Your message dated Tue, 02 Dec 2014 19:08:49 -0300
with message-id <2754602.LmK8ICqrYR@luna>
and subject line Not really applicable (or not anymore)
has caused the Debian Bug report #684251,
regarding webkit code embedded in qt4-11 and possibly may be out of date and
vulnerable
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
684251: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=684251
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: qt4-x11
Severity: important
Tags: security
I have been working on a tool called Clonewise to automatically identify
embedded code copies in Debian packages and determine if they are out of
date and vulnerable. Ideally, embedding code and libraries should be
avoided and a system wide library should be used instead.
I recently ran the tool on Debian 6 stable. The results are here at
http://www.foocodechu.com/downloads/Clonewise-report.txt*
*The qt4-x11 package reported potential issues appended to this message.
The analysis tries to justify why it believes a library or code is embedded
in the package and if the relationship is not already being tracked by
Debian in the embedded-code-copies database it shows the files that are
shared between the two pieces of software.
Apologies if these are false positives. Your help in advising me on whether
these issues are real will help me improve the analysis for the future.
--
Silvio Cesare
Deakin University
### Summary:
###
webkit CLONED_IN_SOURCE qt4-x11 <unfixed> CVE-2010-1386
webkit CLONED_IN_SOURCE qt4-x11 <unfixed> CVE-2010-1760
webkit CLONED_IN_SOURCE qt4-x11 <unfixed> CVE-2010-1766
### Reports by package:
###
# Package qt4-x11 may be vulnerable to the following issues:
#
CVE-2010-1386
CVE-2010-1760
CVE-2010-1766
# SUMMARY: page/Geolocation.cpp in WebCore in WebKit before r56188 and
before 1.2.5 does not properly restrict access to the lastPosition
function, which has unspecified impact and remote attack vectors, aka
rdar problem 7746357.
#
# CVE-2010-1386 relates to a vulnerability in package webkit.
# The following source filenames are likely responsible:
# geolocation.c
#
# The following package clones are tracked in the embedded-code-copies
# database. They have not been fixed.
#
webkit CLONED_IN_SOURCE qt4-x11 <unfixed> CVE-2010-1386
# SUMMARY: loader/DocumentThreadableLoader.cpp in the XMLHttpRequest
implementation in WebCore in WebKit before r58409 does not properly
handle credentials during a cross-origin synchronous request, which
has unspecified impact and remote attack vectors, aka rdar problem
7905150.
#
# CVE-2010-1760 relates to a vulnerability in package webkit.
# The following source filenames are likely responsible:
# documentthreadableloader.c
#
# The following package clones are tracked in the embedded-code-copies
# database. They have not been fixed.
#
webkit CLONED_IN_SOURCE qt4-x11 <unfixed> CVE-2010-1760
# SUMMARY: Off-by-one error in the
WebSocketHandshake::readServerHandshake function in
websockets/WebSocketHandshake.cpp in WebCore in WebKit before r56380,
as used in Qt and other products, allows remote websockets servers to
cause a denial of service (memory corruption) or possibly have
unspecified other impact via an upgrade header that is long and
invalid.
#
# CVE-2010-1766 relates to a vulnerability in package webkit.
# The following source filenames are likely responsible:
# websockethandshake.c
#
# The following package clones are tracked in the embedded-code-copies
# database. They have not been fixed.
#
webkit CLONED_IN_SOURCE qt4-x11 <unfixed> CVE-2010-1766
--- End Message ---
--- Begin Message ---
Version: 4:4.8.6+git64-g5dc8b2b+dfsg-2
We are building qtwebkit from the latest upstream release, which is indeed a
Qt4 backport of the Qt5 version.
I think we are not shipping webkit's code in qt4-x11, but even so it's not
being built (a build would take ages).
So this bug is no longer applicable.
--
Cuando me preguntaron sobre algún arma capaz de contrarrestar el poder de la
bomba atómica, yo sugerí la mejor de todas: la paz.
Albert Einstein
Lisandro Damián Nicanor Pérez Meyer
http://perezmeyer.com.ar/
http://perezmeyer.blogspot.com/
signature.asc
Description: This is a digitally signed message part.
--- End Message ---
