Bug 505571 (CVE-2009-1690) - CVE-2009-1690 kdelibs: KHTML Incorrect handling <head> element content once the <head> element was removed (DoS, ACE)
Summary: CVE-2009-1690 kdelibs: KHTML Incorrect handling <head> element content once t...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2009-1690
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
urgent
urgent
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://trac.webkit.org/changeset/42532
Whiteboard:
Depends On: 505619 505620 505621 505622 833918
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-06-12 13:45 UTC by Jan Lieskovsky
Modified: 2019-09-29 12:30 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-08-22 16:23:03 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2009:1127 0 normal SHIPPED_LIVE Critical: kdelibs security update 2009-06-25 16:42:01 UTC

Description Jan Lieskovsky 2009-06-12 13:45:56 UTC
KDE HTML parser incorrectly handled content, forming the HTML page 
<head> element. A remote attacker could use this flaw to cause a denial
of service (konqueror crash) or, potentially, execute arbitrary code, 
with the privileges of the user running "konqueror" web browser, if the
victim was tricked to open a specially-crafted HTML page.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1690
http://support.apple.com/kb/HT3613
http://secunia.com/advisories/35379/

Upstream patch:
http://trac.webkit.org/changeset/42532

Upstream PoC:
http://trac.webkit.org/browser/trunk/LayoutTests/fast/parser/head-content-after-head-removal.html?format=txt

Comment 6 Jan Lieskovsky 2009-06-18 10:24:36 UTC
Upstream KDE 4.2 patch:

http://websvn.kde.org/?view=rev&revision=983316

Comment 8 errata-xmlrpc 2009-06-25 16:42:05 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5

Via RHSA-2009:1127 https://rhn.redhat.com/errata/RHSA-2009-1127.html

Comment 9 Kevin Kofler 2009-07-25 22:46:58 UTC
This also affects kdelibs 4.2.4 and kdelibs3 3.5.10 in Fedora.

Comment 10 Kevin Kofler 2009-07-26 00:06:03 UTC
For QtWebKit, this is fixed in Qt 4.5.2 which got pushed to Fedora updates recently. I didn't check earlier versions.

Comment 11 Kevin Kofler 2009-07-26 01:25:37 UTC
This one is fixed in Rawhide's kdelibs 4.2.98.

Comment 12 Fedora Update System 2009-07-26 08:29:13 UTC
kdelibs-4.2.4-6.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/kdelibs-4.2.4-6.fc11

Comment 13 Fedora Update System 2009-07-26 08:30:46 UTC
kdelibs-4.2.4-6.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/kdelibs-4.2.4-6.fc10

Comment 14 Fedora Update System 2009-07-26 08:35:00 UTC
kdelibs3-3.5.10-13.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/kdelibs3-3.5.10-13.fc11

Comment 15 Fedora Update System 2009-07-26 08:45:02 UTC
kdelibs3-3.5.10-13.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/kdelibs3-3.5.10-13.fc10

Comment 16 Fedora Update System 2009-07-28 18:22:55 UTC
kdelibs-4.2.4-6.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 17 Fedora Update System 2009-07-28 18:26:25 UTC
kdelibs-4.2.4-6.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 18 Fedora Update System 2009-07-28 18:27:11 UTC
kdelibs3-3.5.10-13.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 19 Fedora Update System 2009-07-28 18:27:49 UTC
kdelibs3-3.5.10-13.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.