A number of flaws were found in WebKit that also affect WebKitGTK. The following vulnerabilities are currently unresolved in upstream version 1.2.3:

- CVE-2010-1780 (crash when focus is changed while trying to focus next element)
  A use after free issue exists in WebKit's handling of element focus. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved handling of element focus. Credit to Tony Chang of Google, Inc. for reporting this issue.
  * Bugzilla: https://bugs.webkit.org/show_bug.cgi?id=40407
  * Trac: http://trac.webkit.org/changeset/60984

- CVE-2010-1782 (Memory Corruption in RenderBoxModelObject)
  A memory corruption issue exists in WebKit's rendering of inline elements. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved bounds checking. Credit to wushi of team509 for reporting this issue.
  * Bugzilla: https://bugs.webkit.org/show_bug.cgi?id=39305
  * Trac: http://trac.webkit.org/changeset/61921

- CVE-2010-1783 (memory corruption (read random system memory) in RenderBlock(?))
  A memory corruption issue exists in WebKit's handling of dynamic modifications to text nodes. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved memory management.
  * Bugzilla: https://bugs.webkit.org/show_bug.cgi?id=38977
  * Trac: http://trac.webkit.org/changeset/62134

- CVE-2010-1784 (ZDI-CAN-784: Apple Webkit Rendering Counter Remote Code Execution Vulnerability)
  A memory corruption issue exists in WebKit's handling of CSS counters. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved memory management.
  * Bugzilla: https://bugs.webkit.org/show_bug.cgi?id=40032
  * Trac: http://trac.webkit.org/changeset/62271
  * NOTE: related NULL deref, but no patch: https://bugs.webkit.org/show_bug.cgi?id=41472

- CVE-2010-1785 (ZDI-CAN-782: Apple Webkit SVG First-Letter Style Remote Code Execution Vulnerability)
  An uninitialized memory access issue exists in WebKit's handling of the :first-letter and :first-line pseudo-elements in SVG text elements. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed by not rendering :first-letter or :first-line pseudo-elements in SVG text elements. [Credit to wushi of team509, working with TippingPoint's Zero Day Initiative, for reporting this issue.]
  * Bugzilla: https://bugs.webkit.org/show_bug.cgi?id=40031
  * Trac: http://trac.webkit.org/changeset/61050
  * Trac: http://trac.webkit.org/changeset/61051

- CVE-2010-1786 (ZDI-CAN-766: SVG ForeignObject Rendering Layout Vulnerability)
  A use after free issue exists in WebKit's handling of foreignObject elements in SVG documents. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through additional validation of SVG documents. [Credit to wushi of team509, working with TippingPoint's Zero Day Initiative, for reporting this issue.]
  * Bugzilla: https://bugs.webkit.org/show_bug.cgi?id=38627
  * Trac: http://trac.webkit.org/changeset/61667

- CVE-2010-1787 (ZDI-CAN-785: Apple Webkit SVG Floating Text Element Remote Code Execution Vulnerability)
  A memory corruption issue exists in WebKit's handling of floating elements in SVG documents. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved memory management.
  * Bugzilla: https://bugs.webkit.org/show_bug.cgi?id=40033
  * Trac: http://trac.webkit.org/changeset/61044

- CVE-2010-1788 (Memory corruption with SVG <use> element)
  A memory corruption issue exists in WebKit's handling of 'use' elements in SVG documents. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved handling of 'use' elements in SVG documents. Credit to Justin Schuh of Google, Inc. for reporting this issue.
  * Bugzilla: https://bugs.webkit.org/show_bug.cgi?id=40994
  * Trac: http://trac.webkit.org/changeset/62482

- CVE-2010-1790 (Crash when re-entering polymorphic cache stubs)
  A reentrancy issue exists in WebKit's handling of just-in-time compiled JavaScript stubs. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved synchronization.
  * Bugzilla: https://bugs.webkit.org/show_bug.cgi?id=41482
  * Trac: http://trac.webkit.org/changeset/62301

- CVE-2010-1792 (Yarr Interpreter is crashing in some cases of look-ahead regex patterns)
  A memory corruption issue exists in WebKit's handling of regular expressions. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved handling of regular expressions. Credit to Peter Varga of University of Szeged for reporting this issue.
  * Bugzilla: https://bugs.webkit.org/show_bug.cgi?id=41458
  * Trac: http://trac.webkit.org/changeset/62386

- CVE-2010-1793 (<use> on <font-face> causes crashes, if SVGUseElement gets detached)
  A use after free issue exists in WebKit's handling of "font-face" and "use" elements in SVG documents. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved handling of "font-face" and "use" elements in SVG documents. [Credit to Aohelin for reporting this issue.]
  * Bugzilla: https://bugs.webkit.org/show_bug.cgi?id=41621
  * Trac: http://trac.webkit.org/changeset/62662

Upstream WebKitGTK intends to correct all of these in an upcoming release.
Upstream fixes for this issue that will make it into 1.2.4:

CVE-2010-1780: Git: f5a22bf6b3951999255708361c9200f6d2fd8425
CVE-2010-1782: Git: 31e4e68e93b116b1c948c85ca94273640d78427e
CVE-2010-1783: Git: 31e4e68e93b116b1c948c85ca94273640d78427e (note this issue was also assigned the name CVE-2010-2648)
CVE-2010-1784: Git: 39f4ec0146af0102c241d876ebb8a03b61570401
CVE-2010-1785: Git: e68c7098411c0a3ff70cdc08e613b1a5e795b1fd and 31cbc85273cc56a26bea85de78fa009e18e0f91e
CVE-2010-1787: Git: bab92909e0d1d76016562684cc588f92d48fdd06
CVE-2010-1788: Git: ed3c7278abc3bc0dfacf3f22ea48a708530f5f3d
CVE-2010-1790: Git: 243f04c23ba228ec5d28f59510d03e0ea4d4f546
CVE-2010-1792: Git: 63528d9c152c1f18fe82583b58e2348c86eeb266
CVE-2010-1793: Git: e5bad7c10655bc20dee226113612684a80474147

Waiting on confirmation for CVE-2010-1786 from upstream.
CVE-2010-1786: Git: a32f127d8e71ed7654261d4dac36c689fb7eaf05
Upstream 1.2.4 is released:

================
WebKitGTK+ 1.2.4
================

What's new in WebKitGTK+ 1.2.4?

- New stable release, API and ABI compatible with previous 1.2.x versions;
- The patches to fix the following CVEs are included with help from Vincent Danen and other members of the Red Hat security team:
  CVE-2010-1781
  CVE-2010-1782
  CVE-2010-1784
  CVE-2010-1785
  CVE-2010-1786
  CVE-2010-1787
  CVE-2010-1788
  CVE-2010-1790
  CVE-2010-1792
  CVE-2010-1793
  CVE-2010-2648

There is some confusion here, however, as CVE-2010-1781 should not have affected webkitgtk, and there is no mention of CVE-2010-1780. Checking with upstream regarding that. Everything else is corrected in that release.
Created webkitgtk tracking bugs for this issue Affects: fedora-all [bug 631583]
CVE-2010-1781 was a typo; CVE-2010-1780 is indeed corrected in 1.2.4 (verified the upstream git commit and its presence in 1.2.4).
*** Bug 668336 has been marked as a duplicate of this bug. ***
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:0177 https://rhn.redhat.com/errata/RHSA-2011-0177.html