
Bug#561760: qt4-x11: many webkit vulnerabilities



severity 561760 important
thanks

Michael Gilbert wrote:
> Package: qt4-x11
> Version: 4:4.5.3-4
> Severity: grave
> Tags: security
> 
> Hi,
> 
> The following CVE (Common Vulnerabilities & Exposures) ids were
> published for webkit.  qt4-x11 embeds webkit, so most of these issues
> are likely applicable to this package.  Since there are so many
> problems, I have not had time to check whether the vulnerable code is
> present or has an impact. Please check this.  Note that situations like

QT maintainers, I checked the status of QT in Lenny and 4.6.2 from
Squeeze throughout the recent weeks:

The following vulnerabilities are fixed in 4.6.2 and Lenny:
CVE-2009-1691, CVE-2009-1699, CVE-2009-1711, CVE-2009-1712
CVE-2009-1713, CVE-2009-2816 (Lenny not affected), 
CVE-2009-2841 (Lenny not affected), CVE-2009-1688, CVE-2009-1689
CVE-2009-1695 (Lenny not affected), CVE-2009-1696 (Lenny not affected)
CVE-2009-1703 (Lenny not affected)

The following vulnerabilities are fixed in 4.6.2, but unfixed in Lenny:
CVE-2006-2783, CVE-2008-2307, CVE-2009-1692, CVE-2009-3384
CVE-2008-3632, CVE-2009-2797, CVE-2009-1681, CVE-2009-1684
CVE-2009-1685, CVE-2009-1686, CVE-2009-1694, CVE-2009-1697
CVE-2009-1700, CVE-2009-1701, CVE-2009-1702, CVE-2009-1710
CVE-2009-1715, CVE-2009-1718, CVE-2009-1714
Since they're all limited to webkit and QtWebkit and since Lenny
doesn't yet provide a browser based on QtWebKit, I don't think
we need to update it (this will be different from Squeeze onwards,
though). Or do you have a different opinion on that matter?

The following vulnerabilities don't affect Lenny nor Squeeze:
CVE-2008-0298: Doesn't affect QT (or was fixed years ago)
CVE-2008-1588: This is MacOS-specific.
CVE-2008-2320: This doesn't affect Webkit or QT.
CVE-2009-2953: Not treated as a security issue
CVE-2008-4724: Unclear, but of negligible impact
CVE-2008-4231: Apparently Safari-only

This leaves us with one vulnerability, which is apparently still
unfixed in 4.6.2:

CVE-2009-1693: Webkit commit: http://trac.webkit.org/changeset/35928

Could you please contact upstream whether this is an oversight or
was left out intentionally? 

Since CVE-2009-1693 is of low impact, I'm lowering severity to
"important", but please try to get it resolved for Squeeze.

Cheers,
        Moritz






