Bug 186164 (CVE-2018-11646) - [GTK] Crash in WebKitFaviconDatabase when pageURL is unset
Summary: [GTK] Crash in WebKitFaviconDatabase when pageURL is unset
Status: RESOLVED FIXED
Alias: CVE-2018-11646
Product: WebKit
Classification: Unclassified
Component: WebKitGTK
Version: WebKit Nightly Build
Hardware: PC Linux
Importance: P2 Normal
Assignee: Michael Catanzaro
URL:
Keywords:
Depends on:
Blocks:
Reported: 2018-05-31 15:02 PDT by Michael Catanzaro
Modified: 2019-07-21 21:55 PDT (History)
CC: 12 users

See Also:


Attachments
Patch (1.88 KB, patch)
2018-05-31 15:05 PDT, Michael Catanzaro
no flags
Archive of layout-test-results from ews202 for win-future (12.84 MB, application/zip)
2018-05-31 20:20 PDT, EWS Watchlist
no flags

Description Michael Catanzaro 2018-05-31 15:02:35 PDT
Crash in WebKitFaviconDatabase when pageURL is unset... moved from https://bugzilla.gnome.org/show_bug.cgi?id=795740.

The crash is easy to reproduce when loading https://bugzilla.gnome.org/attachment.cgi?id=371595, but it does not occur when running the same HTML locally. That's weird.
Comment 1 Michael Catanzaro 2018-05-31 15:05:26 PDT
Created attachment 341696 [details]
Patch
Comment 2 EWS Watchlist 2018-05-31 15:07:47 PDT
Thanks for the patch. If this patch contains new public API please make sure it follows the guidelines for new WebKit2 GTK+ API. See http://trac.webkit.org/wiki/WebKitGTK/AddingNewWebKit2API
Comment 3 EWS Watchlist 2018-05-31 20:20:00 PDT
Comment on attachment 341696 [details]
Patch

Attachment 341696 [details] did not pass win-ews (win):
Output: http://webkit-queues.webkit.org/results/7915536

New failing tests:
http/tests/security/canvas-remote-read-remote-video-blocked-no-crossorigin.html
Comment 4 EWS Watchlist 2018-05-31 20:20:12 PDT
Created attachment 341727 [details]
Archive of layout-test-results from ews202 for win-future

The attached test failures were seen while running run-webkit-tests on the win-ews.
Bot: ews202  Port: win-future  Platform: CYGWIN_NT-6.1-2.9.0-0.318-5-3-x86_64-64bit
Comment 5 WebKit Commit Bot 2018-06-01 09:12:19 PDT
Comment on attachment 341696 [details]
Patch

Clearing flags on attachment: 341696

Committed r232397: <https://trac.webkit.org/changeset/232397>
Comment 6 WebKit Commit Bot 2018-06-01 09:12:21 PDT
All reviewed patches have been landed.  Closing bug.
Comment 7 Dhiraj 2018-06-03 06:54:35 PDT
PS: CVE-2018-11646 was assigned to this.
Comment 8 Michael Catanzaro 2018-06-03 07:40:13 PDT
Please note, the CVE description is:

"webkitFaviconDatabaseSetIconForPageURL and webkitFaviconDatabaseSetIconURLForPageURL in UIProcess/API/glib/WebKitFaviconDatabase.cpp in WebKit, as distributed in Safari Technology Preview Release 57, mishandle an unset pageURL, leading to an application crash."

But this code is GLib-specific. It is not built or used by Safari.
Comment 9 Michael Catanzaro 2018-06-03 07:42:16 PDT
(In reply to Michael Catanzaro from comment #8)
> But this code is GLib-specific. It is not built or used by Safari.

These functions are not built for WPE either, so only WebKitGTK+ is affected.
Comment 10 Michael Catanzaro 2018-06-03 17:32:37 PDT
(In reply to Michael Catanzaro from comment #8)
> Please note, the CVE description is:
> 
> "webkitFaviconDatabaseSetIconForPageURL and
> webkitFaviconDatabaseSetIconURLForPageURL in
> UIProcess/API/glib/WebKitFaviconDatabase.cpp in WebKit, as distributed in
> Safari Technology Preview Release 57, mishandle an unset pageURL, leading to
> an application crash."
> 
> But this code is GLib-specific. It is not built or used by Safari.

I've submitted a description update request to MITRE.
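The bug class named in this report, a favicon setter that is handed an unset page URL and dereferences it, is illustrated below in plain C as an added example. It is not the patch from this bug and not WebKit's WebKitFaviconDatabase code (which is C++ with GLib); the FaviconDatabase type and the favicon_db_* functions are hypothetical, and "unset" is taken to mean either a NULL pointer or an empty string. The point shown is that a public API must validate the page URL before any string routine touches it, and must leave the database untouched on every rejected call.

```c
#include <stddef.h>
#include <string.h>

/* Added illustration of guarding a favicon setter against an unset page URL.
 * Hypothetical types and names; not WebKit's WebKitFaviconDatabase code. */

#define MAX_ENTRIES 8
#define MAX_URL 256

typedef struct {
    char page_url[MAX_URL];
    char icon_url[MAX_URL];
} FaviconEntry;

typedef struct {
    FaviconEntry entries[MAX_ENTRIES];
    size_t count;
} FaviconDatabase;

/* An "unset" page URL arrives as NULL or as an empty string (assumption).
 * Both are rejected before any string routine runs; passing NULL straight
 * into strcmp/strcpy below would be the null dereference that crashes. */
static int page_url_is_set(const char *page_url)
{
    return page_url != NULL && page_url[0] != '\0';
}

/* Returns 0 on success, -1 when the page URL is unset, the icon URL is
 * missing, either string would not fit, or the table is full. The
 * database is left untouched on every error path. */
int favicon_db_set_icon_url(FaviconDatabase *db, const char *page_url, const char *icon_url)
{
    if (db == NULL || !page_url_is_set(page_url) || icon_url == NULL)
        return -1;
    if (strlen(page_url) >= MAX_URL || strlen(icon_url) >= MAX_URL)
        return -1;

    /* Update in place if this page already has an entry. */
    for (size_t i = 0; i < db->count; i++) {
        if (strcmp(db->entries[i].page_url, page_url) == 0) {
            strcpy(db->entries[i].icon_url, icon_url);
            return 0;
        }
    }
    if (db->count >= MAX_ENTRIES)
        return -1;
    strcpy(db->entries[db->count].page_url, page_url);
    strcpy(db->entries[db->count].icon_url, icon_url);
    db->count++;
    return 0;
}

/* Returns the stored icon URL for page_url, or NULL when the page URL is
 * unset or unknown. The same guard applies on the read path. */
const char *favicon_db_get_icon_url(const FaviconDatabase *db, const char *page_url)
{
    if (db == NULL || !page_url_is_set(page_url))
        return NULL;
    for (size_t i = 0; i < db->count; i++) {
        if (strcmp(db->entries[i].page_url, page_url) == 0)
            return db->entries[i].icon_url;
    }
    return NULL;
}
```

The guard sits at the API boundary rather than deeper in the lookup, so that a caller which has not yet assigned a page URL (the situation this report describes) gets an error return instead of a process crash, and so that the rejected call cannot leave a half-written entry behind.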