Bug#768929: libwebkit2gtk-3.0-25: plugin process vulnerable to stack buffer overflow
Alberto Garcia
berto at igalia.com
Mon Nov 10 09:15:26 UTC 2014
Package: libwebkit2gtk-3.0-25
Version: 2.4.7-1
Severity: normal
Tags: patch upstream
Like the 2.6 series of webkitgtk, this release is also vulnerable to
the same stack buffer overflow problem (#768341).
In short, we have this code to obtain the value of
NPPVpluginNeedsXEmbed from a plugin:
    uint64_t windowID = 0;
    bool needsXEmbed = false;
    NPP_GetValue(NPPVpluginNeedsXEmbed, &needsXEmbed);
The value of NPPVpluginNeedsXEmbed is a boolean (1 byte); however, some
plugins are using an int instead. This has been confirmed with the
Flash plugin at least.
Making needsXEmbed an int fixes the problem.
This is not reproducible in all situations because depending on
how the code is compiled it might just be overwriting the windowID
variable again with zeroes.
The patch has been applied upstream and will be available in the next
release from the 2.4 branch.
http://trac.webkit.org/changeset/175696
http://trac.webkit.org/wiki/WebKitGTK/2.4.x
Berto
-- System Information:
Debian Release: jessie/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.16-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages libwebkit2gtk-3.0-25 depends on:
ii libatk1.0-0 2.14.0-1
ii libc6 2.19-12
ii libcairo-gobject2 1.14.0-2.1
ii libcairo2 1.14.0-2.1
ii libenchant1c2a 1.6.0-10.1
ii libfontconfig1 2.11.0-6.1
ii libfreetype6 2.5.2-2
ii libgcc1 1:4.9.1-19
ii libgdk-pixbuf2.0-0 2.31.1-2+b1
ii libgl1-mesa-glx [libgl1] 10.3.2-1
ii libglib2.0-0 2.42.0-2
ii libgstreamer-plugins-base1.0-0 1.4.3-1.1
ii libgstreamer1.0-0 1.4.3-1.2
ii libgtk-3-0 3.14.4-1
ii libgtk2.0-0 2.24.25-1
ii libharfbuzz-icu0 0.9.35-2
ii libharfbuzz0b 0.9.35-2
ii libicu52 52.1-6
ii libjavascriptcoregtk-3.0-0 2.4.7-1
ii libjpeg62-turbo 1:1.3.1-10
ii libpango-1.0-0 1.36.8-2
ii libpangocairo-1.0-0 1.36.8-2
ii libpangoft2-1.0-0 1.36.8-2
ii libpng12-0 1.2.50-2+b1
ii libsecret-1-0 0.18-1+b1
ii libsoup2.4-1 2.48.0-1
ii libsqlite3-0 3.8.7-1
ii libstdc++6 4.9.1-19
ii libwebkitgtk-3.0-common 2.4.7-1
ii libwebp5 0.4.1-1.2+b2
ii libx11-6 2:1.6.2-3
ii libxcomposite1 1:0.4.4-1
ii libxdamage1 1:1.1.4-2
ii libxfixes3 1:5.0.1-2+b1
ii libxml2 2.9.1+dfsg1-4
ii libxrender1 1:0.9.8-1+b1
ii libxslt1.1 1.1.28-2+b2
ii libxt6 1:1.1.4-1+b1
ii multiarch-support 2.19-12
ii zlib1g 1:1.2.8.dfsg-2
Versions of packages libwebkit2gtk-3.0-25 recommends:
ii geoclue-2.0 2.1.10-2
ii gstreamer1.0-plugins-base 1.4.3-1.1
ii gstreamer1.0-plugins-good 1.4.3-2
libwebkit2gtk-3.0-25 suggests no packages.
-- no debconf information
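The size mismatch described in the report, as an added example written for this page (it is not WebKit code and not part of the bug report). The NPAPI names are reproduced minimally (NPBool is one byte, and NPPVpluginNeedsXEmbed takes the value used in npapi.h); the two plugin bodies are stand-ins for a conforming plugin and for one that stores a C int, and the caller's locals are modelled as structs so that the byte after the bool is deterministic, which a real stack frame only guarantees by accident.

```c
/*
 * Added example: a 1-byte bool passed to NPP_GetValue(NPPVpluginNeedsXEmbed)
 * versus a plugin that stores a 4-byte int.  Not WebKit code; NPAPI names are
 * minimal reproductions, plugin bodies and frame structs are stand-ins.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef unsigned char NPBool;        /* NPAPI: NPBool is a single byte */
typedef int16_t NPError;
enum { NPERR_NO_ERROR = 0, NPERR_GENERIC_ERROR = 1 };
enum { NPPVpluginNeedsXEmbed = 14 };  /* value from npapi.h */

typedef NPError (*getvalue_fn)(int variable, void *value);

/* Spec-conforming plugin: stores exactly one NPBool. */
static NPError conforming_getvalue(int variable, void *value)
{
    if (variable != NPPVpluginNeedsXEmbed)
        return NPERR_GENERIC_ERROR;
    *(NPBool *)value = 1;
    return NPERR_NO_ERROR;
}

/* Plugin that stores a C int, as the report says Flash does.  memcpy keeps the
 * demo alignment-safe; a real plugin simply does *(int *)value = 1. */
static NPError int_writing_getvalue(int variable, void *value)
{
    if (variable != NPPVpluginNeedsXEmbed)
        return NPERR_GENERIC_ERROR;
    int v = 1;
    memcpy(value, &v, sizeof v);      /* sizeof(int) bytes; caller may have given 1 */
    return NPERR_NO_ERROR;
}

#define CANARY 0xAA

/* Caller locals as in the vulnerable code: a 1-byte bool.  The canary bytes
 * stand in for whatever the compiler placed right after it (windowID in the
 * report).  Which, if anything, sits there depends on the compiler's layout,
 * which is why the report says the bug is not always reproducible. */
struct bool_frame {
    bool needsXEmbed;
    uint8_t canary[7];
};

/* Caller locals after the fix: an int, so a 4-byte store fits. */
struct int_frame {
    int needsXEmbed;
    uint8_t canary[4];
};

static int count_clobbered(const uint8_t *canary, size_t n)
{
    int clobbered = 0;
    for (size_t i = 0; i < n; i++)
        if (canary[i] != CANARY)
            clobbered++;
    return clobbered;
}

/* Run a plugin against the vulnerable frame; return the number of bytes
 * beyond the bool that it overwrote (3 for an int-writing plugin). */
static int clobbered_with_bool(getvalue_fn plugin)
{
    struct bool_frame f;
    f.needsXEmbed = false;
    memset(f.canary, CANARY, sizeof f.canary);
    plugin(NPPVpluginNeedsXEmbed, &f.needsXEmbed);
    return count_clobbered(f.canary, sizeof f.canary);
}

/* Same against the fixed frame; expected to be 0 for both plugin kinds. */
static int clobbered_with_int(getvalue_fn plugin)
{
    struct int_frame f;
    f.needsXEmbed = 0;
    memset(f.canary, CANARY, sizeof f.canary);
    plugin(NPPVpluginNeedsXEmbed, &f.needsXEmbed);
    return count_clobbered(f.canary, sizeof f.canary);
}

/* The fixed caller must still get the right answer from a conforming plugin.
 * A 1-byte store into a zero-initialised int leaves it non-zero on either
 * endianness, so the host tests `needsXEmbed != 0`, never `== 1`. */
static bool int_frame_reads_true(getvalue_fn plugin)
{
    int needsXEmbed = 0;
    plugin(NPPVpluginNeedsXEmbed, &needsXEmbed);
    return needsXEmbed != 0;
}

int main(void)
{
    printf("bool frame, int-writing plugin: %d bytes clobbered\n",
           clobbered_with_bool(int_writing_getvalue));
    printf("int frame,  int-writing plugin: %d bytes clobbered\n",
           clobbered_with_int(int_writing_getvalue));
    printf("int frame,  conforming plugin:  needsXEmbed=%s\n",
           int_frame_reads_true(conforming_getvalue) ? "true" : "false");
    return 0;
}
```

On a little-endian machine the three overflowing bytes of the int 1 are zero, so if the neighbouring local is a zero-initialised variable the overwrite is invisible; that is the "overwriting the windowID variable again with zeroes" case from the report, and it is why the bug only shows with some compilers and optimisation levels.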