Bug 506469 (CVE-2009-1698) - CVE-2009-1698 kdelibs: KHTML CSS parser - incorrect handling CSS "style" attribute content (DoS, ACE)
Summary: CVE-2009-1698 kdelibs: KHTML CSS parser - incorrect handling CSS "style" attr...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2009-1698
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://trac.webkit.org/changeset/42081
Whiteboard:
Depends On: 505618 505619 505620 505621 505622 833918
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-06-17 13:08 UTC by Jan Lieskovsky
Modified: 2019-09-29 12:30 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-08-24 15:41:53 UTC


Attachments (Terms of Use)
Untested patch against kdelibs 4.2.98 (1.79 KB, patch)
2009-07-26 02:21 UTC, Kevin Kofler
no flags Details | Diff


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2009:1127 normal SHIPPED_LIVE Critical: kdelibs security update 2009-06-25 16:42:01 UTC
Red Hat Product Errata RHSA-2009:1128 normal SHIPPED_LIVE Important: kdelibs security update 2009-06-25 16:35:56 UTC

Description Jan Lieskovsky 2009-06-17 13:08:11 UTC
KDE's Cascading Style Sheets (CSS) parser incorrectly handled content, forming the value of CSS "style" attribute. A remote attacker could use this flaw to cause a denial of service (konqueror crash). or, potentially execute arbitrary
code with the privileges of the user running "konqueror" web browser,
if the victim visited a specially-crafted CSS equipped HTML page.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1698
http://support.apple.com/kb/HT3613

Upstream WebKit patch:
http://trac.webkit.org/changeset/42081

Reproducer:
http://trac.webkit.org/browser/trunk/LayoutTests/fast/css/attr-parsing.html?rev=42081

Expected reproducer output:
http://trac.webkit.org/browser/trunk/LayoutTests/fast/css/attr-parsing-expected.txt?rev=42081

Comment 1 Jan Lieskovsky 2009-06-17 13:09:44 UTC
This issue affects the versions of kdelibs package, as shipped with Red
Hat Enterprise Linux 3, 4, and 5.

Comment 12 errata-xmlrpc 2009-06-25 16:36:00 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 3

Via RHSA-2009:1128 https://rhn.redhat.com/errata/RHSA-2009-1128.html

Comment 13 errata-xmlrpc 2009-06-25 16:42:11 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5

Via RHSA-2009:1127 https://rhn.redhat.com/errata/RHSA-2009-1127.html

Comment 14 Kevin Kofler 2009-07-25 22:48:13 UTC
This also affects kdelibs3 3.5.10 in Fedora. I was unable to verify whether kdelibs 4.2.4 is affected too because the code is significantly different.

Comment 15 Kevin Kofler 2009-07-25 23:14:52 UTC
(Note that if KDE 4 is still affected, then this is NOT fixed in KDE trunk. The WebKit patch and the KDE 3 patch are very different from each other, and in both cases the patched code is very different from the KDE 4 code.)

Comment 16 Kevin Kofler 2009-07-26 00:08:22 UTC
For QtWebKit, this is fixed in Qt 4.5.2 which got pushed to Fedora updates recently. I didn't check earlier versions.

Comment 17 Kevin Kofler 2009-07-26 01:11:48 UTC
The reproducer also reports FAILURE in KDE 4.2.4's Konqueror. Looks like this is still unfixed in KDE 4.

Comment 18 Kevin Kofler 2009-07-26 01:18:52 UTC
Looks like I can port the KDE 3 fix.

Comment 19 Kevin Kofler 2009-07-26 02:21:29 UTC
Created attachment 355171 [details]
Untested patch against kdelibs 4.2.98

Here's an untested patch against kdelibs 4.2.98.

Comment 20 Fedora Update System 2009-07-26 08:29:23 UTC
kdelibs-4.2.4-6.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/kdelibs-4.2.4-6.fc11

Comment 21 Fedora Update System 2009-07-26 08:30:57 UTC
kdelibs-4.2.4-6.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/kdelibs-4.2.4-6.fc10

Comment 22 Fedora Update System 2009-07-26 08:35:10 UTC
kdelibs3-3.5.10-13.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/kdelibs3-3.5.10-13.fc11

Comment 23 Fedora Update System 2009-07-26 08:45:13 UTC
kdelibs3-3.5.10-13.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/kdelibs3-3.5.10-13.fc10

Comment 24 Fedora Update System 2009-07-28 18:23:05 UTC
kdelibs-4.2.4-6.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 25 Fedora Update System 2009-07-28 18:26:36 UTC
kdelibs-4.2.4-6.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 26 Fedora Update System 2009-07-28 18:27:22 UTC
kdelibs3-3.5.10-13.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 27 Fedora Update System 2009-07-28 18:27:58 UTC
kdelibs3-3.5.10-13.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.