Bug#409868: CVE-2007-0537: does not properly parse HTML comments in TITLE tag
Package: kdelibs
Version: 4:3.5.5a.dfsg.1-5
Severity: important
Tags: patch, security
Some TITLE-tag XSS attacks can work against Konqueror[1]. Upstream has
patched this problem[2].
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0537
[2] http://websvn.kde.org/?view=rev&rev=626791
Attached is the patch used in Ubuntu against version 4:3.5.5-0ubuntu3.
--
Kees Cook @outflux.net
diff -Nur kdelibs-3.5.5/khtml/html/htmltokenizer.cpp kdelibs-3.5.5.new/khtml/html/htmltokenizer.cpp
--- kdelibs-3.5.5/khtml/html/htmltokenizer.cpp 2006-10-01 10:33:38.000000000 -0700
+++ kdelibs-3.5.5.new/khtml/html/htmltokenizer.cpp 2007-02-05 16:47:00.359410059 -0800
@@ -316,7 +316,7 @@
while ( !src.isEmpty() ) {
checkScriptBuffer();
unsigned char ch = src->latin1();
- if ( !scriptCodeResync && !brokenComments && !textarea && !xmp && !title && ch == '-' && scriptCodeSize >= 3 && !src.escaped() && QConstString( scriptCode+scriptCodeSize-3, 3 ).string() == "<!-" ) {
+ if ( !scriptCodeResync && !brokenComments && !textarea && !xmp && ch == '-' && scriptCodeSize >= 3 && !src.escaped() && QConstString( scriptCode+scriptCodeSize-3, 3 ).string() == "<!-" ) {
comment = true;
scriptCode[ scriptCodeSize++ ] = ch;
++src;
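Review bot: dropping `!title` from the condition at the start of this hunk means a `<!-` sequence inside TITLE content now sets `comment = true` and is scanned as comment text rather than as plain title text; the hunk changes only where a comment begins, so its correctness depends on the comment-close path being updated to know about `title` as well, and the two changes should be reviewed and applied together. The report cites CVE-2007-0537 and upstream r626791 but carries no regression test; a small test document with a comment inside `<title>` wrapping other markup would let the fix be verified rather than assumed.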
@@ -495,7 +495,7 @@
if (canClose || handleBrokenComments || scriptEnd ){
++src;
- if ( !( script || xmp || textarea || style) ) {
+ if ( !( title || script || xmp || textarea || style) ) {
#ifdef COMMENTS_IN_DOM
checkScriptBuffer();
scriptCode[ scriptCodeSize ] = 0;
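Review bot: adding `title` to the exclusion list here makes the comment-close path treat TITLE the same way as script, xmp, textarea and style, so the branch that follows (including the `#ifdef COMMENTS_IN_DOM` block that terminates `scriptCode`) no longer runs for a comment closed inside a title. That is consistent with the first hunk, but the hunk ends before the else path, so it is worth confirming that the comment text then stays in the title's text buffer rather than being dropped, and the changelog entry should name both hunks as one fix for CVE-2007-0537 (upstream r626791).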