Slashdot Mirror

← Back to Stories (view on slashdot.org)

KDE Heap Overflow Vulnerability Found

Posted by CowboyNeal on from the holes-in-the-dike dept.

sayanchak writes "An incorrect bounds check has been discovered in kjs, the JavaScript interpreter engine used by Konqueror and other parts of KDE, that allows a heap based buffer overflow when decoding specially crafted UTF-8 encoded URI sequences. It might allow malicious Javascript code to perform a heap overflow and crash Konqueror or even execute arbitrary code. Source diff patches for KDE 3.2.0 - 3.3.2 and KDE 3.4.0 - 3.5.0 are available."

12 of 233 comments (clear)

  1. Bullet-proof JS by Anonymous Coward · · Score: 1, Interesting

    Man! It seems that no one can build a bullet-proof JS interpreter

  2. This is interesting... by Anonymous Coward · · Score: 1, Interesting

    .. because KDE is supposedly developed in the so-called "modern C++" using STL. Perhaps OSS developers should look into using code analysis tools to weed out any unsafe techniques.

  3. Malicious hackers around the world... by Anonymous Coward · · Score: 5, Interesting

    ...yawn and pay no heed. Have any vulnerabilities for Konqueror ever actually resulted in exploits in the wild?

  4. Rather incompetent by velco · · Score: 4, Interesting

    And the proposed patch leaks if realloc fails and does not check the return value of realloc. *sigh*

    Also, one may only wonder why didn't they use std::vector ...

    ~velco

    1. Re:Rather incompetent by m50d · · Score: 2, Interesting

      KDE began in a time when STL support in many C++ compilers wasn't up to much, so for cross-platform capability (always a design goal) they couldn't really rely on it. Not sure whether that has anything to do with this.

      --
      I am trolling
  5. Re:Ubuntu patched already by Anonymous Coward · · Score: 2, Interesting

    I'm not sure if "patch" is the correct word, since it basically re-downloads all of the kdelibs and the necessary data which weigh in at 10s of megabytes.
    Happily, the debian devels are said to be looking into a way of supplying binary diffs/ deltas of update .debs eventually, which will be nice. Shame it's taken such an incredibly long time, though - MS has had the technology for aeons.

  6. Re:And now the obligatory... by dioscaido · · Score: 1, Interesting

    While you have a point, this patch obviously didn't get too much review -- decbuf is reallocated using realloc, and as far as I can tell the value is never checked before being dereferenced to make sure the allocation didn't fail. So this patch needs another patch, and it is the kind of thing that 'the other operating systems' wouldn't be able to get away with.

  7. Plugging the "arbitrary code" hole? by G4from128k · · Score: 2, Interesting

    So many vulnerabilities seem to involve writing past the extents of a data structure (stack, heap, buffer, etc.). But how does this lead to the ability to execute arbitrary code? It would seem that the system must lack an ability to clearly segment memory in the distinct data spaces or to distinguish between data and code.

    Perhaps machines need a more secure memory management scheme (such as an execute disable bit or Data Execution Prevention).

    Yes, malware could still crash an application or machine (to the extent that the system has inadequate input checking and nongraceful failure modes) but arbitrary code execution wouldn't be possible.

    Why don't people use these concepts to plug a vast range of vulnerabilities?

    --
    Two wrongs don't make a right, but three lefts do.
  8. Re:Queue Linux Defense Responses! by laffer1 · · Score: 2, Interesting

    Yes, but most linux distros ship with an X11 desktop environment. I can't think of too many besides gentoo that don't come with either KDE or gnome. Its also a very common add-on to distros without one or bsd's that run in desktop mode. And if you think about it, running a gui is a comparable was to look at windows. Windows = command interpreter + kernel + gui
    Linux distro = command interpreter (login shell) + kernel (linux itself) + gui (x11 & window manager or desktop)

    In order to compare Windows and Linux from a desktop point of view, you must look at the whole package. An end user would.

    Of course you are right that its not a linux specific issue. It can affect linux distros, *bsd, or UNIX distros that include or have the environment installed. But, think of it this way.. it can affect all *nix installs that have KDE which is very popular.

    As for his list, I found it quite amusing. I'm not MS fanboy, but you have to admit that many people have this perception that MS has a lot more bugs. I think Microsoft screws up patching quite a bit. If you look at original vulnerabilities though, its no different than a full linux distro with gui (redhat for example), or OSX. I've had to patch my mac and freebsd machine just as much as my windows box lately. (freebsd has has 5 holes in the core os recently plus any ports like firefox or KDE)

    I think its about time to realize that open source has grown up. It has just as many holes as closed source software. People are starting to find them more often. Look at firefox. I no longer use firefox because i feel safer. I use it because I like the UI. The difference is that most OSS holes don't cause code to run as root since *nix developers are more likely to run code as a user vs system (root).

    Security minded people often forget that programmers are NOT taught about security in college and its not like the local BN has a book called "learn to code safely and check your input." There are a few security books out there, but they often are not written for everyday programmers. In college, I was taught what a buffer overflow is and told to check input. I've never been given an example besides a simple x > 2 check example in any class. Once a professor mentioned regular expressions, but didn't describe what they did. Its quite sad. I don't see how we can expect closed or open source developers to code securely if we don't teach them.

    --
    MidnightBSD: The BSD for Everyone
  9. Re:This is why I use Windows by Anonymous Coward · · Score: 2, Interesting
    Fact is, the term "Operating System" is far older than linux, dating back to the 1950s. On almost every processor ever built, it has a precise definition. The definition is hardware based.

    In the machine language, there's an opcode usually called SC (System Call). If you need to use a SC instruction to get to some subroutine, you're at the application level. If you don't need to call SC to get to that subroutine, you're in the operating system. It's as simple as that. (Well, except for a few machines with hardware support for multi-level OS security, by having multi-level SC opcodes.)

    I'm speechless. I'm trying to find a polite, non-patronising, way of answering this.

    FYI: few, if any, CPUs have an opcode called "SC". There are various CPUs with instructions I'd take to be an equivalent of what you're describing, such as TRAP on the 68000, but SC? Where did you get that one from?

    What you're describing is not an operating system but a kernel, and many kernels use regular subroutine calls rather than "SC" equivalents to get into them. If your definition of "operating system" were valid, many things we call operating systems today wouldn't be. The Amiga, for instance, far from having a revolutionary operating system as described by most of its enthusiasts, never came with one. (You called exec, the kernel, though standard subroutine calls, not through the TRAP instruction.)

    If your definition were true, it would also mean that the word "kernel" is redundant. Few operating systems require special access to any function but the kernel. Microkernels would be unusable operating systems, not tiny components of full operating systems.

    A modern operating system consists of a range of subsystems, some in the kernel, some outside of it. The goal of an operating system is to manage the resources of a computer, which includes providing a console for the user (modern systems use GUIs) to start and stop and interact with running programs, allocating memory and time to running programs, providing necessary intercommunication systems with different programs and subsystems, etc. Basing a definition of "operating system" in a 1950s definition that appears to be synomynous with kernel, and inaccurate to boot, strikes me as bizarre.

  10. Re:About the Patch by porneL · · Score: 2, Interesting

    Hey! But I have Konqueror compiled for OS X. Now I'll have to recompile everything using my half-speed single-core G5 :(

  11. Re:This is why I use Windows by Anonymous Coward · · Score: 1, Interesting

    Except that Microsoft takes the strategy much, much further than KDE does -- not only is explorer the component for rendering HTML, but it also renders the desktop, taskbar, start menu, etc. A better name for Vista would be "Explorer 2006." KHTML is present only in a few select KDE apps

    I suggest you look into the work being done on KDE 4. It will include something very much like Apple's Dashboard and Microsoft's Active Desktop. Implemented with KHTML and KJS.

    Consider that situation: a user with total control over the system, who can change or overwrite anything, is using a single component for everything they do.

    The same is true in Linux. Ever heard of a little thing called "glibc"?

    Seriously, there's nothing remarkable about Microsoft's code reuse. Everybody does it. It's a good thing.