webkit: CVE-2008-4723 cross-site scripting vulnerability

Related Vulnerabilities: CVE-2008-4723, CVE-2008-4724

Debian Bug report logs - #520052


Package: webkit; Maintainer for webkit is (unknown);

Reported by: Michael Gilbert <michael.s.gilbert@gmail.com>

Date: Tue, 17 Mar 2009 02:30:01 UTC

Severity: grave

Tags: security

Found in version webkit/1.0.1-4

Fixed in version webkit/1.1.7-1

Done: Mike Hommey <mh@glandium.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Debian WebKit Maintainers <pkg-webkit-maintainers@lists.alioth.debian.org>:
Bug#520052; Package libwebkit-1.0-1. (Tue, 17 Mar 2009 02:30:03 GMT).


Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
New Bug report received and forwarded. Copy sent to Debian WebKit Maintainers <pkg-webkit-maintainers@lists.alioth.debian.org>. (Tue, 17 Mar 2009 02:30:04 GMT).


Message #5 received at submit@bugs.debian.org:

From: Michael Gilbert <michael.s.gilbert@gmail.com>
To: submit@bugs.debian.org
Subject: webkit: CVE-2008-4723 cross-site scripting vulnerability
Date: Mon, 16 Mar 2009 22:28:04 -0400
package: libwebkit-1.0-1
severity: grave
tags: security

it has been found that webkit is vulnerable to a cross-site scripting
vulnerability, see CVE-2008-4723 [1].

note that certain extensions are protected and others are not.  for
example, the attack does not work for files with the jpg or txt
extension.  however, the attack seems to work for general extensions
such as odp, xls, etc (probably because webkit does not have a proper
download that would appropriately handle general extensions yet).

if you fix these vulnerabilities, please make sure to include the CVE
id in your changelog.  please contact the security team to coordinate
a fix for stable and/or if you have any questions.

regards,
mike

[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4723




Information forwarded to debian-bugs-dist@lists.debian.org, Debian WebKit Maintainers <pkg-webkit-maintainers@lists.alioth.debian.org>:
Bug#520052; Package libwebkit-1.0-1. (Tue, 17 Mar 2009 06:36:03 GMT).


Acknowledgement sent to Mike Hommey <mh@glandium.org>:
Extra info received and forwarded to list. Copy sent to Debian WebKit Maintainers <pkg-webkit-maintainers@lists.alioth.debian.org>. (Tue, 17 Mar 2009 06:36:03 GMT).


Message #10 received at 520052@bugs.debian.org:

From: Mike Hommey <mh@glandium.org>
To: Michael Gilbert <michael.s.gilbert@gmail.com>, 520052@bugs.debian.org
Subject: Re: Bug#520052: webkit: CVE-2008-4723 cross-site scripting vulnerability
Date: Tue, 17 Mar 2009 07:34:22 +0100
On Mon, Mar 16, 2009 at 10:28:04PM -0400, Michael Gilbert wrote:
> package: libwebkit-1.0-1
> severity: grave
> tags: security
> 
> it has been found that webkit is vulnerable to a cross-site scripting
> vulnerability, see CVE-2008-4723 [1].
> 
> note that certain extensions are protected and others are not.  for
> example, the attack does not work for files with the jpg or txt
> extension.  however, the attack seems to work for general extensions
> such as odp, xls, etc (probably because webkit does not have a proper
> download that would appropriately handle general extensions yet).
> 
> if you fix these vulnerabilities, please make sure to include the CVE
> id in your changelog.  please contact the security team to coordinate
> a fix for stable and/or if you have any questions.
> 
> regards,
> mike
> 
> [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4723

This sounds very exaggerated. Basically, what happens is that browsers
don't care about the file extension when dealing with these, and "sniff"
the real content. But in the end, the so-called attack could be done
with an http server serving .jpeg files with a text/html mime type.

Nothing new, and nothing that sounds like a real security threat.

Mike

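The two technical claims in this thread, that some extensions (jpg, txt) are handled while others (odp, xls) fall through to a content-sniffing path that can yield HTML, and that the same outcome is reachable by any server that simply declares text/html, can both be made concrete with a small model. The following Python is an added example written for this page; it is not code from the bug thread, from WebKit or from any browser. It assumes a simplified resolution order (nosniff header, then declared Content-Type, then an extension table, then sniffing), a constructed extension table limited to the extensions the report names, and a reduced subset of the WHATWG MIME Sniffing heuristics; the "hardened" variant shows the defensive choice of never letting a sniffed result become a script-capable type.

```python
# Added example: not code from the Debian bug thread, from WebKit, or from
# any browser. A simplified model of how a browser decides what a resource
# "is", so that the extension asymmetry in the report and the point in the
# reply (a server can simply declare text/html) can both be seen.
#   1. X-Content-Type-Options: nosniff  -> the declared type is final;
#   2. a specific declared Content-Type -> honoured as declared;
#   3. no/generic type, known extension -> table lookup (an assumption used
#      to model "jpg and txt are protected"; not WebKit's actual logic);
#   4. otherwise                        -> sniff the first bytes.
# The sniffing rules are a small subset of the WHATWG MIME Sniffing
# heuristics, reduced to what this illustration needs.
import os
from dataclasses import dataclass
from typing import Optional, Tuple

GENERIC_TYPES = {None, "", "application/octet-stream", "unknown/unknown",
                 "application/unknown", "*/*"}

# Extension table (constructed): only the extensions the report calls
# protected, plus html for contrast. Anything else is "unknown" here.
EXTENSION_TYPES = {".jpg": "image/jpeg", ".jpeg": "image/jpeg",
                   ".txt": "text/plain", ".html": "text/html"}

# Well-known magic numbers for a few image formats.
IMAGE_MAGIC = {b"\xff\xd8\xff": "image/jpeg",
               b"\x89PNG\r\n\x1a\n": "image/png",
               b"GIF87a": "image/gif", b"GIF89a": "image/gif"}

# Tag prefixes that the sniffer treats as "this is HTML".
HTML_PREFIXES = (b"<!doctype html", b"<html", b"<head", b"<body",
                 b"<script", b"<iframe", b"<div", b"<table", b"<a ",
                 b"<p", b"<br", b"<b>", b"<title", b"<font", b"<h1")

# Byte values that mark a body as binary rather than text.
BINARY_BYTES = (set(range(0x00, 0x09)) | {0x0B}
                | set(range(0x0E, 0x1B)) | set(range(0x1C, 0x20)))

# Types that can carry executing script when rendered by the browser.
ACTIVE_TYPES = {"text/html", "application/xhtml+xml", "image/svg+xml"}


@dataclass
class Resource:
    body: bytes
    filename: str = ""
    content_type: Optional[str] = None  # declared by the server; None for a local file
    nosniff: bool = False               # X-Content-Type-Options: nosniff sent?


def sniff(body: bytes) -> str:
    """Guess a media type from the first 512 bytes, ignoring name and headers."""
    head = body[:512]
    for magic, mtype in IMAGE_MAGIC.items():
        if head.startswith(magic):
            return mtype
    lowered = head.lstrip(b" \t\r\n\x0c").lower()
    if any(lowered.startswith(prefix) for prefix in HTML_PREFIXES):
        return "text/html"
    if any(b in BINARY_BYTES for b in head):
        return "application/octet-stream"
    return "text/plain"


def resolve(res: Resource) -> Tuple[str, str]:
    """Return (media type, origin), origin being 'declared', 'extension' or 'sniffed'."""
    if res.nosniff:
        return (res.content_type or "application/octet-stream", "declared")
    if res.content_type not in GENERIC_TYPES:
        return (res.content_type, "declared")
    ext = os.path.splitext(res.filename)[1].lower()
    if ext in EXTENSION_TYPES:
        return (EXTENSION_TYPES[ext], "extension")
    return (sniff(res.body), "sniffed")


def naive_type(res: Resource) -> str:
    """The behaviour the report describes: an unknown extension is sniffed, and
    sniffing may promote the resource to text/html."""
    return resolve(res)[0]


def hardened_type(res: Resource) -> str:
    """Same resolution, except that a *sniffed* result is never allowed to be an
    active type: unknown content is handed over inert (download, not render)."""
    mtype, origin = resolve(res)
    if origin == "sniffed" and mtype in ACTIVE_TYPES:
        return "application/octet-stream"
    return mtype


if __name__ == "__main__":
    # Constructed sample bodies: an HTML document and the start of a JPEG.
    HTML = b"<!DOCTYPE html><html><body>constructed sample</body></html>"
    JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16
    cases = {
        "report.odp, no header":          Resource(HTML, "report.odp"),
        "photo.jpg, no header":           Resource(HTML, "photo.jpg"),
        "cat.jpeg served as text/html":   Resource(HTML, "cat.jpeg", "text/html"),
        "cat.jpg as image/jpeg + nosniff": Resource(HTML, "cat.jpg", "image/jpeg", True),
        "real JPEG named x.odp":          Resource(JPEG, "x.odp"),
    }
    for label, res in cases.items():
        print(f"{label:34} naive={naive_type(res):26} hardened={hardened_type(res)}")
```

Running the block prints one line per case. The odp case is the one the report describes (extension unknown, bytes look like HTML, naive result text/html); the jpg and txt cases stop at the extension table; the "cat.jpeg served as text/html" case is the reply's point, where the declared type is honoured under both policies because the server, not the sniffer, chose it, and the nosniff case shows the header-side mitigation. The hardened variant changes only the sniffed-to-HTML path, which is the one a renderer without a proper download handler should not take.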



Reply sent to Gustavo Noronha <kov@debian.org>:
You have taken responsibility. (Wed, 17 Jun 2009 19:36:06 GMT).


Notification sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
Bug acknowledged by developer. (Wed, 17 Jun 2009 19:36:07 GMT).


Message #15 received at 520052-done@bugs.debian.org:

From: Gustavo Noronha <kov@debian.org>
To: 520052-done@bugs.debian.org
Subject: Re: webkit: CVE-2008-4723 cross-site scripting vulnerability
Date: Wed, 17 Jun 2009 16:32:12 -0300
Hey,

Did anyone actually test that libwebkit-1.0-1 is vulnerable to this? I
could think that newer versions might, but 1.0-1 doesn't do any kind of
sniffing, at all, so I found it difficult to believe that it's affected.

I will close this bug, given my reading of the situation. I welcome
anyone who tests this to provide a sample test case that shows we're
actually vulnerable.

Thanks,

-- 
Gustavo Noronha <kov@debian.org>
Debian Project





Information forwarded to debian-bugs-dist@lists.debian.org, Debian WebKit Maintainers <pkg-webkit-maintainers@lists.alioth.debian.org>:
Bug#520052; Package libwebkit-1.0-1. (Wed, 17 Jun 2009 22:48:05 GMT).


Acknowledgement sent to "Michael S. Gilbert" <michael.s.gilbert@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian WebKit Maintainers <pkg-webkit-maintainers@lists.alioth.debian.org>. (Wed, 17 Jun 2009 22:48:05 GMT).


Message #20 received at 520052@bugs.debian.org:

From: "Michael S. Gilbert" <michael.s.gilbert@gmail.com>
To: 520052@bugs.debian.org, kov@debian.org, control@bugs.debian.org
Subject: Re: webkit: CVE-2008-4723 cross-site scripting vulnerability
Date: Wed, 17 Jun 2009 18:48:25 -0400
reopen 520052
found 520052 1.0.1-4
fixed 520052 1.1.7-1
thanks

yes, i, as the original reporter, spent a non-insignificant amount of
time to determine that webkit is indeed affected.  in fact, i believe
that my description in the original report is very complete and
describes the extent of the problem very accurately.  enough so that
someone could come along and recheck the status.

i don't mean to sound rude, but if you wish to close bugs, please do the
requisite testing and background checking first.  i spent the time to
do a good job before submitting the bug.  please respect that by doing a
thorough job before closing the bug.  

also, you could have just asked me to recheck, which i have now done.
it appears that the problem is now resolved in unstable; however,
lenny is still affected.

kind regards,
mike

[1] http://www.jorgan.users.cg.yu/gc-mf.txt




Bug reopened, originator not changed. Request was from "Michael S. Gilbert" <michael.s.gilbert@gmail.com> to control@bugs.debian.org. (Wed, 17 Jun 2009 22:48:06 GMT).


Bug marked as found in version 1.0.1-4. Request was from "Michael S. Gilbert" <michael.s.gilbert@gmail.com> to control@bugs.debian.org. (Wed, 17 Jun 2009 22:48:07 GMT).


Bug marked as fixed in version 1.1.7-1. Request was from "Michael S. Gilbert" <michael.s.gilbert@gmail.com> to control@bugs.debian.org. (Wed, 17 Jun 2009 22:48:07 GMT).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian WebKit Maintainers <pkg-webkit-maintainers@lists.alioth.debian.org>:
Bug#520052; Package libwebkit-1.0-1. (Wed, 17 Jun 2009 23:00:02 GMT).


Acknowledgement sent to "Michael S. Gilbert" <michael.s.gilbert@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian WebKit Maintainers <pkg-webkit-maintainers@lists.alioth.debian.org>. (Wed, 17 Jun 2009 23:00:02 GMT).


Message #31 received at 520052@bugs.debian.org:

From: "Michael S. Gilbert" <michael.s.gilbert@gmail.com>
To: 520052@bugs.debian.org
Subject: wrong CVE
Date: Wed, 17 Jun 2009 19:00:31 -0400
CVE-2008-4723 is the wrong CVE, which is for firefox.  it should be
CVE-2008-4724




Information forwarded to debian-bugs-dist@lists.debian.org, Debian WebKit Maintainers <pkg-webkit-maintainers@lists.alioth.debian.org>:
Bug#520052; Package libwebkit-1.0-1. (Wed, 17 Jun 2009 23:33:06 GMT).


Acknowledgement sent to "Michael S. Gilbert" <michael.s.gilbert@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian WebKit Maintainers <pkg-webkit-maintainers@lists.alioth.debian.org>. (Wed, 17 Jun 2009 23:33:06 GMT).


Message #36 received at 520052@bugs.debian.org:

From: "Michael S. Gilbert" <michael.s.gilbert@gmail.com>
To: 520052@bugs.debian.org
Subject: spu candidate
Date: Wed, 17 Jun 2009 19:24:52 -0400
since this is a minor issue, would you be interested in pushing out
fixes for this problem in a stable proposed update?  if so, please
contact the security team.

mike




Information forwarded to debian-bugs-dist@lists.debian.org, Debian WebKit Maintainers <pkg-webkit-maintainers@lists.alioth.debian.org>:
Bug#520052; Package libwebkit-1.0-1. (Wed, 17 Jun 2009 23:51:03 GMT).


Acknowledgement sent to Gustavo Noronha <kov@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian WebKit Maintainers <pkg-webkit-maintainers@lists.alioth.debian.org>. (Wed, 17 Jun 2009 23:51:03 GMT).


Message #41 received at 520052@bugs.debian.org:

From: Gustavo Noronha <kov@debian.org>
To: "Michael S. Gilbert" <michael.s.gilbert@gmail.com>
Cc: 520052@bugs.debian.org
Subject: Re: webkit: CVE-2008-4723 cross-site scripting vulnerability
Date: Wed, 17 Jun 2009 20:49:55 -0300
On Wed, 2009-06-17 at 18:48 -0400, Michael S. Gilbert wrote:
> i don't mean to sound rude, but if you wish to close bugs, please do the
> requisite testing and background checking first.  i spent the time to
> do a good job before submitting the bug.  please respect that by doing a
> thorough job before closing the bug.  

You are right about that, sorry. I will try to figure out a patch for
lenny.

Thanks for updating the information!

-- 
Gustavo Noronha <kov@debian.org>
Debian Project





Reply sent to Mike Hommey <mh@glandium.org>:
You have taken responsibility. (Fri, 05 Mar 2010 21:03:18 GMT).


Notification sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
Bug acknowledged by developer. (Fri, 05 Mar 2010 21:03:18 GMT).


Message #46 received at 520052-done@bugs.debian.org:

From: Mike Hommey <mh@glandium.org>
To: 520052-done@bugs.debian.org
Subject: Properly closing
Date: Fri, 5 Mar 2010 22:00:19 +0100
Version: 1.1.7-1




Bug reassigned from package 'libwebkit-1.0-1' to 'webkit'. Request was from Luciana Fujii Pontello <luciana@fujii.eti.br> to control@bugs.debian.org. (Wed, 29 Sep 2010 01:33:04 GMT).


Bug no longer marked as found in versions webkit/1.0.1-4. Request was from Luciana Fujii Pontello <luciana@fujii.eti.br> to control@bugs.debian.org. (Wed, 29 Sep 2010 01:33:05 GMT).


Bug no longer marked as fixed in versions 1.1.7-1. Request was from Luciana Fujii Pontello <luciana@fujii.eti.br> to control@bugs.debian.org. (Wed, 29 Sep 2010 01:33:05 GMT).


Bug marked as found in versions webkit/1.0.1-4. Request was from Luciana Fujii Pontello <luciana@fujii.eti.br> to control@bugs.debian.org. (Wed, 29 Sep 2010 01:33:06 GMT).


Bug marked as fixed in versions webkit/1.1.7-1. Request was from Luciana Fujii Pontello <luciana@fujii.eti.br> to control@bugs.debian.org. (Wed, 29 Sep 2010 01:33:06 GMT).


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 07 Mar 2011 09:10:40 GMT).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:01:03 2019; Machine Name: buxtehude
