Bug 627366 - (CVE-2010-1780, CVE-2010-1782, CVE-2010-1783, CVE-2010-1784, CVE-2010-1785, CVE-2010-1786, CVE-2010-1787, CVE-2010-1788, CVE-2010-1790, CVE-2010-1792, CVE-2010-1793) CVE-2010-1780 CVE-2010-1782 CVE-2010-1783 CVE-2010-1784 CVE-2010-1785 CVE-2010-1786 CVE-2010-1787 CVE-2010-1788 CVE-2010-1790 CVE-2010-1792 CVE-2010-1793 WebKit: multiple vulnerabilities in WebKitGTK
CVE-2010-1780 CVE-2010-1782 CVE-2010-1783 CVE-2010-1784 CVE-2010-1785 CVE-201...
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
public=20100811,reported=20100716,sou...
: Security
: CVE-2010-2647 (view as bug list)
Depends On: 631583 640385 640386
Blocks:
  Show dependency treegraph
 
Reported: 2010-08-25 16:14 EDT by Vincent Danen
Modified: 2012-03-07 02:06 EST (History)
6 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-03-07 02:06:21 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Vincent Danen 2010-08-25 16:14:07 EDT
A number of flaws were found in WebKit that also affect WebKitGTK.  The following list of vulnerabilities are currently unresolved in upstream version 1.2.3:

- CVE-2010-1780 (crash when focus is changed while trying to focus next element)
A use after free issue exists in WebKit's handling of element focus. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved handling of element focus. Credit to Tony Chang of Google, Inc. for reporting this issue.
* Bugzilla: https://bugs.webkit.org/show_bug.cgi?id=40407
* Trac: http://trac.webkit.org/changeset/60984


- CVE-2010-1782 (Memory Corruption in RenderBoxModelObject)
A memory corruption issue exists in WebKit's rendering of inline elements. Visiting a maliciously crafted website may lead to an  unexpected application termination or arbitrary code execution. This issue is addressed through improved bounds checking. Credit to wushi of team509 for reporting this issue.
* Bugzilla: https://bugs.webkit.org/show_bug.cgi?id=39305
* Trac: http://trac.webkit.org/changeset/61921


- CVE-2010-1783 memory corruption (read random system memory) in RenderBlock(?)
A memory corruption issue exists in WebKit's handling of dynamic modifications to text nodes. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution.  This issue is addressed through improved memory management.
* Bugzilla: https://bugs.webkit.org/show_bug.cgi?id=38977
* Trac: http://trac.webkit.org/changeset/62134


- CVE-2010-1784 (ZDI-CAN-784: Apple Webkit Rendering Counter Remote Code Execution Vulnerability)
A memory corruption issue exists in WebKit's handling of CSS counters. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved memory management.  
* Bugzilla: https://bugs.webkit.org/show_bug.cgi?id=40032
* Trac: http://trac.webkit.org/changeset/62271
* NOTE: related NULL deref, but no patch: https://bugs.webkit.org/show_bug.cgi?id=41472


- CVE-2010-1785 (ZDI-CAN-782: Apple Webkit SVG First-Letter Style Remote Code Execution Vulnerability)
An uninitialized memory access issue exists in WebKit's handling of the :first-letter and :first-line pseudo-elements in SVG text elements.  Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed by not rendering :first-letter or :first-line pseudo-elements in SVG text elements. [Credit to wushi of team509, working with TippingPoint's Zero Day Initiative for reporting this issue.]
* Bugzilla: https://bugs.webkit.org/show_bug.cgi?id=40031
* Trac: http://trac.webkit.org/changeset/61050
* Trac: http://trac.webkit.org/changeset/61051


- CVE-2010-1786 (ZDI-CAN-766: SVG ForeignObject Rendering Layout Vulnerability)
A use after free issue exists in WebKit's handling of foreignObject elements in SVG documents. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through additional validation of SVG documents. [Credit to wushi of team509, working with TippingPoint's Zero Day Initiative for reporting this issue.]
* Bugzilla: https://bugs.webkit.org/show_bug.cgi?id=38627
* Trac: http://trac.webkit.org/changeset/61667


- CVE-2010-1787 (ZDI-CAN-785: Apple Webkit SVG Floating Text Element Remote Code Execution Vulnerability)
A memory corruption issue exists in WebKit's handling of floating elements in SVG documents. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved memory management.
* Bugzilla: https://bugs.webkit.org/show_bug.cgi?id=40033
* Trac: http://trac.webkit.org/changeset/61044


- CVE-2010-1788 (Memory corruption with SVG <use> element)
A memory corruption issue exists in WebKit's handling of 'use' elements in SVG documents. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved handling of 'use' elements in SVG documents. Credit to Justin Schuh of Google,
Inc. for reporting this issue.
* Bugzilla: https://bugs.webkit.org/show_bug.cgi?id=40994
* Trac: http://trac.webkit.org/changeset/62482


- CVE-2010-1790 (Crash when re-entering polymorphic cache stubs)
A reentrancy issue exists in WebKit's handling of just-in-time compiled javascript stubs. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved synchronization.
* Bugzilla: https://bugs.webkit.org/show_bug.cgi?id=41482
* Trac: http://trac.webkit.org/changeset/62301


- CVE-2010-1792 (Yarr Interpreter is crashing in some cases of look-ahead regex patterns)
A memory corruption issue exists in WebKit's handling of regular expressions. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved handling of regular expressions.  Credit to Peter Varga of University of Szeged for reporting this issue.
* Bugzilla: https://bugs.webkit.org/show_bug.cgi?id=41458
* Trac: http://trac.webkit.org/changeset/62386


- CVE-2010-1793 (<use> on <font-face> causes crashes, if SVGUseElement gets detached)
A use after free issue exists in WebKit's handling of "font-face" and "use" elements in SVG documents. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved handling of "font-face" and "use" elements in SVG documents [Credit to Aohelin for reporting this issue.]
* Bugzilla: https://bugs.webkit.org/show_bug.cgi?id=41621
* Trac: http://trac.webkit.org/changeset/62662


Upstream WebKitGTK intends to correct all of these in an upcoming release.
Comment 1 Vincent Danen 2010-09-03 13:28:08 EDT
Upstream fixes for this issue that will make it into 1.2.4:

CVE-2010-1780:
Git: f5a22bf6b3951999255708361c9200f6d2fd8425

CVE-2010-1782:
Git: 31e4e68e93b116b1c948c85ca94273640d78427e

CVE-2010-1783:
Git: 31e4e68e93b116b1c948c85ca94273640d78427e
(note this issue was also assigned the name CVE-2010-2648)

CVE-2010-1784:
Git: 39f4ec0146af0102c241d876ebb8a03b61570401

CVE-2010-1785:
Git: e68c7098411c0a3ff70cdc08e613b1a5e795b1fd and 31cbc85273cc56a26bea85de78fa009e18e0f91e

CVE-2010-1787:
Git: bab92909e0d1d76016562684cc588f92d48fdd06

CVE-2010-1788:
Git: ed3c7278abc3bc0dfacf3f22ea48a708530f5f3d

CVE-2010-1790:
Git: 243f04c23ba228ec5d28f59510d03e0ea4d4f546

CVE-2010-1792:
Git: 63528d9c152c1f18fe82583b58e2348c86eeb266

CVE-2010-1793:
Git: e5bad7c10655bc20dee226113612684a80474147

Waiting on confirmation for CVE-2010-1786 from upstream.
Comment 2 Vincent Danen 2010-09-03 15:32:47 EDT
CVE-2010-1786:
Git: a32f127d8e71ed7654261d4dac36c689fb7eaf05
Comment 3 Vincent Danen 2010-09-07 18:53:38 EDT
Upstream 1.2.4 is release:

================
WebKitGTK+ 1.2.4
================

What's new in WebKitGTK+ 1.2.4?

  - New stable release, API and ABI compatible with previous 1.2.x
    versions;
  - The patches to fix the following CVEs are included with help from
    Vincent Danen and other members of the Red Hat security team:

      CVE-2010-1781 CVE-2010-1782 CVE-2010-1784 CVE-2010-1785
      CVE-2010-1786 CVE-2010-1787 CVE-2010-1788 CVE-2010-1790
      CVE-2010-1792 CVE-2010-1793 CVE-2010-2648


There is some confusion here, however, as CVE-2010-1781 should not have affected webkitgtk, and there is no mention of CVE-2010-1780.  Checking with upstream regarding that.  Everything else is corrected in that release.
Comment 4 Vincent Danen 2010-09-07 18:55:58 EDT
Created webkitgtk tracking bugs for this issue

Affects: fedora-all [bug 631583]
Comment 5 Vincent Danen 2010-09-08 18:34:40 EDT
CVE-2010-1781 was a typo; CVE-2010-1780 is indeed corrected in 1.2.4 (verified the upstream git commit and it's presence in 1.2.4).
Comment 17 Huzaifa S. Sidhpurwala 2011-01-10 03:35:34 EST
*** Bug 668336 has been marked as a duplicate of this bug. ***
Comment 18 errata-xmlrpc 2011-01-25 12:07:21 EST
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:0177 https://rhn.redhat.com/errata/RHSA-2011-0177.html

Note You need to log in before you can comment on or make changes to this bug.