Bug 186164 (CVE-2018-11646)

Summary: [GTK] Crash in WebKitFaviconDatabase when pageURL is unset
Product: WebKit
Reporter: Michael Catanzaro <mcatanzaro>
Component: WebKitGTK
Assignee: Michael Catanzaro <mcatanzaro>
Status: RESOLVED FIXED
Severity: Normal
CC: ap, berto, bugs-noreply, calvaris, cgarcia, commit-queue, ews-watchlist, gns, mcatanzaro, mishra.dhiraj95, omarandemad, soyunhombrevirtual
Priority: P2
Version: WebKit Nightly Build
Hardware: PC
OS: Linux

Attachments (Description / Flags):
Patch / none
Archive of layout-test-results from ews202 for win-future / none

Description Michael Catanzaro 2018-05-31 15:02:35 PDT
Crash in WebKitFaviconDatabase when pageURL is unset... moved from https://bugzilla.gnome.org/show_bug.cgi?id=795740.

The crash is easy to reproduce when loading https://bugzilla.gnome.org/attachment.cgi?id=371595, but it does not occur when running the same HTML locally. That's weird.
Comment 1 Michael Catanzaro 2018-05-31 15:05:26 PDT
Created attachment 341696 [details]
Patch
Comment 2 EWS Watchlist 2018-05-31 15:07:47 PDT
Thanks for the patch. If this patch contains new public API, please make sure it follows the guidelines for new WebKit2 GTK+ API. See http://trac.webkit.org/wiki/WebKitGTK/AddingNewWebKit2API
Comment 3 EWS Watchlist 2018-05-31 20:20:00 PDT
Comment on attachment 341696 [details]
Patch

Attachment 341696 [details] did not pass win-ews (win):
Output: http://webkit-queues.webkit.org/results/7915536

New failing tests:
http/tests/security/canvas-remote-read-remote-video-blocked-no-crossorigin.html
Comment 4 EWS Watchlist 2018-05-31 20:20:12 PDT
Created attachment 341727 [details]
Archive of layout-test-results from ews202 for win-future

The attached test failures were seen while running run-webkit-tests on the win-ews.
Bot: ews202  Port: win-future  Platform: CYGWIN_NT-6.1-2.9.0-0.318-5-3-x86_64-64bit
Comment 5 WebKit Commit Bot 2018-06-01 09:12:19 PDT
Comment on attachment 341696 [details]
Patch

Clearing flags on attachment: 341696

Committed r232397: <https://trac.webkit.org/changeset/232397>
Comment 6 WebKit Commit Bot 2018-06-01 09:12:21 PDT
All reviewed patches have been landed. Closing bug.
Comment 7 Dhiraj 2018-06-03 06:54:35 PDT
PS: CVE-2018-11646 was assigned to this.
Comment 8 Michael Catanzaro 2018-06-03 07:40:13 PDT
Please note, the CVE description is:

"webkitFaviconDatabaseSetIconForPageURL and webkitFaviconDatabaseSetIconURLForPageURL in UIProcess/API/glib/WebKitFaviconDatabase.cpp in WebKit, as distributed in Safari Technology Preview Release 57, mishandle an unset pageURL, leading to an application crash."

But this code is GLib-specific. It is not built or used by Safari.
Comment 9 Michael Catanzaro 2018-06-03 07:42:16 PDT
(In reply to Michael Catanzaro from comment #8)
> But this code is GLib-specific. It is not built or used by Safari.

These functions are not built for WPE either, so only WebKitGTK+ is affected.
Comment 10 Michael Catanzaro 2018-06-03 17:32:37 PDT
(In reply to Michael Catanzaro from comment #8)
> Please note, the CVE description is:
> 
> "webkitFaviconDatabaseSetIconForPageURL and
> webkitFaviconDatabaseSetIconURLForPageURL in
> UIProcess/API/glib/WebKitFaviconDatabase.cpp in WebKit, as distributed in
> Safari Technology Preview Release 57, mishandle an unset pageURL, leading to
> an application crash."
> 
> But this code is GLib-specific. It is not built or used by Safari.

I've submitted a description update request to MITRE.