Apple Safari WebKit Selections Use-After-Free Vulnerability in tui-editor-Editor-full.js #1625

Closed
ebicoglu opened this issue Jul 1, 2021 · 5 comments

ebicoglu commented Jul 1, 2021

I'm one of the lead developers of the ABP Framework.
We are using Tui Editor and Tui Code Snippet in some modules of the framework. See https://www.npmjs.com/package/@abp/tui-editor
One of our clients reported that their security team doesn't allow downloading Tui Editor packages because of a vulnerability in the source code.
I'm not fully aware of what's under the hood of this vulnerability.
But it's called Apple Safari WebKit Selections Use-After-Free Vulnerability and is reported in tui-editor-Editor-full.js
Can you please check out this issue?

Related links:

@ebicoglu ebicoglu added the Bug label Jul 1, 2021
Contributor

js87zz commented Jul 5, 2021

@ebicoglu
We do not provide 'tui-editor-Editor-full.js' after v2.x.
v1.x is currently in a difficult situation to maintain, so an upgrade is recommended if possible.

davidskuza commented

This was in WebKit. Good security team. If those kids could read they'd be very upset.

js87zz commented Jul 8, 2021

@davidskuza
Yes, that's right, WebKit is a great security team, but we may not be able to respond well to it.
I want to respond to all errors in the legacy version, but it is difficult to respond realistically.
How about you? What did you contribute here before you criticized it? We are doing our best for our open source quality. Please respect the open source community before making this blind criticism.

davidskuza commented

You also do not understand what you read. The reported bug (CVE) is a bug in WebKit's HTTP response parser. This has nothing even to do with JavaScript. You cannot access or modify WebKit's parser from JS. You cannot trigger it from the frontend (maybe today with web services, idk). It's not a tui.editor bug, it was WebKit's. This company has misconfigured their software, which detects JS, frontend code as a bug in WebKit's HTTP response parser from 2010... If this were a bug in tui.editor, that would mean every developer could craft such JS code to take over your device, which is obviously not the case. I guess tui.editor has some parts of code which were also used 11 years ago in some exploit for WebKit, so their firewall thinks tui is malware. This is a classic false positive.

js87zz commented Jul 8, 2021

@davidskuza
Well, I see. I misunderstood because there was no clear subject to talk about. I'm sorry.

@js87zz js87zz closed this as completed Jul 13, 2021