Bug 505571 - CVE-2009-1690 kdelibs: KHTML incorrect handling of <head> element content once the <head> element was removed (DoS, ACE)
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Severity: urgent
Assigned To: Red Hat Product Security
URL: http://trac.webkit.org/changeset/42532
Whiteboard: public=20090625,reported=20090610,sou...
Depends On: 505619 505620 505621 505622 833918
Reported: 2009-06-12 09:45 EDT by Jan Lieskovsky
Modified: 2015-08-22 12:23 EDT
Doc Type: Bug Fix
Last Closed: 2015-08-22 12:23:03 EDT
Attachments: None

Description Jan Lieskovsky 2009-06-12 09:45:56 EDT
The KDE HTML parser incorrectly handled the content forming an HTML page's
<head> element. A remote attacker could use this flaw to cause a denial
of service (konqueror crash) or, potentially, execute arbitrary code
with the privileges of the user running the "konqueror" web browser, if the
victim was tricked into opening a specially crafted HTML page.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1690
http://support.apple.com/kb/HT3613
http://secunia.com/advisories/35379/

Upstream patch:
http://trac.webkit.org/changeset/42532

Upstream PoC:
http://trac.webkit.org/browser/trunk/LayoutTests/fast/parser/head-content-after-head-removal.html?format=txt
Comment 6 Jan Lieskovsky 2009-06-18 06:24:36 EDT
Upstream KDE 4.2 patch:

http://websvn.kde.org/?view=rev&revision=983316
Comment 8 errata-xmlrpc 2009-06-25 12:42:05 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5

Via RHSA-2009:1127 https://rhn.redhat.com/errata/RHSA-2009-1127.html
Comment 9 Kevin Kofler 2009-07-25 18:46:58 EDT
This also affects kdelibs 4.2.4 and kdelibs3 3.5.10 in Fedora.
Comment 10 Kevin Kofler 2009-07-25 20:06:03 EDT
For QtWebKit, this is fixed in Qt 4.5.2 which got pushed to Fedora updates recently. I didn't check earlier versions.
Comment 11 Kevin Kofler 2009-07-25 21:25:37 EDT
This one is fixed in Rawhide's kdelibs 4.2.98.
Comment 12 Fedora Update System 2009-07-26 04:29:13 EDT
kdelibs-4.2.4-6.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/kdelibs-4.2.4-6.fc11
Comment 13 Fedora Update System 2009-07-26 04:30:46 EDT
kdelibs-4.2.4-6.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/kdelibs-4.2.4-6.fc10
Comment 14 Fedora Update System 2009-07-26 04:35:00 EDT
kdelibs3-3.5.10-13.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/kdelibs3-3.5.10-13.fc11
Comment 15 Fedora Update System 2009-07-26 04:45:02 EDT
kdelibs3-3.5.10-13.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/kdelibs3-3.5.10-13.fc10
Comment 16 Fedora Update System 2009-07-28 14:22:55 EDT
kdelibs-4.2.4-6.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 17 Fedora Update System 2009-07-28 14:26:25 EDT
kdelibs-4.2.4-6.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 18 Fedora Update System 2009-07-28 14:27:11 EDT
kdelibs3-3.5.10-13.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 19 Fedora Update System 2009-07-28 14:27:49 EDT
kdelibs3-3.5.10-13.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.