506469 – (CVE-2009-1698) CVE-2009-1698 kdelibs: KHTML CSS parser - incorrect handling CSS "style" attribute content (DoS, ACE)

Bug 506469 (CVE-2009-1698) - CVE-2009-1698 kdelibs: KHTML CSS parser - incorrect handling CSS "style" attribute content (DoS, ACE)

Summary: CVE-2009-1698 kdelibs: KHTML CSS parser - incorrect handling CSS "style" attr...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2009-1698
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:	http://trac.webkit.org/changeset/42081
Whiteboard:
Depends On:	505618 505619 505620 505621 505622 833918
Blocks:
TreeView+	depends on / blocked

Reported:	2009-06-17 13:08 UTC by Jan Lieskovsky
Modified:	2019-09-29 12:30 UTC (History)
CC List:	6 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2015-08-24 15:41:53 UTC
Embargoed:

Attachments	(Terms of Use)
Untested patch against kdelibs 4.2.98 (1.79 KB, patch) 2009-07-26 02:21 UTC, Kevin Kofler	no flags	Details \| Diff
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2009:1127	0	normal	SHIPPED_LIVE	Critical: kdelibs security update	2009-06-25 16:42:01 UTC
Red Hat Product Errata	RHSA-2009:1128	0	normal	SHIPPED_LIVE	Important: kdelibs security update	2009-06-25 16:35:56 UTC

Description Jan Lieskovsky 2009-06-17 13:08:11 UTC

KDE's Cascading Style Sheets (CSS) parser incorrectly handled content, forming the value of CSS "style" attribute. A remote attacker could use this flaw to cause a denial of service (konqueror crash). or, potentially execute arbitrary
code with the privileges of the user running "konqueror" web browser,
if the victim visited a specially-crafted CSS equipped HTML page.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1698
http://support.apple.com/kb/HT3613

Upstream WebKit patch:
http://trac.webkit.org/changeset/42081

Reproducer:
http://trac.webkit.org/browser/trunk/LayoutTests/fast/css/attr-parsing.html?rev=42081

Expected reproducer output:
http://trac.webkit.org/browser/trunk/LayoutTests/fast/css/attr-parsing-expected.txt?rev=42081

Comment 1 Jan Lieskovsky 2009-06-17 13:09:44 UTC

This issue affects the versions of kdelibs package, as shipped with Red
Hat Enterprise Linux 3, 4, and 5.

Comment 12 errata-xmlrpc 2009-06-25 16:36:00 UTC

This issue has been addressed in following products:

  Red Hat Enterprise Linux 3

Via RHSA-2009:1128 https://rhn.redhat.com/errata/RHSA-2009-1128.html

Comment 13 errata-xmlrpc 2009-06-25 16:42:11 UTC

This issue has been addressed in following products:

  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5

Via RHSA-2009:1127 https://rhn.redhat.com/errata/RHSA-2009-1127.html

Comment 14 Kevin Kofler 2009-07-25 22:48:13 UTC

This also affects kdelibs3 3.5.10 in Fedora. I was unable to verify whether kdelibs 4.2.4 is affected too because the code is significantly different.

Comment 15 Kevin Kofler 2009-07-25 23:14:52 UTC

(Note that if KDE 4 is still affected, then this is NOT fixed in KDE trunk. The WebKit patch and the KDE 3 patch are very different from each other, and in both cases the patched code is very different from the KDE 4 code.)

Comment 16 Kevin Kofler 2009-07-26 00:08:22 UTC

For QtWebKit, this is fixed in Qt 4.5.2 which got pushed to Fedora updates recently. I didn't check earlier versions.

Comment 17 Kevin Kofler 2009-07-26 01:11:48 UTC

The reproducer also reports FAILURE in KDE 4.2.4's Konqueror. Looks like this is still unfixed in KDE 4.

Comment 18 Kevin Kofler 2009-07-26 01:18:52 UTC

Looks like I can port the KDE 3 fix.

Comment 19 Kevin Kofler 2009-07-26 02:21:29 UTC

Created attachment 355171 [details]
Untested patch against kdelibs 4.2.98

Here's an untested patch against kdelibs 4.2.98.

Comment 20 Fedora Update System 2009-07-26 08:29:23 UTC

kdelibs-4.2.4-6.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/kdelibs-4.2.4-6.fc11

Comment 21 Fedora Update System 2009-07-26 08:30:57 UTC

kdelibs-4.2.4-6.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/kdelibs-4.2.4-6.fc10

Comment 22 Fedora Update System 2009-07-26 08:35:10 UTC

kdelibs3-3.5.10-13.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/kdelibs3-3.5.10-13.fc11

Comment 23 Fedora Update System 2009-07-26 08:45:13 UTC

kdelibs3-3.5.10-13.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/kdelibs3-3.5.10-13.fc10

Comment 24 Fedora Update System 2009-07-28 18:23:05 UTC

kdelibs-4.2.4-6.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 25 Fedora Update System 2009-07-28 18:26:36 UTC

kdelibs-4.2.4-6.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 26 Fedora Update System 2009-07-28 18:27:22 UTC

kdelibs3-3.5.10-13.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 27 Fedora Update System 2009-07-28 18:27:58 UTC

kdelibs3-3.5.10-13.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.