Version in base suite: 4.1.0-3 Version in overlay suite: (not present) Base version: kde4libs_4.1.0-3 Target version: kde4libs_4.1.0-3+lenny1 Base file: /org/ftp.debian.org/ftp/pool/main/k/kde4libs/kde4libs_4.1.0-3.dsc Target file: /org/ftp.debian.org/queue/p-u-new/kde4libs_4.1.0-3+lenny1.dsc debian/patches/CVE-2009-1687.diff | 20 +++++++++++ debian/patches/CVE-2009-1690.diff | 63 +++++++++++++++++++++++++++++++++++ debian/patches/CVE-2009-1698.diff | 40 ++++++++++++++++++++++ kde4libs-4.1.0/debian/changelog | 21 +++++++++++ kde4libs-4.1.0/debian/patches/series | 3 + 5 files changed, 147 insertions(+)
diff -u kde4libs-4.1.0/debian/changelog kde4libs-4.1.0/debian/changelog
--- kde4libs-4.1.0/debian/changelog
+++ kde4libs-4.1.0/debian/changelog
@@ -1,3 +1,24 @@
+kde4libs (4:4.1.0-3+lenny1) stable-security; urgency=high
+
+ * Non-maintainer upload.
+ * Fixed CVE-2009-1687: An integer overflow, leading to heap-based buffer
+ overflow was found in the KDE implementation of garbage collector for the
+ JavaScript language (KJS).
+ * Fixed CVE-2009-1690: KDE HTML parser incorrectly handled content, forming
+ the HTML page element. A remote attacker could use this flaw to
+ cause a denial of service (konqueror crash) or, potentially, execute
+ arbitrary code, with the privileges of the user running "konqueror" web
+ browser, if the victim was tricked to open a specially-crafted HTML page.
+ (Closes: #534949)
+ * Fixed CVE-2009-1698: KDE's Cascading Style Sheets (CSS) parser incorrectly
+ handled content, forming the value of CSS "style" attribute. A remote
+ attacker could use this flaw to cause a denial of service (konqueror crash)
+ or potentially execute arbitrary code with the privileges of the user
+ running "konqueror" web browser, if the victim visited a specially-crafted
+ CSS equipped HTML page. (Closes: #534949)
+
+ -- Giuseppe Iuculano Sun, 09 Aug 2009 14:00:33 +0200
+
 kde4libs (4:4.1.0-3) unstable; urgency=low
 +++ Changes by Fathi Boudra:
diff -u kde4libs-4.1.0/debian/patches/series kde4libs-4.1.0/debian/patches/series
--- kde4libs-4.1.0/debian/patches/series
+++ kde4libs-4.1.0/debian/patches/series
@@ -15,0 +16,3 @@
+CVE-2009-1690.diff
+CVE-2009-1698.diff
+CVE-2009-1687.diff
only in patch2: unchanged:
--- kde4libs-4.1.0.orig/debian/patches/CVE-2009-1690.diff
+++ kde4libs-4.1.0/debian/patches/CVE-2009-1690.diff
@@ -0,0 +1,63 @@
+--- a/khtml/html/htmlparser.cpp
++++ b/khtml/html/htmlparser.cpp
+@@ -206,7 +206,6 @@ void KHTMLParser::reset()
+
+ form = 0;
+ map = 0;
+- head = 0;
+ end = false;
+ isindex = 0;
+
+@@ -669,8 +668,7 @@ bool KHTMLParser::insertNode(NodeImpl *n
+ case ID_BASE:
+ if(!head) {
+ head = new HTMLHeadElementImpl(document);
+- e = head;
+- insertNode(e);
++ insertNode(head.get());
+ handled = true;
+ }
+ break;
+@@ -892,7 +890,7 @@ NodeImpl *KHTMLParser::getElement(Token*
+ case ID_HEAD:
+ if(!head && current->id() == ID_HTML) {
+ head = new HTMLHeadElementImpl(document);
+- n = head;
++ n = head.get();
+ }
+ break;
+ case ID_BODY:
+@@ -1796,19 +1794,19 @@ void KHTMLParser::createHead()
+ head = new HTMLHeadElementImpl(document);
+ HTMLElementImpl *body = doc()->body();
+ int exceptioncode = 0;
+- doc()->firstChild()->insertBefore(head, body, exceptioncode);
++ doc()->documentElement()->insertBefore(head.get(), body, exceptioncode);
+ if ( exceptioncode ) {
+ #ifdef PARSER_DEBUG
+ kDebug( 6035 ) << "creation of head failed!!!!";
+ #endif
+- delete head;
++ delete head.get();
+ head = 0;
+ }
+
+ // If the body does not exist yet, then the should be pushed as the current block.
+ if (head && !body) {
+ pushBlock(head->id(), tagPriority(head->id()));
+- setCurrent(head);
++ setCurrent(head.get());
+ }
+ }
+
+--- a/khtml/html/htmlparser.h
++++ b/khtml/html/htmlparser.h
+@@ -155,7 +155,7 @@ private:
+ /*
+ * the head element. Needed for crappy html which defines after
+ */
+- DOM::HTMLHeadElementImpl *head;
++ RefPtr head;
+
+ /*
+ * a possible element in the head. Compatibility hack for
only in patch2: unchanged:
--- kde4libs-4.1.0.orig/debian/patches/CVE-2009-1698.diff
+++ kde4libs-4.1.0/debian/patches/CVE-2009-1698.diff
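Review bot: In createHead()'s failure branch the new `delete head.get();` is still followed by `head = 0;`, and resetting a RefPtr derefs the object it holds, so the head node would be touched after it has already been freed. khtml's NodeImpl deref semantics are not in the hunk, so this is inferred from the RefPtr change itself; if deref does anything with the pointee, the safe form is to drop the explicit delete and let the smart pointer release the node: `head = 0;`. Since this ownership change is also why the other three inner hunks switch to `head.get()`, a comment at the new member declaration in htmlparser.h, `// owned through RefPtr: resetting it drops our reference to the node`, would make it explicit for the next reader. createHead() closes inside the hunk; the class declaring `head` runs past it.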
@@ -0,0 +1,40 @@
+--- a/khtml/css/css_valueimpl.cpp
++++ b/khtml/css/css_valueimpl.cpp
+@@ -1126,7 +1126,9 @@ DOM::DOMString CSSPrimitiveValueImpl::cs
+ text = getValueName(m_value.ident);
+ break;
+ case CSSPrimitiveValue::CSS_ATTR:
+- // ###
++ text = "attr(";
++ text += DOMString( m_value.string );
++ text += ")";
+ break;
+ case CSSPrimitiveValue::CSS_COUNTER:
+ text = "counter(";
+--- a/khtml/css/cssparser.cpp
++++ b/khtml/css/cssparser.cpp
+@@ -1375,6 +1375,14 @@ bool CSSParser::parseContent( int propId
+ if ( args->size() != 1)
+ return false;
+ Value *a = args->current();
++ if (a->unit != CSSPrimitiveValue::CSS_IDENT) {
++ isValid=false;
++ break;
++ }
++ if (qString(a->string)[0] == '-') {
++ isValid=false;
++ break;
++ }
+ parsedValue = new CSSPrimitiveValueImpl(domString(a->string), CSSPrimitiveValue::CSS_ATTR);
+ }
+ else
+@@ -1427,7 +1435,8 @@ CSSValueImpl* CSSParser::parseCounterCon
+
+ CounterImpl *counter = new CounterImpl;
+ Value *i = args->current();
+-// if (i->unit != CSSPrimitiveValue::CSS_IDENT) goto invalid;
++ if (i->unit != CSSPrimitiveValue::CSS_IDENT) goto invalid;
++ if (qString(i->string)[0] == '-') goto invalid;
+ counter->m_identifier = domString(i->string);
+ if (counters) {
+ i = args->next();
only in patch2: unchanged:
--- kde4libs-4.1.0.orig/debian/patches/CVE-2009-1687.diff
+++ kde4libs-4.1.0/debian/patches/CVE-2009-1687.diff
@@ -0,0 +1,20 @@
+--- a/kjs/collector.cpp
++++ b/kjs/collector.cpp
+@@ -31,6 +31,7 @@
+ #include "value.h"
+
+ #include
++#include
+ #include
+
+ #if PLATFORM(DARWIN)
+@@ -109,6 +110,9 @@ struct BlockList {
+
+ void append(CollectorBlock* block) {
+ if (m_used == m_capacity) {
++ static const size_t maxNumBlocks = ULONG_MAX / sizeof(CollectorBlock*) / GROWTH_FACTOR;
++ if (m_capacity > maxNumBlocks)
++ CRASH();
+ m_capacity = max(MIN_ARRAY_SIZE, m_capacity * GROWTH_FACTOR);
+ m_data = static_cast(fastRealloc(m_data, m_capacity * sizeof(CollectorBlock *)));
+ }
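Review bot: Both new leading-dash guards index the identifier with `[0]` without first checking that it is non-empty (`qString(a->string)[0]` in parseContent(), `qString(i->string)[0]` in parseCounterContent()); the CSS_IDENT test just before makes an empty value unlikely, but that relies on the tokenizer, which is outside the hunk, and QString's const operator[] is only assert-checked. A form that is safe either way is `const QString s = qString(a->string); if (s.isEmpty() || s[0] == '-') { isValid=false; break; }`, with the same shape at the goto site. Since the ident-plus-leading-dash test now exists in two places, a small file-local helper taking the Value would keep the two sites from drifting. Both enclosing functions begin and end outside the hunk.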
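Review bot: The overflow guard added to BlockList::append() carries no comment, and the derivation of `maxNumBlocks` (the largest capacity for which both the grown capacity and the byte count handed to fastRealloc() below stay within ULONG_MAX) is not obvious from the two lines. A comment above the `static const size_t maxNumBlocks` line, `// bail out before m_capacity * GROWTH_FACTOR * sizeof(CollectorBlock*) can wrap in the realloc size below`, would record it. The bound is expressed through ULONG_MAX rather than the width of size_t itself; on LP64 targets these coincide, and on an LLP64 target the guard is only stricter than necessary, so this is a readability point rather than a correctness one, and the `#include` added by the first inner hunk is presumably what supplies ULONG_MAX. append()'s body continues past the hunk.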