
Bug#561765: kdelibs: many webkit vulnerabilities



severity 561765 important
thanks

> The following CVE (Common Vulnerabilities & Exposures) ids were
> published for webkit.  webkit was forked from khtml, so these
> issues very likely apply to this package as well.  Since there are so
> many problems, I have not had time to check whether the vulnerable code
> is present or has an impact. Please check this and keep either myself
> or the security team informed of the affected/not-affected issues.
> Thank you very much for looking into this.
> 
> CVE-2006-2783[0]:
> | Mozilla Firefox and Thunderbird before 1.5.0.4 strip the Unicode
> | Byte-order-Mark (BOM) from a UTF-8 page before the page is passed to
> | the parser, which allows remote attackers to conduct cross-site
> | scripting (XSS) attacks via a BOM sequence in the middle of a
> | dangerous tag such as SCRIPT.

kdelibs 3.5 is not affected.
 
> CVE-2008-0298[1]:
> | KHTML WebKit as used in Apple Safari 2.x allows remote attackers to
> | cause a denial of service (browser crash) via a crafted web page,
> | possibly involving a STYLE attribute of a DIV element.

Didn't check; browser crashes w/o code injection are not treated as 
security issues.
 
> CVE-2008-1588[2]:
> | Safari on Apple iPhone before 2.0 and iPod touch before 2.0 allows
> | remote attackers to spoof the address bar via Unicode ideographic
> | spaces in the URL.

This is a MacOS specific vulnerability.
 
> CVE-2008-2307[3]:
> | Unspecified vulnerability in WebKit in Apple Safari before 3.1.2, as
> | distributed in Mac OS X before 10.5.4, and standalone for Windows and
> | Mac OS X 10.4, allows remote attackers to cause a denial of service
> | (application crash) or execute arbitrary code via vectors involving
> | JavaScript arrays that trigger memory corruption.

This affects kdelibs 3.5.
 
> CVE-2008-2320[4]:
> | Stack-based buffer overflow in CarbonCore in Apple Mac OS X 10.4.11
> | and 10.5.4, iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch
> | 1.1 through 2.2.1 allows context-dependent attackers to execute
> | arbitrary code or cause a denial of service (application crash) via a
> | long filename to the file management API.

This doesn't affect webkit or kdelibs.

> CVE-2008-3632[5]:
> | Use-after-free vulnerability in WebKit in Apple iPod touch 1.1 through
> | 2.0.2, and iPhone 1.0 through 2.0.2, allows remote attackers to
> | execute arbitrary code or cause a denial of service (application
> | crash) via a web page with crafted Cascading Style Sheets (CSS) import
> | statements.

This doesn't affect kdelibs.
 
> CVE-2008-4231[6]:
> | Safari in Apple iPhone OS 1.0 through 2.1 and iPhone OS for iPod touch
> | 1.1 through 2.1 does not properly handle HTML TABLE elements, which
> | allows remote attackers to execute arbitrary code or cause a denial of
> | service (memory corruption and application crash) via a crafted HTML
> | document.

Couldn't find specific information on this.
 
> CVE-2008-4724[7]:
> | Multiple cross-site scripting (XSS) vulnerabilities in Google Chrome
> | 0.2.149.30 allow remote attackers to inject arbitrary web script or
> | HTML via an ftp:// URL for an HTML document within a (1) JPG, (2) PDF,
> | or (3) TXT file.  NOTE: the provenance of this information is unknown;
> | the details are obtained solely from third party information.

This doesn't affect kdelibs 3.5.
 
> CVE-2009-0945[8]:
> | Array index error in the insertItemBefore method in WebKit, as used in
> | Apple Safari before 3.2.3 and 4 Public Beta, iPhone OS 1.0 through
> | 2.2.1, iPhone OS for iPod touch 1.1 through 2.2.1, Google Chrome
> | Stable before 1.0.154.65, and possibly other products allows remote
> | attackers to execute arbitrary code via a document with a SVGPathList
> | data structure containing a negative index in the (1)
> | SVGTransformList, (2) SVGStringList, (3) SVGNumberList, (4)
> | SVGPathSegList, (5) SVGPointList, or (6) SVGLengthList SVGList object,
> | which triggers memory corruption.

This doesn't affect kdelibs, the issue is in ksvg from kdegraphics.
 
> CVE-2009-1681[9]:
> | WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1, and
> | iPhone OS for iPod touch 1.1 through 2.2.1 does not prevent web sites
> | from loading third-party content into a subframe, which allows remote
> | attackers to bypass the Same Origin Policy and conduct "clickjacking"
> | attacks via a crafted HTML document.

This doesn't affect kdelibs.
 
> CVE-2009-1684[10]:
> | Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari
> | before 4.0, iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch
> | 1.1 through 2.2.1 allows remote attackers to inject arbitrary web
> | script or HTML via an event handler that triggers script execution in
> | the context of the next loaded document.

This doesn't affect kdelibs.
 
> CVE-2009-1685[11]:
> | Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari
> | before 4.0, iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch
> | 1.1 through 2.2.1 allows remote attackers to inject arbitrary web
> | script or HTML by overwriting the document.implementation property of
> | (1) an embedded document or (2) a parent document.

This doesn't affect kdelibs.
 
> CVE-2009-1686[12]:
> | WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1, and
> | iPhone OS for iPod touch 1.1 through 2.2.1 does not properly handle
> | constant (aka const) declarations in a type-conversion operation
> | during JavaScript exception handling, which allows remote attackers to
> | execute arbitrary code or cause a denial of service (memory corruption
> | and application crash) via a crafted HTML document.

This doesn't affect kdelibs.

> CVE-2009-1688[13]:
> | Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari
> | before 4.0, iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch
> | 1.1 through 2.2.1 allows remote attackers to inject arbitrary web
> | script or HTML via vectors related to determining a security context
> | through an approach that is not the "HTML 5 standard method."

This doesn't affect kdelibs.
 
> CVE-2009-1689[14]:
> | Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari
> | before 4.0, iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch
> | 1.1 through 2.2.1 allows remote attackers to inject arbitrary web
> | script or HTML via vectors involving submission of a form to the
> | about:blank URL, leading to security-context replacement.

This doesn't affect kdelibs.
 
> CVE-2009-1691[15]:
> | Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari
> | before 4.0, iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch
> | 1.1 through 2.2.1 allows remote attackers to inject arbitrary web
> | script or HTML via vectors related to insufficient access control for
> | standard JavaScript prototypes in other domains.

This doesn't affect kdelibs.
 
> CVE-2009-1692[16]:
> | WebKit before r41741, as used in Apple iPhone OS 1.0 through 2.2.1,
> | iPhone OS for iPod touch 1.1 through 2.2.1, Safari, and other
> | software, allows remote attackers to cause a denial of service (memory
> | consumption or device reset) via a web page containing an
> | HTMLSelectElement object with a large length attribute, related to the
> | length property of a Select object.

Didn't check; browser crashes w/o code injection are not treated as 
security issues.
 
> CVE-2009-1693[17]:
> | WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1, and
> | iPhone OS for iPod touch 1.1 through 2.2.1 allows remote attackers to
> | read images from arbitrary web sites via a CANVAS element with an SVG
> | image, related to a "cross-site image capture issue."

This doesn't affect kdelibs.
 
> CVE-2009-1694[18]:
> | WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1, and
> | iPhone OS for iPod touch 1.1 through 2.2.1 does not properly handle
> | redirects, which allows remote attackers to read images from arbitrary
> | web sites via vectors involving a CANVAS element and redirection,
> | related to a "cross-site image capture issue."

This doesn't affect kdelibs.
 
> CVE-2009-1695[19]:
> | Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari
> | before 4.0, iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch
> | 1.1 through 2.2.1 allows remote attackers to inject arbitrary web
> | script or HTML via vectors involving access to frame contents after
> | completion of a page transition.

This doesn't affect kdelibs.
 
> CVE-2009-1696[20]:
> | WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1, and
> | iPhone OS for iPod touch 1.1 through 2.2.1 uses predictable random
> | numbers in JavaScript applications, which makes it easier for remote
> | web servers to track the behavior of a Safari user during a session.

This doesn't affect kdelibs.
 
> CVE-2009-1697[21]:
> | CRLF injection vulnerability in WebKit in Apple Safari before 4.0,
> | iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch 1.1 through
> | 2.2.1 allows remote attackers to inject HTTP headers and bypass the
> | Same Origin Policy via a crafted HTML document, related to cross-site
> | scripting (XSS) attacks that depend on communication with arbitrary
> | web sites on the same server through use of XMLHttpRequest without a
> | Host header.

This doesn't affect kdelibs.
 
> CVE-2009-1699[22]:
> | The XSL stylesheet implementation in WebKit in Apple Safari before
> | 4.0, iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch 1.1
> | through 2.2.1 does not properly handle XML external entities, which
> | allows remote attackers to read arbitrary files via a crafted DTD, as
> | demonstrated by a file:///etc/passwd URL in an entity declaration,
> | related to an "XXE attack."

This doesn't affect kdelibs.
 
> CVE-2009-1700[23]:
> | The XSLT implementation in WebKit in Apple Safari before 4.0, iPhone
> | OS 1.0 through 2.2.1, and iPhone OS for iPod touch 1.1 through 2.2.1
> | does not properly handle redirects, which allows remote attackers to
> | read XML content from arbitrary web pages via a crafted document.

This doesn't affect kdelibs.

> CVE-2009-1701[24]:
> | Use-after-free vulnerability in the JavaScript DOM implementation in
> | WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1, and
> | iPhone OS for iPod touch 1.1 through 2.2.1 allows remote attackers to
> | execute arbitrary code or cause a denial of service (application
> | crash) by destroying a document.body element that has an unspecified
> | XML container with elements that support the dir attribute.

This doesn't affect kdelibs.
 
> CVE-2009-1702[25]:
> | Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari
> | before 4.0, iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch
> | 1.1 through 2.2.1 allows remote attackers to inject arbitrary web
> | script or HTML via vectors related to improper handling of Location
> | and History objects.

This doesn't affect kdelibs.
 
> CVE-2009-1703[26]:
> | WebKit in Apple Safari before 4.0 does not prevent references to file:
> | URLs within (1) audio and (2) video elements, which allows remote
> | attackers to determine the existence of arbitrary files via a crafted
> | HTML document.

This doesn't affect kdelibs.
 
> CVE-2009-1710[27]:
> | WebKit in Apple Safari before 4.0 allows remote attackers to spoof the
> | browser's display of (1) the host name, (2) security indicators, and
> | unspecified other UI elements via a custom cursor in conjunction with
> | a modified CSS3 hotspot property.

This doesn't affect kdelibs.
 
> CVE-2009-1711[28]:
> | WebKit in Apple Safari before 4.0 does not properly initialize memory
> | for Attr DOM objects, which allows remote attackers to execute
> | arbitrary code or cause a denial of service (application crash) via a
> | crafted HTML document.

This doesn't affect kdelibs.
 
> CVE-2009-1712[29]:
> | WebKit in Apple Safari before 4.0 does not prevent remote loading of
> | local Java applets, which allows remote attackers to execute arbitrary
> | code, gain privileges, or obtain sensitive information via an APPLET
> | or OBJECT element.

This doesn't affect kdelibs.
 
> CVE-2009-1713[30]:
> | The XSLT functionality in WebKit in Apple Safari before 4.0 does not
> | properly implement the document function, which allows remote
> | attackers to read (1) arbitrary local files and (2) files from
> | different security zones via unspecified vectors.

This doesn't affect kdelibs.
 
> CVE-2009-1714[31]:
> | Cross-site scripting (XSS) vulnerability in Web Inspector in WebKit in
> | Apple Safari before 4.0 allows user-assisted remote attackers to
> | inject arbitrary web script or HTML, and read local files, via vectors
> | related to the improper escaping of HTML attributes.

This doesn't affect kdelibs.
 
> CVE-2009-1715[32]:
> | Cross-site scripting (XSS) vulnerability in Web Inspector in WebKit in
> | Apple Safari before 4.0 allows user-assisted remote attackers to
> | inject arbitrary web script or HTML, and read local files, via vectors
> | related to script execution with incorrect privileges.

This doesn't affect kdelibs.
 
> CVE-2009-1718[33]:
> | WebKit in Apple Safari before 4.0 allows user-assisted remote
> | attackers to obtain sensitive information via vectors involving drag
> | events and the dragging of content over a crafted web page.

Minor impact, can be ignored.
 
> CVE-2009-1724[34]:
> | Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari
> | before 4.0.2, as used on iPhone OS before 3.1, iPhone OS before 3.1.1
> | for iPod touch, and other platforms, allows remote attackers to inject
> | arbitrary web script or HTML via vectors related to parent and top
> | objects.

Minor impact, can be ignored.
 
> CVE-2009-2195[35]:
> | Buffer overflow in WebKit in Apple Safari before 4.0.3 allows remote
> | attackers to execute arbitrary code or cause a denial of service
> | (application crash) via crafted floating-point numbers.

Doesn't affect kdelibs 3.5.
 
> CVE-2009-2419[36]:
> | Use-after-free vulnerability in the servePendingRequests function in
> | WebCore in WebKit in Apple Safari 4.0 and 4.0.1 allows remote
> | attackers to cause a denial of service (application crash) or possibly
> | execute arbitrary code via a crafted HTML document that references a
> | zero-length .js file and the JavaScript reload function.  NOTE: some of
> | these details are obtained from third party information.

This apparently affects kdelibs.
 
> CVE-2009-2797[37]:
> | The WebKit component in Safari in Apple iPhone OS before 3.1, and
> | iPhone OS before 3.1.1 for iPod touch, does not remove usernames and
> | passwords from URLs sent in Referer headers, which allows remote
> | attackers to obtain sensitive information by reading Referer logs on a
> | web server.

Doesn't affect kdelibs.
 
> CVE-2009-2816[38]:
> | The implementation of Cross-Origin Resource Sharing (CORS) in WebKit,
> | as used in Apple Safari before 4.0.4 and Google Chrome before
> | 3.0.195.33, includes certain custom HTTP headers in the OPTIONS
> | request during cross-origin operations with preflight, which makes it
> | easier for remote attackers to conduct cross-site request forgery
> | (CSRF) attacks via a crafted web page.

Doesn't affect kdelibs.
 
> CVE-2009-2841[39]:
> | WebKit in Apple Safari before 4.0.4 on Mac OS X does not perform the
> | expected callbacks for HTML 5 media elements that have external URLs
> | for media resources, which allows remote attackers to trigger requests
> | to arbitrary web sites via a crafted HTML document, as demonstrated by
> | an HTML e-mail message that uses a media element for
> | X-Confirm-Reading-To functionality.

Not affected; doesn't support HTML5 video tags.
 
> CVE-2009-2953[40]:
> | Mozilla Firefox 3.0.6 through 3.0.13, and 3.5.x, allows remote
> | attackers to cause a denial of service (CPU consumption) via
> | JavaScript code with a long string value for the hash property (aka
> | location.hash), a related issue to CVE-2008-5715.

Didn't check; browser crashes w/o code injection are not treated as 
security issues.
 
> CVE-2009-3384[41]:
> | Multiple unspecified vulnerabilities in WebKit in Apple Safari before
> | 4.0.4 on Windows allow remote FTP servers to execute arbitrary code,
> | cause a denial of service (application crash), or obtain sensitive
> | information via a crafted directory listing in a reply.

This one is Windows-specific.

I'm lowering the severity to "important", since Konqueror in Squeeze
no longer uses kdelibs 3.5 and the remaining problem is vague and
doesn't pose a significant risk to the applications still using
kdelibs3.

Cheers,
        Moritz
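The filter/parser mismatch behind CVE-2006-2783, as an added example that is
not part of the bug report and not code from KHTML, WebKit or Mozilla. A tag
filter that scans the raw text never sees "<script" when the tag name is
split by U+FEFF, while an engine that drops every byte-order mark before
tokenising reconstructs the tag and runs it. The tag list, the BOM-stripping
model of the engine and the payload are constructed for the example. The
hardened filter canonicalises exactly as the engine does before matching;
the other fix is on the engine side, treating only a leading BOM as a
signature and leaving a mid-document one alone.

```python
"""Filter/parser mismatch of the CVE-2006-2783 kind (added example).

The engine model below strips every U+FEFF, so a BOM inside a tag name is
invisible to it but defeats a filter that matches on the raw text.
"""
import re

BOM = "\ufeff"

# Constructed attacker payload: BOM dropped into the middle of "script".
PAYLOAD = "<scr" + BOM + "ipt>alert(1)</scr" + BOM + "ipt>"

# Constructed deny-list for the example; real filters allow-list instead.
DANGEROUS_TAG = re.compile(r"<\s*/?\s*(script|iframe|object|embed)\b",
                           re.IGNORECASE)


def engine_normalise(html: str) -> str:
    """Model of the buggy engine: drop every BOM, not only a leading one."""
    return html.replace(BOM, "")


def tokenise(html: str) -> list:
    """Crude tokeniser: lower-cased tag names the engine would act on."""
    return [m.lower() for m in re.findall(r"<\s*/?\s*([A-Za-z][A-Za-z0-9]*)",
                                          html)]


def naive_filter_allows(html: str) -> bool:
    """Vulnerable: matches against the raw text the author sent."""
    return DANGEROUS_TAG.search(html) is None


def hardened_filter_allows(html: str) -> bool:
    """Fixed: apply the engine's own normalisation, then match."""
    return DANGEROUS_TAG.search(engine_normalise(html)) is None


def engine_sees_script(html: str) -> bool:
    """What actually executes: tags present after engine normalisation."""
    return "script" in tokenise(engine_normalise(html))


if __name__ == "__main__":
    print("naive filter allows   :", naive_filter_allows(PAYLOAD))
    print("engine sees <script>  :", engine_sees_script(PAYLOAD))
    print("hardened filter allows:", hardened_filter_allows(PAYLOAD))
```

The check a triager wants is the pair naive_filter_allows / engine_sees_script
both returning True for the same input: whenever a sanitiser and the parser
behind it disagree on what a byte sequence means, the sanitiser is bypassable,
and the BOM is just one of many such sequences.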

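The header-injection path described for CVE-2009-1697, as an added example
that is not part of the bug report and not code from WebKit or KHTML. It
models a browser that lets page script add XMLHttpRequest headers: the
vulnerable serialiser copies values verbatim and sends no Host header of its
own, so a value containing CRLF followed by "Host: other-vhost" makes a shared
server route the request to a different site while the browser still treats
the response as same-origin. The host names, the header payload and the
forbidden-header list are constructed for the example; the hardened
serialiser pins Host to the origin and rejects CR, LF and NUL in
caller-supplied names and values.

```python
"""CRLF header injection of the CVE-2009-1697 kind (added example).

Two serialisers for page-controlled request headers: one that trusts them
and one that validates them and always emits the origin's Host.
"""

# Hosts constructed for the example: two vhosts on the same server.
ORIGIN_HOST = "site-a.example"
VICTIM_HOST = "site-b.example"

# Headers page script must never be allowed to set (constructed list).
FORBIDDEN = {"host", "content-length", "transfer-encoding"}


class HeaderError(ValueError):
    """Raised when page-supplied headers fail validation."""


def serialise(method, path, headers):
    """Join request line and headers with CRLF; no validation here."""
    lines = [f"{method} {path} HTTP/1.1"]
    lines += [f"{name}: {value}" for name, value in headers]
    return "\r\n".join(lines) + "\r\n\r\n"


def vulnerable_xhr(extra_headers):
    """Buggy engine: trusts page headers and sends no Host of its own."""
    return serialise("GET", "/", list(extra_headers))


def hardened_xhr(extra_headers):
    """Fixed engine: refuses injectable values and pins Host to the origin."""
    for name, value in extra_headers:
        if any(ch in name or ch in value for ch in "\r\n\0"):
            raise HeaderError(f"control character in header {name!r}")
        if name.lower() in FORBIDDEN:
            raise HeaderError(f"page script may not set {name}")
    return serialise("GET", "/", [("Host", ORIGIN_HOST)] + list(extra_headers))


def parse_headers(raw):
    """What the server sees: lower-cased name -> list of values, in order."""
    head = raw.split("\r\n\r\n", 1)[0]
    seen = {}
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        seen.setdefault(name.strip().lower(), []).append(value.strip())
    return seen


def server_host(request_builder, extra_headers):
    """Which vhost the server would select for the built request."""
    return parse_headers(request_builder(extra_headers)).get("host")


# Constructed payload: an innocuous header whose value smuggles a Host line.
INJECTED = [("X-Requested-With", "XMLHttpRequest\r\nHost: " + VICTIM_HOST)]


if __name__ == "__main__":
    print("vulnerable routes to:", server_host(vulnerable_xhr, INJECTED))
    try:
        hardened_xhr(INJECTED)
    except HeaderError as err:
        print("hardened rejects    :", err)
    print("hardened routes to  :", server_host(hardened_xhr, [("X-Note", "ok")]))
```

The validation has to run on the exact bytes that will be serialised: a lone
CR or LF is enough to start a new header line for many servers, so the check
rejects each control character on its own rather than only the CRLF pair.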