Bug#378962: konqueror: CVE-2006-3672: remote denial of service (crash)
Package: konqueror
Version: 4:3.5.3-2
Severity: serious
Tags: security
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
CVE-2006-3672: "KDE Konqueror 3.5.1 and earlier allows remote attackers
to cause a denial of service (application crash) by calling the
replaceChild method on a DOM object, which triggers a null dereference,
as demonstrated by calling document.replaceChild with a 0 (zero)
argument."
I have reproduced this with 4:3.5.3-2 using [1]. A backtrace is
attached.
I have not yet confirmed if this issue affects sarge.
Please mention the CVE in your changelog.
Thanks,
Alec
[1] http://metasploit.com/users/hdm/tools/browserfun/mobb_014.html
-- System Information:
Debian Release: testing/unstable
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Shell: /bin/sh linked to /bin/dash
Kernel: Linux 2.6.17-1-amd64-k8-smp
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Versions of packages konqueror depends on:
ii kcontrol 4:3.5.3-2 control center for KDE
ii kdebase-kio-plugins 4:3.5.3-2 core I/O slaves for KDE
ii kdelibs4c2a 4:3.5.3-1 core libraries and binaries for al
ii kdesktop 4:3.5.3-2 miscellaneous binaries and files f
ii kfind 4:3.5.3-2 file-find utility for KDE
ii libacl1 2.2.39-1 Access control list shared library
ii libart-2.0-2 2.3.17-1 Library of functions for 2D graphi
ii libattr1 2.4.32-1 Extended attribute shared library
ii libaudio2 1.8-1 The Network Audio System (NAS). (s
ii libc6 2.3.6-15 GNU C Library: Shared libraries
ii libfam0 2.7.0-10 Client library to control the FAM
ii libfontconfig1 2.3.2-7 generic font configuration library
ii libfreetype6 2.2.1-2 FreeType 2 font engine, shared lib
ii libgcc1 1:4.1.1-9 GCC support library
ii libice6 1:1.0.0-3 X11 Inter-Client Exchange library
ii libidn11 0.6.5-1 GNU libidn library, implementation
ii libjpeg62 6b-13 The Independent JPEG Group's JPEG
ii libkonq4 4:3.5.3-2 core libraries for Konqueror
ii libpng12-0 1.2.8rel-5.2 PNG library - runtime
ii libqt3-mt 3:3.3.6-2 Qt GUI Library (Threaded runtime v
ii libsm6 1:1.0.0-4 X11 Session Management library
ii libstdc++6 4.1.1-9 The GNU Standard C++ Library v3
ii libx11-6 2:1.0.0-7 X11 client-side library
ii libxcursor1 1.1.5.2-5 X cursor management library
ii libxext6 1:1.0.0-4 X11 miscellaneous extension librar
ii libxft2 2.1.8.2-8 FreeType-based font drawing librar
ii libxi6 1:1.0.0-5 X11 Input extension library
ii libxinerama1 1:1.0.1-4 X11 Xinerama extension library
ii libxrandr2 2:1.1.0.2-4 X11 RandR extension library
ii libxrender1 1:0.9.0.2-4 X Rendering Extension client libra
ii libxt6 1:1.0.0-5 X11 toolkit intrinsics library
ii zlib1g 1:1.2.3-13 compression library - runtime
konqueror recommends no packages.
-- no debconf information
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)
iD8DBQFEvvC8Aud/2YgchcQRAo/2AKChFs6+E6k4GV9JMwPiHPv3DyxySQCeM+zY
EZadE1TP020YZSiSut77Q34=
=NET8
-----END PGP SIGNATURE-----
Using host libthread_db library "/lib/libthread_db.so.1".
[Thread debugging using libthread_db enabled]
[New Thread 47085047916336 (LWP 22488)]
[KCrash handler]
#5 0x00002ad2d906d9ef in DOM::Node::replaceChild (
this=<value optimized out>, newChild=@0x7fffd7e9aa40,
oldChild=<value optimized out>)
at /tmp/buildd/kdelibs-3.5.3/./khtml/dom/dom_node.cpp:276
#6 0x00002ad2d9045517 in KJS::DOMNodeProtoFunc::tryCall (
this=<value optimized out>, exec=0x7fffd7e9b520,
thisObj=<value optimized out>, args=<value optimized out>)
at /tmp/buildd/kdelibs-3.5.3/./khtml/ecma/kjs_dom.cpp:518
#7 0x00002ad2d9011894 in KJS::DOMFunction::call (this=0x0, exec=0x0,
thisObj=@0x7fffd7e9a85c, args=@0x7fffd7e9b100)
at /tmp/buildd/kdelibs-3.5.3/./khtml/ecma/kjs_binding.cpp:114
#8 0x00002ad2d92b5f27 in KJS::Object::call (this=<value optimized out>,
exec=0x7fffd7e9b520, thisObj=@0x7fffd7e9a85c, args=@0x7fffd7e9b100)
at /tmp/buildd/kdelibs-3.5.3/./kjs/object.cpp:73
#9 0x00002ad2d92c18de in KJS::FunctionCallNode::evaluate (
this=<value optimized out>, exec=0x7fffd7e9b520)
at /tmp/buildd/kdelibs-3.5.3/./kjs/nodes.cpp:870
#10 0x00002ad2d92c36b0 in KJS::ExprStatementNode::execute (this=0xd31470,
exec=0x7fffd7e9b520) at /tmp/buildd/kdelibs-3.5.3/./kjs/nodes.cpp:1980
#11 0x00002ad2d92c7325 in KJS::SourceElementsNode::execute (this=0xd31240,
exec=0x7fffd7e9b520) at /tmp/buildd/kdelibs-3.5.3/./kjs/nodes.cpp:3091
#12 0x00002ad2d92c351e in KJS::BlockNode::execute (this=0xd38490,
exec=0x7fffd7e9b520) at /tmp/buildd/kdelibs-3.5.3/./kjs/nodes.cpp:1942
#13 0x00002ad2d92c812b in KJS::DeclaredFunctionImp::execute (
this=<value optimized out>, exec=0x0)
at /tmp/buildd/kdelibs-3.5.3/./kjs/function.cpp:588
#14 0x00002ad2d92b3211 in KJS::FunctionImp::call (this=0xcdd460,
exec=0x7fffd7e9bab0, thisObj=@0x7fffd7e9b6b0, args=@0x7fffd7e9b690)
at /tmp/buildd/kdelibs-3.5.3/./kjs/function.cpp:363
#15 0x00002ad2d92b5f27 in KJS::Object::call (this=<value optimized out>,
exec=0x7fffd7e9bab0, thisObj=@0x7fffd7e9a85c, args=@0x7fffd7e9b100)
at /tmp/buildd/kdelibs-3.5.3/./kjs/object.cpp:73
#16 0x00002ad2d92c18de in KJS::FunctionCallNode::evaluate (
this=<value optimized out>, exec=0x7fffd7e9bab0)
at /tmp/buildd/kdelibs-3.5.3/./kjs/nodes.cpp:870
#17 0x00002ad2d92c36b0 in KJS::ExprStatementNode::execute (this=0xcdc3d0,
exec=0x7fffd7e9bab0) at /tmp/buildd/kdelibs-3.5.3/./kjs/nodes.cpp:1980
#18 0x00002ad2d92c7325 in KJS::SourceElementsNode::execute (this=0xd0c4c0,
exec=0x7fffd7e9bab0) at /tmp/buildd/kdelibs-3.5.3/./kjs/nodes.cpp:3091
#19 0x00002ad2d92c351e in KJS::BlockNode::execute (this=0xcd4960,
exec=0x7fffd7e9bab0) at /tmp/buildd/kdelibs-3.5.3/./kjs/nodes.cpp:1942
#20 0x00002ad2d92c812b in KJS::DeclaredFunctionImp::execute (
this=<value optimized out>, exec=0x0)
at /tmp/buildd/kdelibs-3.5.3/./kjs/function.cpp:588
#21 0x00002ad2d92b3211 in KJS::FunctionImp::call (this=0xcd4f60,
exec=0xd31610, thisObj=@0x7fffd7e9bc80, args=@0x7fffd7e9bc30)
at /tmp/buildd/kdelibs-3.5.3/./kjs/function.cpp:363
#22 0x00002ad2d92b5f27 in KJS::Object::call (this=<value optimized out>,
exec=0xd31610, thisObj=@0x7fffd7e9a85c, args=@0x7fffd7e9b100)
at /tmp/buildd/kdelibs-3.5.3/./kjs/object.cpp:73
#23 0x00002ad2d9012669 in KJS::JSEventListener::handleEvent (this=0xc9af00,
evt=@0x7fffd7e9bcf0)
at /tmp/buildd/kdelibs-3.5.3/./khtml/ecma/kjs_events.cpp:95
#24 0x00002ad2d8eef3c3 in DOM::NodeImpl::handleLocalEvents (
this=<value optimized out>, evt=0xcd9a90, useCapture=false)
at /tmp/buildd/kdelibs-3.5.3/./khtml/xml/dom_nodeimpl.cpp:621
#25 0x00002ad2d8f07ce6 in DOM::NodeImpl::dispatchGenericEvent (this=0xc69b10,
evt=0xcd9a90)
at /tmp/buildd/kdelibs-3.5.3/./khtml/xml/dom_nodeimpl.cpp:385
#26 0x00002ad2d8f07f91 in DOM::NodeImpl::dispatchEvent (this=0xc69b10,
evt=0xcd9a90, exceptioncode=@0x7fffd7e9bf4c, tempEvent=true)
at /tmp/buildd/kdelibs-3.5.3/./khtml/xml/dom_nodeimpl.cpp:348
#27 0x00002ad2d8e9a226 in KHTMLView::dispatchMouseEvent (this=0xcf6680,
eventId=4, targetNode=0xc69b10,
targetNodeNonShared=<value optimized out>, cancelable=true, detail=1,
_mouse=0x7fffd7e9c080, setUnder=true, mouseEventType=0)
at /tmp/buildd/kdelibs-3.5.3/./khtml/khtmlview.cpp:3186
#28 0x00002ad2d8e9f646 in KHTMLView::viewportMouseReleaseEvent (
this=0xcf6680, _mouse=0x7fffd7e9c160)
at /tmp/buildd/kdelibs-3.5.3/./khtml/khtmlview.cpp:1280
#29 0x00002ad2d8e98b41 in KHTMLView::eventFilter (this=0xcf6680, o=0xc94be0,
e=0x7fffd7e9c810) at /tmp/buildd/kdelibs-3.5.3/./khtml/khtmlview.cpp:1949
#30 0x00002ad2d5b01805 in QObject::activate_filters (this=0xc94be0,
e=0x7fffd7e9c810) at kernel/qobject.cpp:903
#31 0x00002ad2d5b0187e in QObject::event (this=0xc94be0, e=0x7fffd7e9c810)
at kernel/qobject.cpp:735
#32 0x00002ad2d5b3c1f1 in QWidget::event (this=0xc94be0, e=0x7fffd7e9c810)
at kernel/qwidget.cpp:4678
#33 0x00002ad2d5a9dc0c in QApplication::internalNotify (this=0x7fffd7e9d1b0,
receiver=0xc94be0, e=0x7fffd7e9c810) at kernel/qapplication.cpp:2635
#34 0x00002ad2d5a9e255 in QApplication::notify (this=0x7fffd7e9d1b0,
receiver=0xc94be0, e=0x7fffd7e9c810) at kernel/qapplication.cpp:2421
#35 0x00002ad2d4c27f1e in KApplication::notify (this=0x7fffd7e9d1b0,
receiver=0xc94be0, event=0x7fffd7e9c810)
at /tmp/buildd/kdelibs-3.5.3/./kdecore/kapplication.cpp:550
#36 0x00002ad2d5a2f3d8 in QApplication::sendSpontaneousEvent (
receiver=0xc94be0, event=0x7fffd7e9c810) at kernel/qapplication.h:523
#37 0x00002ad2d5a2aba8 in QETWidget::translateMouseEvent (this=0xc94be0,
event=0x7fffd7e9cdb0) at kernel/qapplication_x11.cpp:4301
#38 0x00002ad2d5a28fcb in QApplication::x11ProcessEvent (this=0x7fffd7e9d1b0,
event=0x7fffd7e9cdb0) at kernel/qapplication_x11.cpp:3478
#39 0x00002ad2d5a41e7b in QEventLoop::processEvents (this=0x60ceb0, flags=4)
at kernel/qeventloop_x11.cpp:192
#40 0x00002ad2d5ab5aa2 in QEventLoop::enterLoop (this=0x60ceb0)
at kernel/qeventloop.cpp:198
#41 0x00002ad2d5ab59ab in QEventLoop::exec (this=0x60ceb0)
at kernel/qeventloop.cpp:145
#42 0x00002ad2d5a9c878 in QApplication::exec (this=0x7fffd7e9d1b0)
at kernel/qapplication.cpp:2758
#43 0x00002ad2d2de786e in kdemain (argc=<value optimized out>,
argv=<value optimized out>)
at /build/buildd/kdebase-3.5.3/./konqueror/konq_main.cc:206
#44 0x00002ad2d33de4ca in __libc_start_main () from /lib/libc.so.6
#45 0x000000000040051a in _start () at ../sysdeps/x86_64/elf/start.S:113
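The topmost frame of the backtrace places the crash in DOM::Node::replaceChild, the script-facing wrapper that receives whatever KJS hands it, including the 0 from the CVE description. The defensive point is that a wrapper reached from script must validate its arguments before touching the implementation object behind them. The following is an added illustrative example written for this page, not kdelibs or Konqueror code, and it makes no claim about how the actual kdelibs fix was written: the NodeImpl/Node model, the replaceChild return-code convention and the helper functions replaceWithNullNewChild and replaceValid are all assumptions of the example. Mapping null arguments to NOT_FOUND_ERR is likewise a choice made here.

```cpp
#include <algorithm>
#include <cstdio>
#include <vector>

// Exception codes use DOM Level 2 Core numbering; the enum itself is part of
// this example, not a kdelibs type.
enum DOMExceptionCode { NO_ERR = 0, HIERARCHY_REQUEST_ERR = 3, NOT_FOUND_ERR = 8 };

// Minimal stand-in for the implementation object behind a DOM node.
struct NodeImpl {
    NodeImpl* parent = nullptr;
    std::vector<NodeImpl*> children;
};

// Script-facing wrapper. A wrapper holding a null handle models what the DOM
// layer receives when script passes 0 where a Node is expected.
class Node {
public:
    Node() : impl(nullptr) {}
    explicit Node(NodeImpl* p) : impl(p) {}
    NodeImpl* handle() const { return impl; }
    bool isNull() const { return impl == nullptr; }

    // Hardened replaceChild: validate every wrapper before dereferencing it.
    // Returns a DOMExceptionCode, NO_ERR on success.
    int replaceChild(const Node& newChild, const Node& oldChild) {
        // A 0 argument from script arrives here as a null handle; refusing it
        // with a DOM exception is what prevents the null dereference.
        if (isNull() || newChild.isNull() || oldChild.isNull())
            return NOT_FOUND_ERR;

        NodeImpl* self = impl;
        NodeImpl* oldImpl = oldChild.handle();
        NodeImpl* newImpl = newChild.handle();

        std::vector<NodeImpl*>& kids = self->children;
        if (std::find(kids.begin(), kids.end(), oldImpl) == kids.end())
            return NOT_FOUND_ERR;            // oldChild is not a child of this node
        if (newImpl == self)
            return HIERARCHY_REQUEST_ERR;    // a node cannot become its own child
        if (newImpl == oldImpl)
            return NO_ERR;                   // replacing a node with itself is a no-op

        // Detach newChild from its current parent, if it has one.
        if (newImpl->parent) {
            std::vector<NodeImpl*>& sib = newImpl->parent->children;
            sib.erase(std::remove(sib.begin(), sib.end(), newImpl), sib.end());
        }
        // Re-locate oldChild: the detach above may have modified this vector.
        std::vector<NodeImpl*>::iterator it = std::find(kids.begin(), kids.end(), oldImpl);
        *it = newImpl;
        newImpl->parent = self;
        oldImpl->parent = nullptr;
        return NO_ERR;
    }

private:
    NodeImpl* impl;
};

// The scenario from the report: script calls replaceChild with 0 as the new
// child. With the check above this yields NOT_FOUND_ERR instead of a crash.
int replaceWithNullNewChild() {
    NodeImpl doc, child;
    doc.children.push_back(&child);
    child.parent = &doc;
    Node document(&doc);
    return document.replaceChild(Node(), Node(&child));
}

// A well-formed call still works; returns NO_ERR, or -1 if the tree is wrong afterwards.
int replaceValid() {
    NodeImpl doc, a, b;
    doc.children.push_back(&a);
    a.parent = &doc;
    Node document(&doc);
    int rc = document.replaceChild(Node(&b), Node(&a));
    if (rc != NO_ERR) return rc;
    bool ok = doc.children.size() == 1 && doc.children[0] == &b
              && b.parent == &doc && a.parent == nullptr;
    return ok ? NO_ERR : -1;
}

int main() {
    std::printf("null newChild -> code %d\n", replaceWithNullNewChild());
    std::printf("valid replace -> code %d\n", replaceValid());
    return 0;
}
```

The check is deliberately placed in the wrapper rather than deeper in the implementation: the wrapper is the trust boundary between script and the DOM tree, so that is where a missing-argument case has to be turned into a catchable DOM exception before any handle is dereferenced.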