From yavor ¡÷ gnu.org  Mon Dec 14 02:44:38 2009
From: yavor ¡÷ gnu.org (Yavor Doganov)
Date: Sun, 13 Dec 2009 19:44:38 +0200
Subject: [Kazehakase-devel 2936]  [SECURITY] Remote info disclosure via CSS
Message-ID: <87my1mkbuh.GNU's_Not_Unix!%yavor@gnu.org>

Hi,

The following security bug [1] was reported for the Debian package:

| it has been disclosed that it is possible for any website to query the
| user's site viewing history via css.  please see [0].  i have not
| personally checked whether this package is vulnerable, but it seems to
| be a general css design issue, so all css-supporting browsers are
| likely affected. please check, and feel free to close the bug if the
| package is not affected.  thanks.
|
| [0] http://thecoffeedesk.com/news/index.php/2009/08/02/view-remote-browser-history/

[1] http://bugs.debian.org/560871

There is no CVE assigned (yet).  The issue can be reproduced by
visiting slashdot.org, and then http://thecoffeedesk.com/css-exploit.
The problem appears to be that any site can perform checks for certain
URLs the user has visited, which violates basic privacy as it can
happen without user's consent.

AFAICS, Kazehakase doesn't do any special CSS handling (except for the
history search module, which is all local and not a problem at all),
so the only way to fix this is to address the problem in xulrunner and
webkit.  Please confirm that is indeed the case, thanks.