Debian Bug report logs - #520052
webkit: CVE-2008-4723 cross-site scripting vulnerability
Reported by: Michael Gilbert <michael.s.gilbert@gmail.com>
Date: Tue, 17 Mar 2009 02:30:01 UTC
Severity: grave
Tags: security
Found in version webkit/1.0.1-4
Fixed in version webkit/1.1.7-1
Done: Mike Hommey <mh@glandium.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Debian WebKit Maintainers <pkg-webkit-maintainers@lists.alioth.debian.org>: Bug#520052; Package libwebkit-1.0-1. (Tue, 17 Mar 2009 02:30:03 GMT)
Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>: New Bug report received and forwarded. Copy sent to Debian WebKit Maintainers <pkg-webkit-maintainers@lists.alioth.debian.org>. (Tue, 17 Mar 2009 02:30:04 GMT)
Message #5 received at submit@bugs.debian.org:
package: libwebkit-1.0-1
severity: grave
tags: security
it has been found that webkit is vulnerable to a cross-site scripting
vulnerability, see CVE-2008-4723 [1].
note that certain extensions are protected and others are not. for
example, the attack does not work for files with the jpg or txt
extension. however, the attack seems to work for general extensions
such as odp, xls, etc (probably because webkit does not have a proper
download that would appropriately handle general extensions yet).
if you fix these vulnerabilities, please make sure to include the CVE
id in your changelog. please contact the security team to coordinate
a fix for stable and/or if you have any questions.
regards,
mike
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4723
Information forwarded to debian-bugs-dist@lists.debian.org, Debian WebKit Maintainers <pkg-webkit-maintainers@lists.alioth.debian.org>: Bug#520052; Package libwebkit-1.0-1. (Tue, 17 Mar 2009 06:36:03 GMT)
Acknowledgement sent to Mike Hommey <mh@glandium.org>: Extra info received and forwarded to list. Copy sent to Debian WebKit Maintainers <pkg-webkit-maintainers@lists.alioth.debian.org>. (Tue, 17 Mar 2009 06:36:03 GMT)
Message #10 received at 520052@bugs.debian.org:
On Mon, Mar 16, 2009 at 10:28:04PM -0400, Michael Gilbert wrote:
> package: libwebkit-1.0-1
> severity: grave
> tags: security
>
> it has been found that webkit is vulnerable to a cross-site scripting
> vulnerability, see CVE-2008-4723 [1].
>
> note that certain extensions are protected and others are not. for
> example, the attack does not work for files with the jpg or txt
> extension. however, the attack seems to work for general extensions
> such as odp, xls, etc (probably because webkit does not have a proper
> download that would appropriately handle general extensions yet).
>
> if you fix these vulnerabilities, please make sure to include the CVE
> id in your changelog. please contact the security team to coordinate
> a fix for stable and/or if you have any questions.
>
> regards,
> mike
>
> [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4723
This sounds very exaggerated. Basically, what happens is that browsers
don't care about the file extension when dealing with these, and "sniff"
the real content. But in the end, the so-called attack could be done
with an http server serving .jpeg files with a text/html mime type.
Nothing new, and nothing that sounds like a real security threat.
Mike
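The two cases discussed in this thread (a non-HTML extension served with a text/html type, and HTML bytes served under a generic type that a sniffing browser may render) written as a server-side audit check. This is an added example, not code from the bug report or from WebKit; the marker list, function names and sample responses are assumptions, while X-Content-Type-Options and Content-Disposition are the standard response headers a server uses to opt out of sniffing or force a download.

```python
import os

# Abbreviated, assumed list of leading tokens that a content-sniffing browser
# may treat as HTML; real sniffers use longer lists.
HTML_MARKERS = (b"<!doctype html", b"<html", b"<head", b"<body",
                b"<script", b"<iframe", b"<title")
# Declared types a browser renders as active content in the serving origin.
ACTIVE_TYPES = {"text/html", "application/xhtml+xml"}
HTML_EXTENSIONS = {".html", ".htm", ".xhtml"}

def looks_like_html(body, window=512):
    """True if the leading bytes (after BOM/whitespace) start like HTML."""
    head = body[:window].lstrip(b"\xef\xbb\xbf \t\r\n\x0c").lower()
    return head.startswith(HTML_MARKERS)

def audit_response(filename, headers, body):
    """Return a list of findings for one served file; empty means none."""
    h = {k.lower(): v.strip().lower() for k, v in headers.items()}
    ctype = h.get("content-type", "").split(";")[0].strip()
    ext = os.path.splitext(filename)[1].lower()
    nosniff = h.get("x-content-type-options") == "nosniff"
    attachment = h.get("content-disposition", "").startswith("attachment")
    findings = []
    # Case from the reply: non-HTML extension declared as an HTML type.
    if ctype in ACTIVE_TYPES and ext not in HTML_EXTENSIONS:
        findings.append("declared-html-for-" + (ext or "no-extension"))
    # Case from the report: HTML bytes behind another type, with nothing
    # telling the browser not to sniff or to download instead of render.
    if ctype not in ACTIVE_TYPES and looks_like_html(body):
        if not (nosniff or attachment):
            findings.append("sniffable-html-body")
    return findings

# Constructed sample responses (file names, headers and bodies are made up).
SAMPLES = [
    ("slides.odp", {"Content-Type": "application/octet-stream"},
     b"\n<html><body>not a presentation</body></html>"),
    ("photo.jpeg", {"Content-Type": "text/html; charset=utf-8"}, b"<html></html>"),
    ("slides.odp", {"Content-Type": "application/octet-stream",
                    "X-Content-Type-Options": "nosniff",
                    "Content-Disposition": "attachment; filename=slides.odp"},
     b"<html><body>not a presentation</body></html>"),
    ("photo.jpeg", {"Content-Type": "image/jpeg"}, b"\xff\xd8\xff\xe0" + b"\x00" * 16),
]

if __name__ == "__main__":
    for name, hdrs, data in SAMPLES:
        print(name, audit_response(name, hdrs, data))
```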
Reply sent to Gustavo Noronha <kov@debian.org>: You have taken responsibility. (Wed, 17 Jun 2009 19:36:06 GMT)
Notification sent to Michael Gilbert <michael.s.gilbert@gmail.com>: Bug acknowledged by developer. (Wed, 17 Jun 2009 19:36:07 GMT)
Message #15 received at 520052-done@bugs.debian.org:
Hey,
Did anyone actually test that libwebkit-1.0-1 is vulnerable to this? I
could think that newer versions might, but 1.0-1 doesn't do any kind of
sniffing, at all, so I found it difficult to believe that it's affected.
I will close this bug, given my reading of the situation. I welcome
anyone who tests this to provide a sample test case that shows we're
actually vulnerable.
Thanks,
--
Gustavo Noronha <kov@debian.org>
Debian Project
Information forwarded to debian-bugs-dist@lists.debian.org, Debian WebKit Maintainers <pkg-webkit-maintainers@lists.alioth.debian.org>: Bug#520052; Package libwebkit-1.0-1. (Wed, 17 Jun 2009 22:48:05 GMT)
Acknowledgement sent to "Michael S. Gilbert" <michael.s.gilbert@gmail.com>: Extra info received and forwarded to list. Copy sent to Debian WebKit Maintainers <pkg-webkit-maintainers@lists.alioth.debian.org>. (Wed, 17 Jun 2009 22:48:05 GMT)
Message #20 received at 520052@bugs.debian.org:
reopen 520052
found 520052 1.0.1-4
fixed 520052 1.1.7-1
thanks
yes, i, as the original reporter, spent a non-insignificant amount of
time to determine that webkit is indeed affected. in fact, i believe
that my description in the original report is very complete and
describes the extent of the problem very accurately. enough so that
someone could come along and recheck the status.
i don't mean to sound rude, but if you wish to close bugs, please do the
requisite testing and background checking first. i spent the time to
do a good job before submitting the bug. please respect that by doing a
thorough job before closing the bug.
also, you could have just asked me to recheck, which i have now done.
it appears that the problem is now resolved in unstable; however,
lenny is still affected.
kind regards,
mike
[1] http://www.jorgan.users.cg.yu/gc-mf.txt
Bug reopened, originator not changed. Request was from "Michael S. Gilbert" <michael.s.gilbert@gmail.com> to control@bugs.debian.org. (Wed, 17 Jun 2009 22:48:06 GMT)
Bug marked as found in version 1.0.1-4. Request was from "Michael S. Gilbert" <michael.s.gilbert@gmail.com> to control@bugs.debian.org. (Wed, 17 Jun 2009 22:48:07 GMT)
Bug marked as fixed in version 1.1.7-1. Request was from "Michael S. Gilbert" <michael.s.gilbert@gmail.com> to control@bugs.debian.org. (Wed, 17 Jun 2009 22:48:07 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian WebKit Maintainers <pkg-webkit-maintainers@lists.alioth.debian.org>: Bug#520052; Package libwebkit-1.0-1. (Wed, 17 Jun 2009 23:00:02 GMT)
Acknowledgement sent to "Michael S. Gilbert" <michael.s.gilbert@gmail.com>: Extra info received and forwarded to list. Copy sent to Debian WebKit Maintainers <pkg-webkit-maintainers@lists.alioth.debian.org>. (Wed, 17 Jun 2009 23:00:02 GMT)
Message #31 received at 520052@bugs.debian.org:
CVE-2008-4723 is the wrong CVE, which is for firefox. it should be
CVE-2008-4724
Information forwarded to debian-bugs-dist@lists.debian.org, Debian WebKit Maintainers <pkg-webkit-maintainers@lists.alioth.debian.org>: Bug#520052; Package libwebkit-1.0-1. (Wed, 17 Jun 2009 23:33:06 GMT)
Acknowledgement sent to "Michael S. Gilbert" <michael.s.gilbert@gmail.com>: Extra info received and forwarded to list. Copy sent to Debian WebKit Maintainers <pkg-webkit-maintainers@lists.alioth.debian.org>. (Wed, 17 Jun 2009 23:33:06 GMT)
Message #36 received at 520052@bugs.debian.org:
since this is a minor issue, would you be interested in pushing out
fixes for this problem in a stable proposed update? if so, please
contact the security team.
mike
Information forwarded to debian-bugs-dist@lists.debian.org, Debian WebKit Maintainers <pkg-webkit-maintainers@lists.alioth.debian.org>: Bug#520052; Package libwebkit-1.0-1. (Wed, 17 Jun 2009 23:51:03 GMT)
Acknowledgement sent to Gustavo Noronha <kov@debian.org>: Extra info received and forwarded to list. Copy sent to Debian WebKit Maintainers <pkg-webkit-maintainers@lists.alioth.debian.org>. (Wed, 17 Jun 2009 23:51:03 GMT)
Message #41 received at 520052@bugs.debian.org:
On Wed, 2009-06-17 at 18:48 -0400, Michael S. Gilbert wrote:
> i don't mean to sound rude, but if you wish to close bugs, please do the
> requisite testing and background checking first. i spent the time to
> do a good job before submitting the bug. please respect that by doing a
> thorough job before closing the bug.
You are right about that, sorry. I will try to figure out a patch for
lenny.
Thanks for updating the information!
--
Gustavo Noronha <kov@debian.org>
Debian Project
Reply sent to Mike Hommey <mh@glandium.org>: You have taken responsibility. (Fri, 05 Mar 2010 21:03:18 GMT)
Notification sent to Michael Gilbert <michael.s.gilbert@gmail.com>: Bug acknowledged by developer. (Fri, 05 Mar 2010 21:03:18 GMT)
Message #46 received at 520052-done@bugs.debian.org:
Version: 1.1.7-1
Bug reassigned from package 'libwebkit-1.0-1' to 'webkit'. Request was from Luciana Fujii Pontello <luciana@fujii.eti.br> to control@bugs.debian.org. (Wed, 29 Sep 2010 01:33:04 GMT)
Bug No longer marked as found in versions webkit/1.0.1-4. Request was from Luciana Fujii Pontello <luciana@fujii.eti.br> to control@bugs.debian.org. (Wed, 29 Sep 2010 01:33:05 GMT)
Bug No longer marked as fixed in versions 1.1.7-1. Request was from Luciana Fujii Pontello <luciana@fujii.eti.br> to control@bugs.debian.org. (Wed, 29 Sep 2010 01:33:05 GMT)
Bug Marked as found in versions webkit/1.0.1-4. Request was from Luciana Fujii Pontello <luciana@fujii.eti.br> to control@bugs.debian.org. (Wed, 29 Sep 2010 01:33:06 GMT)
Bug Marked as fixed in versions webkit/1.1.7-1. Request was from Luciana Fujii Pontello <luciana@fujii.eti.br> to control@bugs.debian.org. (Wed, 29 Sep 2010 01:33:06 GMT)
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 07 Mar 2011 09:10:40 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:01:03 2019