Your message dated Tue, 20 May 2008 15:28:35 +0200
with message-id <200805201528.36426.fabo@debian.org>
and subject line libqt4-webkit:CVE-2008-1025 Cross-site scripting (XSS) vulnerability in Apple WebKit
has caused the Debian Bug report #479644,
regarding libqt4-webkit:CVE-2008-1025 Cross-site scripting (XSS) vulnerability in Apple WebKit
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
479644: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=479644
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: libqt4-webkit:CVE-2008-1025 Cross-site scripting (XSS) vulnerability in Apple WebKit
- From: "Eder L. Marques" <eder@edermarques.net>
- Date: Mon, 05 May 2008 18:35:19 -0300
- Message-id: <481F7D97.7060607@edermarques.net>
Package: libqt4-webkit
Version: 4.4.0~rc1-5
Severity: medium
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for libqt4-webkit.

CVE-2008-1025[0]:
| Cross-site scripting (XSS) vulnerability in Apple WebKit, as used in
| Safari before 3.1.1, allows remote attackers to inject arbitrary web
| script or HTML via a crafted URL with a colon in the hostname portion.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1025
    http://security-tracker.debian.net/tracker/CVE-2008-1025

A changeset of the modifications needed is here:
http://trac.webkit.org/changeset/31438

WebKit-1.0.0-0.8.svn31787 or newer have the code fixed.

Kind regards,

--
Eder L. Marques
Just another weekend hacker
http://blog.edermarques.net/ | http://www.debian.org/
http://administrando.net/ | http://www.debianbrasil.org/
http://www.fsfla.org/ | http://www.debian-ce.org/

Attachment: signature.asc
Description: OpenPGP digital signature
--- End Message ---
--- Begin Message ---
- To: 479644-done@bugs.debian.org
- Subject: libqt4-webkit:CVE-2008-1025 Cross-site scripting (XSS) vulnerability in Apple WebKit
- From: Fathi BOUDRA <fabo@debian.org>
- Date: Tue, 20 May 2008 15:28:35 +0200
- Message-id: <200805201528.36426.fabo@debian.org>
- Reply-to: fabo@debian.org
Hi,

in WebKit Qt port, URLs are handled by QUrl instead of NSURL. QUrl considers
such URLs invalid and therefore the underlying networking layer refuses to load
them.

cheers,

Fathi
--- End Message ---
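
The closing message describes a fail-closed design: a URL whose hostname contains a stray colon is treated as invalid and never reaches the network layer. The sketch below is an added illustration of that idea, not code from the bug report, Qt, or WebKit; the function names and sample URLs are constructed, and the checks are a simplified RFC 3986 authority parse (ASCII hostnames only), not QUrl's actual rules.

```python
import ipaddress
import re

# One DNS label: letters, digits, hyphen; no leading or trailing hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")
_PREFIX = re.compile(r"([A-Za-z][A-Za-z0-9+.-]*)://([^/?#]*)")

class InvalidURL(ValueError):
    """Raised when the authority part cannot be parsed unambiguously."""

def host_and_port(url):
    """Return (host, port) for a scheme://authority URL or raise InvalidURL."""
    m = _PREFIX.match(url)
    if not m:
        raise InvalidURL("missing scheme://authority")
    hostport = m.group(2).rpartition("@")[2]   # drop optional userinfo
    if hostport.startswith("["):               # bracketed IPv6 literal
        end = hostport.find("]")
        if end == -1:
            raise InvalidURL("unterminated IPv6 literal")
        host, rest = hostport[:end + 1], hostport[end + 1:]
        try:
            ipaddress.IPv6Address(host[1:-1])
        except ValueError:
            raise InvalidURL("bad IPv6 literal") from None
        if rest and not rest.startswith(":"):
            raise InvalidURL("junk after IPv6 literal")
        port = rest[1:]
    else:
        # Only the last colon may introduce a port; any colon still left in
        # the host part fails the label check and the URL is rejected.
        host, _, port = hostport.rpartition(":") if ":" in hostport else (hostport, "", "")
        labels = host.removesuffix(".").split(".")
        if not host or not all(_LABEL.fullmatch(label) for label in labels):
            raise InvalidURL("invalid hostname: %r" % host)
    if port and not (re.fullmatch(r"[0-9]{1,5}", port) and int(port) <= 65535):
        raise InvalidURL("invalid port: %r" % port)
    return host, (int(port) if port else None)

def is_loadable(url):
    """Gate for the network layer: refuse anything that does not parse."""
    try:
        host_and_port(url)
        return True
    except InvalidURL:
        return False
```
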