Debian Bug report logs -
#599830
Multiple security issues
Reported by: Moritz Muehlenhoff <jmm@debian.org>
Date: Mon, 11 Oct 2010 17:51:09 UTC
Severity: grave
Tags: security
Fixed in version 1.2.5-1
Done: Gustavo Noronha Silva <kov@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian WebKit Maintainers <pkg-webkit-maintainers@lists.alioth.debian.org>
:
Bug#599830
; Package webkit
.
(Mon, 11 Oct 2010 17:51:12 GMT) (full text, mbox, link).
Acknowledgement sent
to Moritz Muehlenhoff <jmm@debian.org>
:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian WebKit Maintainers <pkg-webkit-maintainers@lists.alioth.debian.org>
.
(Mon, 11 Oct 2010 17:51:12 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: webkit
Severity: grave
Tags: security
The following security issues need to be fixed in Webkit:
http://security-tracker.debian.org/tracker/CVE-2010-1807
http://security-tracker.debian.org/tracker/CVE-2010-2646
http://security-tracker.debian.org/tracker/CVE-2010-2651
http://security-tracker.debian.org/tracker/CVE-2010-3115
Also, the status of #532514 should finally be resolved
for Squeeze.
Cheers,
Moritz
-- System Information:
Debian Release: squeeze/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian WebKit Maintainers <pkg-webkit-maintainers@lists.alioth.debian.org>
:
Bug#599830
; Package webkit
.
(Sun, 17 Oct 2010 20:30:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Moritz Muehlenhoff <jmm@inutil.org>
:
Extra info received and forwarded to list. Copy sent to Debian WebKit Maintainers <pkg-webkit-maintainers@lists.alioth.debian.org>
.
(Sun, 17 Oct 2010 20:30:04 GMT) (full text, mbox, link).
Message #10 received at 599830@bugs.debian.org (full text, mbox, reply):
On Mon, Oct 11, 2010 at 07:50:48PM +0200, Moritz Muehlenhoff wrote:
> Package: webkit
> Severity: grave
> Tags: security
>
> The following security issues need to be fixed in Webkit:
>
> http://security-tracker.debian.org/tracker/CVE-2010-1807
> http://security-tracker.debian.org/tracker/CVE-2010-2646
> http://security-tracker.debian.org/tracker/CVE-2010-2651
> http://security-tracker.debian.org/tracker/CVE-2010-3115
>
> Also, the status of #532514 should finally be resolved
> for Squeeze.
People were claming that Webkit would be more maintainable
and supported then the version in Lenny.
Still, there's no followup from the maintainers since a week.
This is bad.
jmm@galadriel:~$ apt-cache rdepends libwebkit-1.0-2
libwebkit-1.0-2
Reverse Depends:
yelp
xtrkcad
libwebkit-dev
libwebkit-1.0-2-dbg
libwebkit1.1-cil
uzbl
shotwell
libseed0
python-webkit
python-jswebkit
osmo
midori
luakit
liferea
lekhonee-gnome
kazehakase-webkit
webkit-image-gtk
libghc6-webkit-dev
gphpedit
gmpc-plugins
gimp
evolution-rss
epiphany-extensions
epiphany-browser
nautilus-sendto-empathy
empathy
libdevhelp-1-1
devhelp
claws-mail-fancy-plugin
cairo-dock-weblets-plugin
bibledit
awn-applets-c-extras
anjuta
Cheers,
Moritz
Reply sent
to Gustavo Noronha Silva <kov@debian.org>
:
You have taken responsibility.
(Mon, 18 Oct 2010 13:57:03 GMT) (full text, mbox, link).
Notification sent
to Moritz Muehlenhoff <jmm@debian.org>
:
Bug acknowledged by developer.
(Mon, 18 Oct 2010 13:57:04 GMT) (full text, mbox, link).
Message #15 received at 599830-done@bugs.debian.org (full text, mbox, reply):
Version: 1.2.5-1
Hey,
On Sun, 2010-10-17 at 22:27 +0200, Moritz Muehlenhoff wrote:
> On Mon, Oct 11, 2010 at 07:50:48PM +0200, Moritz Muehlenhoff wrote:
> > Package: webkit
> > Severity: grave
> > Tags: security
> >
> > The following security issues need to be fixed in Webkit:
> >
> > http://security-tracker.debian.org/tracker/CVE-2010-1807
> > http://security-tracker.debian.org/tracker/CVE-2010-2646
> > http://security-tracker.debian.org/tracker/CVE-2010-2651
> > http://security-tracker.debian.org/tracker/CVE-2010-3115
> >
> > Also, the status of #532514 should finally be resolved
> > for Squeeze.
>
> People were claming that Webkit would be more maintainable
> and supported then the version in Lenny.
>
> Still, there's no followup from the maintainers since a week.
I'm kinda busy, sorry. This weekend I worked on packaging 1.2.5 after
having worked on getting many CVEs handled upstream. Michael Gilbert
also worked on a few more CVEs for the Debian package. The package I
finished uploading this morning has the following CVEs handled, from
upstream:
CVE-2010-1780 CVE-2010-3113 CVE-2010-1814 CVE-2010-1812
CVE-2010-1815 CVE-2010-3115 CVE-2010-1807 CVE-2010-3114
CVE-2010-3116 CVE-2010-3257 CVE-2010-3259
And these from Michael Gilbert's work:
* fix cve-2010-2646: security origin bypass using IFRAME elements.
* fix cve-2010-2651: vulnerability in css style rendering.
* fix cve-2010-2900: vulnerability with large canvas elements when using the
SKIA library.
* fix cve-2010-2901: vulnerability in the rendering implementation.
* fix cve-2010-3120: vulnerability in geolocation feature.
Note that some CVEs listed above do not really affect WebKitGTK+ at its
current version in Debian because we do not use skia nor enable
geolocation yet.
About #532514 this is how we generate random numbers (see
http://trac.webkit.org/browser/trunk/JavaScriptCore/wtf/RandomNumber.cpp#L70):
uint32_t part1 = random() & (RAND_MAX - 1);
uint32_t part2 = random() & (RAND_MAX - 1);
// random only provides 31 bits
uint64_t fullRandom = part1;
fullRandom <<= 31;
fullRandom |= part2;
// Mask off the low 53bits
fullRandom &= (1LL << 53) - 1;
return static_cast<double>(fullRandom)/static_cast<double>(1LL << 53);
I am not knowledgeable enough to asses the strength of this method,
hopefully you can provide some insight? In the upstream bugreport Sam
Weinig says this was a Windows-only issue, FWIW.
Thanks,
--
Gustavo Noronha Silva <kov@debian.org>
Debian Project
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian WebKit Maintainers <pkg-webkit-maintainers@lists.alioth.debian.org>
:
Bug#599830
; Package webkit
.
(Thu, 28 Oct 2010 16:21:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Moritz Muehlenhoff <jmm@inutil.org>
:
Extra info received and forwarded to list. Copy sent to Debian WebKit Maintainers <pkg-webkit-maintainers@lists.alioth.debian.org>
.
(Thu, 28 Oct 2010 16:21:05 GMT) (full text, mbox, link).
Message #20 received at 599830@bugs.debian.org (full text, mbox, reply):
On Mon, Oct 18, 2010 at 11:52:40AM -0200, Gustavo Noronha Silva wrote:
> Version: 1.2.5-1
>
> Hey,
>
> On Sun, 2010-10-17 at 22:27 +0200, Moritz Muehlenhoff wrote:
> > On Mon, Oct 11, 2010 at 07:50:48PM +0200, Moritz Muehlenhoff wrote:
> > > Package: webkit
> > > Severity: grave
> > > Tags: security
> > >
> > > The following security issues need to be fixed in Webkit:
> > >
> > > http://security-tracker.debian.org/tracker/CVE-2010-1807
> > > http://security-tracker.debian.org/tracker/CVE-2010-2646
> > > http://security-tracker.debian.org/tracker/CVE-2010-2651
> > > http://security-tracker.debian.org/tracker/CVE-2010-3115
> > >
> > > Also, the status of #532514 should finally be resolved
> > > for Squeeze.
> >
> > People were claming that Webkit would be more maintainable
> > and supported then the version in Lenny.
> >
> > Still, there's no followup from the maintainers since a week.
>
> I'm kinda busy, sorry. This weekend I worked on packaging 1.2.5 after
> having worked on getting many CVEs handled upstream. Michael Gilbert
> also worked on a few more CVEs for the Debian package. The package I
> finished uploading this morning has the following CVEs handled, from
> upstream:
Thanks for the upload.
There's a huge amount of vulnerabilities which need to be checked
for Webkit on top of these. Shall I open a new bug?
CVE-2009-2068
CVE-2009-3011
CVE-2010-1131
CVE-2010-1384
CVE-2010-1403
CVE-2010-1750
CVE-2010-1757
CVE-2010-1769
CVE-2010-1781
CVE-2010-1783
CVE-2010-1805
CVE-2010-1806
CVE-2010-1823
CVE-2010-1824
CVE-2010-1825
CVE-2010-1992
CVE-2010-2120
CVE-2010-2264
CVE-2010-3246
CVE-2010-3248
CVE-2010-3249
CVE-2010-3252
CVE-2010-3253
CVE-2010-3254
CVE-2010-3255
CVE-2010-3415
CVE-2010-3416
CVE-2010-3730
CVE-2010-4033
CVE-2010-4034
CVE-2010-4035
CVE-2010-4036
CVE-2010-4037
CVE-2010-4038
CVE-2010-4039
CVE-2010-4040
CVE-2010-4041
CVE-2010-4042
It is very important that more people get involved in webkit
maintenance, especially with regard to the backports needed for
Squeeze and given that it represents the web engine for the browser
installed in the standard desktop task. Could you maybe send a RFH
to debian-devel-announce?
How long will the 1.2 branch be supported by upstream?
> About #532514 this is how we generate random numbers (see
> http://trac.webkit.org/browser/trunk/JavaScriptCore/wtf/RandomNumber.cpp#L70):
I will check this in a few days and update the bug accordingly.
Cheers,
Moritz
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian WebKit Maintainers <pkg-webkit-maintainers@lists.alioth.debian.org>
:
Bug#599830
; Package webkit
.
(Thu, 28 Oct 2010 16:30:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Mike Hommey <mh@glandium.org>
:
Extra info received and forwarded to list. Copy sent to Debian WebKit Maintainers <pkg-webkit-maintainers@lists.alioth.debian.org>
.
(Thu, 28 Oct 2010 16:30:02 GMT) (full text, mbox, link).
Message #25 received at 599830@bugs.debian.org (full text, mbox, reply):
On Thu, Oct 28, 2010 at 06:18:29PM +0200, Moritz Muehlenhoff wrote:
> On Mon, Oct 18, 2010 at 11:52:40AM -0200, Gustavo Noronha Silva wrote:
> > Version: 1.2.5-1
> >
> > Hey,
> >
> > On Sun, 2010-10-17 at 22:27 +0200, Moritz Muehlenhoff wrote:
> > > On Mon, Oct 11, 2010 at 07:50:48PM +0200, Moritz Muehlenhoff wrote:
> > > > Package: webkit
> > > > Severity: grave
> > > > Tags: security
> > > >
> > > > The following security issues need to be fixed in Webkit:
> > > >
> > > > http://security-tracker.debian.org/tracker/CVE-2010-1807
> > > > http://security-tracker.debian.org/tracker/CVE-2010-2646
> > > > http://security-tracker.debian.org/tracker/CVE-2010-2651
> > > > http://security-tracker.debian.org/tracker/CVE-2010-3115
> > > >
> > > > Also, the status of #532514 should finally be resolved
> > > > for Squeeze.
> > >
> > > People were claming that Webkit would be more maintainable
> > > and supported then the version in Lenny.
> > >
> > > Still, there's no followup from the maintainers since a week.
> >
> > I'm kinda busy, sorry. This weekend I worked on packaging 1.2.5 after
> > having worked on getting many CVEs handled upstream. Michael Gilbert
> > also worked on a few more CVEs for the Debian package. The package I
> > finished uploading this morning has the following CVEs handled, from
> > upstream:
>
> Thanks for the upload.
>
> There's a huge amount of vulnerabilities which need to be checked
> for Webkit on top of these. Shall I open a new bug?
> CVE-2009-2068
> CVE-2009-3011
> CVE-2010-1131
> CVE-2010-1384
> CVE-2010-1403
> CVE-2010-1750
> CVE-2010-1757
> CVE-2010-1769
> CVE-2010-1781
> CVE-2010-1783
> CVE-2010-1805
> CVE-2010-1806
> CVE-2010-1823
> CVE-2010-1824
> CVE-2010-1825
> CVE-2010-1992
> CVE-2010-2120
> CVE-2010-2264
> CVE-2010-3246
> CVE-2010-3248
> CVE-2010-3249
> CVE-2010-3252
> CVE-2010-3253
> CVE-2010-3254
> CVE-2010-3255
> CVE-2010-3415
> CVE-2010-3416
> CVE-2010-3730
> CVE-2010-4033
> CVE-2010-4034
> CVE-2010-4035
> CVE-2010-4036
> CVE-2010-4037
> CVE-2010-4038
> CVE-2010-4039
> CVE-2010-4040
> CVE-2010-4041
> CVE-2010-4042
>
> It is very important that more people get involved in webkit
> maintenance, especially with regard to the backports needed for
> Squeeze and given that it represents the web engine for the browser
> installed in the standard desktop task. Could you maybe send a RFH
> to debian-devel-announce?
>
> How long will the 1.2 branch be supported by upstream?
From my POV it doesn't look like to be supported, which is the main
problem we have... We can't support webkit by ourselves...
Mike
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian WebKit Maintainers <pkg-webkit-maintainers@lists.alioth.debian.org>
:
Bug#599830
; Package webkit
.
(Thu, 28 Oct 2010 18:33:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Michael Gilbert <michael.s.gilbert@gmail.com>
:
Extra info received and forwarded to list. Copy sent to Debian WebKit Maintainers <pkg-webkit-maintainers@lists.alioth.debian.org>
.
(Thu, 28 Oct 2010 18:33:03 GMT) (full text, mbox, link).
Message #30 received at 599830@bugs.debian.org (full text, mbox, reply):
On Thu, 28 Oct 2010 18:26:47 +0200, Mike Hommey wrote:
> On Thu, Oct 28, 2010 at 06:18:29PM +0200, Moritz Muehlenhoff wrote:
> > On Mon, Oct 18, 2010 at 11:52:40AM -0200, Gustavo Noronha Silva wrote:
> > > Version: 1.2.5-1
> > >
> > > Hey,
> > >
> > > On Sun, 2010-10-17 at 22:27 +0200, Moritz Muehlenhoff wrote:
> > > > On Mon, Oct 11, 2010 at 07:50:48PM +0200, Moritz Muehlenhoff wrote:
> > > > > Package: webkit
> > > > > Severity: grave
> > > > > Tags: security
> > > > >
> > > > > The following security issues need to be fixed in Webkit:
> > > > >
> > > > > http://security-tracker.debian.org/tracker/CVE-2010-1807
> > > > > http://security-tracker.debian.org/tracker/CVE-2010-2646
> > > > > http://security-tracker.debian.org/tracker/CVE-2010-2651
> > > > > http://security-tracker.debian.org/tracker/CVE-2010-3115
> > > > >
> > > > > Also, the status of #532514 should finally be resolved
> > > > > for Squeeze.
> > > >
> > > > People were claming that Webkit would be more maintainable
> > > > and supported then the version in Lenny.
> > > >
> > > > Still, there's no followup from the maintainers since a week.
> > >
> > > I'm kinda busy, sorry. This weekend I worked on packaging 1.2.5 after
> > > having worked on getting many CVEs handled upstream. Michael Gilbert
> > > also worked on a few more CVEs for the Debian package. The package I
> > > finished uploading this morning has the following CVEs handled, from
> > > upstream:
> >
> > Thanks for the upload.
> >
> > There's a huge amount of vulnerabilities which need to be checked
> > for Webkit on top of these. Shall I open a new bug?
> > CVE-2009-2068
> > CVE-2009-3011
> > CVE-2010-1131
> > CVE-2010-1384
> > CVE-2010-1403
> > CVE-2010-1750
> > CVE-2010-1757
> > CVE-2010-1769
> > CVE-2010-1781
> > CVE-2010-1783
> > CVE-2010-1805
> > CVE-2010-1806
> > CVE-2010-1823
> > CVE-2010-1824
> > CVE-2010-1825
> > CVE-2010-1992
> > CVE-2010-2120
> > CVE-2010-2264
> > CVE-2010-3246
> > CVE-2010-3248
> > CVE-2010-3249
> > CVE-2010-3252
> > CVE-2010-3253
> > CVE-2010-3254
> > CVE-2010-3255
> > CVE-2010-3415
> > CVE-2010-3416
> > CVE-2010-3730
> > CVE-2010-4033
> > CVE-2010-4034
> > CVE-2010-4035
> > CVE-2010-4036
> > CVE-2010-4037
> > CVE-2010-4038
> > CVE-2010-4039
> > CVE-2010-4040
> > CVE-2010-4041
> > CVE-2010-4042
> >
> > It is very important that more people get involved in webkit
> > maintenance, especially with regard to the backports needed for
> > Squeeze and given that it represents the web engine for the browser
> > installed in the standard desktop task. Could you maybe send a RFH
> > to debian-devel-announce?
> >
> > How long will the 1.2 branch be supported by upstream?
>
> From my POV it doesn't look like to be supported, which is the main
> problem we have... We can't support webkit by ourselves...
Didn't Gustavo take over as the manager for stable upstream releases?
Mike
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org
.
(Fri, 26 Nov 2010 07:32:40 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 13:56:36 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.