Bug 512911 (CVE-2009-2537)

Summary: CVE-2009-2537 Konqueror: DoS via large length property of a Select object
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: jreznik, kevin, kreilly, ltinkl, than
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://www.securityfocus.com/archive/1/504969/100/0/threaded
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-08-06 15:12:52 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 514475, 514476, 514477, 514478, 514479    
Bug Blocks:    

Description Jan Lieskovsky 2009-07-21 10:14:22 UTC 
Common Vulnerabilities and Exposures assigned an identifier of CVE-2009-2537 to
the following vulnerability:

KDE Konqueror allows remote attackers to cause a denial of service
(memory consumption) via a large integer value for the length property
of a Select object, a related issue to CVE-2009-1692.

References:
-----------
http://www.securityfocus.com/archive/1/archive/1/504989/100/0/threaded
http://www.securityfocus.com/archive/1/archive/1/504988/100/0/threaded
http://www.securityfocus.com/archive/1/archive/1/504969/100/0/threaded
http://www.securityfocus.com/archive/1/archive/1/505006/100/0/threaded
http://www.milw0rm.com/exploits/9160
http://www.g-sec.lu/one-bug-to-rule-them-all.html

Credit: Thierry Zoller 
-------

Proof of Concept:
----------------
<script>
function poc(o) {
e = document.createElement("select");
e.length=2147483647;
}

function go() {
poc(0);
}
</script>

URL: 
----
http://www.crashthisthing.com/select.html

Upstream patch:
---------------
http://websvn.kde.org/?view=rev&revision=1001060
Comment 1 Jaroslav Reznik 2009-07-21 11:37:34 UTC 
I can confirm on KHTML 4.2.4, 3.5.4.
Comment 13 Fedora Update System 2009-07-26 08:29:33 UTC 
kdelibs-4.2.4-6.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/kdelibs-4.2.4-6.fc11
Comment 14 Fedora Update System 2009-07-26 08:31:08 UTC 
kdelibs-4.2.4-6.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/kdelibs-4.2.4-6.fc10
Comment 15 Fedora Update System 2009-07-26 08:35:14 UTC 
kdelibs3-3.5.10-13.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/kdelibs3-3.5.10-13.fc11
Comment 16 Fedora Update System 2009-07-26 08:45:17 UTC 
kdelibs3-3.5.10-13.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/kdelibs3-3.5.10-13.fc10
Comment 17 Kevin Kofler 2009-07-26 08:55:52 UTC 
My backported patch against KDE 3.5.10, may be useful for the RHEL update:
http://cvs.fedoraproject.org/viewvc/rpms/kdelibs3/devel/kdelibs-3.5.10-cve-2009-2537-select-length.patch?revision=1.1&view=markup

But be warned that the only testing I did was "it compiles".
Comment 18 Fedora Update System 2009-07-28 18:23:15 UTC 
kdelibs-4.2.4-6.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 19 Fedora Update System 2009-07-28 18:26:46 UTC 
kdelibs-4.2.4-6.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 20 Fedora Update System 2009-07-28 18:27:27 UTC 
kdelibs3-3.5.10-13.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 21 Fedora Update System 2009-07-28 18:28:03 UTC 
kdelibs3-3.5.10-13.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 24 Jan Lieskovsky 2009-08-06 14:30:34 UTC 
Official statement from Red Hat Security Response Team regarding this issue:
----------------------------------------------------------------------------

We do not consider a user-assisted crash of a client application such as
Konqueror to be a security issue.