CVE-2009-1725

Published: 09 July 2009

WebKit in Apple Safari before 4.0.2, as used on iPhone OS before 3.1, iPhone OS before 3.1.1 for iPod touch, and other platforms; KHTML in kdelibs in KDE; QtWebKit (aka Qt toolkit); and possibly other products do not properly handle numeric character references, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted HTML document.
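The description above covers a whole class of parser defect: the digits of a numeric character reference ("&#60;" or "&#x3C;") are accumulated into a code point that is then used without enough validation. The C decoder below is an added example, not WebKit's or KHTML's code, of the checks a hardened decoder makes: it saturates on overlong digit strings such as the eight-digit hex entity the PoC exercises, and maps out-of-range, surrogate and NUL values to U+FFFD. The function names and the choice of U+FFFD as the fallback are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_CODEPOINT    0x10FFFFu
#define REPLACEMENT_CHAR 0xFFFDu

/* Decode one numeric character reference ("&#60;" or "&#x3C;") at s.
 * Returns the bytes consumed and stores the code point in *out, or returns
 * 0 if s does not start with "&#" plus at least one digit.  Out-of-range
 * values, surrogates and NUL become U+FFFD instead of reaching the caller. */
size_t decode_ncr(const char *s, size_t len, uint32_t *out)
{
    size_t i = 2;
    unsigned base = 10;
    uint32_t value = 0;
    int too_big = 0, ndigits = 0;

    if (len < 3 || s[0] != '&' || s[1] != '#') return 0;
    if (s[i] == 'x' || s[i] == 'X') { base = 16; i++; }
    for (; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        unsigned d;
        if (c >= '0' && c <= '9') d = c - '0';
        else if (base == 16 && c >= 'a' && c <= 'f') d = c - 'a' + 10;
        else if (base == 16 && c >= 'A' && c <= 'F') d = c - 'A' + 10;
        else break;
        ndigits++;
        /* value <= MAX_CODEPOINT before this step, so no wraparound; past the
         * limit we stop accumulating so eight hex digits cannot wrap small. */
        if (!too_big) {
            value = value * base + d;
            if (value > MAX_CODEPOINT) too_big = 1;
        }
    }
    if (ndigits == 0) return 0;
    if (i < len && s[i] == ';') i++;           /* trailing ';' is optional */
    if (too_big || value == 0 || (value >= 0xD800u && value <= 0xDFFFu))
        value = REPLACEMENT_CHAR;
    *out = value;
    return i;
}

/* Whole-string helper: the code point, or UINT32_MAX if not an NCR at all. */
uint32_t ncr_value(const char *s)
{
    uint32_t cp;
    return decode_ncr(s, strlen(s), &cp) ? cp : UINT32_MAX;
}
```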

Priority

Medium

Status

Package: kde4libs (Launchpad, Ubuntu, Debian)
  Release: Upstream, Status: Needs triage
  Patches:
    Upstream: http://websvn.kde.org/?view=rev&revision=1002162 (trunk)
    Upstream: http://websvn.kde.org/?view=rev&revision=1002163 (4.3)

Package: kdelibs (Launchpad, Ubuntu, Debian)
  Release: Upstream, Status: Needs triage
  Patches:
    Upstream: http://websvn.kde.org/?view=rev&revision=1002164 (3.5)

Package: qt4-x11 (Launchpad, Ubuntu, Debian)
  Release: Upstream, Status: Needs triage

Package: webkit (Launchpad, Ubuntu, Debian)
  Release: Upstream, Status: Needs triage
  Patches:
    Upstream: http://trac.webkit.org/changeset/44799

Notes

Author: jdstrand
  webkit is a fork of khtml from kdelibs. kdelibs5 is farther from
  it, while qt4-x11 attempts to unify khtml and webkit

Author: mdeslaur
  PoC: http://trac.webkit.org/browser/trunk/LayoutTests/fast/parser/eightdigithexentity.html?rev=44799&format=txt
  expected output: http://trac.webkit.org/browser/trunk/LayoutTests/fast/parser/eightdigithexentity-expected.txt?rev=44799&format=txt
  direct link: http://trac.webkit.org/export/46476/trunk/LayoutTests/fast/parser/eightdigithexentity.html
  as per RH bug, in kde4libs, this is a rendering bug, not a security bug
