
Bug 239565 (CVE-2008-4382)

Summary: <=kde-base/konqueror-3.5.10 DOS via Javascript (CVE-2008-4382)
Product: Gentoo Security
Reporter: Stefan Behte (RETIRED) <craig>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED OBSOLETE
Severity: normal
CC: esigra
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: A4 [upstream]
Package list:
Runtime testing required: ---
Bug Depends on: 271889    
Bug Blocks:    

Description Stefan Behte (RETIRED) gentoo-dev Security 2008-10-04 17:02:09 UTC
CVE-2008-4382 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4382):
  Konqueror in KDE 3.5.9 allows remote attackers to cause a denial of
  service (application crash) via Javascript that calls the alert
  function with a URL-encoded string of a large number of invalid
  characters.
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2008-10-04 17:18:16 UTC
The HTML code from http://www.securityfocus.com/archive/1/archive/1/496849/100/0/threaded will crash the whole OS; it will eat up all your resources.

We've got 3.5.10 in the tree, please stabilize.
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2008-10-04 17:25:48 UTC
Does 3.5.10 fix this bug?
Comment 3 Stefan Behte (RETIRED) gentoo-dev Security 2008-10-04 17:51:45 UTC
Uhm, I thought so, verifying it now (I got in touch with security@kde.org).
Comment 4 Stefan Behte (RETIRED) gentoo-dev Security 2008-10-05 12:26:31 UTC
Their policy is that security bugs are not to be filed on the bugtracker:
http://kde.org/info/security/policy.php
No answer yet.
Comment 5 Stefan Behte (RETIRED) gentoo-dev Security 2008-10-06 19:21:24 UTC
Robert, I really should have thought about that myself.
My testing system crashes on 3.5.10, too.
Sorry that it took a bit to set it up and test (slow pxe-booted system...).
Comment 6 Craig Goodrich 2008-11-22 09:43:14 UTC
(In reply to comment #5)
> My testing system crashes on 3.5.10, too.

On my system (3.5.9, amd64x2, 3G mem), this rather silly code slows things down, finally starts swapping, and then kills Konq.  Everything else then recovers nicely -- X, KDE, etc.  

Calling this a "DoS" is just dignifying stupidity.  All this code does is create an impossibly huge string and then try to display it.  But with 64-bit pointers and virtual memory, exactly when do we call it a day and return -ENOMEM?  

I note that Konq crashed long before I ran out of swap space, though...

Comment 7 Stefan Behte (RETIRED) gentoo-dev Security 2008-11-23 20:46:46 UTC
It may not crash *your* setup, but I've got a setup here that freezes, see comment #1. I have to confess that I did not make it clear that I verified what I wrote there - my fault.
I must point out that I expect you to be polite on the bugtracker; personal insults are inappropriate and I really don't know how they would help in resolving this issue.

Comment 8 Theo Chatzimichos (RETIRED) archtester gentoo-dev Security 2009-05-30 17:18:32 UTC
I have opened a stabilization bug for KDE 3.5.10, adding it to the depend buglist.
Comment 9 Samuli Suominen (RETIRED) gentoo-dev 2009-11-07 20:06:30 UTC
=konqueror-3* is now masked for removal
Comment 10 Theo Chatzimichos (RETIRED) archtester gentoo-dev Security 2010-01-23 15:22:05 UTC
KDE 3 is not in tree any more. CC us again if you need anything. Thanks.