Your message dated Sun, 09 Aug 2009 15:01:46 +0200
with message-id <4A7EC8BA.1080200@iuculano.it>
and subject line CVE-2009-1725: kde4libs and kdelibs are not affected
has caused the Debian Bug report #538350,
regarding CVE-2009-1725: WebKit in Apple Safari before 4.0.2 does not properly handle numeric ...
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

-- 
538350: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=538350
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: CVE-2009-1725: WebKit in Apple Safari before 4.0.2 does not properly handle numeric ...
- From: Luciano Bello <luciano@debian.org>
- Date: Fri, 24 Jul 2009 22:22:49 -0300
- Message-id: <200907242222.49428.luciano@debian.org>
Package: kdelibs
Version: 4:3.5.10.dfsg.1-2
Severity: grave
Tags: security patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for webkit.

CVE-2009-1725[0]:
| WebKit in Apple Safari before 4.0.2 does not properly handle numeric
| character references, which allows remote attackers to execute
| arbitrary code or cause a denial of service (memory corruption and
| application crash) via a crafted HTML document.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1725
    http://security-tracker.debian.net/tracker/CVE-2009-1725
[1] http://scarybeastsecurity.blogspot.com/2009/07/iphone-and-safari-advisories.html

The patch:

--- kdelibs-3.5.10.dfsg.1.old/khtml/html/htmltokenizer.cpp 2007-05-14 04:52:39.000000000 -0300 +++ kdelibs-3.5.10.dfsg.1/khtml/html/htmltokenizer.cpp 2009-07-24 22:10:11.000000000 -0300 @@ -736,7 +736,7 @@ #ifdef TOKEN_DEBUG kdDebug( 6036 ) << "unknown entity!" << endl; #endif - checkBuffer(10); + checkBuffer(11); // ignore the sequence, add it to the buffer as plaintext *dest++ = '&'; for(unsigned int i = 0; i < cBufferPos; i++)
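Review bot: The bump from checkBuffer(10) to checkBuffer(11) in this hunk is not justified by anything visible in it: the fallback that follows writes '&' and then cBufferPos characters into dest, so the constant is only correct if cBufferPos is bounded by 10 (by 9 for the old value), and neither the hunk nor a comment states that bound. Rather than a second magic number, derive the reservation from the entity buffer's capacity, or at least add a comment such as `// '&' + at most N buffered entity chars` next to the call, so that a later change to the digit caps in the entity-parsing loops cannot silently desynchronise the two values.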
--- End Message ---
--- Begin Message ---
- To: 538349-done@bugs.debian.org, 538350-done@bugs.debian.org
- Subject: CVE-2009-1725: kde4libs and kdelibs are not affected
- From: Giuseppe Iuculano <giuseppe@iuculano.it>
- Date: Sun, 09 Aug 2009 15:01:46 +0200
- Message-id: <4A7EC8BA.1080200@iuculano.it>
Hi,

> case Hexadecimal:
> {
>     int uc = EntityChar.unicode();
>     int ll = qMin<uint>(src.length(), 8);
>     while(ll--) {
>         QChar csrc(src->toLower());
>         cc = csrc.cell();
>
>         if(csrc.row() || !((cc >= '0' && cc <= '9') || (cc >= 'a' && cc <= 'f'))) {
>             break;
>         }
>         uc = uc*16 + (cc - ( cc < 'a' ? '0' : 'a' - 10));
>         cBuffer[cBufferPos++] = cc;
>         ++src;
>     }
>     EntityChar = QChar(uc);
>     Entity = SearchSemicolon;
>     break;
> }
> case Decimal:
> {
>     int uc = EntityChar.unicode();
>     int ll = qMin(src.length(), 9-cBufferPos);
>     while(ll--) {
>         cc = src->cell();
>
>         if(src->row() || !(cc >= '0' && cc <= '9')) {
>             Entity = SearchSemicolon;
>             break;
>         }
>
>         uc = uc * 10 + (cc - '0');
>         cBuffer[cBufferPos++] = cc;
>         ++src;
>     }
>     EntityChar = QChar(uc);
>     if(cBufferPos == 9) Entity = SearchSemicolon;
>     break;
> }
> case EntityName:
> {
>     int ll = qMin(src.length(), 9-cBufferPos);
>     while(ll--) {
>         QChar csrc = *src;
>         cc = csrc.cell();
>
>         if(csrc.row() || !((cc >= 'a' && cc <= 'z') ||
>            (cc >= '0' && cc <= '9') || (cc >= 'A' && cc <= 'Z'))) {
>             Entity = SearchSemicolon;
>             break;
>         }

The above lines ensure the resulting buffer is always at most 9 characters long, so checkBuffer(10) is a sufficient check.

https://bugzilla.redhat.com/show_bug.cgi?id=513813#c18

Cheers,
Giuseppe.
--- End Message ---
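As an added example (not code from kdelibs or from either message above), the following C model reimplements the three digit loops quoted in the reply and reports how many characters the "unknown entity" fallback in the patched hunk would then write to dest ('&' followed by cBufferPos characters), which is exactly the quantity the checkBuffer() argument has to cover. The excerpt does not show how many characters are already in cBuffer when each loop is entered, so that count is passed in as a parameter and the values tried in main() are assumptions; the model's buffer is deliberately oversized so the model itself can never overflow, and its size says nothing about the real cBuffer.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Model-only buffer, oversized so the model cannot overflow. This is an
 * assumption for the example, NOT the real cBuffer size (not shown above). */
#define MODEL_CAP 32

struct entity_state {
    char   cBuffer[MODEL_CAP];
    size_t cBufferPos;
};

static size_t min_sz(size_t a, size_t b) { return a < b ? a : b; }

/* Room left under the 9-character total used by the Decimal and EntityName
 * cases (qMin(src.length(), 9-cBufferPos)), clamped so it cannot go negative. */
static size_t room_to_nine(const struct entity_state *st)
{
    return st->cBufferPos < 9 ? 9 - st->cBufferPos : 0;
}

/* case Hexadecimal: ll = qMin<uint>(src.length(), 8). The cap is on the
 * number of digits consumed in this loop, not on the total buffer length. */
static size_t consume_hex(struct entity_state *st, const char *src)
{
    size_t ll = min_sz(strlen(src), 8), i = 0;
    while (ll--) {
        int cc = tolower((unsigned char)src[i]);
        if (!((cc >= '0' && cc <= '9') || (cc >= 'a' && cc <= 'f')))
            break;
        st->cBuffer[st->cBufferPos++] = (char)cc;
        i++;
    }
    return st->cBufferPos;
}

/* case Decimal: ll = qMin(src.length(), 9-cBufferPos), digits only. */
static size_t consume_dec(struct entity_state *st, const char *src)
{
    size_t ll = min_sz(strlen(src), room_to_nine(st)), i = 0;
    while (ll--) {
        int cc = (unsigned char)src[i];
        if (!(cc >= '0' && cc <= '9'))
            break;
        st->cBuffer[st->cBufferPos++] = (char)cc;
        i++;
    }
    return st->cBufferPos;
}

/* case EntityName: same 9-cBufferPos cap, ASCII alphanumerics only. */
static size_t consume_name(struct entity_state *st, const char *src)
{
    size_t ll = min_sz(strlen(src), room_to_nine(st)), i = 0;
    while (ll--) {
        int cc = (unsigned char)src[i];
        if (!((cc >= 'a' && cc <= 'z') || (cc >= '0' && cc <= '9') ||
              (cc >= 'A' && cc <= 'Z')))
            break;
        st->cBuffer[st->cBufferPos++] = (char)cc;
        i++;
    }
    return st->cBufferPos;
}

/* The fallback in the patched hunk emits '&' and then cBufferPos characters
 * into dest; this is the number of characters checkBuffer() must reserve. */
static size_t dest_chars_needed(const struct entity_state *st)
{
    return 1 + st->cBufferPos;
}

/* Worst case for one loop: prefix_len characters already buffered at entry
 * (an assumed value; the excerpt does not show it), then an over-long run of
 * valid characters. Returns the dest reservation actually needed. */
static size_t worst_case(size_t (*loop)(struct entity_state *, const char *),
                         size_t prefix_len, const char *run)
{
    struct entity_state st;
    size_t n = min_sz(prefix_len, MODEL_CAP - 10);
    memset(&st, 0, sizeof st);
    memset(st.cBuffer, '#', n);          /* placeholder prefix characters */
    st.cBufferPos = n;
    loop(&st, run);
    return dest_chars_needed(&st);
}

static void report(const char *label, size_t needed)
{
    printf("%-34s dest needs %2zu -> checkBuffer(10) %s\n", label, needed,
           needed <= 10 ? "suffices" : "is too small");
}

int main(void)
{
    /* Constructed adversarial inputs: far longer than any of the caps. */
    const char *hex_run  = "ffffffffffffffffffff";
    const char *dec_run  = "99999999999999999999";
    const char *name_run = "aaaaaaaaaaaaaaaaaaaa";

    report("decimal, 1 char already buffered", worst_case(consume_dec, 1, dec_run));
    report("name, 0 chars already buffered",   worst_case(consume_name, 0, name_run));
    report("hex, 1 char already buffered",     worst_case(consume_hex, 1, hex_run));
    report("hex, 2 chars already buffered",    worst_case(consume_hex, 2, hex_run));
    return 0;
}
```

Fed over-long runs of valid characters, the Decimal and EntityName loops stop at a total of 9 buffered characters whatever was buffered before, because their cap is 9-cBufferPos, so the fallback needs at most 10 characters of room for them. The Hexadecimal loop caps the digits it consumes at 8 rather than the total, so the room it needs is 9 plus the number of characters already buffered when it is entered: 10 with one, 11 with two. That entry count, which the quoted excerpt does not show, is the quantity to pin down when deciding whether checkBuffer(10) or checkBuffer(11) is the right reservation.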