4.6.2-17.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 27 Fedora Update System 2010-05-15 20:33:26 UTC
qt-4.6.2-17.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 28 Fedora Update System 2010-05-15 20:35:01 UTC
qt-4.6.2-17.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 31 Fedora Update System 2011-11-20 23:56:15 UTC
kdelibs-4.7.3-5.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

