Bug#409868: marked as done (CVE-2007-0537: does not properly parse HTML comments in TITLE tag)
Your message dated Wed, 07 Feb 2007 02:32:10 +0000
with message-id <E1HEcbS-0006Va-Gs@ries.debian.org>
and subject line Bug#409868: fixed in kdelibs 4:3.5.5a.dfsg.1-6
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Package: kdelibs
Version: 4:3.5.5a.dfsg.1-5
Severity: important
Tags: patch, security
Some TITLE-tag XSS attacks can work against Konqueror[1]. Upstream has
patched this problem[2].
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0537
[2] http://websvn.kde.org/?view=rev&rev=626791
Attached is the patch used in Ubuntu against version 4:3.5.5-0ubuntu3.
--
Kees Cook @outflux.net
diff -Nur kdelibs-3.5.5/khtml/html/htmltokenizer.cpp kdelibs-3.5.5.new/khtml/html/htmltokenizer.cpp
--- kdelibs-3.5.5/khtml/html/htmltokenizer.cpp 2006-10-01 10:33:38.000000000 -0700
+++ kdelibs-3.5.5.new/khtml/html/htmltokenizer.cpp 2007-02-05 16:47:00.359410059 -0800
@@ -316,7 +316,7 @@
while ( !src.isEmpty() ) {
checkScriptBuffer();
unsigned char ch = src->latin1();
- if ( !scriptCodeResync && !brokenComments && !textarea && !xmp && !title && ch == '-' && scriptCodeSize >= 3 && !src.escaped() && QConstString( scriptCode+scriptCodeSize-3, 3 ).string() == "<!-" ) {
+ if ( !scriptCodeResync && !brokenComments && !textarea && !xmp && ch == '-' && scriptCodeSize >= 3 && !src.escaped() && QConstString( scriptCode+scriptCodeSize-3, 3 ).string() == "<!-" ) {
comment = true;
scriptCode[ scriptCodeSize++ ] = ch;
++src;
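Review bot: dropping `!title` from this guard means a `<!-` sequence seen while inside a TITLE element now switches the tokenizer into comment mode, the same way SCRIPT, XMP and TEXTAREA content is already treated; on its own that would let the comment text reach the comment-emitting path, so this hunk is only correct together with the second hunk and the two should land as one change. The condition is also long enough that a one-line comment above the `if` saying why TITLE is no longer excluded would stop a later reader from re-adding the exclusion.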
@@ -495,7 +495,7 @@
if (canClose || handleBrokenComments || scriptEnd ){
++src;
- if ( !( script || xmp || textarea || style) ) {
+ if ( !( title || script || xmp || textarea || style) ) {
#ifdef COMMENTS_IN_DOM
checkScriptBuffer();
scriptCode[ scriptCodeSize ] = 0;
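Review bot: adding `title` here keeps the tokenizer from building a comment node for a comment that was opened inside a TITLE element, consistent with how SCRIPT, XMP, TEXTAREA and STYLE are listed; the hunk stops short of the `#else` side of `COMMENTS_IN_DOM` and the code after it, so please check whether those paths also consult the `title` flag and need the same treatment. A regression test with a TITLE element whose text contains an HTML comment, asserting that the comment and the tags after it do not turn into markup, would guard against reintroducing the bug.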
--- End Message ---
--- Begin Message ---
Source: kdelibs
Source-Version: 4:3.5.5a.dfsg.1-6
We believe that the bug you reported is fixed in the latest version of
kdelibs, which is due to be installed in the Debian FTP archive:
kdelibs-data_3.5.5a.dfsg.1-6_all.deb
to pool/main/k/kdelibs/kdelibs-data_3.5.5a.dfsg.1-6_all.deb
kdelibs-dbg_3.5.5a.dfsg.1-6_i386.deb
to pool/main/k/kdelibs/kdelibs-dbg_3.5.5a.dfsg.1-6_i386.deb
kdelibs4-dev_3.5.5a.dfsg.1-6_i386.deb
to pool/main/k/kdelibs/kdelibs4-dev_3.5.5a.dfsg.1-6_i386.deb
kdelibs4-doc_3.5.5a.dfsg.1-6_all.deb
to pool/main/k/kdelibs/kdelibs4-doc_3.5.5a.dfsg.1-6_all.deb
kdelibs4c2a_3.5.5a.dfsg.1-6_i386.deb
to pool/main/k/kdelibs/kdelibs4c2a_3.5.5a.dfsg.1-6_i386.deb
kdelibs_3.5.5a.dfsg.1-6.diff.gz
to pool/main/k/kdelibs/kdelibs_3.5.5a.dfsg.1-6.diff.gz
kdelibs_3.5.5a.dfsg.1-6.dsc
to pool/main/k/kdelibs/kdelibs_3.5.5a.dfsg.1-6.dsc
kdelibs_3.5.5a.dfsg.1-6_all.deb
to pool/main/k/kdelibs/kdelibs_3.5.5a.dfsg.1-6_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 409868@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org> (supplier of updated kdelibs package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.7
Date: Wed, 17 Jan 2007 09:55:20 -0500
Source: kdelibs
Binary: kdelibs4c2a kdelibs kdelibs4-doc kdelibs-dbg kdelibs-data kdelibs4-dev
Architecture: source i386 all
Version: 4:3.5.5a.dfsg.1-6
Distribution: unstable
Urgency: high
Maintainer: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Changed-By: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Description:
kdelibs - core libraries from the official KDE release
kdelibs-data - core shared data for all KDE applications
kdelibs-dbg - debugging symbols for kdelibs
kdelibs4-dev - development files for the KDE core libraries
kdelibs4-doc - developer documentation for the KDE core libraries
kdelibs4c2a - core libraries and binaries for all KDE applications
Closes: 407272 408413 409868
Changes:
kdelibs (4:3.5.5a.dfsg.1-6) unstable; urgency=high
.
+++ Changes by Ana Beatriz Guerrero Lopez:
.
* Add patch 45_konqueror-CVE-2007-0537.diff which fixes: Konqueror does not
properly parse HTML comments, which allows remote attackers to conduct
cross-site scripting (XSS) attacks. CVE-2007-0537. (Closes: #409868).
Thanks to Kees Cook for reporting and pointing to the fix.
.
+++ Changes by Modestas Vainius:
.
* New patch (No. 25) from KDE bug #128564. Fixes khtml crash on loading
some non-existing pages when javascript is disabled (Closes: #408413).
Probably fixes these KDE bugs too: #126812, #127137, #135117, #138449.
.
* Add libc6-dbg to kdelibs-dbg dependencies on amd64. It seems to be
needed to get a useful backtrace from drkonqi on this arch.
.
+++ Changes by Josh Metzler:
.
* Add 44_sync_kwallet_changes to make kwallet write changes to disk
immediately, avoiding losing passwords if kwallet doesn't shut down
cleanly. (Closes: #407272)
Files:
--- End Message ---