Bug 506703 (CVE-2009-0945)

Summary: CVE-2009-0945 kdegraphics: KSVG NULL-pointer dereference in the SVGList interface implementation (ACE)
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: urgent
Priority: urgent
Version: unspecified
CC: bressers, jreznik, kevin, security-response-team, than
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
URL: http://websvn.kde.org/?view=rev&revision=983302
Whiteboard: public=20090625,reported=20090513,source=cve,impact=critical,cvss2=6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P,cwe=CWE-476[auto]
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2010-03-29 05:16:14 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Bug Depends On: 506302, 506303, 833915

Description Jan Lieskovsky 2009-06-18 08:36:59 EDT
A NULL-pointer dereference due to an array index error was found in
the KDE KSVG SVGList interface implementation. A remote attacker
could create a specially crafted SVG image which, once opened by
an unsuspecting user, would cause memory corruption leading
to a denial of service (Konqueror crash).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0945
http://lists.apple.com/archives/security-announce/2009/May/msg00001.html
http://lists.apple.com/archives/security-announce/2009/May/msg00002.html
http://trac.webkit.org/changeset/43590

WebKit reproducer:
http://trac.webkit.org/browser/trunk/LayoutTests/svg/dom/svglist-exception-on-out-bounds-error.html?rev=43590&format=txt

Expected WebKit reproducer output:
http://trac.webkit.org/browser/trunk/LayoutTests/svg/dom/svglist-exception-on-out-bounds-error-expected.txt?rev=43590&format=txt

Upstream KDE 4.2 patch:
http://websvn.kde.org/?view=rev&revision=983302
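The index handling the description refers to, as an added illustrative model written for this page (it is not KSVG or WebKit source; the class, method and item names are assumptions loosely based on the SVG DOM SVGList interface): an SVGList-style container whose unchecked lookup hands callers a null item for an out-of-range index, beside the checked form that reports INDEX_SIZE_ERR, which is the behaviour the WebKit reproducer linked above tests for.

```cpp
// Added illustrative model (not KSVG or WebKit source) of the SVGList
// indexing pattern the bug describes. Class, method and item names are
// assumptions loosely modelled on the SVG DOM SVGList interface.
#include <cstddef>
#include <initializer_list>
#include <memory>
#include <vector>

// DOM exception code values: 0 means no error; INDEX_SIZE_ERR is 1 in the
// DOM Level 2 Core specification.
enum ExceptionCode { NO_ERR = 0, INDEX_SIZE_ERR = 1 };

struct SVGLength {
    double value;
};

template <typename Item>
class SVGList {
public:
    std::size_t numberOfItems() const { return m_items.size(); }

    void appendItem(std::shared_ptr<Item> item) { m_items.push_back(std::move(item)); }

    // Vulnerable pattern (CWE-476): an out-of-range index silently yields a
    // null item. Any caller that dereferences the result without checking
    // crashes, which is the denial of service the advisory describes.
    std::shared_ptr<Item> getItemUnchecked(std::size_t index) const {
        return index < m_items.size() ? m_items[index] : nullptr;
    }

    // Hardened pattern: validate the index up front and report INDEX_SIZE_ERR,
    // as the SVG DOM requires for getItem/replaceItem/removeItem, so no caller
    // ever receives a null item for a bad index.
    std::shared_ptr<Item> getItem(std::size_t index, ExceptionCode& ec) const {
        if (!checkIndex(index, ec)) return nullptr;
        return m_items[index];
    }

    std::shared_ptr<Item> replaceItem(std::shared_ptr<Item> item, std::size_t index,
                                      ExceptionCode& ec) {
        if (!checkIndex(index, ec)) return nullptr;
        m_items[index] = item;
        return item;
    }

    std::shared_ptr<Item> removeItem(std::size_t index, ExceptionCode& ec) {
        if (!checkIndex(index, ec)) return nullptr;
        std::shared_ptr<Item> removed = m_items[index];
        m_items.erase(m_items.begin() + static_cast<std::ptrdiff_t>(index));
        return removed;
    }

    // insertItemBefore is the one SVGList method where an index past the end
    // is legal: the SVG DOM says the item is then appended.
    std::shared_ptr<Item> insertItemBefore(std::shared_ptr<Item> item, std::size_t index) {
        if (index > m_items.size()) index = m_items.size();
        m_items.insert(m_items.begin() + static_cast<std::ptrdiff_t>(index), item);
        return item;
    }

private:
    bool checkIndex(std::size_t index, ExceptionCode& ec) const {
        ec = NO_ERR;
        if (index >= m_items.size()) {
            ec = INDEX_SIZE_ERR;
            return false;
        }
        return true;
    }

    std::vector<std::shared_ptr<Item>> m_items;
};

// Caller written in the vulnerable style: trusts the list and dereferences.
// With an out-of-range index this dereferences a null pointer and crashes.
double unsafeRead(const SVGList<SVGLength>& list, std::size_t index) {
    return list.getItemUnchecked(index)->value;
}

// Caller written in the fixed style: checks the exception code first, so a
// hostile index becomes a reportable DOM exception instead of a crash.
double safeRead(const SVGList<SVGLength>& list, std::size_t index, ExceptionCode& ec) {
    std::shared_ptr<SVGLength> item = list.getItem(index, ec);
    return ec == NO_ERR ? item->value : 0.0;
}

// Constructed sample list of three lengths, standing in for the list an SVG
// document would populate.
SVGList<SVGLength> makeSampleList() {
    SVGList<SVGLength> list;
    for (double v : {10.0, 20.0, 30.0})
        list.appendItem(std::make_shared<SVGLength>(SVGLength{v}));
    return list;
}
```

The point of the checked form is that the bounds test lives in the list, not in each caller: every index-taking method goes through one `checkIndex`, so a script-controlled index reaching `getItem`, `replaceItem` or `removeItem` is rejected with INDEX_SIZE_ERR before any item pointer is produced, and `insertItemBefore` is the only method that deliberately tolerates an index past the end.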
Comment 1 Jan Lieskovsky 2009-06-18 08:40:16 EDT
This issue does NOT affect the versions of the kdegraphics package, as shipped
with Red Hat Enterprise Linux 3 and 4.

This issue affects the version of the kdegraphics package, as shipped
with Red Hat Enterprise Linux 5.
Comment 13 errata-xmlrpc 2009-06-25 12:19:18 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2009:1130 https://rhn.redhat.com/errata/RHSA-2009-1130.html
Comment 14 Kevin Kofler 2009-07-25 19:17:43 EDT
This also affects kdelibs 4.2.4 in Fedora (the code is now in kdelibs).
Comment 15 Kevin Kofler 2009-07-25 20:12:35 EDT
For QtWebKit, this is fixed in Qt 4.5.2 which got pushed to Fedora updates recently. I didn't check earlier versions.
Comment 16 Kevin Kofler 2009-07-25 21:26:50 EDT
This one is fixed in Rawhide's kdelibs 4.2.98.
Comment 17 Fedora Update System 2009-07-26 04:29:28 EDT
kdelibs-4.2.4-6.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/kdelibs-4.2.4-6.fc11
Comment 18 Fedora Update System 2009-07-26 04:31:02 EDT
kdelibs-4.2.4-6.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/kdelibs-4.2.4-6.fc10
Comment 19 Fedora Update System 2009-07-28 14:23:10 EDT
kdelibs-4.2.4-6.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 20 Fedora Update System 2009-07-28 14:26:41 EDT
kdelibs-4.2.4-6.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.