
Bug#538350: CVE-2009-1725: WebKit in Apple Safari before 4.0.2 does not properly handle numeric ...



Package: kdelibs
Version: 4:3.5.10.dfsg.1-2
Severity: grave
Tags: security patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for WebKit.

CVE-2009-1725[0]:
| WebKit in Apple Safari before 4.0.2 does not properly handle numeric
| character references, which allows remote attackers to execute
| arbitrary code or cause a denial of service (memory corruption and
| application crash) via a crafted HTML document.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1725
    http://security-tracker.debian.net/tracker/CVE-2009-1725
[1] http://scarybeastsecurity.blogspot.com/2009/07/iphone-and-safari-advisories.html

The patch:
--- kdelibs-3.5.10.dfsg.1.old/khtml/html/htmltokenizer.cpp      2007-05-14 04:52:39.000000000 -0300
+++ kdelibs-3.5.10.dfsg.1/khtml/html/htmltokenizer.cpp  2009-07-24 22:10:11.000000000 -0300
@@ -736,7 +736,7 @@
 #ifdef TOKEN_DEBUG
                 kdDebug( 6036 ) << "unknown entity!" << endl;
 #endif
-                checkBuffer(10);
+                checkBuffer(11);
                 // ignore the sequence, add it to the buffer as plaintext
                 *dest++ = '&';
                 for(unsigned int i = 0; i < cBufferPos; i++)
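Review bot: the new reservation of 11 is a bare magic number that the hunk does not tie to what is actually written; the two lines after it store '&' and then cBufferPos further bytes, so the headroom required is cBufferPos + 1, and a reader has to know from elsewhere that cBufferPos never exceeds 10 to see that 11 suffices. Suggest `checkBuffer(cBufferPos + 1);` (or a named constant for the scratch buffer size plus one) together with a one-line comment stating that the '&' prefix is what the extra byte is for, so the reservation cannot silently drift if the scratch buffer limit changes again.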

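The off-by-one the patch corrects is easy to state but worth seeing fail. The following is an added illustration, not khtml's code: it models the unknown-entity fallback as a destination buffer that has exactly the reserved headroom left, followed by a canary byte, and then replays the write sequence from the hunk ('&' followed by the scratch characters). It assumes a scratch buffer of ENTITY_MAX = 10 characters, which is what the old reservation of 10 implied; the function and constant names are mine.

```c
#include <stdio.h>
#include <string.h>

#define ENTITY_MAX 10   /* assumption: the scratch buffer holds at most 10 chars */

/* Model of the unknown-entity fallback (added example, not khtml's code).
 * check_buffer(reserve) in the real tokenizer guarantees `reserve` bytes of
 * headroom; here we lay out a destination with exactly `reserve` free bytes
 * followed by a canary, so any byte written past the reservation clobbers
 * the canary, as it would corrupt adjacent memory when the real buffer
 * happened to be nearly full.
 * Returns the number of bytes written past the reservation (0 = safe),
 * or (size_t)-1 if the arguments are outside the model's range. */
static size_t flush_unknown_entity(const char *entity, size_t entity_len,
                                   size_t reserve)
{
    unsigned char dest[ENTITY_MAX + 2 + 1]; /* largest reservation + canary */
    const unsigned char canary = 0xA5;      /* ASCII input never equals this */
    unsigned char *p = dest;
    size_t written;

    if (entity_len > ENTITY_MAX || reserve > ENTITY_MAX + 2)
        return (size_t)-1;

    memset(dest, 0, sizeof dest);
    dest[reserve] = canary;                 /* first byte past the reservation */

    /* Mirror of the original sequence: '&' first, then cBufferPos chars.
     * Bounded by sizeof dest so the model itself cannot run off the array. */
    *p++ = '&';
    for (size_t i = 0; i < entity_len && (size_t)(p - dest) < sizeof dest; i++)
        *p++ = (unsigned char)entity[i];
    written = (size_t)(p - dest);

    return dest[reserve] == canary ? 0 : written - reserve;
}

/* The reservation the write sequence actually needs: the '&' prefix plus
 * one byte per scratch character. Expressing it this way, rather than as
 * the literal 11, keeps it correct if the scratch buffer limit changes. */
static size_t needed_reservation(size_t entity_len)
{
    return entity_len + 1;
}

int main(void)
{
    /* Constructed input: a 10-character name that is not a known entity,
     * i.e. the scratch buffer is completely full when the fallback runs. */
    const char *ent = "unknownent";
    size_t len = strlen(ent);

    printf("reserve 10: %zu byte(s) past reservation\n",
           flush_unknown_entity(ent, len, 10));
    printf("reserve 11: %zu byte(s) past reservation\n",
           flush_unknown_entity(ent, len, 11));
    printf("reserve cBufferPos+1 (%zu): %zu byte(s) past reservation\n",
           needed_reservation(len),
           flush_unknown_entity(ent, len, needed_reservation(len)));
    return 0;
}
```

With the full 10-character scratch buffer the old reservation of 10 leaves one byte spilling past the headroom; 11, or equivalently cBufferPos + 1, does not. Shorter names never reach the boundary with either value, which is why the bug only bites on a crafted document that fills the scratch buffer.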

