Bug#538350: marked as done (CVE-2009-1725: WebKit in Apple Safari before 4.0.2 does not properly handle numeric ...)

Your message dated Sun, 09 Aug 2009 15:01:46 +0200
with message-id <4A7EC8BA.1080200@iuculano.it>
and subject line CVE-2009-1725: kde4libs and kdelibs are not affected
has caused the Debian Bug report #538350,
regarding CVE-2009-1725: WebKit in Apple Safari before 4.0.2 does not properly handle numeric ...
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
538350: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=538350
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: kdelibs
Version: 4:3.5.10.dfsg.1-2
Severity: grave
Tags: security patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for webkit.

CVE-2009-1725[0]:
| WebKit in Apple Safari before 4.0.2 does not properly handle numeric
| character references, which allows remote attackers to execute
| arbitrary code or cause a denial of service (memory corruption and
| application crash) via a crafted HTML document.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1725
    http://security-tracker.debian.net/tracker/CVE-2009-1725
[1] http://scarybeastsecurity.blogspot.com/2009/07/iphone-and-safari-advisories.html

The patch:
--- kdelibs-3.5.10.dfsg.1.old/khtml/html/htmltokenizer.cpp      2007-05-14 04:52:39.000000000 -0300
+++ kdelibs-3.5.10.dfsg.1/khtml/html/htmltokenizer.cpp  2009-07-24 22:10:11.000000000 -0300
@@ -736,7 +736,7 @@
 #ifdef TOKEN_DEBUG
                 kdDebug( 6036 ) << "unknown entity!" << endl;
 #endif
-                checkBuffer(10);
+                checkBuffer(11);
                 // ignore the sequence, add it to the buffer as plaintext
                 *dest++ = '&';
                 for(unsigned int i = 0; i < cBufferPos; i++)
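Review bot: the hunk raises the reservation from checkBuffer(10) to checkBuffer(11) without recording why one more character is needed; from the visible context the fallback path writes '&' followed by cBufferPos characters, so the correct argument depends on the maximum cBufferPos can reach, and that bound is stated nowhere in the hunk. Add a comment above the call (e.g. `// '&' + up to N buffered chars`) giving the bound, or derive the argument from the size of cBuffer, so the number can be checked against the tokenizer's digit limits rather than trusted.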



--- End Message ---
--- Begin Message ---
Hi,

>  935         case Hexadecimal:
>  936         {
>  937             int uc = EntityChar.unicode();
>  938             int ll = qMin<uint>(src.length(), 8);
>  939             while(ll--) {
>  940                 QChar csrc(src->toLower());
>  941                 cc = csrc.cell();
>  942 
>  943                 if(csrc.row() || !((cc >= '0' && cc <= '9') || (cc >= 'a' && cc <= 'f'))) {
>  944                     break;
>  945                 }
>  946                 uc = uc*16 + (cc - ( cc < 'a' ? '0' : 'a' - 10));
>  947                 cBuffer[cBufferPos++] = cc;
>  948                 ++src;
>  949             }
>  950             EntityChar = QChar(uc);
>  951             Entity = SearchSemicolon;
>  952             break;
>  953         }
>  954         case Decimal:
>  955         {
>  956             int uc = EntityChar.unicode();
>  957             int ll = qMin(src.length(), 9-cBufferPos);
>  958             while(ll--) {
>  959                 cc = src->cell();
>  960 
>  961                 if(src->row() || !(cc >= '0' && cc <= '9')) {
>  962                     Entity = SearchSemicolon;
>  963                     break;
>  964                 }
>  965 
>  966                 uc = uc * 10 + (cc - '0');
>  967                 cBuffer[cBufferPos++] = cc;
>  968                 ++src;
>  969             }
>  970             EntityChar = QChar(uc);
>  971             if(cBufferPos == 9)  Entity = SearchSemicolon;
>  972             break;
>  973         }
>  974         case EntityName:
>  975         {
>  976             int ll = qMin(src.length(), 9-cBufferPos);
>  977             while(ll--) {
>  978                 QChar csrc = *src;
>  979                 cc = csrc.cell();
>  980 
>  981                 if(csrc.row() || !((cc >= 'a' && cc <= 'z') ||
>  982                                    (cc >= '0' && cc <= '9') || (cc >= 'A' && cc <= 'Z'))) {
>  983                     Entity = SearchSemicolon;
>  984                     break;
>  985                 }


The above lines ensure that the resulting buffer is always at most 9
characters long, so checkBuffer(10) is a sufficient check.

https://bugzilla.redhat.com/show_bug.cgi?id=513813#c18

Cheers,
Giuseppe.



--- End Message ---
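The disagreement above is about how many characters the entity scratch buffer can hold before the tokenizer falls back to emitting the sequence as plaintext. As an added example (not the khtml tokenizer and not Debian's patch), the following C++ parses numeric character references of the same shape ("&#65;" and "&#x41;") with the digit limits and the scratch-buffer capacity as named constants, so the reservation the plaintext fallback needs ('&' plus everything buffered) is computed from the limits instead of hand-counted. The limits (8 hex digits, 9 decimal digits), the namespace and the function names are assumptions chosen for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>

// Added example, not the khtml code: a bounded parser for the text that
// follows '&' in a numeric character reference. Every limit is a named
// constant and every write to the scratch buffer is bounds-checked.
namespace ncr {

// Hypothetical digit limits for this example.
constexpr std::size_t kMaxHexDigits = 8;   // digits accepted after "#x"
constexpr std::size_t kMaxDecDigits = 9;   // digits accepted after "#"

// Scratch buffer holds '#', an optional 'x', then the digits; the hex
// form has the longer prefix, so it defines the capacity.
constexpr std::size_t kScratchCapacity = 1 + 1 + kMaxHexDigits;   // 10
// Worst-case plaintext fallback: '&' followed by the whole scratch buffer.
// This is the value a checkBuffer()-style reservation would have to cover.
constexpr std::size_t kFallbackReservation = 1 + kScratchCapacity; // 11

struct Result {
    bool decoded = false;        // true when a code point was produced
    std::uint32_t codepoint = 0; // valid only when decoded
    std::size_t consumed = 0;    // characters consumed after '&' (incl. ';')
    std::string fallback;        // plaintext to emit when not decoded
};

// Parses `src`, the text after '&'. Stops at the digit limit or the first
// non-digit; a trailing ';' is consumed. Never writes past kScratchCapacity.
inline Result parseNumericReference(const std::string& src) {
    char scratch[kScratchCapacity];
    std::size_t len = 0;
    auto push = [&](char c) {          // bounds check before every write
        if (len >= kScratchCapacity) return false;
        scratch[len++] = c;
        return true;
    };

    Result r;
    std::size_t pos = 0;
    if (pos >= src.size() || src[pos] != '#') {   // not numeric: emit '&'
        r.fallback = "&";
        return r;
    }
    push(src[pos++]);                               // '#'

    bool hex = false;
    if (pos < src.size() && (src[pos] == 'x' || src[pos] == 'X')) {
        hex = true;
        push(src[pos++]);                           // 'x'
    }
    const std::size_t maxDigits = hex ? kMaxHexDigits : kMaxDecDigits;

    // 8 hex digits and 9 decimal digits both fit in uint32_t, so the
    // digit limit also rules out arithmetic overflow here.
    std::uint32_t value = 0;
    std::size_t digits = 0;
    while (pos < src.size() && digits < maxDigits) {
        const char c = src[pos];
        unsigned d = 0;
        if (c >= '0' && c <= '9')               d = c - '0';
        else if (hex && c >= 'a' && c <= 'f')   d = c - 'a' + 10;
        else if (hex && c >= 'A' && c <= 'F')   d = c - 'A' + 10;
        else break;
        if (!push(c)) break;   // unreachable with these constants; kept as a guard
        value = value * (hex ? 16u : 10u) + d;
        ++digits;
        ++pos;
    }

    if (digits == 0) {   // "&#" or "&#x" with no digits: fall back to plaintext
        r.fallback = "&" + std::string(scratch, len);
        r.consumed = pos;
        return r;
    }
    if (pos < src.size() && src[pos] == ';') ++pos;
    r.decoded = true;
    r.codepoint = value;
    r.consumed = pos;
    return r;
}

} // namespace ncr
```

The point of the constants is that `kFallbackReservation` follows from `kScratchCapacity`, which in turn follows from the longer of the two prefixes plus its digit limit; changing a digit limit changes the reservation automatically, and the bounds-checked `push` turns any remaining mismatch into a dropped character rather than an out-of-bounds write.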
