Bug 655971

Summary: VUL-1: libwebkit: remote bypass of pop-up blocker
Product: [Novell Products] SUSE Security Incidents
Reporter: Thomas Biege <thomas>
Component: General
Assignee: E-mail List <gnome-bugs>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Major
Priority: P3 - Medium
CC: security-team, vuntz
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
Found By: Development Services
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Thomas Biege 2010-11-25 12:35:19 UTC
There is a security bug in package 'libwebkit'.

This bug is public.

There is no coordinated release date (CRD) set.

More information can be found here:

CVE number: CVE-2010-4037
CVE description: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4037
CVSS v2 Base Score: 3.7 (moderate) (AV:L/AC:H/Au:N/C:P/I:P/A:P)
Insufficient Information (CWE-noinfo)

Original posting:

Vincent Danen 2010-11-24 17:02:20 EST

Common Vulnerabilities and Exposures assigned an identifier CVE-2010-4037 to
the following vulnerability:

Name: CVE-2010-4037
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4037
Assigned: 20101021
Reference: CONFIRM: http://code.google.com/p/chromium/issues/detail?id=53002
Reference: CONFIRM:
Reference: BID:44241
Reference: URL: http://www.securityfocus.com/bid/44241
Reference: SECUNIA:41888
Reference: URL: http://secunia.com/advisories/41888
Reference: VUPEN:ADV-2010-2731
Reference: URL: http://www.vupen.com/english/advisories/2010/2731

Unspecified vulnerability in Google Chrome before 7.0.517.41 allows
remote attackers to bypass the pop-up blocker via unknown vectors.

It is unclear to me as of yet whether this does affect webkitgtk; the code
looks like it may be applicable but due to how Chrome handles things
differently, it is possible this is Chrome-specific. It needs further

Additional references:

Bugzilla: https://bugs.webkit.org/show_bug.cgi?id=45369
Trac: http://trac.webkit.org/changeset/67716
Comment 1 Thomas Biege 2010-11-29 14:54:28 UTC
P5->P3 mass change
Comment 2 Vincent Untz 2011-01-03 15:19:45 UTC
This code does not seem to be in webkit-gtk 1.2.x, so the issue won't affect 11.3 and earlier.

The code is in Factory, but it already features a fixed version (the fix changed a bit later, so the changeset mentioned here is not really a good indicator, see http://trac.webkit.org/changeset/69924/trunk/WebCore/loader/NavigationScheduler.cpp)