Bug 506246 (CVE-2009-1709)

Summary: CVE-2009-1709 kdegraphics: KSVG Pointer use-after-free error in the SVG animation element (DoS, ACE)
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: VERIFIED
Severity: urgent
Priority: urgent
Version: unspecified
CC: bressers, jgrulich, jreznik, kevin, kreilly, security-response-team, than
Keywords: Security
Hardware: All
OS: Linux
URL: http://trac.webkit.org/changeset/32039
Whiteboard: public=20090625,reported=20090610,source=cve,impact=critical,cvss2=6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P,cwe=CWE-416[auto]
Doc Type: Bug Fix
Bug Depends On: 506300, 506301, 506302, 506303, 833915

Description Jan Lieskovsky 2009-06-16 07:12:19 EDT
A pointer use-after-free flaw was found in KDE's KSVG Scalable Vector Graphics (SVG) animation element implementation. A remote attacker
could use this flaw to cause a denial of service (konqueror crash) or,
potentially, execute arbitrary code with the privileges of the user
running the "konqueror" web browser, if the victim were tricked into opening
a specially-crafted SVG image.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1709
http://support.apple.com/kb/HT3613

Upstream patch: 
http://trac.webkit.org/changeset/32039

Reproducer:
http://trac.webkit.org/browser/trunk/LayoutTests/svg/W3C-SVG-1.1/animate-elem-63-t.svg?format=txt
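
The report names the bug class (CWE-416, a pointer use-after-free in the animation element) but not the mechanism. The following C model is an added illustration and is not KSVG, KHTML or WebKit code: an animation object keeps a raw pointer to its target element, the document destroys the element, and the animation timer still dereferences the pointer; beside it sits the usual fix, having the binding take a counted reference so the target outlives the animation. All type and function names are hypothetical, and the quarantine list stands in for a debugging allocator so the dangling access is detected deterministically instead of being undefined behaviour.

```c
/* Hypothetical model of a use-after-free between an SVG animation object
 * and its target element. Not KSVG/WebKit code; names are invented. */
#include <stdio.h>
#include <stdlib.h>

struct element {
    int refcount;   /* owners: the document, plus any animation bound to it */
    int id;         /* stands in for the element's identity (e.g. a <rect>) */
};

struct animation {
    struct element *target;  /* the element the <animate> acts on */
    int uses_refcount;       /* 0: raw pointer (vulnerable), 1: counted reference */
};

/* Quarantine instead of free(): freed elements are never handed back to
 * malloc, so a dangling pointer can be recognised rather than dereferenced. */
#define MAX_FREED 16
static struct element *g_freed[MAX_FREED];
static int g_freed_count;

static struct element *element_create(int id) {
    struct element *e = calloc(1, sizeof *e);
    if (!e) abort();
    e->refcount = 1;  /* the document's own reference */
    e->id = id;
    return e;
}

static void element_free(struct element *e) {
    e->id = -1;  /* poison, as a debugging allocator would */
    if (g_freed_count < MAX_FREED) g_freed[g_freed_count++] = e;
}

static int element_is_freed(const struct element *e) {
    for (int i = 0; i < g_freed_count; i++)
        if (g_freed[i] == e) return 1;
    return 0;
}

static void element_unref(struct element *e) {
    if (--e->refcount == 0) element_free(e);
}

/* Vulnerable pattern: the animation remembers the pointer but owns nothing. */
static void animation_bind_raw(struct animation *a, struct element *target) {
    a->target = target;
    a->uses_refcount = 0;
}

/* Hardened pattern: binding takes a reference the animation later drops. */
static void animation_bind_ref(struct animation *a, struct element *target) {
    target->refcount++;
    a->target = target;
    a->uses_refcount = 1;
}

/* The animation timer fires. Returns the target id, or -1 when the target
 * has already been freed (in real code this read is the use-after-free). */
static int animation_tick(const struct animation *a) {
    if (element_is_freed(a->target)) return -1;
    return a->target->id;
}

static void animation_destroy(struct animation *a) {
    if (a->uses_refcount) element_unref(a->target);
    a->target = NULL;
}

/* Scenario: the document removes the animated element (e.g. a script
 * removes the node) while the animation is still scheduled. */
static int run_scenario(int hardened) {
    struct element *rect = element_create(42);
    struct animation anim;
    if (hardened) animation_bind_ref(&anim, rect);
    else          animation_bind_raw(&anim, rect);
    element_unref(rect);               /* document drops its reference */
    int seen = animation_tick(&anim);  /* timer still fires afterwards */
    animation_destroy(&anim);          /* hardened variant frees rect here */
    return seen;
}

int main(void) {
    printf("raw pointer : tick saw %d (dangling target)\n", run_scenario(0));
    printf("ref counted : tick saw %d (target kept alive)\n", run_scenario(1));
    return 0;
}
```

The raw-pointer scenario is the shape of bug the report describes; the counted-reference scenario is the shape of the upstream fix, in that the object that can outlive the target is made a co-owner of it. In a real engine a weak reference that is cleared when the target is destroyed is an equally valid alternative, as long as the timer callback checks it before use.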
Comment 2 Jan Lieskovsky 2009-06-16 07:14:46 EDT
This issue does NOT affect the version of the kdegraphics package, as shipped
with Red Hat Enterprise Linux 3 and 4.

This issue affects the versions of the kdegraphics package, as shipped
with Red Hat Enterprise Linux 5.
Comment 6 Jan Lieskovsky 2009-06-16 07:44:49 EDT
Upstream bugzilla with more testcases:

https://bugs.webkit.org/show_bug.cgi?id=18551
Comment 11 errata-xmlrpc 2009-06-25 12:19:16 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2009:1130 https://rhn.redhat.com/errata/RHSA-2009-1130.html
Comment 12 Kevin Kofler 2009-07-25 19:26:53 EDT
This one appears NOT to affect the KDE 4 code in kdelibs/khtml/svg. The WebKit flaw got fixed in April 2008; the SVG code was imported from there to kdelibs (KHTML) in October 2008.
Comment 13 Kevin Kofler 2009-07-25 20:11:19 EDT
For QtWebKit, this apparently got fixed ages ago too. It's definitely fixed in Qt 4.5.2, which got pushed to Fedora updates recently. I didn't check earlier versions.