
Debian Bug report logs - #499771
webkit: several vulnerabilities (CVE-2008-3950 CVE-2008-3632)


Package: webkit; Maintainer for webkit is (unknown);

Reported by: Steffen Joeris <steffen.joeris@skolelinux.de>

Date: Mon, 22 Sep 2008 07:57:01 UTC

Severity: grave

Tags: patch, security

Fixed in version webkit/1.0.1-4

Done: Mike Hommey <glandium@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Debian WebKit Maintainers <pkg-webkit-maintainers@lists.alioth.debian.org>:
Bug#499771; Package webkit. (Mon, 22 Sep 2008 07:57:04 GMT)


Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Debian WebKit Maintainers <pkg-webkit-maintainers@lists.alioth.debian.org>. (Mon, 22 Sep 2008 07:57:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: webkit: several vulnerabilities (CVE-2008-3950 CVE-2008-3632)
Date: Mon, 22 Sep 2008 17:51:02 +1000
Package: webkit
Severity: grave
Tags: security, patch
Justification: user security hole

Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for webkit.

CVE-2008-3950[0]:
| Off-by-one error in the
| _web_drawInRect:withFont:ellipsis:alignment:measureOnly function in
| WebKit in Safari in Apple iPhone 1.1.4 and 2.0 and iPod touch 1.1.4
| and 2.0 allows remote attackers to cause a denial of service (browser
| crash) via a JavaScript alert call with an argument that lacks
| breakable characters and has a length that is a multiple of the memory
| page size, leading to an out-of-bounds read.

CVE-2008-3632[1]:
| Use-after-free vulnerability in WebKit in Apple iPod touch 1.1 through
| 2.0.2, and iPhone 1.0 through 2.0.2, allows remote attackers to
| execute arbitrary code or cause a denial of service (application
| crash) via a web page with crafted Cascading Style Sheets (CSS) import
| statements.

If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.

Please don't get confused by the very Apple-centric descriptions; it affects webkit.
A fix for CVE-2008-3632 can be found here[2]. I am not sure about CVE-2008-3950 and it
might not affect the webkit package (I couldn't even find the function mentioned), but I
thought I'd mention it as well, in case you have more information.

Please also note that webkit has a security mailing list and it might be possible for you
as the debian maintainer to get subscribed, so I'd suggest you ask them and give it a try. :)
Some information about webkit procedures can be found here[3].

Cheers
Steffen

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3950
    http://security-tracker.debian.net/tracker/CVE-2008-3950
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3632
    http://security-tracker.debian.net/tracker/CVE-2008-3632
[2] http://trac.webkit.org/changeset/34815
[3] http://webkit.org/blog/184/reporting-webkit-security-bugs/




Information forwarded to debian-bugs-dist@lists.debian.org, Debian WebKit Maintainers <pkg-webkit-maintainers@lists.alioth.debian.org>:
Bug#499771; Package webkit. (Mon, 22 Sep 2008 17:15:04 GMT)


Acknowledgement sent to Mike Hommey <mh@glandium.org>:
Extra info received and forwarded to list. Copy sent to Debian WebKit Maintainers <pkg-webkit-maintainers@lists.alioth.debian.org>. (Mon, 22 Sep 2008 17:15:04 GMT)


Message #10 received at 499771@bugs.debian.org:

From: Mike Hommey <mh@glandium.org>
To: Steffen Joeris <steffen.joeris@skolelinux.de>, 499771@bugs.debian.org
Subject: Re: Bug#499771: webkit: several vulnerabilities (CVE-2008-3950 CVE-2008-3632)
Date: Mon, 22 Sep 2008 19:11:34 +0200
On Mon, Sep 22, 2008 at 05:51:02PM +1000, Steffen Joeris wrote:
> Package: webkit
> Severity: grave
> Tags: security, patch
> Justification: user security hole
> 
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) ids were
> published for webkit.
> 
> CVE-2008-3950[0]:
> | Off-by-one error in the
> | _web_drawInRect:withFont:ellipsis:alignment:measureOnly function in
> | WebKit in Safari in Apple iPhone 1.1.4 and 2.0 and iPod touch 1.1.4
> | and 2.0 allows remote attackers to cause a denial of service (browser
> | crash) via a JavaScript alert call with an argument that lacks
> | breakable characters and has a length that is a multiple of the memory
> | page size, leading to an out-of-bounds read.
> 
> CVE-2008-3632[1]:
> | Use-after-free vulnerability in WebKit in Apple iPod touch 1.1 through
> | 2.0.2, and iPhone 1.0 through 2.0.2, allows remote attackers to
> | execute arbitrary code or cause a denial of service (application
> | crash) via a web page with crafted Cascading Style Sheets (CSS) import
> | statements.
> 
> If you fix the vulnerabilities please also make sure to include the
> CVE ids in your changelog entry.
> 
> Please don't get confused by the very Apple-centric descriptions, it affects webkit.
> A fix for CVE-2008-3632 can be found here[2]. I am not sure about CVE-2008-3950 and it
> might not affect the webkit package (I couldn't even find the function mentioned), but I
> thought I'd mention it as well, in case you have more information.

It's also strange, as
_web_drawInRect:withFont:ellipsis:alignment:measureOnly doesn't sound
remotely related to the javascript alert() call.

Mike




Information forwarded to debian-bugs-dist@lists.debian.org, Debian WebKit Maintainers <pkg-webkit-maintainers@lists.alioth.debian.org>:
Bug#499771; Package webkit. (Fri, 26 Sep 2008 12:27:04 GMT)


Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Extra info received and forwarded to list. Copy sent to Debian WebKit Maintainers <pkg-webkit-maintainers@lists.alioth.debian.org>. (Fri, 26 Sep 2008 12:27:04 GMT)


Message #15 received at 499771@bugs.debian.org:

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: 499771@bugs.debian.org
Subject: Re: Bug#499771: webkit: several vulnerabilities (CVE-2008-3950 CVE-2008-3632)
Date: Fri, 26 Sep 2008 22:17:04 +1000
On Tue, 23 Sep 2008 03:11:34 am Mike Hommey wrote:
> On Mon, Sep 22, 2008 at 05:51:02PM +1000, Steffen Joeris wrote:
> > Package: webkit
> > Severity: grave
> > Tags: security, patch
> > Justification: user security hole
> >
> > Hi,
> > the following CVE (Common Vulnerabilities & Exposures) ids were
> > published for webkit.
> >
> > CVE-2008-3950[0]:
> > | Off-by-one error in the
> > | _web_drawInRect:withFont:ellipsis:alignment:measureOnly function in
> > | WebKit in Safari in Apple iPhone 1.1.4 and 2.0 and iPod touch 1.1.4
> > | and 2.0 allows remote attackers to cause a denial of service (browser
> > | crash) via a JavaScript alert call with an argument that lacks
> > | breakable characters and has a length that is a multiple of the memory
> > | page size, leading to an out-of-bounds read.
> >
> > CVE-2008-3632[1]:
> > | Use-after-free vulnerability in WebKit in Apple iPod touch 1.1 through
> > | 2.0.2, and iPhone 1.0 through 2.0.2, allows remote attackers to
> > | execute arbitrary code or cause a denial of service (application
> > | crash) via a web page with crafted Cascading Style Sheets (CSS) import
> > | statements.
> >
> > If you fix the vulnerabilities please also make sure to include the
> > CVE ids in your changelog entry.
> >
> > Please don't get confused by the very Apple-centric descriptions, it
> > affects webkit. A fix for CVE-2008-3632 can be found here[2]. I am not
> > sure about CVE-2008-3950 and it might not affect the webkit package (I
> > couldn't even find the function mentioned), but I thought I'd mention it
> > as well, in case you have more information.
>
> It's also strange, as
> _web_drawInRect:withFont:ellipsis:alignment:measureOnly doesn't sound
> remotely related to the javascript alert() call.
I've had a look again and I don't see how this CVE affects our debian
packages.
This leaves us with only one issue for webkit; did you consider the other
patch yet? I didn't see an obvious problem with it, but didn't test anything
yet. Did you intend to get 1.0.1-3 into lenny? I guess it would be good to go
through unstable with fixing the last CVE, what do you think?

Cheers
Steffen

Information forwarded to debian-bugs-dist@lists.debian.org, Debian WebKit Maintainers <pkg-webkit-maintainers@lists.alioth.debian.org>:
Bug#499771; Package webkit. (Fri, 26 Sep 2008 12:57:02 GMT)


Acknowledgement sent to Mike Hommey <mh@glandium.org>:
Extra info received and forwarded to list. Copy sent to Debian WebKit Maintainers <pkg-webkit-maintainers@lists.alioth.debian.org>. (Fri, 26 Sep 2008 12:57:02 GMT)


Message #20 received at 499771@bugs.debian.org:

From: Mike Hommey <mh@glandium.org>
To: Steffen Joeris <steffen.joeris@skolelinux.de>, 499771@bugs.debian.org
Subject: Re: Bug#499771: webkit: several vulnerabilities (CVE-2008-3950 CVE-2008-3632)
Date: Fri, 26 Sep 2008 14:50:19 +0200
On Fri, Sep 26, 2008 at 10:17:04PM +1000, Steffen Joeris wrote:
> On Tue, 23 Sep 2008 03:11:34 am Mike Hommey wrote:
> > On Mon, Sep 22, 2008 at 05:51:02PM +1000, Steffen Joeris wrote:
> > > Package: webkit
> > > Severity: grave
> > > Tags: security, patch
> > > Justification: user security hole
> > >
> > > Hi,
> > > the following CVE (Common Vulnerabilities & Exposures) ids were
> > > published for webkit.
> > >
> > > CVE-2008-3950[0]:
> > > | Off-by-one error in the
> > > | _web_drawInRect:withFont:ellipsis:alignment:measureOnly function in
> > > | WebKit in Safari in Apple iPhone 1.1.4 and 2.0 and iPod touch 1.1.4
> > > | and 2.0 allows remote attackers to cause a denial of service (browser
> > > | crash) via a JavaScript alert call with an argument that lacks
> > > | breakable characters and has a length that is a multiple of the memory
> > > | page size, leading to an out-of-bounds read.
> > >
> > > CVE-2008-3632[1]:
> > > | Use-after-free vulnerability in WebKit in Apple iPod touch 1.1 through
> > > | 2.0.2, and iPhone 1.0 through 2.0.2, allows remote attackers to
> > > | execute arbitrary code or cause a denial of service (application
> > > | crash) via a web page with crafted Cascading Style Sheets (CSS) import
> > > | statements.
> > >
> > > If you fix the vulnerabilities please also make sure to include the
> > > CVE ids in your changelog entry.
> > >
> > > Please don't get confused by the very Apple-centric descriptions, it
> > > affects webkit. A fix for CVE-2008-3632 can be found here[2]. I am not
> > > sure about CVE-2008-3950 and it might not affect the webkit package (I
> > > couldn't even find the function mentioned), but I thought I'd mention it
> > > as well, in case you have more information.
> >
> > It's also strange, as
> > _web_drawInRect:withFont:ellipsis:alignment:measureOnly doesn't sound
> > remotely related to the javascript alert() call.
> I've had a look again and I don't see, how this CVE affects our debian 
> packages.
> This leaves us with only one issue for webkit, did you consider the other 
> patch yet? I didn't see an obvious problem with it, but didn't test anything 
> yet. Did you intend to get 1.0.1-3 into lenny? I guess it would be good to go 
> through unstable with fixing the last CVE, what do you think?

1.0.1-3 is already due for Lenny.
I'll test and upload 1.0.1-4 soon to unstable, including fix for
CVE-2008-3632, and will go for 1.0.1-5 if CVE-2008-3950 appears to
be a problem in debian.

Mike




Bug 499771 cloned as bug 500306. Request was from Mike Hommey <glandium@debian.org> to control@bugs.debian.org. (Sat, 27 Sep 2008 07:03:02 GMT)


Reply sent to Mike Hommey <glandium@debian.org>:
You have taken responsibility. (Sat, 27 Sep 2008 09:36:45 GMT)


Notification sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Bug acknowledged by developer. (Sat, 27 Sep 2008 09:36:45 GMT)


Message #27 received at 499771-close@bugs.debian.org:

From: Mike Hommey <glandium@debian.org>
To: 499771-close@bugs.debian.org
Subject: Bug#499771: fixed in webkit 1.0.1-4
Date: Sat, 27 Sep 2008 09:02:40 +0000
Source: webkit
Source-Version: 1.0.1-4

We believe that the bug you reported is fixed in the latest version of
webkit, which is due to be installed in the Debian FTP archive:

libwebkit-1.0-1-dbg_1.0.1-4_amd64.deb
  to pool/main/w/webkit/libwebkit-1.0-1-dbg_1.0.1-4_amd64.deb
libwebkit-1.0-1_1.0.1-4_amd64.deb
  to pool/main/w/webkit/libwebkit-1.0-1_1.0.1-4_amd64.deb
libwebkit-dev_1.0.1-4_all.deb
  to pool/main/w/webkit/libwebkit-dev_1.0.1-4_all.deb
webkit_1.0.1-4.diff.gz
  to pool/main/w/webkit/webkit_1.0.1-4.diff.gz
webkit_1.0.1-4.dsc
  to pool/main/w/webkit/webkit_1.0.1-4.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 499771@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mike Hommey <glandium@debian.org> (supplier of updated webkit package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 27 Sep 2008 08:57:48 +0200
Source: webkit
Binary: libwebkit-1.0-1 libwebkit-dev libwebkit-1.0-1-dbg
Architecture: source all amd64
Version: 1.0.1-4
Distribution: unstable
Urgency: high
Maintainer: Debian WebKit Maintainers <pkg-webkit-maintainers@lists.alioth.debian.org>
Changed-By: Mike Hommey <glandium@debian.org>
Description: 
 libwebkit-1.0-1 - Web content engine library for Gtk+
 libwebkit-1.0-1-dbg - Web content engine library for Gtk+ - Debugging symbols
 libwebkit-dev - Web content engine library for Gtk+ - Development files
Closes: 499771
Changes: 
 webkit (1.0.1-4) unstable; urgency=high
 .
   * WebCore/dom/Document.*, WebCore/loader/DocLoader.*: Avoid DoS via
     crafted CSS import statements. Fixes: CVE-2008-3632. Closes: #499771.
Checksums-Sha1: 
 0959adda20fdbe262f9884cac8a08900f337bb81 1410 webkit_1.0.1-4.dsc
 4ab8947d1690da0d2200054dbb638943dd66164c 26715 webkit_1.0.1-4.diff.gz
 ab0b4e1c19ec69e4cb6ec818802f7417f3fd2b19 34002 libwebkit-dev_1.0.1-4_all.deb
 0c24c66a42fb088c7f776cf810cfd1c37195de70 3503320 libwebkit-1.0-1_1.0.1-4_amd64.deb
 4156cf22f6924128be9ed5b2dbf0780b3d4e9b65 62588162 libwebkit-1.0-1-dbg_1.0.1-4_amd64.deb
Checksums-Sha256: 
 10dde9be719ac4a2900fd657d7ae033f5541065dcbd3fbe99f02af6dc4640d0d 1410 webkit_1.0.1-4.dsc
 06295fd826e28ac60c669f1d6f7fc9150c3d4ddcc496f195a36e27297aa0d562 26715 webkit_1.0.1-4.diff.gz
 6c2982494bab35686afb8d737a73a3cbd55b329db0307e12f2c053b8f1521d39 34002 libwebkit-dev_1.0.1-4_all.deb
 c43370e6ef9dc2dd678c8f5e3908b43a694f5e2d4e2c4cf59043df1dc46965e3 3503320 libwebkit-1.0-1_1.0.1-4_amd64.deb
 42591a4d85d9ce015f2eb9d3a20e5d3d3bf5dab95029b9903d99a6cf1668a7e0 62588162 libwebkit-1.0-1-dbg_1.0.1-4_amd64.deb
Files: 
 04d7e0961fbae6926b625a456a54ca0a 1410 web optional webkit_1.0.1-4.dsc
 187aab11e0422b307630539e2ec30d78 26715 web optional webkit_1.0.1-4.diff.gz
 2e7e66e1b7a402c90671b4172b7a3d1e 34002 libdevel extra libwebkit-dev_1.0.1-4_all.deb
 e35173675ff3a9f4103c7159fd5d600c 3503320 libs optional libwebkit-1.0-1_1.0.1-4_amd64.deb
 a92b61baaa83cc12c94f01cc285b77d6 62588162 libdevel extra libwebkit-1.0-1-dbg_1.0.1-4_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFI3ePz3kvaLFT9KlgRAskTAJ9Evv+yD8XqOKns00CsUQSj8rvESgCggs49
0gAcflvddN/K8MQMuw2/R0k=
=lm3Y
-----END PGP SIGNATURE-----
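The closing message carries the .changes file for webkit 1.0.1-4: SHA-1, SHA-256 and MD5 digests for every uploaded artifact, plus the changelog entry that names CVE-2008-3632 as message #5 asked. As an added example (not dpkg or debsign tooling, and not code from this bug log), here is a small Python checker that parses that .changes body, cross-checks the three checksum stanzas against each other (same file set, same sizes, well-formed digests), extracts the CVE ids from the Changes field, and verifies a local file's bytes against the recorded digests. The function names are this example's own; the .changes text is abridged to the fields the checker reads, and the second, tiny stanza set is constructed around the standard hash test vectors for the bytes "abc".

```python
"""Consistency checks for a Debian .changes file (added example; not dpkg or
debsign code and not from this bug log; function names are this example's own)."""
import hashlib
import re

# .changes body from the closing message, abridged to the fields used here.
CHANGES_TEXT = """\
Source: webkit
Version: 1.0.1-4
Closes: 499771
Changes:
 webkit (1.0.1-4) unstable; urgency=high
 .
   * WebCore/dom/Document.*, WebCore/loader/DocLoader.*: Avoid DoS via
     crafted CSS import statements. Fixes: CVE-2008-3632. Closes: #499771.
Checksums-Sha1:
 0959adda20fdbe262f9884cac8a08900f337bb81 1410 webkit_1.0.1-4.dsc
 4ab8947d1690da0d2200054dbb638943dd66164c 26715 webkit_1.0.1-4.diff.gz
 ab0b4e1c19ec69e4cb6ec818802f7417f3fd2b19 34002 libwebkit-dev_1.0.1-4_all.deb
 0c24c66a42fb088c7f776cf810cfd1c37195de70 3503320 libwebkit-1.0-1_1.0.1-4_amd64.deb
 4156cf22f6924128be9ed5b2dbf0780b3d4e9b65 62588162 libwebkit-1.0-1-dbg_1.0.1-4_amd64.deb
Checksums-Sha256:
 10dde9be719ac4a2900fd657d7ae033f5541065dcbd3fbe99f02af6dc4640d0d 1410 webkit_1.0.1-4.dsc
 06295fd826e28ac60c669f1d6f7fc9150c3d4ddcc496f195a36e27297aa0d562 26715 webkit_1.0.1-4.diff.gz
 6c2982494bab35686afb8d737a73a3cbd55b329db0307e12f2c053b8f1521d39 34002 libwebkit-dev_1.0.1-4_all.deb
 c43370e6ef9dc2dd678c8f5e3908b43a694f5e2d4e2c4cf59043df1dc46965e3 3503320 libwebkit-1.0-1_1.0.1-4_amd64.deb
 42591a4d85d9ce015f2eb9d3a20e5d3d3bf5dab95029b9903d99a6cf1668a7e0 62588162 libwebkit-1.0-1-dbg_1.0.1-4_amd64.deb
Files:
 04d7e0961fbae6926b625a456a54ca0a 1410 web optional webkit_1.0.1-4.dsc
 187aab11e0422b307630539e2ec30d78 26715 web optional webkit_1.0.1-4.diff.gz
 2e7e66e1b7a402c90671b4172b7a3d1e 34002 libdevel extra libwebkit-dev_1.0.1-4_all.deb
 e35173675ff3a9f4103c7159fd5d600c 3503320 libs optional libwebkit-1.0-1_1.0.1-4_amd64.deb
 a92b61baaa83cc12c94f01cc285b77d6 62588162 libdevel extra libwebkit-1.0-1-dbg_1.0.1-4_amd64.deb
"""

# Constructed stanzas for a 3-byte file containing b"abc" (standard hash test vectors).
ABC_CHANGES = """\
Checksums-Sha1:
 a9993e364706816aba3e25717850c26c9cd0d89d 3 example_0.1-1.dsc
Checksums-Sha256:
 ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad 3 example_0.1-1.dsc
Files:
 900150983cd24fb0d6963f7d28e17f72 3 web optional example_0.1-1.dsc
"""

# Stanza name -> (hashlib algorithm name, expected hex digest length)
STANZAS = {"Checksums-Sha1": ("sha1", 40), "Checksums-Sha256": ("sha256", 64), "Files": ("md5", 32)}


def parse_changes(text):
    """RFC822-style body -> {field: [lines]}; a line starting with a space continues
    the field before it. Parsing stops at the detached PGP signature block."""
    fields, key = {}, None
    for line in text.splitlines():
        if line.startswith("-----BEGIN PGP SIGNATURE-----"):
            break
        if line.startswith(" ") and key is not None:
            fields[key].append(line.strip())
        elif ":" in line:
            key, _, value = line.partition(":")
            fields[key] = [value.strip()] if value.strip() else []
    return fields


def checksum_entries(fields, stanza):
    """{filename: (hexdigest, size)} for one stanza: digest first, size second, name last
    (the Files stanza carries section and priority in between)."""
    out = {}
    for entry in fields.get(stanza, []):
        parts = entry.split()
        if len(parts) >= 3:
            out[parts[-1]] = (parts[0], int(parts[1]))
    return out


def stanza_problems(fields):
    """Cross-check the three stanzas: same file set, same sizes, well-formed digests."""
    problems, ref = [], checksum_entries(fields, "Checksums-Sha256")
    for stanza, (algo, hexlen) in STANZAS.items():
        table = checksum_entries(fields, stanza)
        if set(table) != set(ref):
            problems.append(f"{stanza}: file set differs from Checksums-Sha256")
        for name, (digest, size) in table.items():
            if len(digest) != hexlen or not re.fullmatch(r"[0-9a-f]+", digest):
                problems.append(f"{stanza}: malformed {algo} digest for {name}")
            if name in ref and ref[name][1] != size:
                problems.append(f"{stanza}: size of {name} disagrees with Checksums-Sha256")
    return problems


def cve_ids_in_changes(fields):
    """CVE ids named in the Changes field, so a reviewer can see the fix is labelled."""
    return sorted(set(re.findall(r"CVE-\d{4}-\d{4,}", " ".join(fields.get("Changes", [])))))


def verify_file(fields, filename, data):
    """Stanzas whose recorded size or digest does not match `data` (empty list = all match)."""
    failures = []
    for stanza, (algo, _) in STANZAS.items():
        entry = checksum_entries(fields, stanza).get(filename)
        if entry is None or entry[1] != len(data) or hashlib.new(algo, data).hexdigest() != entry[0]:
            failures.append(stanza)
    return failures
```

Run `stanza_problems(parse_changes(CHANGES_TEXT))` to confirm the quoted stanzas agree with each other, and `verify_file(fields, name, open(name, "rb").read())` against a downloaded artifact; the SHA-256 stanza is the reference, since the SHA-1 and MD5 stanzas are kept only for older tooling.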





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 04 Nov 2008 07:30:12 GMT)




Last modified: Wed Jun 19 16:33:03 2019