oss-sec mailing list archives

Re: CVE request : client-side file creation via XSLT in Webkit


From: Nicolas Grégoire <nicolas.gregoire () agarri fr>
Date: Wed, 11 May 2011 12:47:49 +0200


Hi,

It seems that there's some confusion about these different CVE
identifiers. I'll try to clarify it:

- CVE-2011-1774 was assigned to the Webkit bug #52688 by Josh Bressers
on May 9 (via oss-security and the private ticket). It seems to me to be
actually the best choice to track this vulnerability.

- CVE-2011-0195 was mistaken by Apple as assigned internally to the
Webkit bug #52688. In fact, this CVE is assigned to an information leak
about heap addresses, disclosed by Chris Evans. Unfortunately, this info
leak is also tracked as CVE-2011-1202. This is probably the
"Apple/Google confusion" Steve was talking about.

- CVE-2011-1425 was assigned on March 14 to an xmlsec vulnerability, at
my request. Both xmlsec and Webkit vulnerabilities have the same root
cause, which is unrestricted access to libxslt features like file
creation. In xmlsec, the vector is a "<ds:Transform>" tag in a signed
file. In Webkit, it could be an XML file, an XHTML page or an SVG image.

In my opinion, having the same root cause isn't a sufficient reason to
assign the same CVE to both xmlsec and Webkit vulnerabilities.

Additionally, the fact that the xmlsec advisory about CVE-2011-1425
linked to a Webkit patch (in its **work-around** section) added some
more confusion.

So, I propose to:
- remove references to Webkit from the CVE-2011-1425 page
- assign CVE-2011-1774 to the Webkit bug #52688

Regards,
Nicolas Grégoire
