Common Vulnerabilities and Exposures assigned an identifier of CVE-2009-2537 to the following vulnerability: KDE Konqueror allows remote attackers to cause a denial of service (memory consumption) via a large integer value for the length property of a Select object, a related issue to CVE-2009-1692. References: ----------- http://www.securityfocus.com/archive/1/archive/1/504989/100/0/threaded http://www.securityfocus.com/archive/1/archive/1/504988/100/0/threaded http://www.securityfocus.com/archive/1/archive/1/504969/100/0/threaded http://www.securityfocus.com/archive/1/archive/1/505006/100/0/threaded http://www.milw0rm.com/exploits/9160 http://www.g-sec.lu/one-bug-to-rule-them-all.html Credit: Thierry Zoller ------- Proof of Concept: ---------------- <script> function poc(o) { e = document.createElement("select"); e.length=2147483647; } function go() { poc(0); } </script> URL: ---- http://www.crashthisthing.com/select.html Upstream patch: --------------- http://websvn.kde.org/?view=rev&revision=1001060
I can confirm on KHTML 4.2.4, 3.5.4.
kdelibs-4.2.4-6.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/kdelibs-4.2.4-6.fc11
kdelibs-4.2.4-6.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/kdelibs-4.2.4-6.fc10
kdelibs3-3.5.10-13.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/kdelibs3-3.5.10-13.fc11
kdelibs3-3.5.10-13.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/kdelibs3-3.5.10-13.fc10
My backported patch against KDE 3.5.10, may be useful for the RHEL update: http://cvs.fedoraproject.org/viewvc/rpms/kdelibs3/devel/kdelibs-3.5.10-cve-2009-2537-select-length.patch?revision=1.1&view=markup But be warned that the only testing I did was "it compiles".
kdelibs-4.2.4-6.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
kdelibs-4.2.4-6.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
kdelibs3-3.5.10-13.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
kdelibs3-3.5.10-13.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
Official statement from Red Hat Security Response Team regarding this issue: ---------------------------------------------------------------------------- We do not consider a user-assisted crash of a client application such as Konqueror to be a security issue.