Your message dated Tue, 11 Nov 2014 15:31:40 +0000
with message-id <[email protected]>
and subject line Bug#768929: fixed in webkitgtk 2.4.7-2
has caused the Debian Bug report #768929,
regarding libwebkit2gtk-3.0-25: plugin process vulnerable to stack buffer 
overflow
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
768929: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=768929
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libwebkit2gtk-3.0-25
Version: 2.4.7-1
Severity: normal
Tags: patch upstream

Like the 2.6 series of webkitgtk, this release is also vulnerable to
the same stack buffer overflow problem (#768341).

In short, we have this code to obtain the value of
NPPVpluginNeedsXEmbed from a plugin:

   uint64_t windowID = 0;
   bool needsXEmbed = false;
   NPP_GetValue(NPPVpluginNeedsXEmbed, &needsXEmbed);

The value of NPPVpluginNeedsXEmbed is boolean (1 byte), however some
plugins are using an int instead. This has been confirmed with the
Flash plugin at least.

Making needsXEmbed an int fixes the problem.

This is not reproducible in all situations because depending on
how the code is compiled it might just be overwriting the windowID
variable again with zeroes.

The patch has been applied upstream and will be available in the next
release from the 2.4 branch.

http://trac.webkit.org/changeset/175696
http://trac.webkit.org/wiki/WebKitGTK/2.4.x

Berto

-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libwebkit2gtk-3.0-25 depends on:
ii  libatk1.0-0                     2.14.0-1
ii  libc6                           2.19-12
ii  libcairo-gobject2               1.14.0-2.1
ii  libcairo2                       1.14.0-2.1
ii  libenchant1c2a                  1.6.0-10.1
ii  libfontconfig1                  2.11.0-6.1
ii  libfreetype6                    2.5.2-2
ii  libgcc1                         1:4.9.1-19
ii  libgdk-pixbuf2.0-0              2.31.1-2+b1
ii  libgl1-mesa-glx [libgl1]        10.3.2-1
ii  libglib2.0-0                    2.42.0-2
ii  libgstreamer-plugins-base1.0-0  1.4.3-1.1
ii  libgstreamer1.0-0               1.4.3-1.2
ii  libgtk-3-0                      3.14.4-1
ii  libgtk2.0-0                     2.24.25-1
ii  libharfbuzz-icu0                0.9.35-2
ii  libharfbuzz0b                   0.9.35-2
ii  libicu52                        52.1-6
ii  libjavascriptcoregtk-3.0-0      2.4.7-1
ii  libjpeg62-turbo                 1:1.3.1-10
ii  libpango-1.0-0                  1.36.8-2
ii  libpangocairo-1.0-0             1.36.8-2
ii  libpangoft2-1.0-0               1.36.8-2
ii  libpng12-0                      1.2.50-2+b1
ii  libsecret-1-0                   0.18-1+b1
ii  libsoup2.4-1                    2.48.0-1
ii  libsqlite3-0                    3.8.7-1
ii  libstdc++6                      4.9.1-19
ii  libwebkitgtk-3.0-common         2.4.7-1
ii  libwebp5                        0.4.1-1.2+b2
ii  libx11-6                        2:1.6.2-3
ii  libxcomposite1                  1:0.4.4-1
ii  libxdamage1                     1:1.1.4-2
ii  libxfixes3                      1:5.0.1-2+b1
ii  libxml2                         2.9.1+dfsg1-4
ii  libxrender1                     1:0.9.8-1+b1
ii  libxslt1.1                      1.1.28-2+b2
ii  libxt6                          1:1.1.4-1+b1
ii  multiarch-support               2.19-12
ii  zlib1g                          1:1.2.8.dfsg-2

Versions of packages libwebkit2gtk-3.0-25 recommends:
ii  geoclue-2.0                2.1.10-2
ii  gstreamer1.0-plugins-base  1.4.3-1.1
ii  gstreamer1.0-plugins-good  1.4.3-2

libwebkit2gtk-3.0-25 suggests no packages.

-- no debconf information

--- End Message ---
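
The size mismatch described in the report above, as an added C example that is not WebKit or plugin code: `plugin_get_needs_xembed` is a hypothetical stand-in for a plugin's `NPP_GetValue` handler that stores an int, and a byte array models the caller's stack frame so the bytes written outside the `needsXEmbed` slot can be counted without corrupting a real stack. It also shows why the problem can go unnoticed when the neighbouring variable is already zero.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a plugin's NPP_GetValue(NPPVpluginNeedsXEmbed, ...)
 * handler that stores its answer as an int rather than a 1-byte boolean. */
static void plugin_get_needs_xembed(void *value)
{
    int answer = 1;
    memcpy(value, &answer, sizeof answer);
}

#define FRAME_SIZE 16 /* modelled stack frame; constructed for this example */

/* The first slot_size bytes of the frame play the role of needsXEmbed; the
 * rest stand for neighbouring locals such as windowID, pre-filled with `fill`.
 * Returns how many neighbouring bytes the plugin's write changed. */
static size_t clobbered_bytes(size_t slot_size, unsigned char fill)
{
    unsigned char frame[FRAME_SIZE];
    size_t changed = 0;

    memset(frame, fill, sizeof frame);
    memset(frame, 0, slot_size);          /* needsXEmbed = false */
    plugin_get_needs_xembed(frame);       /* writes sizeof(int) bytes */

    for (size_t i = slot_size; i < sizeof frame; i++)
        if (frame[i] != fill)
            changed++;
    return changed;
}

int main(void)
{
    /* bool-sized slot, neighbours hold 0xAA: the overflow is visible. */
    printf("bool slot, 0xAA neighbours: %zu bytes clobbered\n",
           clobbered_bytes(sizeof(bool), 0xAA));
    /* bool-sized slot, neighbours already zero (like windowID = 0): on a
     * little-endian machine the stray bytes are zeroes, so nothing shows. */
    printf("bool slot, zero neighbours: %zu bytes changed\n",
           clobbered_bytes(sizeof(bool), 0x00));
    /* int-sized slot, as in the fix: the write stays inside the slot. */
    printf("int slot,  0xAA neighbours: %zu bytes clobbered\n",
           clobbered_bytes(sizeof(int), 0xAA));
    return 0;
}
```
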
--- Begin Message ---
Source: webkitgtk
Source-Version: 2.4.7-2

We believe that the bug you reported is fixed in the latest version of
webkitgtk, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alberto Garcia <[email protected]> (supplier of updated webkitgtk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 11 Nov 2014 12:43:45 +0200
Source: webkitgtk
Binary: libjavascriptcoregtk-1.0-0 libjavascriptcoregtk-1.0-dev 
libjavascriptcoregtk-1.0-0-dbg libwebkitgtk-1.0-0 libwebkit-dev 
libwebkitgtk-dev libwebkitgtk-1.0-common libwebkitgtk-1.0-0-dbg 
libjavascriptcoregtk-3.0-0 libjavascriptcoregtk-3.0-dev 
libjavascriptcoregtk-3.0-0-dbg libjavascriptcoregtk-3.0-bin 
gir1.2-javascriptcoregtk-3.0 libwebkitgtk-3.0-0 libwebkitgtk-3.0-dev 
libwebkitgtk-3.0-common libwebkitgtk-3.0-0-dbg gir1.2-webkit-3.0 
libwebkit2gtk-3.0-25 libwebkit2gtk-3.0-dev libwebkit2gtk-3.0-25-dbg 
gir1.2-webkit2-3.0 libwebkitgtk-common-dev
Architecture: source all amd64
Version: 2.4.7-2
Distribution: unstable
Urgency: medium
Maintainer: Debian WebKit Maintainers 
<[email protected]>
Changed-By: Alberto Garcia <[email protected]>
Description:
 gir1.2-javascriptcoregtk-3.0 - JavaScript engine library from WebKitGTK+ - 
GObject introspection
 gir1.2-webkit-3.0 - Web content engine library for GTK+ - GObject 
introspection data
 gir1.2-webkit2-3.0 - WebKit2 API layer for WebKitGTK+ - GObject introspection 
data
 libjavascriptcoregtk-1.0-0 - JavaScript engine library from WebKitGTK+
 libjavascriptcoregtk-1.0-0-dbg - JavaScript engine library from WebKitGTK+ - 
debugging symbols
 libjavascriptcoregtk-1.0-dev - JavaScript engine library from WebKitGTK+ - 
development files
 libjavascriptcoregtk-3.0-0 - JavaScript engine library from WebKitGTK+
 libjavascriptcoregtk-3.0-0-dbg - JavaScript engine library from WebKitGTK+ - 
debugging symbols
 libjavascriptcoregtk-3.0-bin - JavaScript engine library from WebKitGTK+ - 
command-line interpre
 libjavascriptcoregtk-3.0-dev - JavaScript engine library from WebKitGTK+ - 
development files
 libwebkit-dev - Transitional package for the development files of WebKitGTK+
 libwebkit2gtk-3.0-25 - WebKit2 API layer for WebKitGTK+
 libwebkit2gtk-3.0-25-dbg - WebKit2 API layer for WebKitGTK+ - debugging symbols
 libwebkit2gtk-3.0-dev - WebKit2 API layer for WebKitGTK+ - development files
 libwebkitgtk-1.0-0 - Web content engine library for GTK+
 libwebkitgtk-1.0-0-dbg - Web content engine library for GTK+ - debugging 
symbols
 libwebkitgtk-1.0-common - Web content engine library for GTK+ - data files
 libwebkitgtk-3.0-0 - Web content engine library for GTK+
 libwebkitgtk-3.0-0-dbg - Web content engine library for GTK+ - debugging 
symbols
 libwebkitgtk-3.0-common - Web content engine library for GTK+ - data files
 libwebkitgtk-3.0-dev - Web content engine library for GTK+ - development files
 libwebkitgtk-common-dev - Web content engine library for GTK+ - common 
development files
 libwebkitgtk-dev - Web content engine library for GTK+ - development files
Closes: 761492 768929
Changes:
 webkitgtk (2.4.7-2) unstable; urgency=medium
 .
   * debian/patches/touch-event.patch:
     + Fix crash in EventPath::updateTouchLists() (Closes: #761492).
   * debian/patches/flash-crash.patch:
     + Fix crash in the Flash player (Closes: #768929).


--- End Message ---
