Bug#684251: webkit code embedded in qt4-11 and possibly may be out of date and vulnerable

To: submit@bugs.debian.org
Subject: Bug#684251: webkit code embedded in qt4-11 and possibly may be out of date and vulnerable
From: Silvio Cesare <silvio.cesare@gmail.com>
Date: Wed, 8 Aug 2012 13:03:13 +1000
Message-id: <[🔎] CA+ygN1+c7ifTgR2mkdw7T2RNFFMmPQxC=jPN44WkqXL0JFwchA@mail.gmail.com>
Reply-to: Silvio Cesare <silvio.cesare@gmail.com>, 684251@bugs.debian.org

Package: qt4-x11
Severity: important
Tags: security

I have been working on a tool called Clonewise to automatically identify embedded code copies in Debian packages and determine if they are out of date and vulnerable. Ideally, embedding code and libraries should be avoided and a system wide library should be used instead.

I recently ran the tool on Debian 6 stable. The results are here at http://www.foocodechu.com/downloads/Clonewise-report.txt

The qt4-x11 package reported potential issues appended to this message.

The analysis tries to justify why it believes a library or code is embedded in the package and if the relationship is not already being tracked by Debian in the embedded-code-copies database it shows the files that are shared between the two pieces of software.

Apologies if these are false positives. Your help in advising me on whether these issues are real will help me improve the analysis for the future.

--
Silvio Cesare
Deakin University

### Summary:
###

webkit CLONED_IN_SOURCE qt4-x11 <unfixed> CVE-2010-1386
webkit CLONED_IN_SOURCE qt4-x11 <unfixed> CVE-2010-1760
webkit CLONED_IN_SOURCE qt4-x11 <unfixed> CVE-2010-1766

### Reports by package:
###

# Package qt4-x11 may be vulnerable to the following issues:
#
	CVE-2010-1386
	CVE-2010-1760
	CVE-2010-1766


# SUMMARY: page/Geolocation.cpp in WebCore in WebKit before r56188 and before 1.2.5 does not properly restrict access to the lastPosition function, which has unspecified impact and remote attack vectors, aka rdar problem 7746357.
#

# CVE-2010-1386 relates to a vulnerability in package webkit.
# The following source filenames are likely responsible:
#	geolocation.c
#

# The following package clones are tracked in the embedded-code-copies
# database. They have not been fixed.
#

webkit CLONED_IN_SOURCE qt4-x11 <unfixed> CVE-2010-1386


# SUMMARY: loader/DocumentThreadableLoader.cpp in the XMLHttpRequest implementation in WebCore in WebKit before r58409 does not properly handle credentials during a cross-origin synchronous request, which has unspecified impact and remote attack vectors, aka rdar problem 7905150.
#

# CVE-2010-1760 relates to a vulnerability in package webkit.
# The following source filenames are likely responsible:
#	documentthreadableloader.c
#

# The following package clones are tracked in the embedded-code-copies
# database. They have not been fixed.
#

webkit CLONED_IN_SOURCE qt4-x11 <unfixed> CVE-2010-1760


# SUMMARY: Off-by-one error in the WebSocketHandshake::readServerHandshake function in websockets/WebSocketHandshake.cpp in WebCore in WebKit before r56380, as used in Qt and other products, allows remote websockets servers to cause a denial of service (memory corruption) or possibly have unspecified other impact via an upgrade header that is long and invalid.
#

# CVE-2010-1766 relates to a vulnerability in package webkit.
# The following source filenames are likely responsible:
#	websockethandshake.c
#

# The following package clones are tracked in the embedded-code-copies
# database. They have not been fixed.
#

webkit CLONED_IN_SOURCE qt4-x11 <unfixed> CVE-2010-1766

Reply to:

Prev by Date: Bug#684177: Same here
Next by Date: Processing of qtcreator_2.5.0-2_amd64.changes
Previous by thread: Processed: Re: Bug#684177: Same here
Next by thread: Processing of qtcreator_2.5.0-2_amd64.changes
Index(es):
- Date
- Thread