Your message dated Sun, 09 Aug 2009 15:01:46 +0200
with message-id <4a7ec8ba.1080...@iuculano.it>
and subject line CVE-2009-1725: kde4libs and kdelibs are not affected
has caused the Debian Bug report #538349,
regarding CVE-2009-1725: WebKit in Apple Safari before 4.0.2 does not properly
handle numeric ...
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
538349: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=538349
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: kde4libs
Version: 4:4.2.96-1
Severity: grave
Tags: security patch
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for webkit.
CVE-2009-1725[0]:
| WebKit in Apple Safari before 4.0.2 does not properly handle numeric
| character references, which allows remote attackers to execute
| arbitrary code or cause a denial of service (memory corruption and
| application crash) via a crafted HTML document.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1725
http://security-tracker.debian.net/tracker/CVE-2009-1725
[1] http://scarybeastsecurity.blogspot.com/2009/07/iphone-and-safari-advisories.html
The patch:
--- kde4libs-4.2.96.old/khtml/html/htmltokenizer.cpp 2009-05-14
14:27:29.000000000 -0300
+++ kde4libs-4.2.96/khtml/html/htmltokenizer.cpp 2009-07-24
22:20:11.000000000 -0300
@@ -1038,7 +1038,7 @@
#ifdef TOKEN_DEBUG
kDebug( 6036 ) << "unknown entity!";
#endif
- checkBuffer(10);
+ checkBuffer(11);
// ignore the sequence, add it to the buffer as plaintext
*dest++ = '&';
for(unsigned int i = 0; i < cBufferPos; i++)
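Review bot: the hunk gives no derivation for why 10 is short by exactly one. The write it guards is `*dest++ = '&';` followed by one character per `cBufferPos`, so the reservation must be at least 1 plus the largest `cBufferPos` that can reach this path; the submission should state that maximum (and whether anything is written after the loop, which the hunk does not show) so a reviewer can confirm that 11 is the right figure rather than 10 or larger. Separately, the `---`/`+++` file header lines have been wrapped by the mailer onto two lines each, so the patch needs to be re-extracted from an unwrapped copy before it can be applied.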
--- End Message ---
--- Begin Message ---
Hi,
> 935 case Hexadecimal:
> 936 {
> 937 int uc = EntityChar.unicode();
> 938 int ll = qMin<uint>(src.length(), 8);
> 939 while(ll--) {
> 940 QChar csrc(src->toLower());
> 941 cc = csrc.cell();
> 942
> 943 if(csrc.row() || !((cc >= '0' && cc <= '9') || (cc >= 'a' && cc <= 'f'))) {
> 944 break;
> 945 }
> 946 uc = uc*16 + (cc - ( cc < 'a' ? '0' : 'a' - 10));
> 947 cBuffer[cBufferPos++] = cc;
> 948 ++src;
> 949 }
> 950 EntityChar = QChar(uc);
> 951 Entity = SearchSemicolon;
> 952 break;
> 953 }
> 954 case Decimal:
> 955 {
> 956 int uc = EntityChar.unicode();
> 957 int ll = qMin(src.length(), 9-cBufferPos);
> 958 while(ll--) {
> 959 cc = src->cell();
> 960
> 961 if(src->row() || !(cc >= '0' && cc <= '9')) {
> 962 Entity = SearchSemicolon;
> 963 break;
> 964 }
> 965
> 966 uc = uc * 10 + (cc - '0');
> 967 cBuffer[cBufferPos++] = cc;
> 968 ++src;
> 969 }
> 970 EntityChar = QChar(uc);
> 971 if(cBufferPos == 9) Entity = SearchSemicolon;
> 972 break;
> 973 }
> 974 case EntityName:
> 975 {
> 976 int ll = qMin(src.length(), 9-cBufferPos);
> 977 while(ll--) {
> 978 QChar csrc = *src;
> 979 cc = csrc.cell();
> 980
> 981 if(csrc.row() || !((cc >= 'a' && cc <= 'z') ||
> 982 (cc >= '0' && cc <= '9') || (cc >= 'A' && cc <= 'Z'))) {
> 983 Entity = SearchSemicolon;
> 984 break;
> 985 }
The above lines ensure that the resulting buffer is always at most 9
characters long, so checkBuffer(10) is a sufficient check.
https://bugzilla.redhat.com/show_bug.cgi?id=513813#c18
Cheers,
Giuseppe.
--- End Message ---
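As an added illustration (a stand-alone C++ model written for this page, not kdelibs/khtml code), the three loops quoted in the reply above are re-typed without Qt so that their length caps can be exercised directly against sample input. The characters that earlier tokenizer states place into cBuffer before these loops run are not shown in the quoted excerpt, so the model takes them as a `prefixLen` parameter; that parameter, and the names `Scan`, `scanHexadecimal`, `scanDecimal`, `scanEntityName`, `emitUnknownEntity` and `reservationCovers`, are assumptions of this example rather than identifiers from the project.

```cpp
// Added example, not kdelibs/khtml code: a model of the Hexadecimal, Decimal and
// EntityName loops quoted above. cBuffer/cBufferPos, EntityChar and the Entity
// state become a small struct; the TokenizerString cursor becomes a std::string
// plus an index. `prefixLen` stands in for whatever earlier states already put
// into cBuffer (assumption: the excerpt does not show those states).
#include <algorithm>
#include <cctype>
#include <cstddef>
#include <cstdio>
#include <string>

enum class Entity { Hexadecimal, Decimal, EntityName, SearchSemicolon };

struct Scan {
    std::string cBuffer;                       // consumed entity characters (cBuffer[0..cBufferPos))
    unsigned uc = 0;                           // accumulated code point (EntityChar.unicode())
    Entity state = Entity::SearchSemicolon;    // state the tokenizer is left in
    std::size_t consumed = 0;                  // how far the 'src' cursor advanced
};

// Hexadecimal: a flat cap of 8 digits per pass, independent of how full cBuffer
// already is; the state always moves on to SearchSemicolon afterwards.
static Scan scanHexadecimal(const std::string& src, std::size_t prefixLen) {
    Scan s;
    s.cBuffer.assign(prefixLen, '#');          // placeholder for the unseen prefix bytes
    std::size_t ll = std::min<std::size_t>(src.size(), 8);
    while (ll--) {
        char cc = static_cast<char>(std::tolower(static_cast<unsigned char>(src[s.consumed])));
        if (!((cc >= '0' && cc <= '9') || (cc >= 'a' && cc <= 'f'))) break;
        s.uc = s.uc * 16 + static_cast<unsigned>(cc - (cc < 'a' ? '0' : 'a' - 10));
        s.cBuffer.push_back(cc);
        ++s.consumed;
    }
    s.state = Entity::SearchSemicolon;
    return s;
}

// Decimal: the cap is 9 - cBufferPos, so cBuffer never grows past 9 characters
// here even if the state is re-entered when more input arrives.
static Scan scanDecimal(const std::string& src, std::size_t prefixLen) {
    Scan s;
    s.cBuffer.assign(std::min<std::size_t>(prefixLen, 9), '#');  // model assumes prefix < 9, as qMin(.., 9-cBufferPos) does
    s.state = Entity::Decimal;
    std::size_t ll = std::min(src.size(), 9 - s.cBuffer.size());
    while (ll--) {
        char cc = src[s.consumed];
        if (!(cc >= '0' && cc <= '9')) { s.state = Entity::SearchSemicolon; break; }
        s.uc = s.uc * 10 + static_cast<unsigned>(cc - '0');
        s.cBuffer.push_back(cc);
        ++s.consumed;
    }
    if (s.cBuffer.size() == 9) s.state = Entity::SearchSemicolon;
    return s;
}

// EntityName: same 9 - cBufferPos cap; the excerpt ends inside this loop, so
// only the cap and the character class are modelled.
static Scan scanEntityName(const std::string& src, std::size_t prefixLen) {
    Scan s;
    s.cBuffer.assign(std::min<std::size_t>(prefixLen, 9), 'a');
    s.state = Entity::EntityName;
    std::size_t ll = std::min(src.size(), 9 - s.cBuffer.size());
    while (ll--) {
        char cc = src[s.consumed];
        if (!((cc >= 'a' && cc <= 'z') || (cc >= '0' && cc <= '9') || (cc >= 'A' && cc <= 'Z'))) {
            s.state = Entity::SearchSemicolon;
            break;
        }
        s.cBuffer.push_back(cc);
        ++s.consumed;
    }
    return s;
}

// The unknown-entity path in the patched hunk writes '&' followed by the cBuffer
// contents, i.e. 1 + cBufferPos output slots. Returns the number of slots written.
static std::size_t emitUnknownEntity(const Scan& s, std::string& dest) {
    dest.push_back('&');
    dest.append(s.cBuffer);
    return 1 + s.cBuffer.size();
}

// True when a checkBuffer(reserved)-style reservation covers that write.
static bool reservationCovers(const Scan& s, std::size_t reserved) {
    return 1 + s.cBuffer.size() <= reserved;
}

int main() {
    std::string out;
    Scan d = scanDecimal("1234567890123", 1);   // constructed input: more digits than the cap allows
    std::printf("decimal: cBufferPos=%zu slots=%zu\n", d.cBuffer.size(), emitUnknownEntity(d, out));
    Scan h = scanHexadecimal("ffffffffff", 0);  // constructed input: more hex digits than the cap allows
    std::printf("hex: cBufferPos=%zu covered-by-10=%d\n", h.cBuffer.size(), reservationCovers(h, 10));
    return 0;
}
```

Two things the model makes visible: the Decimal and EntityName loops cap the total at 9 characters because they may be re-entered on the next input chunk, so their cap subtracts cBufferPos; the Hexadecimal loop always moves to SearchSemicolon and therefore runs once, with a flat cap of 8 digits on top of whatever is already in cBuffer. The reservation the unknown-entity path needs is 1 + cBufferPos, so verifying any checkBuffer value means knowing the largest cBufferPos the earlier states can hand to each loop, which the quoted excerpt does not show.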