An off by one memory corruption issue exists in WebSocketHandshake::readServerHandshake(). This issue is addressed by improved bounds checking. References: Bugzilla: https://bugs.webkit.org/show_bug.cgi?id=36339 Trac: http://trac.webkit.org/changeset/56380 Acknowledgements: Red Hat would like to thank Drew Yao of Apple Product Security for responsibly reporting this issue. Upstream acknowledges Skylined of Google Chrome Security Team as the original reporter.
This is being made public now, we've been given the go-ahead from upstream to do so.
Created webkitgtk tracking bugs for this issue Affects: fedora-all [bug 606304]
Created qt tracking bugs for this issue Affects: fedora-all [bug 538236]
qt-4.6.3-8.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.
qt-4.6.3-8.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
This issue actually did not affect webkitgtk as provided in Fedora. We provide version 1.2.0 (r56916) and this was fixed in svn commit 56380 so it was already fixed in 1.2.0.