A pointer use-after-free flaw was found in the KDE's KSVG Scalable Vector Graphics (SVG) animation element implementation. A remote attacker could use this flaw to cause a denial of service (konqueror crash) or, potentially, execute arbitrary code, with the privileges of the user running "konqueror" web browser, if the victim was tricked to open a specially-crafted SVG image. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1709 http://support.apple.com/kb/HT3613 Upstream patch: http://trac.webkit.org/changeset/32039 Reproducer: http://trac.webkit.org/browser/trunk/LayoutTests/svg/W3C-SVG-1.1/animate-elem-63-t.svg?format=txt
This issue does NOT affect the version of the kdegraphics package, as shipped with Red Hat Enterprise Linux 3 and 4. This issue affects the versions of the kdegraphics package, as shipped with Red Hat Enterprise Linux 5.
Upstream bugzilla with more testcases: https://bugs.webkit.org/show_bug.cgi?id=18551
This issue has been addressed in following products: Red Hat Enterprise Linux 5 Via RHSA-2009:1130 https://rhn.redhat.com/errata/RHSA-2009-1130.html
This one appears NOT to affect the KDE 4 code in kdelibs/khtml/svg. The WebKit flaw got fixed in April 2008, the SVG code was imported from there to kdelibs (KHTML) in October 2008.
For QtWebKit, this apparently got fixed ages ago too. It's definitely fixed in Qt 4.5.2 which got pushed to Fedora updates recently. I didn't check earlier versions.