oss-sec mailing list archives
Re: CVE request : client-side file creation via XSLT in Webkit
From: Nicolas Grégoire <nicolas.gregoire () agarri fr>
Date: Wed, 11 May 2011 12:47:49 +0200
Hi,

it seems that there's some confusion about these different CVE identifiers. I'll try to clarify it:

- CVE-2011-1774 was affected to the Webkit bug #52688 by Josh Bressers on May 9 (via oss-security and the private ticket). It seems to me to be actually the best choice to track this vulnerability.

- CVE-2011-0195 was mistaken by Apple as affected internally to the Webkit bug #52688. In fact, this CVE is affected to an information leak about heap addresses, disclosed by Chris Evans. Unfortunately, this info leak is also tracked as CVE-2011-1202. This is probably the "Apple/Google confusion" Steve was talking about.

- CVE-2011-1425 was assigned on March 14 to a xmlsec vulnerability, at my request.

Both xmlsec and Webkit vulnerabilities have the same root cause, which is unrestricted access to libxslt features like file creation. In xmlsec, the vector is a "<ds:Transform>" tag in a signed file. In Webkit, it could be an XML file, an XHTML page or an SVG image.

In my opinion, having the same root cause isn't a sufficient reason to affect the same CVE to both xmlsec and Webkit vulnerabilities. Additionally, the fact that the xmlsec advisory about CVE-2011-1425 linked to a Webkit patch (in its **work-around** section) added some more confusion.

So, I propose to:

- remove references to Webkit from the CVE-2011-1425 page
- affect CVE-2011-1774 to the Webkit bug #52688

Regards,
Nicolas Grégoire