Bug 513813 (CVE-2009-1725) - CVE-2009-1725 kdelibs KHTML, WebKit-gtk, qt-4.5.2: improper handling of numeric character references (ACE, DoS)
Summary: CVE-2009-1725 kdelibs KHTML, WebKit-gtk, qt-4.5.2: improper handling of numer...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2009-1725
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 514475 514476 514477 514478 514479
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-07-26 08:20 UTC by Kevin Kofler
Modified: 2019-09-29 12:31 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-06-05 08:00:42 UTC


Attachments (Terms of Use)

Description Kevin Kofler 2009-07-26 08:20:03 UTC
Common Vulnerabilities and Exposures assigned an identifier of CVE-2009-1725 to
the following vulnerability:

KDE Konqueror allows remote attackers to cause a denial of service and potentially execute arbitrary code via a buffer overflow due to improper handling of numeric character references. This issue was first discovered in WebKit and fixed in KHTML (trunk, 4.3 branch and 3.5 branch) a few hours ago:
http://websvn.kde.org/?view=rev&revision=1002162
http://websvn.kde.org/?view=rev&revision=1002163
http://websvn.kde.org/?view=rev&revision=1002164

I am already working on Fedora updates.

Comment 1 Fedora Update System 2009-07-26 08:29:09 UTC
kdelibs-4.2.4-6.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/kdelibs-4.2.4-6.fc11

Comment 2 Fedora Update System 2009-07-26 08:30:41 UTC
kdelibs-4.2.4-6.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/kdelibs-4.2.4-6.fc10

Comment 3 Fedora Update System 2009-07-26 08:34:56 UTC
kdelibs3-3.5.10-13.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/kdelibs3-3.5.10-13.fc11

Comment 4 Fedora Update System 2009-07-26 08:44:58 UTC
kdelibs3-3.5.10-13.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/kdelibs3-3.5.10-13.fc10

Comment 5 Vincent Danen 2009-07-27 20:28:57 UTC
webkit changeset: http://trac.webkit.org/changeset/44799

Comment 8 Kevin Kofler 2009-07-28 13:19:20 UTC
Direct link to run the testcase in Konqueror:
http://trac.webkit.org/export/46476/trunk/LayoutTests/fast/parser/eightdigithexentity.html

Comment 9 Fedora Update System 2009-07-28 18:22:50 UTC
kdelibs-4.2.4-6.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2009-07-28 18:26:20 UTC
kdelibs-4.2.4-6.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2009-07-28 18:27:06 UTC
kdelibs3-3.5.10-13.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2009-07-28 18:27:44 UTC
kdelibs3-3.5.10-13.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 16 Jaroslav Reznik 2009-08-05 13:25:33 UTC
Created attachment 356315 [details]
Proposed patch for review

Proposed patch attached to this bug, please review it.

What was wrong?
1. size of ushort QChar -> changed to unsigned int (same as in WebKit)
    0x00FFFFFF has been truncated to 0x0000FFFF
2. so there wasn't possible to check if entity is bigger than 0x0010FFFF

BTW: how to credit WebKit people in KHTML code as I used the code?

Comment 17 Jan Lieskovsky 2009-08-06 14:08:56 UTC
Official statement from Red Hat Security Response Team regarding this issue:
----------------------------------------------------------------------------

Not vulnerable. This issue did not affect the versions kdelibs package,
as shipped with Red Hat Enterprise Linux 3, 4, or 5.

Explanation:
------------
The relevant parseEntity() routine, responsible for processing HTML
entity content in KHTML, contains additional checks for the length
of provided numeric (decimal, hexadecimal) and name representation
of the HTML entity, which are preventing the occurrence of this flaw.

Comment 18 Jan Lieskovsky 2009-08-06 14:18:06 UTC
The exact code rows are:
-----------------------

    639         case Hexadecimal:
    640         {
    ...
    642             int ll = kMin<uint>(src.length(), 8);
    
    658         case Decimal:
    659         {
    ...
    661             int ll = kMin(src.length(), 9-cBufferPos);

    678         case EntityName:
    679         {
    680             int ll = kMin(src.length(), 9-cBufferPos);

    
    694         // be IE compatible and interpret even unterminated entities
    695         // outside tags. like "foo &nbspstuff bla".
    696           if ( tag == NoTag ) {
    697             const entity* e = kde_findEntity(cBuffer, cBufferPos);
    698               if ( e && e->code < 256 ) {
    699                         Entity = SearchSemicolon;
    700                         break;

The above lines ensure, the resulting buffer is always at most 9
characters long, so checkBuffer(10) is sufficient check. In case
longer entities are provided, they are handled as undefined HTML
entities and [] sign is used for displaying them:

     732        // ignore the sequence, add it to the buffer as plaintext
     ...
     742             Entity = NoEntity;
     743             EntityChar = QChar::null;

Note: It's possible to experience the crash by removing the above 
      "kMin" checks, rebuild kdelibs and provide HTML entity string
      longer than 10 characters.

Comment 19 Kevin Kofler 2009-08-06 15:28:48 UTC
OK, so the upstream commit which bumped the buffer size to 11 is nonsense?

jreznik says he has a fix to made the testcase pass, I guess that one should just be committed upstream (and possibly included in the Fedora KDE 4.3.0 update sets) as a regular bugfix, as it's just a minor rendering fix, not a security fix (as per the above analysis).

Comment 20 Jaroslav Reznik 2009-08-07 11:48:58 UTC
Yes, upstream commit is nonsense as there's different handling in WebKit. For rendering patch - it should be OK but upstream doesn't care about this issue as there's little possibility to find affected websites. Even Firefox is not handling it. The question is if we really want it in Fedora then.

Comment 21 Jan Lieskovsky 2009-08-18 10:05:05 UTC
This issue does NOT affect the version of WebKit-gtk package, as shipped
with Fedora 10 (WebKit-gtk-1.0.0-0.15.svn37790.fc10.*) and the version
of webkitgtk package, as shipped with Fedora 11 (webkitgtk-1.1.8-1.fc11.*).

This issue does NOT affect the version (qt4-4.2.1-1) of qt4 package,
as shipped with Red Hat Enterprise Linux 5.

This issue affects the versions of qt-4.5.2 package, as shipped with
Fedora 10 (qt-4.5.2-1.fc10.2.src.rpm) and Fedora 11
(qt-4.5.2-1.fc11.2.src.rpm).

Please fix.

Comment 22 Than Ngo 2009-08-18 10:29:30 UTC
it's fixed in qt-4.5.2-2. I will push it in F10/F11 update today

Comment 23 Kevin Kofler 2009-08-18 12:31:19 UTC
Reopening to track the QtWebKit version of the issue.

This is strange, I thought I checked Qt 4.5.2 and found this already fixed there. I must have either forgotten or not looked properly.

Comment 24 Fedora Update System 2009-08-18 13:47:23 UTC
qt-4.5.2-2.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/qt-4.5.2-2.fc11

Comment 25 Fedora Update System 2009-08-18 13:52:48 UTC
qt-4.5.2-2.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/qt-4.5.2-2.fc10

Comment 26 Fedora Update System 2009-08-20 21:00:20 UTC
qt-4.5.2-2.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 27 Fedora Update System 2009-08-20 21:01:03 UTC
qt-4.5.2-2.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 28 Kevin Kofler 2013-06-05 08:00:42 UTC
Looks like this got taken care of eons ago, closing.


Note You need to log in before you can comment on or make changes to this bug.