Bug 506246 - (CVE-2009-1709) CVE-2009-1709 kdegraphics: KSVG Pointer use-after-free error in the SVG animation element (DoS, ACE)
Status: VERIFIED
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: urgent
Severity: urgent
Assigned To: Red Hat Product Security
URL: http://trac.webkit.org/changeset/32039
Whiteboard: public=20090625,reported=20090610,sou...
Keywords: Security
Depends On: 506300 506301 506302 506303 833915
Reported: 2009-06-16 07:12 EDT by Jan Lieskovsky
Modified: 2016-03-04 05:43 EST (History)
Description Jan Lieskovsky 2009-06-16 07:12:19 EDT
A pointer use-after-free flaw was found in KDE's KSVG Scalable Vector Graphics (SVG) animation element implementation. A remote attacker
could use this flaw to cause a denial of service (konqueror crash) or,
potentially, execute arbitrary code with the privileges of the user
running the konqueror web browser, if the victim was tricked into opening
a specially crafted SVG image.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1709
http://support.apple.com/kb/HT3613

Upstream patch: 
http://trac.webkit.org/changeset/32039

Reproducer:
http://trac.webkit.org/browser/trunk/LayoutTests/svg/W3C-SVG-1.1/animate-elem-63-t.svg?format=txt
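The description above names the bug class (a stale pointer held by an SVG animation element) but not the specific KSVG code path, and this bug report does not describe the upstream fix. The C program below is an illustration added here; it is not code from KSVG, WebKit, or this bug, and every type and function name in it is made up for the example. It models the dangerous shape: an animation element remembers a raw pointer to the node it animates while the document owns that node's lifetime, so once the document destroys the target, the allocator recycles the memory and the next timer tick writes through the stale pointer into whatever object now occupies it. The hardened variant holds its own reference for as long as the animation is scheduled; that is a generic remedy for the bug class and is not claimed to be how changeset 32039 fixed it. A four-slot slab stands in for the real heap so the aliasing is deterministic.

```c
/* Toy model of a use-after-free between an SVG animation element and its
 * target node. Illustration only; not KSVG or WebKit code. */
#include <stdio.h>
#include <string.h>

#define SLAB_SLOTS 4

typedef struct Node {
    int    refcount;   /* 0 means the slot is free and may be reused */
    double opacity;    /* the property the animation writes on each tick */
} Node;

/* Tiny first-fit slab allocator. Reusing freed slots immediately is what
 * lets a stale pointer alias a fresh, unrelated object, exactly as a real
 * heap would do for same-sized allocations. */
static Node slab[SLAB_SLOTS];

static Node *node_create(void) {
    for (int i = 0; i < SLAB_SLOTS; i++) {
        if (slab[i].refcount == 0) {
            slab[i].refcount = 1;
            slab[i].opacity  = 1.0;
            return &slab[i];
        }
    }
    return NULL;
}

static void node_ref(Node *n) { n->refcount++; }

static void node_deref(Node *n) {
    if (--n->refcount == 0) {
        n->opacity = -1.0;   /* destroyed: poison the payload like a debug heap */
    }
}

/* Vulnerable shape: only a raw pointer to the target is remembered. */
typedef struct { Node *target; double to; } AnimRaw;

static void anim_raw_begin(AnimRaw *a, Node *target, double to) {
    a->target = target;
    a->to = to;
}
static void anim_raw_tick(AnimRaw *a) { a->target->opacity = a->to; }

/* Hardened shape: the animation owns a reference while it is scheduled,
 * so the document cannot destroy the target underneath it. */
typedef struct { Node *target; double to; } AnimRef;

static void anim_ref_begin(AnimRef *a, Node *target, double to) {
    node_ref(target);
    a->target = target;
    a->to = to;
}
static void anim_ref_tick(AnimRef *a) { a->target->opacity = a->to; }
static void anim_ref_end(AnimRef *a) {
    node_deref(a->target);
    a->target = NULL;
}

/* Scenario: the document creates a <rect>, an animation starts on it, the
 * <rect> is removed (document drops its reference) before the next timer
 * tick, and an unrelated node is allocated in between. Returns the opacity
 * of that unrelated node after the tick. */
double scenario_raw_pointer(void) {
    memset(slab, 0, sizeof slab);
    Node *rect = node_create();
    AnimRaw a;
    anim_raw_begin(&a, rect, 0.25);
    node_deref(rect);              /* <rect> destroyed; slot becomes free */
    Node *other = node_create();   /* unrelated node lands in the same slot */
    anim_raw_tick(&a);             /* stale pointer writes into 'other' */
    return other->opacity;         /* 0.25: corrupted by the dead animation */
}

double scenario_owned_reference(void) {
    memset(slab, 0, sizeof slab);
    Node *rect = node_create();
    AnimRef a;
    anim_ref_begin(&a, rect, 0.25);
    node_deref(rect);              /* document's ref gone; animation's keeps it alive */
    Node *other = node_create();   /* must take a different slot */
    anim_ref_tick(&a);             /* writes only the still-live <rect> */
    double observed = other->opacity;   /* 1.0: untouched */
    anim_ref_end(&a);              /* now the <rect> is really destroyed */
    return observed;
}

int main(void) {
    printf("raw pointer:      unrelated node opacity = %.2f\n", scenario_raw_pointer());
    printf("owned reference:  unrelated node opacity = %.2f\n", scenario_owned_reference());
    return 0;
}
```

In the raw-pointer run the unrelated node ends up with the animation's value, which is the same effect an attacker-shaped heap would turn into a controlled write; in the owned-reference run the target simply outlives the document's view of it until the animation ends. A real fix can equally well clear the animation's pointer when the target is detached; either way the invariant is that no scheduled animation holds a pointer the document can free.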
Comment 2 Jan Lieskovsky 2009-06-16 07:14:46 EDT
This issue does NOT affect the version of the kdegraphics package, as shipped
with Red Hat Enterprise Linux 3 and 4.

This issue affects the versions of the kdegraphics package, as shipped
with Red Hat Enterprise Linux 5.
Comment 6 Jan Lieskovsky 2009-06-16 07:44:49 EDT
Upstream bugzilla with more testcases:

https://bugs.webkit.org/show_bug.cgi?id=18551
Comment 11 errata-xmlrpc 2009-06-25 12:19:16 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2009:1130 https://rhn.redhat.com/errata/RHSA-2009-1130.html
Comment 12 Kevin Kofler 2009-07-25 19:26:53 EDT
This one appears NOT to affect the KDE 4 code in kdelibs/khtml/svg. The WebKit flaw got fixed in April 2008; the SVG code was imported from there to kdelibs (KHTML) in October 2008.
Comment 13 Kevin Kofler 2009-07-25 20:11:19 EDT
For QtWebKit, this apparently got fixed ages ago too. It's definitely fixed in Qt 4.5.2 which got pushed to Fedora updates recently. I didn't check earlier versions.