
Bug#409868: marked as done (CVE-2007-0537: does not properly parse HTML comments in TITLE tag)



Your message dated Wed, 07 Feb 2007 02:32:10 +0000
with message-id <E1HEcbS-0006Va-Gs@ries.debian.org>
and subject line Bug#409868: fixed in kdelibs 4:3.5.5a.dfsg.1-6
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: kdelibs
Version: 4:3.5.5a.dfsg.1-5
Severity: important
Tags: patch, security

Some TITLE-tag XSS attacks can work against Konqueror[1].  Upstream has 
patched this problem[2].

[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0537
[2] http://websvn.kde.org/?view=rev&rev=626791

Attached is the patch used in Ubuntu against version 4:3.5.5-0ubuntu3.

-- 
Kees Cook                                            @outflux.net
diff -Nur kdelibs-3.5.5/khtml/html/htmltokenizer.cpp kdelibs-3.5.5.new/khtml/html/htmltokenizer.cpp
--- kdelibs-3.5.5/khtml/html/htmltokenizer.cpp	2006-10-01 10:33:38.000000000 -0700
+++ kdelibs-3.5.5.new/khtml/html/htmltokenizer.cpp	2007-02-05 16:47:00.359410059 -0800
@@ -316,7 +316,7 @@
     while ( !src.isEmpty() ) {
         checkScriptBuffer();
         unsigned char ch = src->latin1();
-        if ( !scriptCodeResync && !brokenComments && !textarea && !xmp && !title && ch == '-' && scriptCodeSize >= 3 && !src.escaped() && QConstString( scriptCode+scriptCodeSize-3, 3 ).string() == "<!-" ) {
+        if ( !scriptCodeResync && !brokenComments && !textarea && !xmp && ch == '-' && scriptCodeSize >= 3 && !src.escaped() && QConstString( scriptCode+scriptCodeSize-3, 3 ).string() == "<!-" ) {
             comment = true;
             scriptCode[ scriptCodeSize++ ] = ch;
             ++src;
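Review bot: dropping `!title` from this condition switches `<!-` detection on inside <title> while `textarea` and `xmp` stay excluded, and nothing in the hunk records why title now gets the script/style treatment; a one-line comment on the condition naming the bug (CVE-2007-0537) would spare the next reader re-deriving it. Also note this is a raw-buffer check (`scriptCodeSize >= 3`, the previous three chars equal to `<!-`, current char `-`), so `comment = true` is set only when the fourth byte arrives and all four bytes remain in `scriptCode`; whatever consumes that buffer for title text must be prepared for the comment bytes to be in it.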
@@ -495,7 +495,7 @@
 
             if (canClose || handleBrokenComments || scriptEnd ){
                 ++src;
-                if ( !( script || xmp || textarea || style) ) {
+                if ( !( title || script || xmp || textarea || style) ) {
 #ifdef COMMENTS_IN_DOM
                     checkScriptBuffer();
                     scriptCode[ scriptCodeSize ] = 0;
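Review bot: adding `title` to this exclusion list is what keeps the first hunk coherent, since otherwise a comment closed inside <title> would take the COMMENTS_IN_DOM path and have its bytes handled as a comment rather than as title text; the lines after `scriptCode[ scriptCodeSize ] = 0;` are cut from the hunk, so the reviewer cannot see what happens to `scriptCodeSize` on the skipped path for title. A regression case with `<!-- ... -->` inside <title> in khtml's test data would exercise both hunks together and document the intended result.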

--- End Message ---
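Why a tokenizer rule like the one this patch flips matters, as an added illustration that is not from the bug report or from kdelibs: the Python script below is a toy model of just that rule (whether `<!--` seen inside <title> opens a comment in which a later `</title` is plain text), run on a constructed document to show that the two rules split the same byte stream differently and therefore leave different markup for the rest of the parser. The function names, the sample document and the simplifications (no broken-comment variants, no other special tags) are this example's own assumptions, not khtml's code.

```python
# Added illustration (not kdelibs/khtml code): a toy model of the single
# tokenizer rule changed by the CVE-2007-0537 patch, i.e. whether "<!--"
# seen inside <title> opens a comment in which "</title" does not count.
# Function names and the sample document are this example's own choices.

def scan_title(html, comments_in_title):
    """Scan like a raw-text tokenizer for the first <title> element.

    Returns (title_text, rest), where rest is the markup remaining after
    the closing tag.  With comments_in_title=False the element ends at the
    first "</title" (the pre-patch rule).  With comments_in_title=True a
    "<!--" opens a comment, "</title" inside it is plain text, and only
    "-->" ends the comment (the rule the patch enables); the comment bytes
    stay part of the title text, mirroring the second hunk keeping them in
    the buffer instead of emitting a comment node.
    """
    lower = html.lower()
    start = lower.find("<title")
    if start < 0:
        return None, html
    open_end = lower.find(">", start)
    if open_end < 0:
        return None, ""
    i = open_end + 1
    in_comment = False
    while i < len(html):
        if in_comment:
            if html.startswith("-->", i):
                in_comment = False
                i += 3
            else:
                i += 1
            continue
        if lower.startswith("</title", i):
            close_end = lower.find(">", i)
            rest = html[close_end + 1:] if close_end >= 0 else ""
            return html[open_end + 1:i], rest
        if comments_in_title and html.startswith("<!--", i):
            in_comment = True
            i += 4
            continue
        i += 1
    # Unterminated title: everything to end of input is title text.
    return html[open_end + 1:], ""


def compare_rules(html):
    """Run both rules on the same document and report whether they agree
    about what is left over for the markup parser."""
    old_title, old_rest = scan_title(html, comments_in_title=False)
    new_title, new_rest = scan_title(html, comments_in_title=True)
    return {
        "old_title": old_title,
        "old_rest": old_rest,
        "new_title": new_title,
        "new_rest": new_rest,
        "agree": old_rest == new_rest,
    }


# Constructed sample: a comment inside <title> that itself contains "</title>".
SAMPLE = ("<html><head><title>Report <!-- </title><b>markup</b> --></title>"
          "</head><body>ok</body></html>")

if __name__ == "__main__":
    for key, value in compare_rules(SAMPLE).items():
        print(f"{key}: {value!r}")
```

The model makes one point only: under the pre-patch rule the `<b>` inside the comment is handed to the markup parser, under the patched rule it stays inside the title text. A consumer that sanitizes on one rule while the browser renders on the other is exactly the kind of disagreement the bug title describes, and the patch moves Konqueror to the second rule.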
--- Begin Message ---
Source: kdelibs
Source-Version: 4:3.5.5a.dfsg.1-6

We believe that the bug you reported is fixed in the latest version of
kdelibs, which is due to be installed in the Debian FTP archive:

kdelibs-data_3.5.5a.dfsg.1-6_all.deb
  to pool/main/k/kdelibs/kdelibs-data_3.5.5a.dfsg.1-6_all.deb
kdelibs-dbg_3.5.5a.dfsg.1-6_i386.deb
  to pool/main/k/kdelibs/kdelibs-dbg_3.5.5a.dfsg.1-6_i386.deb
kdelibs4-dev_3.5.5a.dfsg.1-6_i386.deb
  to pool/main/k/kdelibs/kdelibs4-dev_3.5.5a.dfsg.1-6_i386.deb
kdelibs4-doc_3.5.5a.dfsg.1-6_all.deb
  to pool/main/k/kdelibs/kdelibs4-doc_3.5.5a.dfsg.1-6_all.deb
kdelibs4c2a_3.5.5a.dfsg.1-6_i386.deb
  to pool/main/k/kdelibs/kdelibs4c2a_3.5.5a.dfsg.1-6_i386.deb
kdelibs_3.5.5a.dfsg.1-6.diff.gz
  to pool/main/k/kdelibs/kdelibs_3.5.5a.dfsg.1-6.diff.gz
kdelibs_3.5.5a.dfsg.1-6.dsc
  to pool/main/k/kdelibs/kdelibs_3.5.5a.dfsg.1-6.dsc
kdelibs_3.5.5a.dfsg.1-6_all.deb
  to pool/main/k/kdelibs/kdelibs_3.5.5a.dfsg.1-6_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 409868@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org> (supplier of updated kdelibs package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed, 17 Jan 2007 09:55:20 -0500
Source: kdelibs
Binary: kdelibs4c2a kdelibs kdelibs4-doc kdelibs-dbg kdelibs-data kdelibs4-dev
Architecture: source i386 all
Version: 4:3.5.5a.dfsg.1-6
Distribution: unstable
Urgency: high
Maintainer: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Changed-By: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Description: 
 kdelibs    - core libraries from the official KDE release
 kdelibs-data - core shared data for all KDE applications
 kdelibs-dbg - debugging symbols for kdelibs
 kdelibs4-dev - development files for the KDE core libraries
 kdelibs4-doc - developer documentation for the KDE core libraries
 kdelibs4c2a - core libraries and binaries for all KDE applications
Closes: 407272 408413 409868
Changes: 
 kdelibs (4:3.5.5a.dfsg.1-6) unstable; urgency=high
 .
   +++ Changes by Ana Beatriz Guerrero Lopez:
 .
   * Add patch 45_konqueror-CVE-2007-0537.diff which fixes: Konqueror does not
     properly parse HTML comments, which allows remote attackers to conduct
     cross-site scripting (XSS) attacks. CVE-2007-0537. (Closes: #409868).
     Thanks to Kees Cook for reporting and pointing to the fix.
 .
   +++ Changes by Modestas Vainius:
 .
   * New patch (No. 25) from KDE bug #128564. Fixes khtml crash on loading
     some non existing pages when javascript is disabled (Closes: #408413).
     Probably fixes these KDE bugs too: #126812, #127137, #135117, #138449.
 .
   * Add libc6-dbg to kdelibs-dbg dependencies on amd64. It seems to be
     needed to get a useful backtrace from drkonqi on this arch.
 .
   +++ Changes by Josh Metzler:
 .
   * Add 44_sync_kwallet_changes to make kwallet write changes to disk
     immediately, avoiding losing passwords if kwallet doesn't shutdown
     cleanly.  (Closes: #407272)
Files: 
 dfd18bd4d9bfbabcf06bd513ea133de3 1617 libs optional kdelibs_3.5.5a.dfsg.1-6.dsc
 e068f1839d651639e6192451bb72cc71 592375 libs optional kdelibs_3.5.5a.dfsg.1-6.diff.gz
 5eefa15aa79179c70aa0ba68c2a2620f 33962 libs optional kdelibs_3.5.5a.dfsg.1-6_all.deb
 2fcca2a2fe773592a5a73af70ba52ff5 8456324 libs optional kdelibs-data_3.5.5a.dfsg.1-6_all.deb
 07e942d7fb9f4814d5e3f8763d5663dd 38881862 doc optional kdelibs4-doc_3.5.5a.dfsg.1-6_all.deb
 4770540f25b2d130cfc7ff18c9fbfcb4 9733762 libs optional kdelibs4c2a_3.5.5a.dfsg.1-6_i386.deb
 9f1752055a7048f1497e4d18c39e76e1 1338988 libdevel optional kdelibs4-dev_3.5.5a.dfsg.1-6_i386.deb
 ac0fd0f0d8440cb2fbc123b41cb0714b 26254740 libdevel extra kdelibs-dbg_3.5.5a.dfsg.1-6_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Signed by Ana Guerrero

iD8DBQFFySDen3j4POjENGERAtw4AJ9PWZc48vq8clRRXuUCxoeZWx2VDwCfSERn
Ogev4LCqkG3xdZS6ZFqTeIs=
=zc7x
-----END PGP SIGNATURE-----


--- End Message ---
