Version in base suite: 3.5.9-3+lenny1 Version in overlay suite: (not present) Base version: kdegraphics_3.5.9-3+lenny1 Target version: kdegraphics_3.5.9-3+lenny2 Base file: /org/ftp.debian.org/ftp/pool/main/k/kdegraphics/kdegraphics_3.5.9-3+lenny1.dsc Target file: /org/ftp.debian.org/queue/p-u-new/kdegraphics_3.5.9-3+lenny2.dsc debian/patches/fix-CVE-2009-0945.diff | 26 ++++++++++ debian/patches/fix-CVE-2009-1709.diff | 88 ++++++++++++++++++++++++++++++++++ kdegraphics-3.5.9/debian/changelog | 18 ++++++ 3 files changed, 132 insertions(+)
diff -u kdegraphics-3.5.9/debian/changelog kdegraphics-3.5.9/debian/changelog
--- kdegraphics-3.5.9/debian/changelog
+++ kdegraphics-3.5.9/debian/changelog
@@ -1,3 +1,21 @@
+kdegraphics (4:3.5.9-3+lenny2) stable-security; urgency=high
+
+ * Non-maintainer upload.
+ * Fixed CVE-2009-0945: Null-pointer dereference due to an array index error
+ was found in the KDE KSVG SVGList interface implementation. A remote
+ attacker could create a specially-crafted SVG image, which once opened by
+ an unsuspecting user, would cause memory corruption leading to a denial of
+ service (Konqueror crash). (Closes: #534918)
+ * Fixed CVE-2009-1709: A pointer use-after-free flaw was found in the KDE's
+ KSVG Scalable Vector Graphics (SVG) animation element implementation.
+ A remote attacker could use this flaw to cause a denial of service
+ (konqueror crash) or, potentially, execute arbitrary code, with the
+ privileges of the user running "konqueror" web browser, if the victim was
+ tricked to open a specially-crafted SVG image. (Closes: #534951)
+
+
+ -- Giuseppe Iuculano Sun, 09 Aug 2009 19:33:05 +0200
+
 kdegraphics (4:3.5.9-3+lenny1) stable-security; urgency=high
 * Non-maintainer upload by the security team to fix several JBIG2
only in patch2:
unchanged:
--- kdegraphics-3.5.9.orig/debian/patches/fix-CVE-2009-1709.diff
+++ kdegraphics-3.5.9/debian/patches/fix-CVE-2009-1709.diff
@@ -0,0 +1,88 @@
+--- a/ksvg/core/DocumentFactory.cpp
++++ b/ksvg/core/DocumentFactory.cpp
+@@ -38,7 +38,7 @@ namespace KSVG
+ Private() { m_docs.setAutoDelete(true); }
+ ~Private() { m_docs.clear(); }
+ 
+- void setup(bool bFit) { m_docs.append(new SVGDocumentImpl(!bFit /* animations */, bFit)); }
++ void setup(bool bFit) { m_docs.append(new SVGDocumentImpl(false /* animations */, bFit)); }
+ SVGDocumentImpl *doc() const { return m_docs.current(); }
+ 
+ private:
+--- a/ksvg/impl/SVGAnimationElementImpl.cc
++++ b/ksvg/impl/SVGAnimationElementImpl.cc
+@@ -43,7 +43,6 @@ SVGAnimationElementImpl::SVGAnimationEle
+ KSVG_EMPTY_FLAGS
+ 
+ m_connected = false;
+- m_targetElement = 0;
+ 
+ m_values = new SVGStringListImpl();
+ m_keyTimes= new SVGStringListImpl();
+@@ -56,22 +55,18 @@ SVGAnimationElementImpl::SVGAnimationEle
+ 
+ SVGAnimationElementImpl::~SVGAnimationElementImpl()
+ {
+- if(m_targetElement)
+- m_targetElement->deref();
+ }
+ 
+ SVGElementImpl *SVGAnimationElementImpl::targetElement() const
+ {
+- if(!m_targetElement)
++ if (ownerDoc())
+ {
+- SVGAnimationElementImpl *modify = const_cast(this);
+- if(!m_href.isEmpty())
+- modify->setTargetElement(ownerDoc()->getElementByIdRecursive(ownerSVGElement(), SVGURIReferenceImpl::getTarget(m_href)));
+- else if(!parentNode().isNull())
+- modify->setTargetElement(ownerDoc()->getElementFromHandle(parentNode().handle()));
++ if (!m_href.isEmpty())
++ return ownerDoc()->getElementByIdRecursive(ownerSVGElement(), SVGURIReferenceImpl::getTarget(m_href));
++ else if (!parentNode().isNull())
++ return ownerDoc()->getElementFromHandle(parentNode().handle());
+ }
+-
+- return m_targetElement;
++ return 0;
+ }
+ 
+ double SVGAnimationElementImpl::parseClockValue(const QString &data) const
+@@ -215,7 +210,6 @@ Value SVGAnimationElementImpl::getValueP
+ switch(token)
+ {
+ case TargetElement:
+- return m_targetElement->cache(exec);
+ default:
+ kdWarning() << "Unhandled token in " << k_funcinfo << " : " << token << endl;
+ return 
Undefined();
+@@ -384,7 +378,6 @@ void SVGAnimationElementImpl::putValuePr
+ Value SVGAnimationElementImplProtoFunc::call(ExecState *exec, Object &thisObj, const List &)
+ {
+ KSVG_CHECK_THIS(SVGAnimationElementImpl)
+-
+ switch(id)
+ {
+ case SVGAnimationElementImpl::GetStartTime:
+@@ -420,11 +413,6 @@ void SVGAnimationElementImpl::setAttribu
+ 
+ void SVGAnimationElementImpl::setTargetElement(SVGElementImpl *target)
+ {
+- if(m_targetElement)
+- m_targetElement->deref();
+-
+- m_targetElement = target;
+- m_targetElement->ref();
+ }
+ 
+ void SVGAnimationElementImpl::applyAttribute(const QString &name, const QString &value)
+--- a/ksvg/impl/SVGAnimationElementImpl.h
++++ b/ksvg/impl/SVGAnimationElementImpl.h
+@@ -108,7 +108,6 @@ protected:
+ ECalcMode m_calcMode : 2;
+ ERestart m_restart : 2;
+ EAttributeType m_attributeType : 2;
+- SVGElementImpl *m_targetElement;
+ 
+ QString m_href;
+ QString m_attributeName;
only in patch2:
unchanged:
--- kdegraphics-3.5.9.orig/debian/patches/fix-CVE-2009-0945.diff
+++ kdegraphics-3.5.9/debian/patches/fix-CVE-2009-0945.diff
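Review bot: With the body of `case TargetElement:` removed in the getValueProperty hunk, a script reading `targetElement` now falls through to `default:`, gets `Undefined()` and triggers the "Unhandled token" kdWarning each time, so the property is silently dropped rather than rebuilt on top of the new lookup. If it is meant to survive, `case TargetElement: { SVGElementImpl *t = targetElement(); return t ? t->cache(exec) : Undefined(); }` wraps the freshly resolved element (which after this change is a non-owning pointer that may be 0) without the stale cached pointer the CVE is about; if dropping it is intentional, remove the label too so reads do not log a spurious warning. `setTargetElement()` is left as an empty body that ignores `target`, so existing callers still compile but silently do nothing — either remove it or document it as a no-op, and note in the header that `targetElement()` now resolves on every call and returns a borrowed pointer the caller must not retain across DOM changes. In DocumentFactory, `setup()` now passes `false` for animations regardless of `bFit`, which is presumably the deliberate mitigation; a comment such as `// animations deliberately disabled (CVE-2009-1709), do not restore !bFit` would keep the next maintainer from undoing it. Every function touched here starts or ends outside its hunk.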
@@ -0,0 +1,26 @@
+--- a/ksvg/impl/SVGList.h
++++ b/ksvg/impl/SVGList.h
+@@ -139,13 +139,23 @@ public:
+ switch(id)
+ {
+ case SVGListDefs::GetItem:
++ if (static_cast(args[0].toNumber(exec)) >= m_impl.count())
++ return KJS::Undefined();
+ return obj->getItem(static_cast(args[0].toNumber(exec)))->cache(exec);
+ case SVGListDefs::RemoveItem:
++ if (static_cast(args[0].toNumber(exec)) >= m_impl.count())
++ return KJS::Undefined();
+ return obj->removeItem(static_cast(args[0].toNumber(exec)))->cache(exec);
+ case SVGListDefs::AppendItem:
+ return obj->appendItem(static_cast *>(args[0].imp())->impl())->cache(exec);
+ case SVGListDefs::InsertItemBefore:
++ if (static_cast(args[1].toNumber(exec)) >= m_impl.count())
++ return KJS::Undefined();
+ return obj->insertItemBefore(static_cast *>(args[0].imp())->impl(), static_cast(args[1].toNumber(exec)))->cache(exec);
++ case SVGListDefs::ReplaceItem:
++ if (static_cast(args[1].toNumber(exec)) >= m_impl.count())
++ return KJS::Undefined();
++ return obj->replaceItem(static_cast *>(args[0].imp())->impl(), static_cast(args[1].toNumber(exec)))->cache(exec);
+ case SVGListDefs::Initialize:
+ return obj->initialize(static_cast *>(args[0].imp())->impl())->cache(exec);
+ case SVGListDefs::Clear:
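Review bot: The new guards cast `args[0].toNumber(exec)` (or `args[1]`) to an integer before comparing against `m_impl.count()`, so a negative, NaN or oversized index supplied by script goes through a floating-to-integer conversion whose result is undefined in C++; on common compilers it comes out as a large value that the `>=` test rejects, but that is an accident of codegen rather than a guarantee (the cast's target type is not legible in this copy of the patch). Checking in the double domain first is safer and removes the duplicated cast: `const double idx = args[0].toNumber(exec);` followed by `if (!(idx >= 0 && idx < m_impl.count())) return KJS::Undefined();`, with `args[1]` in the InsertItemBefore and ReplaceItem cases. The guard reads `m_impl.count()` while the operation itself runs on `obj`; if those can ever be different lists the check does not cover the call, so a comment stating they are the same object, or using one of them for both, would settle it. The added ReplaceItem case also repeats the existing pattern of `static_cast`ing `args[0].imp()` to a list wrapper with no visible check that the script passed one; unless the call site above the hunk verifies the argument type, that is a page-reachable type confusion that predates this change and deserves its own fix. The enclosing function starts before and ends after the hunk.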