Bug 186164 (CVE-2018-11646)

Summary: [GTK] Crash in WebKitFaviconDatabase when pageURL is unset
Product: WebKit
Component: WebKitGTK
Reporter: Michael Catanzaro <mcatanzaro>
Assignee: Michael Catanzaro <mcatanzaro>
Status: RESOLVED FIXED
Severity: Normal
Priority: P2
Version: WebKit Nightly Build
Hardware: PC
OS: Linux
CC: ap, berto, bugs-noreply, calvaris, cgarcia, commit-queue, ews-watchlist, gustavo, mcatanzaro, mishra.dhiraj95, omarandemad, soyunhombrevirtual
Attachments (description / flags):
  Patch / none
  Archive of layout-test-results from ews202 for win-future / none

Michael Catanzaro
Reported 2018-05-31 15:02:35 PDT
Crash in WebKitFaviconDatabase when pageURL is unset... moved from https://bugzilla.gnome.org/show_bug.cgi?id=795740. The crash is easy to reproduce when loading https://bugzilla.gnome.org/attachment.cgi?id=371595, but it does not occur when running the same HTML locally. That's weird.
Attachments
Patch (1.88 KB, patch)
2018-05-31 15:05 PDT, Michael Catanzaro
no flags
Archive of layout-test-results from ews202 for win-future (12.84 MB, application/zip)
2018-05-31 20:20 PDT, EWS Watchlist
no flags
Michael Catanzaro
Comment 1 2018-05-31 15:05:26 PDT
EWS Watchlist
Comment 2 2018-05-31 15:07:47 PDT
Thanks for the patch. If this patch contains new public API please make sure it follows the guidelines for new WebKit2 GTK+ API. See http://trac.webkit.org/wiki/WebKitGTK/AddingNewWebKit2API
EWS Watchlist
Comment 3 2018-05-31 20:20:00 PDT
Comment on attachment 341696 [details] Patch
Attachment 341696 [details] did not pass win-ews (win):
Output: http://webkit-queues.webkit.org/results/7915536
New failing tests:
http/tests/security/canvas-remote-read-remote-video-blocked-no-crossorigin.html
EWS Watchlist
Comment 4 2018-05-31 20:20:12 PDT
Created attachment 341727 [details]
Archive of layout-test-results from ews202 for win-future
The attached test failures were seen while running run-webkit-tests on the win-ews.
Bot: ews202
Port: win-future
Platform: CYGWIN_NT-6.1-2.9.0-0.318-5-3-x86_64-64bit
WebKit Commit Bot
Comment 5 2018-06-01 09:12:19 PDT
Comment on attachment 341696 [details] Patch
Clearing flags on attachment: 341696
Committed r232397: <https://trac.webkit.org/changeset/232397>
WebKit Commit Bot
Comment 6 2018-06-01 09:12:21 PDT
All reviewed patches have been landed. Closing bug.
Dhiraj
Comment 7 2018-06-03 06:54:35 PDT
PS: CVE-2018-11646 was assigned to this.
Michael Catanzaro
Comment 8 2018-06-03 07:40:13 PDT
Please note, the CVE description is: "webkitFaviconDatabaseSetIconForPageURL and webkitFaviconDatabaseSetIconURLForPageURL in UIProcess/API/glib/WebKitFaviconDatabase.cpp in WebKit, as distributed in Safari Technology Preview Release 57, mishandle an unset pageURL, leading to an application crash." But this code is GLib-specific. It is not built or used by Safari.
Michael Catanzaro
Comment 9 2018-06-03 07:42:16 PDT
(In reply to Michael Catanzaro from comment #8)
> But this code is GLib-specific. It is not built or used by Safari.

These functions are not built for WPE either, so only WebKitGTK+ is affected.
Michael Catanzaro
Comment 10 2018-06-03 17:32:37 PDT
(In reply to Michael Catanzaro from comment #8)
> Please note, the CVE description is:
>
> "webkitFaviconDatabaseSetIconForPageURL and
> webkitFaviconDatabaseSetIconURLForPageURL in
> UIProcess/API/glib/WebKitFaviconDatabase.cpp in WebKit, as distributed in
> Safari Technology Preview Release 57, mishandle an unset pageURL, leading to
> an application crash."
>
> But this code is GLib-specific. It is not built or used by Safari.

I've submitted a description update request to MITRE.