Read the attached advisory.

-- 
WBR, Zeux.
Origin: I say evolve, let the chips fall where they may.

---
Zeux <zeux@inbox.ru> from sp00fed packet
Mail: zeux@inbox.ru
      zeux@secforum.net
      zeux@undergrounda.net
/----------------+--------------------------------------+-------------\
| sp00fed packet |                                      | advisory #2 |
+----------------+--------------------------------------+-------------+
| Product: multiple vendors' browsers                                 |
| Vulnerability: buffer overflow                                      |
| Danger: low                                                         |
\---------------------------------------------------------------------/

::Description::

Sample HTML code to crash browsers:

<img src="blank.gif" width=32759 height=132750>

blank.gif must be a working image; its size can be about 2 KB.

Why is width 32759? It is the highest value Opera 6.01 allows for width. Height can be very big (maybe there are limits for height in Opera, but I don't have such information).

The target is to generate a buffer overflow by asking the browser to display a scaled image with a very big scale. Opera crashes in 1-2 seconds (and displays an error message in the console: "/usr/bin/opera: line 72: 17445 Segmentation fault $OPERA "$@""); Konqueror first loads the system very heavily, then produces SIGSEGV.

The tested versions are shown below. The version of Opera was recent at the time the bug was found, so (I think) the bug is present in all earlier versions. My version of Konqueror is out of date, and I do not have the recent release of it, so I will be glad if somebody tests this vulnerability and reports the results to me.

In reality (as I think), the bug in Opera is present because of a bug in QImage (the image engine used in Opera to display images).

::Vulnerable::

[vulnerable] Opera v6.01 build 175 for Linux
[vulnerable] Konqueror v2.1.1

::Vendor::

Opera, Inc was informed 7 days ago. Answer was not received.
KDE Development Group was informed 7 days ago.
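The advisory only states that a very large display scale makes the image engine overflow a buffer; it does not show the failing arithmetic. The following C program is an added example (not code from the advisory, from Opera, or from QImage) of the classic failure mode behind such reports and of the check that prevents it: when the scaled canvas size is computed as a 32-bit product of width, height and bytes per pixel, the product wraps, a far too small buffer is allocated, and the scaler then writes past its end. The renderer entry point, the 4 bytes-per-pixel figure and the 256 MB policy cap are assumptions made for the example; the dimensions are the ones from the advisory's sample <img> tag.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Policy cap on one scaled canvas (constructed value for this example;
 * a real engine picks its own limit). */
#define MAX_SCALED_BYTES ((uint64_t)256 * 1024 * 1024)

/* The failure mode: a 32-bit product of width * height * bpp wraps
 * silently, so the buffer that gets allocated is far smaller than the
 * pixel data a scaler will later write into it. */
uint32_t naive_scaled_bytes(uint32_t width, uint32_t height, uint32_t bpp)
{
    return width * height * bpp;            /* wraps modulo 2^32 */
}

/* The mitigation: check every multiplication for overflow before it
 * happens, then apply a policy limit. Returns true and sets *out only
 * when the requested canvas is safe to allocate. */
bool checked_scaled_bytes(uint64_t width, uint64_t height, uint64_t bpp,
                          uint64_t *out)
{
    if (width == 0 || height == 0 || bpp == 0)
        return false;
    if (width > UINT64_MAX / height)        /* width * height would overflow */
        return false;
    uint64_t pixels = width * height;
    if (pixels > UINT64_MAX / bpp)          /* pixels * bpp would overflow */
        return false;
    uint64_t bytes = pixels * bpp;
    if (bytes > MAX_SCALED_BYTES)           /* arithmetically fine, but too big */
        return false;
    *out = bytes;
    return true;
}

/* Convenience wrapper: the checked size, or 0 when the request is rejected. */
uint64_t checked_scaled_bytes_or_zero(uint64_t width, uint64_t height, uint64_t bpp)
{
    uint64_t bytes;
    return checked_scaled_bytes(width, height, bpp, &bytes) ? bytes : 0;
}

/* Hypothetical renderer entry point: validate the display size requested
 * by the <img> width/height attributes before touching the allocator. */
unsigned char *alloc_scaled_canvas(uint64_t width, uint64_t height, uint64_t bpp)
{
    uint64_t bytes;
    if (!checked_scaled_bytes(width, height, bpp, &bytes))
        return NULL;                        /* reject instead of crashing later */
    return calloc((size_t)bytes, 1);
}

int main(void)
{
    /* Dimensions from the advisory's sample tag; 4 bytes/pixel is an assumption. */
    uint32_t w = 32759, h = 132750, bpp = 4;
    uint64_t true_bytes = (uint64_t)w * h * bpp;

    printf("true canvas size:   %llu bytes\n", (unsigned long long)true_bytes);
    printf("naive 32-bit size:  %u bytes\n", (unsigned)naive_scaled_bytes(w, h, bpp));

    unsigned char *canvas = alloc_scaled_canvas(w, h, bpp);
    printf("checked allocation: %s\n", canvas ? "accepted" : "rejected");
    free(canvas);

    canvas = alloc_scaled_canvas(640, 480, bpp);
    printf("640x480 allocation: %s\n", canvas ? "accepted" : "rejected");
    free(canvas);
    return 0;
}
```

With the advisory's 32759 x 132750 request the true RGBA canvas is about 17.4 GB, while the naive 32-bit computation yields 215,159,816 bytes (about 205 MB): an allocation that succeeds and is then overrun by the scaler. The checked path rejects the request outright, which turns a crash into a refused image.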
Answer:

----
From owner@bugs.kde.org Sun Sep 8 00:33:00 2002
From coolo@kde.org Sun Sep 08 00:33:02 2002
Envelope-to: zeux@inbox.ru
Delivery-date: Sun, 08 Sep 2002 00:33:02 +0400
Received: from drweb by mx5.mail.ru with drweb-scanned (Exim MX.5)
	id 17nmGM-0000DA-00
	for zeux@inbox.ru; Sun, 08 Sep 2002 00:33:02 +0400
Received: from [131.246.103.200] (helo=ktown.kde.org)
	by mx5.mail.ru with smtp (Exim MX.5)
	id 17nmGL-0000CP-00
	for zeux@inbox.ru; Sun, 08 Sep 2002 00:33:01 +0400
Received: (qmail 22134 invoked by uid 1003); 7 Sep 2002 20:33:00 -0000
Date: 7 Sep 2002 20:33:00 -0000
From: owner@bugs.kde.org (Stephan Kulow)
To: zeux@inbox.ru
Subject: Bug#47456 acknowledged by developer (Konqueror bug)
References: <200209072229.01403.binner@kde.org> <02090508174301.01204@sp00fed.zx>
In-Reply-To: <02090508174301.01204@sp00fed.zx>
Message-ID: <handler.47456.C.103143051820946.notifdonectrl.0@bugs.kde.org>
X-Envelope-To: zeux@inbox.ru
Content-Type: 
Status: RO
X-Status: O

Your report has been marked as closed by one of the developers, namely Stephan Binner <binner@kde.org>.

The report is about a very old version of the software. Many improvements have been made and many bugs have been fixed in the meanwhile. Given the huge number of bug reports we receive, we are no longer investigating bug reports for this version of the software. Please upgrade to the latest official release. If you find your problem still persisting, then we were unable to reproduce it and you might need to provide more details on your setup that may make the difference. Thanks in advance.

If you are pretty sure that something went wrong, please contact Stephan Binner <binner@kde.org> directly.

Stephan Kulow (administrator, KDE bugs database)
----

The creators of the package did not even check for the presence of this vulnerability in the new browser, so I ask you to check it on Konqueror from KDE3.
::Contacts::

[http://www.sp00fed.ru/] sp00fed packet
[zeux@inbox.ru] Zeux (it's me ;)
[spikir@rbcmail.ru] Spikir (team coordinator)