Slashdot Mirror


KDE Heap Overflow Vulnerability Found

sayanchak writes "An incorrect bounds check has been discovered in kjs, the JavaScript interpreter engine used by Konqueror and other parts of KDE, that allows a heap-based buffer overflow when decoding specially crafted UTF-8 encoded URI sequences. It might allow malicious JavaScript code to perform a heap overflow and crash Konqueror or even execute arbitrary code. Source diff patches for KDE 3.2.0 - 3.3.2 and KDE 3.4.0 - 3.5.0 are available."

3 of 233 comments

  1. Well, I used to love KDE... by TyrelHaveman · Score: 0, Flamebait

    I used to love KDE until I saw this. What the **** is wrong with their engineers? ****

  2. I've got news for you by Qbertino · Score: 0, Flamebait

    1.) Windows does take longer to patch
    2.) Anything is more secure than Windows
    3.) Odds are the people that discovered the bug are the same ones that patched it while discovering it. So, yes, this security hole is already patched. That is more often the case than not with OSS.
    4.) Yes, believe it or not, it does NOT crash the OS when Konqueror goes down. Unlike IE on Windows, the TCP/IP stack is not bound into the most inner workings of the OS. Which makes sense.

    The funny thing is that we ought to be laughing about Windows when Windows holes pop up. Then on the other hand, the trouble the Windows family causes isn't funny anymore and hasn't been for years.

    --
    We suffer more in our imagination than in reality. - Seneca
  3. News just in... by kula.shinoda · Score: 0, Flamebait

    All thirteen Konqueror users around the world have now been successfully patched, making this patch one of the only ones ever created that patched all users.

    --
    Real men don't write sigs