FS#15706 - KHTML/WebKit Numeric Character References Memory Corruption

Attached to Project: Arch Linux
Opened by Roman Kyrylych (Romashka) - Tuesday, 28 July 2009, 08:12 GMT
Last edited by Andreas Radke (AndyRTR) - Tuesday, 13 October 2009, 12:27 GMT
Task Type Bug Report
Category Security
Status Closed
Assigned To Andreas Radke (AndyRTR)
Architecture All
Severity High
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:

http://secunia.com/advisories/35991/

A vulnerability has been reported in KDE, which can be exploited by malicious people to potentially compromise a user's system.
The vulnerability is caused due to an error in KHTML when processing numeric character references and can be exploited to corrupt memory.
Successful exploitation may allow execution of arbitrary code.

http://secunia.com/advisories/35758/

Two vulnerabilities have been reported in Apple Safari, which can be exploited by malicious people to conduct cross-site scripting attacks or potentially compromise a user's system.
1) An input validation error in the WebKit component when handling parent and top objects can be exploited to execute arbitrary HTML and script code in context of another site.
2) An error in the WebKit component when handling numeric character references can be exploited to corrupt memory via a specially crafted web page.


Additional information:

This has been fixed in KDE SVN already:
http://websvn.kde.org/?view=rev&revision=1002162
http://websvn.kde.org/?view=rev&revision=1002163
http://websvn.kde.org/?view=rev&revision=1002164

but I'm not sure if this is before or after RC3, so, Pierre, please check.

Most probably our versions of libwebkit and QtWebKit require patching.
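The advisories quoted above say only that a fault in numeric character reference handling corrupts memory; they do not describe the code. As an added illustration for this page (not the KHTML, Qt or WebKit fix linked from the report, whose contents are not reproduced here), the following C++ shows what a defensively written decoder for `&#NNN;` and `&#xHHH;` references looks like: saturating accumulation so a long run of digits cannot wrap into a small "valid" value, rejection of out-of-range and surrogate code points, and pass-through of malformed references as literal text. All names (`ncr::decode`, `parseNumericRef`, `sanitize`, `appendUtf8`) are invented for this example.

```cpp
// Added example: a bounds-checked decoder for HTML numeric character
// references ("&#65;" and "&#x4e2d;"). Illustrative code written for this
// page; it is not the KHTML/WebKit fix referenced in the bug report.
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <string>

namespace ncr {

constexpr uint32_t kMaxCodePoint = 0x10FFFF; // largest Unicode scalar value
constexpr uint32_t kReplacement  = 0xFFFD;   // emitted for unusable references

// Map code points that must not be emitted as-is to U+FFFD.
inline uint32_t sanitize(uint32_t cp) {
    if (cp == 0 || cp > kMaxCodePoint) return kReplacement;
    if (cp >= 0xD800 && cp <= 0xDFFF) return kReplacement; // UTF-16 surrogates
    return cp;
}

// Append cp as UTF-8. cp must already have passed sanitize().
inline void appendUtf8(std::string& out, uint32_t cp) {
    if (cp < 0x80) {
        out.push_back(static_cast<char>(cp));
    } else if (cp < 0x800) {
        out.push_back(static_cast<char>(0xC0 | (cp >> 6)));
        out.push_back(static_cast<char>(0x80 | (cp & 0x3F)));
    } else if (cp < 0x10000) {
        out.push_back(static_cast<char>(0xE0 | (cp >> 12)));
        out.push_back(static_cast<char>(0x80 | ((cp >> 6) & 0x3F)));
        out.push_back(static_cast<char>(0x80 | (cp & 0x3F)));
    } else {
        out.push_back(static_cast<char>(0xF0 | (cp >> 18)));
        out.push_back(static_cast<char>(0x80 | ((cp >> 12) & 0x3F)));
        out.push_back(static_cast<char>(0x80 | ((cp >> 6) & 0x3F)));
        out.push_back(static_cast<char>(0x80 | (cp & 0x3F)));
    }
}

// Parse a numeric character reference starting at in[pos] (must be '&').
// On success stores the decoded code point in cp, advances pos past the
// terminating ';' and returns true. On malformed input returns false and
// leaves pos untouched so the caller can copy the '&' through literally.
inline bool parseNumericRef(const std::string& in, size_t& pos, uint32_t& cp) {
    size_t i = pos;
    if (i + 2 >= in.size() || in[i] != '&' || in[i + 1] != '#') return false;
    i += 2;
    bool hex = false;
    if (in[i] == 'x' || in[i] == 'X') { hex = true; ++i; }
    const uint32_t base = hex ? 16 : 10;
    uint32_t value = 0;
    size_t digits = 0;
    bool overflow = false;
    for (; i < in.size(); ++i) {
        const char c = in[i];
        uint32_t d;
        if (c >= '0' && c <= '9')             d = static_cast<uint32_t>(c - '0');
        else if (hex && c >= 'a' && c <= 'f') d = 10 + static_cast<uint32_t>(c - 'a');
        else if (hex && c >= 'A' && c <= 'F') d = 10 + static_cast<uint32_t>(c - 'A');
        else break;
        ++digits;
        // Saturate instead of letting the accumulator wrap: value*base+d must
        // stay <= kMaxCodePoint, otherwise the reference is marked unusable.
        if (!overflow) {
            if (value > (kMaxCodePoint - d) / base) overflow = true;
            else value = value * base + d;
        }
    }
    if (digits == 0 || i >= in.size() || in[i] != ';') return false;
    cp = overflow ? kReplacement : sanitize(value);
    pos = i + 1;
    return true;
}

// Decode every numeric character reference in `in`; all other bytes and any
// malformed reference are passed through unchanged.
inline std::string decode(const std::string& in) {
    std::string out;
    out.reserve(in.size());
    size_t pos = 0;
    while (pos < in.size()) {
        uint32_t cp = 0;
        if (in[pos] == '&' && parseNumericRef(in, pos, cp)) appendUtf8(out, cp);
        else out.push_back(in[pos++]);
    }
    return out;
}

} // namespace ncr

int main() {
    // Constructed sample input: a valid reference, an oversized one, a surrogate.
    std::cout << ncr::decode("&#x4e2d;|&#99999999999999999999;|&#xD800;|&#12 ok") << "\n";
    return 0;
}
```

The point of the saturating check is that the accumulator can never exceed `kMaxCodePoint`, so every later stage (table lookups, UTF-8 encoding, buffer sizing) receives a value in a known range regardless of how many digits the input supplied.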

Closed by Andreas Radke (AndyRTR)
Tuesday, 13 October 2009, 12:27 GMT
Reason for closing: Fixed
Additional comments about closing: see comments
Comment by Pierre Schmitz (Pierre) - Tuesday, 28 July 2009, 09:01 GMT
Do you think we need to backport this to extra or can we wait until pacman 3.3 release? I'll fix Qt in kde-unstable; the bug in KHTML will be fixed when 4.3 is released.
Comment by Pierre Schmitz (Pierre) - Tuesday, 28 July 2009, 10:06 GMT
@Andrea: Do you think a rebuild of kdelibs3 is needed, too? I am not sure if there is any app using khtml3.
Comment by Roman Kyrylych (Romashka) - Tuesday, 28 July 2009, 11:04 GMT
> Do you think we need to backport this to extra or can we wait until pacman 3.3 release?
I don't have a strong opinion on either choice.
Pacman 3.3 looks to be released really soon (strings freeze, translation waiting period now),
I have no idea whether it's easy to backport the fix to Extra now if you have already moved the SVN trunk to split packages.
Comment by Pierre Schmitz (Pierre) - Tuesday, 28 July 2009, 17:01 GMT
It's doable; I can just update the repo dirs directly. The point is whether it's worth it, because I'd expect the move to testing/extra in some days anyway. Do you have more information about how dangerous this bug is? The link above does not provide any information at all.

So far qt-4.5.2-5 is fixed.
Comment by Roman Kyrylych (Romashka) - Tuesday, 28 July 2009, 18:23 GMT
No, I don't have more information. I just saw a newsitem about it on one Linux community site.
Comment by Pierre Schmitz (Pierre) - Wednesday, 29 July 2009, 17:07 GMT
OK, to be safe I have uploaded the following packages:
qt-4.5.2-4-x86_64.pkg.tar.gz
kdelibs-4.2.4-5-i686.pkg.tar.gz
kdelibs3-3.5.10-5-x86_64.pkg.tar.gz
kdelibs3-3.5.10-5-i686.pkg.tar.gz
kdelibs-4.2.4-5-x86_64.pkg.tar.gz
qt-4.5.2-4-i686.pkg.tar.gz

So, just kde-unstable is remaining. But we release the final 4.3 next week anyway, and it's called "unstable" for a reason. :-)
Comment by Roman Kyrylych (Romashka) - Wednesday, 29 July 2009, 18:26 GMT
So this can be considered Fixed I think.
Comment by Pierre Schmitz (Pierre) - Wednesday, 29 July 2009, 18:54 GMT
I have no idea about the GTK version.
Comment by Roman Kyrylych (Romashka) - Wednesday, 29 July 2009, 20:07 GMT
Ah, true, I forgot about that.
Comment by Andreas Radke (AndyRTR) - Wednesday, 29 July 2009, 21:03 GMT
Is there a simple upstream commit in the GTK tree I can add as a patch to the webkitgtk pkg 1.1.10? Anything from 1.1.11 on will require the new libsoup from the GNOME unstable series and is a no-go for us, as it breaks other stuff until GNOME 2.28 is out.

Is the GTK tree affected in the same way?
Comment by Roman Kyrylych (Romashka) - Wednesday, 29 July 2009, 21:39 GMT
@Andy: please see the links to KDE's websvn.
The fix is very trivial, so I think there are high chances that it will be the same for webkit-gtk.
Comment by Pierre Schmitz (Pierre) - Thursday, 06 August 2009, 02:13 GMT
KDE and Qt are fixed.
Comment by Andreas Radke (AndyRTR) - Tuesday, 13 October 2009, 12:26 GMT
I couldn't get any helpful answer from upstream devs. They only said the "K" part is something different and something about KHTML not being WebKit. If somebody is concerned that the GTK port is also affected, they asked to send it to their WebKit security list. I haven't seen any security announcement for existing Debian or Fedora packages. So I expect GTK to be safe.

Because I can't investigate this deeper, this bug will be closed now.
