Bug#976437: libwebkit2gtk-4.0-37: Websocket sends appends extra bytes to messages
Markus Demleitner
msdemlei at fsfe.org
Sat Dec 5 08:59:42 GMT 2020
Package: libwebkit2gtk-4.0-37
Version: 2.30.3-1~deb10u1
Severity: normal
Dear Maintainer,
Since the last libwebkit update in buster, there is a (possibly
information-disclosing) bug in the websockets implementation. For instance
when a client sends, in order, the strings "disabled", "d20", "NOP" and
"NOP", what the server receives in one run is
'disablede/im0'
'd20\x01\x17'
'NOPablede/im0'
'NOP\x01\x1e'
A repetition might yield
'disable'
'd20'
'enablee'
'NOPblee'
-- which not only breaks the websocket application but also might lead
to disclosing parts of memory that the server probably shouldn't be
seeing.
Steps to reproduce:
(1) get a browser using libwebkit2gtk-4.0-37 (I used luakit)
(2) connect to any websocket echo service (I used https://www.websocket.org/echo.html)
(3) Type a few messages of varying length and notice that the replies contain extra bytes.
Actually, in these tests I noticed that there's probably more awry in that the websocket connection after a few messages apparently becomes unresponsive.
-- System Information:
Debian Release: 10.6
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: i386 (x86_64)
Foreign Architectures: amd64
Kernel: Linux 5.8.0-0.bpo.2-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_USER, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: sysvinit (via /sbin/init)
Versions of packages libwebkit2gtk-4.0-37 depends on:
ii bubblewrap 0.3.1-4
ii libatk1.0-0 2.30.0-2
ii libc6 2.28-10
ii libcairo-gobject2 1.16.0-4
ii libcairo2 1.16.0-4
ii libegl1 1.1.0-1
ii libenchant1c2a 1.6.0-11.1+b1
ii libfontconfig1 2.13.1-2
ii libfreetype6 2.9.1-3+deb10u2
ii libgcc1 1:8.3.0-6
ii libgcrypt20 1.8.4-5
ii libgdk-pixbuf2.0-0 2.38.1+dfsg-1
ii libgl1 1.1.0-1
ii libglib2.0-0 2.58.3-2+deb10u2
ii libgstreamer-gl1.0-0 1.14.4-2
ii libgstreamer-plugins-base1.0-0 1.14.4-2
ii libgstreamer1.0-0 1.14.4-1
ii libgtk-3-0 3.24.5-1
ii libharfbuzz-icu0 2.3.1-1
ii libharfbuzz0b 2.3.1-1
ii libhyphen0 2.8.8-7
ii libicu63 63.1-6+deb10u1
ii libjavascriptcoregtk-4.0-18 2.30.3-1~deb10u1
ii libjpeg62-turbo 1:1.5.2-2+b1
ii libnotify4 0.7.7-4
ii libopenjp2-7 2.3.0-2+deb10u1
ii libpango-1.0-0 1.42.4-8~deb10u1
ii libpangocairo-1.0-0 1.42.4-8~deb10u1
ii libpng16-16 1.6.36-6
ii libseccomp2 2.3.3-4
ii libsecret-1-0 0.18.7-1
ii libsoup2.4-1 2.64.2-2
ii libsqlite3-0 3.27.2-3
ii libstdc++6 8.3.0-6
ii libsystemd0 241-7~deb10u4
ii libtasn1-6 4.13-3
ii libwayland-client0 1.16.0-1
ii libwayland-egl1 1.16.0-1
ii libwayland-server0 1.16.0-1
ii libwebp6 0.6.1-2
ii libwebpdemux2 0.6.1-2
ii libwoff1 1.0.2-1
ii libx11-6 2:1.6.7-1+deb10u1
ii libxcomposite1 1:0.4.4-2
ii libxdamage1 1:1.1.4-3+b3
ii libxml2 2.9.4+dfsg1-7+b3
ii libxrender1 1:0.9.10-1
ii libxslt1.1 1.1.32-2.2~deb10u1
ii libxt6 1:1.1.5-1+b3
ii xdg-dbus-proxy 0.1.1-1
ii zlib1g 1:1.2.11.dfsg-1
Versions of packages libwebkit2gtk-4.0-37 recommends:
ii gstreamer1.0-alsa 1.14.4-2
pn gstreamer1.0-gl <none>
ii gstreamer1.0-libav 1.15.0.1+git20180723+db823502-2
ii gstreamer1.0-plugins-good 1.14.4-1
ii gstreamer1.0-pulseaudio 1.14.4-1
ii libgl1-mesa-dri 18.3.6-2+deb10u1
libwebkit2gtk-4.0-37 suggests no packages.
-- no debconf information
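As an added check for the symptom described in this report (example code, not from the report or from WebKit): RFC 6455 client-frame helpers plus a classifier that flags an echo reply carrying bytes beyond the message the application actually sent. The function names and the fixed mask used in the comments are assumptions; the sent/received pairs are the ones quoted above.

```python
import os
import struct

def encode_client_frame(payload: bytes, mask: bytes = b"") -> bytes:
    """Build one FIN text frame (opcode 0x1) as a client must send it: masked."""
    mask = mask or os.urandom(4)
    n = len(payload)
    header = bytes([0x81])                       # FIN=1, RSV=0, opcode=1 (text)
    if n < 126:
        header += bytes([0x80 | n])              # MASK bit + 7-bit length
    elif n < 1 << 16:
        header += bytes([0x80 | 126]) + struct.pack("!H", n)
    else:
        header += bytes([0x80 | 127]) + struct.pack("!Q", n)
    masked = bytes(b ^ mask[i % 4] for i, b in enumerate(payload))
    return header + mask + masked

def decode_frame(frame: bytes) -> bytes:
    """Return the unmasked payload of one frame, taking exactly the declared length."""
    masked = bool(frame[1] & 0x80)
    n, pos = frame[1] & 0x7F, 2
    if n == 126:
        n, pos = struct.unpack("!H", frame[2:4])[0], 4
    elif n == 127:
        n, pos = struct.unpack("!Q", frame[2:10])[0], 10
    mask = frame[pos:pos + 4] if masked else b""
    pos += len(mask)
    data = frame[pos:pos + n]
    if len(data) != n:
        raise ValueError("frame shorter than its declared payload length")
    return bytes(b ^ mask[i % 4] for i, b in enumerate(data)) if masked else data

def classify_echo(sent: bytes, received: bytes) -> str:
    """Compare an echo reply with the message the application actually sent."""
    if received == sent:
        return "ok"
    if received.startswith(sent):
        return "trailing-bytes"   # the symptom in the report: message + extra bytes
    if sent.startswith(received):
        return "truncated"        # seen in the report's second run ('disable')
    return "mismatch"

# Sent/received pairs quoted in the bug report (first run, then one from the second).
REPORTED = [(b"disabled", b"disablede/im0"), (b"d20", b"d20\x01\x17"),
            (b"NOP", b"NOPablede/im0"), (b"NOP", b"NOP\x01\x1e"),
            (b"disabled", b"disable")]

def audit(pairs=REPORTED):
    return [classify_echo(s, r) for s, r in pairs]
```

Against a live echo service the same classifier can be run on each reply; a correct client produces only "ok", so any other verdict is a regression signal for this bug.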