Bug 513813 (CVE-2009-1725)
Summary: | CVE-2009-1725 kdelibs KHTML, WebKit-gtk, qt-4.5.2: improper handling of numeric character references (ACE, DoS) | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Kevin Kofler <kevin> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | unspecified | CC: | jlieskov, jreznik, kreilly, ltinkl, rdieter, than, vdanen |
Target Milestone: | --- | Keywords: | Reopened, Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2013-06-05 08:00:42 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 514475, 514476, 514477, 514478, 514479 | ||
Bug Blocks: |
Description
Kevin Kofler
2009-07-26 08:20:03 UTC
kdelibs-4.2.4-6.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/kdelibs-4.2.4-6.fc11 kdelibs-4.2.4-6.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/kdelibs-4.2.4-6.fc10 kdelibs3-3.5.10-13.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/kdelibs3-3.5.10-13.fc11 kdelibs3-3.5.10-13.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/kdelibs3-3.5.10-13.fc10 webkit changeset: http://trac.webkit.org/changeset/44799 PoC: ---- http://trac.webkit.org/browser/trunk/LayoutTests/fast/parser/eightdigithexentity.html?rev=44799&format=txt Expected PoC output: -------------------- http://trac.webkit.org/browser/trunk/LayoutTests/fast/parser/eightdigithexentity-expected.txt?rev=44799&format=txt Direct link to run the testcase in Konqueror: http://trac.webkit.org/export/46476/trunk/LayoutTests/fast/parser/eightdigithexentity.html kdelibs-4.2.4-6.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report. kdelibs-4.2.4-6.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report. kdelibs3-3.5.10-13.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report. kdelibs3-3.5.10-13.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report. Created attachment 356315 [details]
Proposed patch for review
Proposed patch attached to this bug, please review it.
What was wrong?
1. size of ushort QChar -> changed to unsigned int (same as in WebKit)
0x00FFFFFF has been truncated to 0x0000FFFF
2. so there wasn't possible to check if entity is bigger than 0x0010FFFF
BTW: how to credit WebKit people in KHTML code as I used the code?
Official statement from Red Hat Security Response Team regarding this issue: ---------------------------------------------------------------------------- Not vulnerable. This issue did not affect the versions kdelibs package, as shipped with Red Hat Enterprise Linux 3, 4, or 5. Explanation: ------------ The relevant parseEntity() routine, responsible for processing HTML entity content in KHTML, contains additional checks for the length of provided numeric (decimal, hexadecimal) and name representation of the HTML entity, which are preventing the occurrence of this flaw. The exact code rows are: ----------------------- 639 case Hexadecimal: 640 { ... 642 int ll = kMin<uint>(src.length(), 8); 658 case Decimal: 659 { ... 661 int ll = kMin(src.length(), 9-cBufferPos); 678 case EntityName: 679 { 680 int ll = kMin(src.length(), 9-cBufferPos); 694 // be IE compatible and interpret even unterminated entities 695 // outside tags. like "foo  stuff bla". 696 if ( tag == NoTag ) { 697 const entity* e = kde_findEntity(cBuffer, cBufferPos); 698 if ( e && e->code < 256 ) { 699 Entity = SearchSemicolon; 700 break; The above lines ensure, the resulting buffer is always at most 9 characters long, so checkBuffer(10) is sufficient check. In case longer entities are provided, they are handled as undefined HTML entities and [] sign is used for displaying them: 732 // ignore the sequence, add it to the buffer as plaintext ... 742 Entity = NoEntity; 743 EntityChar = QChar::null; Note: It's possible to experience the crash by removing the above "kMin" checks, rebuild kdelibs and provide HTML entity string longer than 10 characters. OK, so the upstream commit which bumped the buffer size to 11 is nonsense? jreznik says he has a fix to made the testcase pass, I guess that one should just be committed upstream (and possibly included in the Fedora KDE 4.3.0 update sets) as a regular bugfix, as it's just a minor rendering fix, not a security fix (as per the above analysis). Yes, upstream commit is nonsense as there's different handling in WebKit. For rendering patch - it should be OK but upstream doesn't care about this issue as there's little possibility to find affected websites. Even Firefox is not handling it. The question is if we really want it in Fedora then. This issue does NOT affect the version of WebKit-gtk package, as shipped with Fedora 10 (WebKit-gtk-1.0.0-0.15.svn37790.fc10.*) and the version of webkitgtk package, as shipped with Fedora 11 (webkitgtk-1.1.8-1.fc11.*). This issue does NOT affect the version (qt4-4.2.1-1) of qt4 package, as shipped with Red Hat Enterprise Linux 5. This issue affects the versions of qt-4.5.2 package, as shipped with Fedora 10 (qt-4.5.2-1.fc10.2.src.rpm) and Fedora 11 (qt-4.5.2-1.fc11.2.src.rpm). Please fix. it's fixed in qt-4.5.2-2. I will push it in F10/F11 update today Reopening to track the QtWebKit version of the issue. This is strange, I thought I checked Qt 4.5.2 and found this already fixed there. I must have either forgotten or not looked properly. qt-4.5.2-2.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/qt-4.5.2-2.fc11 qt-4.5.2-2.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/qt-4.5.2-2.fc10 qt-4.5.2-2.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report. qt-4.5.2-2.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report. Looks like this got taken care of eons ago, closing. |