Bug 186164 (CVE-2018-11646) - [GTK] Crash in WebKitFaviconDatabase when pageURL is unset
Summary: [GTK] Crash in WebKitFaviconDatabase when pageURL is unset
Status: RESOLVED FIXED
Alias: CVE-2018-11646
Product: WebKit
Classification: Unclassified
Component: WebKit Gtk (show other bugs)
Version: WebKit Nightly Build
Hardware: PC Linux
: P2 Normal
Assignee: Michael Catanzaro
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-05-31 15:02 PDT by Michael Catanzaro
Modified: 2018-06-03 17:32 PDT (History)
9 users (show)

See Also:


Attachments
Patch (1.88 KB, patch)
2018-05-31 15:05 PDT, Michael Catanzaro
no flags Details | Formatted Diff | Diff
Archive of layout-test-results from ews202 for win-future (12.84 MB, application/zip)
2018-05-31 20:20 PDT, Build Bot
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Michael Catanzaro 2018-05-31 15:02:35 PDT
Crash in WebKitFaviconDatabase when pageURL is unset... moved from https://bugzilla.gnome.org/show_bug.cgi?id=795740.

The crash is easy to reproduce when loading https://bugzilla.gnome.org/attachment.cgi?id=371595, but it does not occur when running the same HTML locally. That's weird.
Comment 1 Michael Catanzaro 2018-05-31 15:05:26 PDT
Created attachment 341696 [details]
Patch
Comment 2 Build Bot 2018-05-31 15:07:47 PDT
Thanks for the patch. If this patch contains new public API please make sure it follows the guidelines for new WebKit2 GTK+ API. See http://trac.webkit.org/wiki/WebKitGTK/AddingNewWebKit2API
Comment 3 Build Bot 2018-05-31 20:20:00 PDT
Comment on attachment 341696 [details]
Patch

Attachment 341696 [details] did not pass win-ews (win):
Output: http://webkit-queues.webkit.org/results/7915536

New failing tests:
http/tests/security/canvas-remote-read-remote-video-blocked-no-crossorigin.html
Comment 4 Build Bot 2018-05-31 20:20:12 PDT
Created attachment 341727 [details]
Archive of layout-test-results from ews202 for win-future

The attached test failures were seen while running run-webkit-tests on the win-ews.
Bot: ews202  Port: win-future  Platform: CYGWIN_NT-6.1-2.9.0-0.318-5-3-x86_64-64bit
Comment 5 WebKit Commit Bot 2018-06-01 09:12:19 PDT
Comment on attachment 341696 [details]
Patch

Clearing flags on attachment: 341696

Committed r232397: <https://trac.webkit.org/changeset/232397>
Comment 6 WebKit Commit Bot 2018-06-01 09:12:21 PDT
All reviewed patches have been landed.  Closing bug.
Comment 7 Dhiraj 2018-06-03 06:54:35 PDT
PS: CVE-2018-11646 was assigned to this.
Comment 8 Michael Catanzaro 2018-06-03 07:40:13 PDT
Please note, the CVE description is:

"webkitFaviconDatabaseSetIconForPageURL and webkitFaviconDatabaseSetIconURLForPageURL in UIProcess/API/glib/WebKitFaviconDatabase.cpp in WebKit, as distributed in Safari Technology Preview Release 57, mishandle an unset pageURL, leading to an application crash."

But this code is GLib-specific. It is not built or used by Safari.
Comment 9 Michael Catanzaro 2018-06-03 07:42:16 PDT
(In reply to Michael Catanzaro from comment #8)
> But this code is GLib-specific. It is not built or used by Safari.

These functions are not built for WPE either, so only WebKitGTK+ is affected.
Comment 10 Michael Catanzaro 2018-06-03 17:32:37 PDT
(In reply to Michael Catanzaro from comment #8)
> Please note, the CVE description is:
> 
> "webkitFaviconDatabaseSetIconForPageURL and
> webkitFaviconDatabaseSetIconURLForPageURL in
> UIProcess/API/glib/WebKitFaviconDatabase.cpp in WebKit, as distributed in
> Safari Technology Preview Release 57, mishandle an unset pageURL, leading to
> an application crash."
> 
> But this code is GLib-specific. It is not built or used by Safari.

I've submitted a description update request to MITRE.