Bug#516555: CVE-2008-6059: missing access restriction

Michael S. Gilbert michael.s.gilbert at gmail.com
Sun Apr 26 22:28:01 UTC 2009

On Sun, 26 Apr 2009 10:17:22 +0200 Moritz Muehlenhoff wrote:

> On Wed, Feb 25, 2009 at 12:38:12AM -0500, Michael Gilbert wrote:
> > does this problem (with cookies) really affect the version of webkit in
> > debian, which does not currently support cookies (or more accurately
> > the libraries in debian are not current enough to support cookies in
> > webkit)?  
> Gustavo, Mike,
> can you confirm that Webkit from Lenny isn't affected by this problem?

webkit 1.0.1-4 in lenny passes their regression test for this particular
issue.  after reviewing the code [1], the patches primarily appear to
fix the mac- and windows-specific cookie handling code and just "clean
up" the libsoup-related code. the linux-specific code relies on lipsoup
for cookies, and since webkit 1.0.1-4 does not depend on libsoup, i
would say that lenny is safe; unless webkit is falling back on one of
the other cookie handlers.

going forward, someone needs to check whether libsoup is vulnerable or

i have submitted some questions upstream [2] to get their opinion.

[1] http://trac.webkit.org/changeset/38566
[2] https://bugs.webkit.org/show_bug.cgi?id=10957

More information about the Pkg-webkit-maintainers mailing list