Bug 506469 - (CVE-2009-1698) CVE-2009-1698 kdelibs: KHTML CSS parser - incorrect handling CSS "style" attribute content (DoS, ACE)
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Assigned To: Red Hat Product Security
URL: http://trac.webkit.org/changeset/42081
Whiteboard: public=20090625,reported=20090610,sou...
Keywords: Security
Depends On: 505618 505619 505620 505621 505622 833918
Reported: 2009-06-17 09:08 EDT by Jan Lieskovsky
Modified: 2015-08-24 11:41 EDT
Doc Type: Bug Fix
Last Closed: 2015-08-24 11:41:53 EDT

Attachments
Untested patch against kdelibs 4.2.98 (1.79 KB, patch)
2009-07-25 22:21 EDT, Kevin Kofler

Description Jan Lieskovsky 2009-06-17 09:08:11 EDT
KDE's Cascading Style Sheets (CSS) parser incorrectly handled content forming the value of the CSS "style" attribute. A remote attacker could use this flaw to cause a denial of service (konqueror crash) or, potentially, execute arbitrary code with the privileges of the user running the "konqueror" web browser, if the victim visited a specially-crafted CSS-equipped HTML page.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1698
http://support.apple.com/kb/HT3613

Upstream WebKit patch:
http://trac.webkit.org/changeset/42081

Reproducer:
http://trac.webkit.org/browser/trunk/LayoutTests/fast/css/attr-parsing.html?rev=42081

Expected reproducer output:
http://trac.webkit.org/browser/trunk/LayoutTests/fast/css/attr-parsing-expected.txt?rev=42081
Comment 1 Jan Lieskovsky 2009-06-17 09:09:44 EDT
This issue affects the versions of kdelibs package, as shipped with Red
Hat Enterprise Linux 3, 4, and 5.
Comment 12 errata-xmlrpc 2009-06-25 12:36:00 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 3

Via RHSA-2009:1128 https://rhn.redhat.com/errata/RHSA-2009-1128.html
Comment 13 errata-xmlrpc 2009-06-25 12:42:11 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5

Via RHSA-2009:1127 https://rhn.redhat.com/errata/RHSA-2009-1127.html
Comment 14 Kevin Kofler 2009-07-25 18:48:13 EDT
This also affects kdelibs3 3.5.10 in Fedora. I was unable to verify whether kdelibs 4.2.4 is affected too because the code is significantly different.
Comment 15 Kevin Kofler 2009-07-25 19:14:52 EDT
(Note that if KDE 4 is still affected, then this is NOT fixed in KDE trunk. The WebKit patch and the KDE 3 patch are very different from each other, and in both cases the patched code is very different from the KDE 4 code.)
Comment 16 Kevin Kofler 2009-07-25 20:08:22 EDT
For QtWebKit, this is fixed in Qt 4.5.2 which got pushed to Fedora updates recently. I didn't check earlier versions.
Comment 17 Kevin Kofler 2009-07-25 21:11:48 EDT
The reproducer also reports FAILURE in KDE 4.2.4's Konqueror. Looks like this is still unfixed in KDE 4.
Comment 18 Kevin Kofler 2009-07-25 21:18:52 EDT
Looks like I can port the KDE 3 fix.
Comment 19 Kevin Kofler 2009-07-25 22:21:29 EDT
Created attachment 355171
Untested patch against kdelibs 4.2.98

Here's an untested patch against kdelibs 4.2.98.
Comment 20 Fedora Update System 2009-07-26 04:29:23 EDT
kdelibs-4.2.4-6.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/kdelibs-4.2.4-6.fc11
Comment 21 Fedora Update System 2009-07-26 04:30:57 EDT
kdelibs-4.2.4-6.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/kdelibs-4.2.4-6.fc10
Comment 22 Fedora Update System 2009-07-26 04:35:10 EDT
kdelibs3-3.5.10-13.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/kdelibs3-3.5.10-13.fc11
Comment 23 Fedora Update System 2009-07-26 04:45:13 EDT
kdelibs3-3.5.10-13.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/kdelibs3-3.5.10-13.fc10
Comment 24 Fedora Update System 2009-07-28 14:23:05 EDT
kdelibs-4.2.4-6.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 25 Fedora Update System 2009-07-28 14:26:36 EDT
kdelibs-4.2.4-6.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 26 Fedora Update System 2009-07-28 14:27:22 EDT
kdelibs3-3.5.10-13.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 27 Fedora Update System 2009-07-28 14:27:58 EDT
kdelibs3-3.5.10-13.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
