Bug 505571 (CVE-2009-1690)

Summary: CVE-2009-1690 kdelibs: KHTML incorrect handling of <head> element content once the <head> element was removed (DoS, ACE)
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: urgent
Priority: urgent
Version: unspecified
CC: bressers, jreznik, kevin, kreilly, mjc, security-response-team, than
Keywords: Security
Hardware: All
OS: Linux
URL: http://trac.webkit.org/changeset/42532
Whiteboard: public=20090625,reported=20090610,source=cve,impact=critical,cvss2=6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P
Doc Type: Bug Fix
Last Closed: 2015-08-22 12:23:03 EDT
Bug Depends On: 505619, 505620, 505621, 505622, 833918

Description Jan Lieskovsky 2009-06-12 09:45:56 EDT
The KDE HTML parser incorrectly handled content forming the HTML page
<head> element. A remote attacker could use this flaw to cause a denial
of service (konqueror crash) or, potentially, execute arbitrary code
with the privileges of the user running the "konqueror" web browser, if the
victim was tricked into opening a specially-crafted HTML page.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1690
http://support.apple.com/kb/HT3613
http://secunia.com/advisories/35379/

Upstream patch:
http://trac.webkit.org/changeset/42532

Upstream PoC:
http://trac.webkit.org/browser/trunk/LayoutTests/fast/parser/head-content-after-head-removal.html?format=txt
Comment 6 Jan Lieskovsky 2009-06-18 06:24:36 EDT
Upstream KDE 4.2 patch:

http://websvn.kde.org/?view=rev&revision=983316
Comment 8 errata-xmlrpc 2009-06-25 12:42:05 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5

Via RHSA-2009:1127 https://rhn.redhat.com/errata/RHSA-2009-1127.html
Comment 9 Kevin Kofler 2009-07-25 18:46:58 EDT
This also affects kdelibs 4.2.4 and kdelibs3 3.5.10 in Fedora.
Comment 10 Kevin Kofler 2009-07-25 20:06:03 EDT
For QtWebKit, this is fixed in Qt 4.5.2 which got pushed to Fedora updates recently. I didn't check earlier versions.
Comment 11 Kevin Kofler 2009-07-25 21:25:37 EDT
This one is fixed in Rawhide's kdelibs 4.2.98.
Comment 12 Fedora Update System 2009-07-26 04:29:13 EDT
kdelibs-4.2.4-6.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/kdelibs-4.2.4-6.fc11
Comment 13 Fedora Update System 2009-07-26 04:30:46 EDT
kdelibs-4.2.4-6.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/kdelibs-4.2.4-6.fc10
Comment 14 Fedora Update System 2009-07-26 04:35:00 EDT
kdelibs3-3.5.10-13.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/kdelibs3-3.5.10-13.fc11
Comment 15 Fedora Update System 2009-07-26 04:45:02 EDT
kdelibs3-3.5.10-13.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/kdelibs3-3.5.10-13.fc10
Comment 16 Fedora Update System 2009-07-28 14:22:55 EDT
kdelibs-4.2.4-6.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 17 Fedora Update System 2009-07-28 14:26:25 EDT
kdelibs-4.2.4-6.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 18 Fedora Update System 2009-07-28 14:27:11 EDT
kdelibs3-3.5.10-13.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 19 Fedora Update System 2009-07-28 14:27:49 EDT
kdelibs3-3.5.10-13.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
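As an added practitioner check (example code, not part of this bug report or of any Fedora or KDE tooling): the script below compares installed kdelibs/kdelibs3 package NVRs against the fixed Fedora builds named in comments 12 through 15 and flags anything older. The `rpm -q` output it works on is constructed inline; GNU `sort -V` is assumed, and the `nvr_is_fixed` and `report` helper names are this example's own.

```shell
#!/bin/sh
# Added example (not part of the bug report): check installed kdelibs /
# kdelibs3 package NVRs against the fixed Fedora builds listed in
# comments 12-15 of this bug. Assumes GNU sort (for -V).

# Fixed builds named in this bug, one name-version-release per line.
FIXED_NVRS='kdelibs-4.2.4-6.fc11
kdelibs-4.2.4-6.fc10
kdelibs3-3.5.10-13.fc11
kdelibs3-3.5.10-13.fc10'

# Constructed sample of `rpm -q kdelibs kdelibs3` output from two hosts
# (one F11, one F10); replace with the real command on a live system.
SAMPLE_INSTALLED='kdelibs-4.2.4-5.fc11
kdelibs3-3.5.10-13.fc11
kdelibs-4.2.4-6.fc10
kdelibs3-3.5.10-12.fc10'

# nvr_is_fixed NVR
# Exit 0 if the installed NVR is at or above the fixed build for the same
# package name and dist tag, 1 if it is older, 2 if this bug lists no
# fixed build for that package/dist combination.
nvr_is_fixed() {
    installed=$1
    name=${installed%%-[0-9]*}   # "kdelibs3-3.5.10-13.fc11" -> "kdelibs3"
    dist=${installed##*.}        # "...-13.fc11"             -> "fc11"
    fixed=$(printf '%s\n' "$FIXED_NVRS" | grep "^$name-[0-9].*\.$dist\$" || true)
    [ -n "$fixed" ] || return 2
    # sort -V orders version/release fields numerically (4.2.4-5 < 4.2.4-6,
    # and 4.2.4-10 > 4.2.4-6), so the installed build is fixed exactly when
    # the fixed NVR is not the newer of the two.
    lowest=$(printf '%s\n%s\n' "$installed" "$fixed" | sort -V | head -n 1)
    [ "$lowest" = "$fixed" ]
}

# report NVR...
# Print one status line per installed NVR; exit 1 if any is still vulnerable.
report() {
    rc=0
    for nvr in "$@"; do
        nvr_is_fixed "$nvr" && st=0 || st=$?
        case $st in
            0) echo "OK         $nvr" ;;
            2) echo "UNKNOWN    $nvr (no fixed build listed for this dist)" ;;
            *) echo "VULNERABLE $nvr"; rc=1 ;;
        esac
    done
    return $rc
}

report $SAMPLE_INSTALLED || echo "=> at least one package still needs the update"
```

`sort -V` is a good first pass but is not `rpmvercmp`: it ignores epochs and treats tilde and alphabetic segments differently, so for a definitive answer on a real host use `rpmdev-vercmp` against the fixed NVR, or simply `rpm -q --changelog kdelibs | grep CVE-2009-1690`, which also works for the RHEL 4/5 packages shipped via RHSA-2009:1127.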