Bug 506246 (CVE-2009-1709) - CVE-2009-1709 kdegraphics: KSVG Pointer use-after-free error in the SVG animation element (DoS, ACE)
Keywords:
Status: VERIFIED
Alias: CVE-2009-1709
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL: http://trac.webkit.org/changeset/32039
Whiteboard:
Depends On: 506300 506301 506302 506303 833915
Blocks:
Reported: 2009-06-16 11:12 UTC by Jan Lieskovsky
Modified: 2023-07-07 08:28 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:
Embargoed:


Links
System: Red Hat Product Errata
ID: RHSA-2009:1130
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: Critical: kdegraphics security update
Last Updated: 2009-06-25 16:19:13 UTC

Description Jan Lieskovsky 2009-06-16 11:12:19 UTC
A pointer use-after-free flaw was found in KDE's KSVG Scalable Vector Graphics (SVG) animation element implementation. A remote attacker could use this flaw to cause a denial of service (konqueror crash) or, potentially, execute arbitrary code with the privileges of the user running the "konqueror" web browser, if the victim was tricked into opening a specially-crafted SVG image.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1709
http://support.apple.com/kb/HT3613

Upstream patch:
http://trac.webkit.org/changeset/32039

Reproducer:
http://trac.webkit.org/browser/trunk/LayoutTests/svg/W3C-SVG-1.1/animate-elem-63-t.svg?format=txt

Comment 2 Jan Lieskovsky 2009-06-16 11:14:46 UTC
This issue does NOT affect the version of the kdegraphics package as shipped with Red Hat Enterprise Linux 3 and 4.

This issue affects the versions of the kdegraphics package as shipped with Red Hat Enterprise Linux 5.

Comment 6 Jan Lieskovsky 2009-06-16 11:44:49 UTC
Upstream bugzilla with more testcases:

https://bugs.webkit.org/show_bug.cgi?id=18551

Comment 11 errata-xmlrpc 2009-06-25 16:19:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2009:1130 https://rhn.redhat.com/errata/RHSA-2009-1130.html

Comment 12 Kevin Kofler 2009-07-25 23:26:53 UTC
This one appears NOT to affect the KDE 4 code in kdelibs/khtml/svg. The WebKit flaw got fixed in April 2008; the SVG code was imported from there to kdelibs (KHTML) in October 2008.

Comment 13 Kevin Kofler 2009-07-26 00:11:19 UTC
For QtWebKit, this apparently got fixed ages ago too. It's definitely fixed in Qt 4.5.2 which got pushed to Fedora updates recently. I didn't check earlier versions.
