Multiple security issues

Debian Bug report logs - #599830
Multiple security issues


Package: webkit; Maintainer for webkit is (unknown);

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Mon, 11 Oct 2010 17:51:09 UTC

Severity: grave

Tags: security

Fixed in version 1.2.5-1

Done: Gustavo Noronha Silva <kov@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian WebKit Maintainers <pkg-webkit-maintainers@lists.alioth.debian.org>:
Bug#599830; Package webkit. (Mon, 11 Oct 2010 17:51:12 GMT).


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian WebKit Maintainers <pkg-webkit-maintainers@lists.alioth.debian.org>. (Mon, 11 Oct 2010 17:51:12 GMT).


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Multiple security issues
Date: Mon, 11 Oct 2010 19:50:48 +0200
Package: webkit
Severity: grave
Tags: security

The following security issues need to be fixed in Webkit:

http://security-tracker.debian.org/tracker/CVE-2010-1807
http://security-tracker.debian.org/tracker/CVE-2010-2646
http://security-tracker.debian.org/tracker/CVE-2010-2651
http://security-tracker.debian.org/tracker/CVE-2010-3115

Also, the status of #532514 should finally be resolved
for Squeeze.

Cheers,
        Moritz

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash




Information forwarded to debian-bugs-dist@lists.debian.org, Debian WebKit Maintainers <pkg-webkit-maintainers@lists.alioth.debian.org>:
Bug#599830; Package webkit. (Sun, 17 Oct 2010 20:30:04 GMT).


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian WebKit Maintainers <pkg-webkit-maintainers@lists.alioth.debian.org>. (Sun, 17 Oct 2010 20:30:04 GMT).


Message #10 received at 599830@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: 599830@bugs.debian.org
Subject: Re: Multiple security issues
Date: Sun, 17 Oct 2010 22:27:35 +0200

On Mon, Oct 11, 2010 at 07:50:48PM +0200, Moritz Muehlenhoff wrote:
> Package: webkit
> Severity: grave
> Tags: security
> 
> The following security issues need to be fixed in Webkit:
> 
> http://security-tracker.debian.org/tracker/CVE-2010-1807
> http://security-tracker.debian.org/tracker/CVE-2010-2646
> http://security-tracker.debian.org/tracker/CVE-2010-2651
> http://security-tracker.debian.org/tracker/CVE-2010-3115
> 
> Also, the status of #532514 should finally be resolved
> for Squeeze.

People were claiming that Webkit would be more maintainable
and supported than the version in Lenny.

Still, there's no followup from the maintainers since a week.

This is bad.

jmm@galadriel:~$ apt-cache rdepends libwebkit-1.0-2
libwebkit-1.0-2
Reverse Depends:
  yelp
  xtrkcad
  libwebkit-dev
  libwebkit-1.0-2-dbg
  libwebkit1.1-cil
  uzbl
  shotwell
  libseed0
  python-webkit
  python-jswebkit
  osmo
  midori
  luakit
  liferea
  lekhonee-gnome
  kazehakase-webkit
  webkit-image-gtk
  libghc6-webkit-dev
  gphpedit
  gmpc-plugins
  gimp
  evolution-rss
  epiphany-extensions
  epiphany-browser
  nautilus-sendto-empathy
  empathy
  libdevhelp-1-1
  devhelp
  claws-mail-fancy-plugin
  cairo-dock-weblets-plugin
  bibledit
  awn-applets-c-extras
  anjuta

Cheers,
        Moritz








Reply sent to Gustavo Noronha Silva <kov@debian.org>:
You have taken responsibility. (Mon, 18 Oct 2010 13:57:03 GMT).


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Mon, 18 Oct 2010 13:57:04 GMT).


Message #15 received at 599830-done@bugs.debian.org:

From: Gustavo Noronha Silva <kov@debian.org>
To: Moritz Muehlenhoff <jmm@inutil.org>, 599830-done@bugs.debian.org
Subject: Re: Bug#599830: Multiple security issues
Date: Mon, 18 Oct 2010 11:52:40 -0200
Version: 1.2.5-1

Hey,

On Sun, 2010-10-17 at 22:27 +0200, Moritz Muehlenhoff wrote:
> On Mon, Oct 11, 2010 at 07:50:48PM +0200, Moritz Muehlenhoff wrote:
> > Package: webkit
> > Severity: grave
> > Tags: security
> > 
> > The following security issues need to be fixed in Webkit:
> > 
> > http://security-tracker.debian.org/tracker/CVE-2010-1807
> > http://security-tracker.debian.org/tracker/CVE-2010-2646
> > http://security-tracker.debian.org/tracker/CVE-2010-2651
> > http://security-tracker.debian.org/tracker/CVE-2010-3115
> > 
> > Also, the status of #532514 should finally be resolved
> > for Squeeze.
> 
> People were claiming that Webkit would be more maintainable
> and supported than the version in Lenny.
> 
> Still, there's no followup from the maintainers since a week.

I'm kinda busy, sorry. This weekend I worked on packaging 1.2.5 after
having worked on getting many CVEs handled upstream. Michael Gilbert
also worked on a few more CVEs for the Debian package. The package I
finished uploading this morning has the following CVEs handled, from
upstream:

      CVE-2010-1780 CVE-2010-3113 CVE-2010-1814 CVE-2010-1812
      CVE-2010-1815 CVE-2010-3115 CVE-2010-1807 CVE-2010-3114
      CVE-2010-3116 CVE-2010-3257 CVE-2010-3259

And these from Michael Gilbert's work:

  * fix cve-2010-2646: security origin bypass using IFRAME elements.
  * fix cve-2010-2651: vulnerability in css style rendering.
  * fix cve-2010-2900: vulnerability with large canvas elements when using the
    SKIA library.
  * fix cve-2010-2901: vulnerability in the rendering implementation.
  * fix cve-2010-3120: vulnerability in geolocation feature.

Note that some CVEs listed above do not really affect WebKitGTK+ at its
current version in Debian because we do not use skia nor enable
geolocation yet.

About #532514 this is how we generate random numbers (see
http://trac.webkit.org/browser/trunk/JavaScriptCore/wtf/RandomNumber.cpp#L70):

    uint32_t part1 = random() & (RAND_MAX - 1);
    uint32_t part2 = random() & (RAND_MAX - 1);
    // random only provides 31 bits
    uint64_t fullRandom = part1;
    fullRandom <<= 31;
    fullRandom |= part2;

    // Mask off the low 53bits
    fullRandom &= (1LL << 53) - 1;
    return static_cast<double>(fullRandom)/static_cast<double>(1LL << 53);

I am not knowledgeable enough to assess the strength of this method,
hopefully you can provide some insight? In the upstream bugreport Sam
Weinig says this was a Windows-only issue, FWIW.

Thanks,

-- 
Gustavo Noronha Silva <kov@debian.org>
Debian Project
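
Added example, not part of the message above or of WebKit's source: a C re-implementation of the quoted construction that measures two properties bearing on the question about its strength. It assumes a 31-bit `random()` (RAND_MAX = 2^31 - 1, as on glibc); the function names are hypothetical.

```c
#define _DEFAULT_SOURCE 1   /* expose random()/srandom() under strict -std modes */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumption: RAND_MAX is 2^31 - 1, so (RAND_MAX - 1) is written out as a
   constant here instead of depending on the platform's value. */
#define RAND_MAX_MINUS_1 0x7FFFFFFEu

/* The quoted construction, returning the 53-bit integer before the divide. */
static uint64_t quoted_bits(void)
{
    uint32_t part1 = (uint32_t)random() & RAND_MAX_MINUS_1;
    uint32_t part2 = (uint32_t)random() & RAND_MAX_MINUS_1;
    uint64_t full = part1;
    full <<= 31;
    full |= part2;
    full &= (1ULL << 53) - 1;
    return full;
}

/* OR together n outputs: a bit that is still 0 afterwards was never set. */
uint64_t bits_ever_set(unsigned seed, int n)
{
    uint64_t seen = 0;
    srandom(seed);
    for (int i = 0; i < n; i++)
        seen |= quoted_bits();
    return seen;
}

/* Returns 1 if re-seeding with the same value replays the same stream. */
int same_seed_repeats(unsigned seed, int n)
{
    uint64_t first[64];
    if (n > 64)
        n = 64;
    srandom(seed);
    for (int i = 0; i < n; i++)
        first[i] = quoted_bits();
    srandom(seed);
    for (int i = 0; i < n; i++)
        if (quoted_bits() != first[i])
            return 0;
    return 1;
}

int main(void)
{
    printf("bits ever set:     0x%014llx\n",
           (unsigned long long)bits_ever_set(1, 100000));
    printf("same seed repeats: %d\n", same_seed_repeats(1, 32));
    return 0;
}
```

Under the stated assumption the mask `RAND_MAX - 1` clears the lowest bit of each half, so bits 0 and 31 of the 53-bit value are always zero, and the whole stream is fixed by the `srandom()` seed.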





Information forwarded to debian-bugs-dist@lists.debian.org, Debian WebKit Maintainers <pkg-webkit-maintainers@lists.alioth.debian.org>:
Bug#599830; Package webkit. (Thu, 28 Oct 2010 16:21:05 GMT).


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian WebKit Maintainers <pkg-webkit-maintainers@lists.alioth.debian.org>. (Thu, 28 Oct 2010 16:21:05 GMT).


Message #20 received at 599830@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Gustavo Noronha Silva <kov@debian.org>
Cc: 599830@bugs.debian.org, michael.s.gilbert@gmail.com
Subject: Re: Bug#599830: Multiple security issues
Date: Thu, 28 Oct 2010 18:18:29 +0200

On Mon, Oct 18, 2010 at 11:52:40AM -0200, Gustavo Noronha Silva wrote:
> Version: 1.2.5-1
> 
> Hey,
> 
> On Sun, 2010-10-17 at 22:27 +0200, Moritz Muehlenhoff wrote:
> > On Mon, Oct 11, 2010 at 07:50:48PM +0200, Moritz Muehlenhoff wrote:
> > > Package: webkit
> > > Severity: grave
> > > Tags: security
> > > 
> > > The following security issues need to be fixed in Webkit:
> > > 
> > > http://security-tracker.debian.org/tracker/CVE-2010-1807
> > > http://security-tracker.debian.org/tracker/CVE-2010-2646
> > > http://security-tracker.debian.org/tracker/CVE-2010-2651
> > > http://security-tracker.debian.org/tracker/CVE-2010-3115
> > > 
> > > Also, the status of #532514 should finally be resolved
> > > for Squeeze.
> > 
> > People were claiming that Webkit would be more maintainable
> > and supported than the version in Lenny.
> > 
> > Still, there's no followup from the maintainers since a week.
> 
> I'm kinda busy, sorry. This weekend I worked on packaging 1.2.5 after
> having worked on getting many CVEs handled upstream. Michael Gilbert
> also worked on a few more CVEs for the Debian package. The package I
> finished uploading this morning has the following CVEs handled, from
> upstream:

Thanks for the upload.

There's a huge amount of vulnerabilities which need to be checked
for Webkit on top of these. Shall I open a new bug?
CVE-2009-2068 
CVE-2009-3011 
CVE-2010-1131
CVE-2010-1384 
CVE-2010-1403
CVE-2010-1750
CVE-2010-1757
CVE-2010-1769
CVE-2010-1781
CVE-2010-1783
CVE-2010-1805
CVE-2010-1806
CVE-2010-1823
CVE-2010-1824
CVE-2010-1825
CVE-2010-1992
CVE-2010-2120 
CVE-2010-2264
CVE-2010-3246
CVE-2010-3248
CVE-2010-3249
CVE-2010-3252
CVE-2010-3253
CVE-2010-3254
CVE-2010-3255
CVE-2010-3415
CVE-2010-3416
CVE-2010-3730
CVE-2010-4033
CVE-2010-4034
CVE-2010-4035
CVE-2010-4036
CVE-2010-4037
CVE-2010-4038
CVE-2010-4039
CVE-2010-4040
CVE-2010-4041
CVE-2010-4042

It is very important that more people get involved in webkit
maintenance, especially with regard to the backports needed for
Squeeze and given that it represents the web engine for the browser
installed in the standard desktop task. Could you maybe send a RFH
to debian-devel-announce?

How long will the 1.2 branch be supported by upstream?

> About #532514 this is how we generate random numbers (see
> http://trac.webkit.org/browser/trunk/JavaScriptCore/wtf/RandomNumber.cpp#L70):

I will check this in a few days and update the bug accordingly.

Cheers,
        Moritz




Information forwarded to debian-bugs-dist@lists.debian.org, Debian WebKit Maintainers <pkg-webkit-maintainers@lists.alioth.debian.org>:
Bug#599830; Package webkit. (Thu, 28 Oct 2010 16:30:02 GMT).


Acknowledgement sent to Mike Hommey <mh@glandium.org>:
Extra info received and forwarded to list. Copy sent to Debian WebKit Maintainers <pkg-webkit-maintainers@lists.alioth.debian.org>. (Thu, 28 Oct 2010 16:30:02 GMT).


Message #25 received at 599830@bugs.debian.org:

From: Mike Hommey <mh@glandium.org>
To: Moritz Muehlenhoff <jmm@inutil.org>, 599830@bugs.debian.org
Cc: Gustavo Noronha Silva <kov@debian.org>
Subject: Re: Bug#599830: Multiple security issues
Date: Thu, 28 Oct 2010 18:26:47 +0200

On Thu, Oct 28, 2010 at 06:18:29PM +0200, Moritz Muehlenhoff wrote:
> On Mon, Oct 18, 2010 at 11:52:40AM -0200, Gustavo Noronha Silva wrote:
> > Version: 1.2.5-1
> > 
> > Hey,
> > 
> > On Sun, 2010-10-17 at 22:27 +0200, Moritz Muehlenhoff wrote:
> > > On Mon, Oct 11, 2010 at 07:50:48PM +0200, Moritz Muehlenhoff wrote:
> > > > Package: webkit
> > > > Severity: grave
> > > > Tags: security
> > > > 
> > > > The following security issues need to be fixed in Webkit:
> > > > 
> > > > http://security-tracker.debian.org/tracker/CVE-2010-1807
> > > > http://security-tracker.debian.org/tracker/CVE-2010-2646
> > > > http://security-tracker.debian.org/tracker/CVE-2010-2651
> > > > http://security-tracker.debian.org/tracker/CVE-2010-3115
> > > > 
> > > > Also, the status of #532514 should finally be resolved
> > > > for Squeeze.
> > > 
> > > People were claiming that Webkit would be more maintainable
> > > and supported than the version in Lenny.
> > > 
> > > Still, there's no followup from the maintainers since a week.
> > 
> > I'm kinda busy, sorry. This weekend I worked on packaging 1.2.5 after
> > having worked on getting many CVEs handled upstream. Michael Gilbert
> > also worked on a few more CVEs for the Debian package. The package I
> > finished uploading this morning has the following CVEs handled, from
> > upstream:
> 
> Thanks for the upload.
> 
> There's a huge amount of vulnerabilities which need to be checked
> for Webkit on top of these. Shall I open a new bug?
> CVE-2009-2068 
> CVE-2009-3011 
> CVE-2010-1131
> CVE-2010-1384 
> CVE-2010-1403
> CVE-2010-1750
> CVE-2010-1757
> CVE-2010-1769
> CVE-2010-1781
> CVE-2010-1783
> CVE-2010-1805
> CVE-2010-1806
> CVE-2010-1823
> CVE-2010-1824
> CVE-2010-1825
> CVE-2010-1992
> CVE-2010-2120 
> CVE-2010-2264
> CVE-2010-3246
> CVE-2010-3248
> CVE-2010-3249
> CVE-2010-3252
> CVE-2010-3253
> CVE-2010-3254
> CVE-2010-3255
> CVE-2010-3415
> CVE-2010-3416
> CVE-2010-3730
> CVE-2010-4033
> CVE-2010-4034
> CVE-2010-4035
> CVE-2010-4036
> CVE-2010-4037
> CVE-2010-4038
> CVE-2010-4039
> CVE-2010-4040
> CVE-2010-4041
> CVE-2010-4042
> 
> It is very important that more people get involved in webkit
> maintenance, especially with regard to the backports needed for
> Squeeze and given that it represents the web engine for the browser
> installed in the standard desktop task. Could you maybe send a RFH
> to debian-devel-announce?
> 
> How long will the 1.2 branch be supported by upstream?

From my POV it doesn't look like to be supported, which is the main
problem we have... We can't support webkit by ourselves...

Mike




Information forwarded to debian-bugs-dist@lists.debian.org, Debian WebKit Maintainers <pkg-webkit-maintainers@lists.alioth.debian.org>:
Bug#599830; Package webkit. (Thu, 28 Oct 2010 18:33:03 GMT).


Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian WebKit Maintainers <pkg-webkit-maintainers@lists.alioth.debian.org>. (Thu, 28 Oct 2010 18:33:03 GMT).


Message #30 received at 599830@bugs.debian.org:

From: Michael Gilbert <michael.s.gilbert@gmail.com>
To: 599830@bugs.debian.org
Cc: Moritz Muehlenhoff <jmm@inutil.org>
Subject: Re: Bug#599830: Multiple security issues
Date: Thu, 28 Oct 2010 14:30:36 -0400

On Thu, 28 Oct 2010 18:26:47 +0200, Mike Hommey wrote:
> On Thu, Oct 28, 2010 at 06:18:29PM +0200, Moritz Muehlenhoff wrote:
> > On Mon, Oct 18, 2010 at 11:52:40AM -0200, Gustavo Noronha Silva wrote:
> > > Version: 1.2.5-1
> > > 
> > > Hey,
> > > 
> > > On Sun, 2010-10-17 at 22:27 +0200, Moritz Muehlenhoff wrote:
> > > > On Mon, Oct 11, 2010 at 07:50:48PM +0200, Moritz Muehlenhoff wrote:
> > > > > Package: webkit
> > > > > Severity: grave
> > > > > Tags: security
> > > > > 
> > > > > The following security issues need to be fixed in Webkit:
> > > > > 
> > > > > http://security-tracker.debian.org/tracker/CVE-2010-1807
> > > > > http://security-tracker.debian.org/tracker/CVE-2010-2646
> > > > > http://security-tracker.debian.org/tracker/CVE-2010-2651
> > > > > http://security-tracker.debian.org/tracker/CVE-2010-3115
> > > > > 
> > > > > Also, the status of #532514 should finally be resolved
> > > > > for Squeeze.
> > > > 
> > > > People were claiming that Webkit would be more maintainable
> > > > and supported than the version in Lenny.
> > > > 
> > > > Still, there's no followup from the maintainers since a week.
> > > 
> > > I'm kinda busy, sorry. This weekend I worked on packaging 1.2.5 after
> > > having worked on getting many CVEs handled upstream. Michael Gilbert
> > > also worked on a few more CVEs for the Debian package. The package I
> > > finished uploading this morning has the following CVEs handled, from
> > > upstream:
> > 
> > Thanks for the upload.
> > 
> > There's a huge amount of vulnerabilities which need to be checked
> > for Webkit on top of these. Shall I open a new bug?
> > CVE-2009-2068 
> > CVE-2009-3011 
> > CVE-2010-1131
> > CVE-2010-1384 
> > CVE-2010-1403
> > CVE-2010-1750
> > CVE-2010-1757
> > CVE-2010-1769
> > CVE-2010-1781
> > CVE-2010-1783
> > CVE-2010-1805
> > CVE-2010-1806
> > CVE-2010-1823
> > CVE-2010-1824
> > CVE-2010-1825
> > CVE-2010-1992
> > CVE-2010-2120 
> > CVE-2010-2264
> > CVE-2010-3246
> > CVE-2010-3248
> > CVE-2010-3249
> > CVE-2010-3252
> > CVE-2010-3253
> > CVE-2010-3254
> > CVE-2010-3255
> > CVE-2010-3415
> > CVE-2010-3416
> > CVE-2010-3730
> > CVE-2010-4033
> > CVE-2010-4034
> > CVE-2010-4035
> > CVE-2010-4036
> > CVE-2010-4037
> > CVE-2010-4038
> > CVE-2010-4039
> > CVE-2010-4040
> > CVE-2010-4041
> > CVE-2010-4042
> > 
> > It is very important that more people get involved in webkit
> > maintenance, especially with regard to the backports needed for
> > Squeeze and given that it represents the web engine for the browser
> > installed in the standard desktop task. Could you maybe send a RFH
> > to debian-devel-announce?
> > 
> > How long will the 1.2 branch be supported by upstream?
> 
> From my POV it doesn't look like to be supported, which is the main
> problem we have... We can't support webkit by ourselves...

Didn't Gustavo take over as the manager for stable upstream releases?

Mike




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 26 Nov 2010 07:32:40 GMT).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:56:36 2019; Machine Name: buxtehude
