Bug 443766 (CVE-2008-1670) - CVE-2008-1670 kdelibs: Buffer overflow in KHTML's image loader
Summary: CVE-2008-1670 kdelibs: Buffer overflow in KHTML's image loader
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2008-1670
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 444398 444399
Blocks:
TreeView+ depends on / blocked
 
Reported: 2008-04-23 08:01 UTC by Tomas Hoger
Modified: 2019-09-29 12:24 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-07-25 10:16:15 UTC


Attachments (Terms of Use)
Upstream patch (739 bytes, patch)
2008-04-23 08:02 UTC, Tomas Hoger
no flags Details | Diff
PNG image from tapioca.sourceforge.net that crashes konqueror (386 bytes, image/png)
2008-04-23 11:49 UTC, Josh Bressers
no flags Details


Links
System ID Priority Status Summary Last Updated
KDE Software Compilation 156623 None None None Never

Description Tomas Hoger 2008-04-23 08:01:35 UTC
Upcoming KDE security advisory:

Systems affected:
	KHTML, as shipped with KDE 4.0 or newer. KDE 3.x is not affected.

Overview:
	The new progressive PNG Image loader in KHTML of KDE 4.0 and newer
	can be tricked into overrunning a heap allocated memory buffer
	by loading a specially encoded image.

Impact:
	A remote site can cause a denial of service and possibly execute
	arbitrary code in the context of the user.

Comment 1 Tomas Hoger 2008-04-23 08:02:16 UTC
Created attachment 303447 [details]
Upstream patch

Comment 2 Tomas Hoger 2008-04-23 08:06:15 UTC
This issue did not affect versions of kdelibs as shipped with Red Hat Enterprise
Linux 2.1, 3, 4, or 5.

Affected versions of KDE are currently only shipped in Fedora 9/rawhide.

Comment 3 Josh Bressers 2008-04-23 11:49:35 UTC
Created attachment 303483 [details]
PNG image from tapioca.sourceforge.net that crashes konqueror

Comment 4 Tomas Hoger 2008-04-23 11:51:24 UTC
Upstream bug report: http://bugs.kde.org/show_bug.cgi?id=156623

Comment 5 Lukáš Tinkl 2008-04-23 14:00:07 UTC
The fix is present in CVS (both devel and F-9), kdelibs-4.0.3-7

Comment 7 Tomas Hoger 2008-04-28 07:37:20 UTC
Public now, lifting embargo:

http://www.kde.org/info/security/advisory-20080426-1.txt

Comment 9 Tomas Hoger 2008-04-28 07:53:47 UTC
As mentioned in comment #5, this was already fixed in F9 and rawhide.  It's
probably worth requesting freeze break for kdelibs-4.0.3-7.fc9.

There are kdelibs4 packages in F7 and F8, that should be affected as well, even
though I'm not sure if there's any application in F7 and F8 that may be using
vulnerable code at the moment.

Comment 10 Kevin Kofler 2008-04-28 16:01:08 UTC
kdelibs-4.0.3-7.fc9 tagged f9-final.

Comment 11 Fedora Update System 2008-04-29 20:57:29 UTC
kdelibs4-4.0.3-7.fc7, qt4-4.3.4-11.fc7, kdebase-runtime-4.0.3-10.fc7.1, kde-filesystem-4-14.fc7, kdebase4-4.0.3-9.fc7, kdepimlibs-4.0.3-3.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2008-04-29 21:00:07 UTC
kde-filesystem-4-14.fc8, kdebase4-4.0.3-9.fc8, kdebase-runtime-4.0.3-10.fc8.1, kdepimlibs-4.0.3-3.fc8, kdelibs4-4.0.3-7.fc8, qt4-4.3.4-11.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 13 Red Hat Product Security 2008-07-25 10:16:15 UTC
This issue was addressed in:

Fedora:
  https://admin.fedoraproject.org/updates/F8/FEDORA-2008-3412




Note You need to log in before you can comment on or make changes to this bug.