Slashdot Mirror
KDE Heap Overflow Vulnerability Found
sayanchak writes "An incorrect bounds check has been discovered in kjs, the JavaScript interpreter engine used by Konqueror and other parts of KDE, that allows a heap based buffer overflow when decoding specially crafted UTF-8 encoded URI sequences. It might allow malicious Javascript code to perform a heap overflow and crash Konqueror or even execute arbitrary code. Source diff patches for KDE 3.2.0 - 3.3.2 and KDE 3.4.0 - 3.5.0 are available."
Microsoft would never tie a web browser into the operating system... err, wait.
Man! It seems that no one can build a bullet-proof JS interpreter
Who has variables named "vvvv" and "uuuuu"? At least make them somewhat useful, even if they are temporary variables.
I'm going back to Windows!!!
.. because KDE is supposedly developed in the so-called "modern C++" using STL. Perhaps OSS developers should look into using code analysis tools to weed out any unsafe techniques.
The obvious question is - does the same bug exists in the KJS-derived Safari Javascript?
do i just make the .diff file executable and put a ./ in front when typing out the name of the file in a root shell???
...yawn and pay no heed. Have any vulnerabilities for Konqueror ever actually resulted in exploits in the wild?
Rich.
libguestfs - tools for accessing and modifying virtual machine disk images
There are patches already available. Fix it. Move on. Mind you, this is not like what happens with "some other operating systems," where they have to be berated by users into issuing patches...
GetOuttaMySpace - The Anti-Social Network
Patches for both 3.2.x - 3.3.x and 3.4.x-3.5.0 are the same except for the revision number. I think Slashdot got the link switched around.
Although Apple does use some of the Konqueror's core, I believe that the bug does not affect it at all. At least there is no such vulnerable function as in KDE is in their JS core code.
--
Error 500: Internal sig error
While i realize you were trying to be funny, KDE doesnt tie the browser into any OS. its tied into the DE.. Quite a difference there. ( still potentially dangerous, as the DE has a lot of rights at the system level, but it is different )
---- Booth was a patriot ----
Is it going to be able to run with root privileges or just as a user?
Victims of 9/11: <3000. Traffic in the US: >30,000/y
More Safari/KJS info. I took a look at the Apple code. It appears the URI encode/decode function were completely rewritten and have no resemblance to the KDE/KJS original functions.
JavaScriptCore
JavaScriptCore is a framework for Mac OS X that takes the cross-platform KJS library (part of the KDE project), combines it with the PCRE regular expression library, and makes it work with Mac OS X technologies.
The current version of JavaScriptCore is based on the KJS library from KDE 3.0.2. The few changes that are specific to JavaScriptCore are marked with #if APPLE_CHANGES. Other changes to improve performance and web page compatibility are intended for integration into future versions of the KJS library.
Probably, but expect silence until Tuesday, when a patch will suddenly appear to bump Safari to 2.0.4.
And the proposed patch leaks if realloc fails and does not check the return value of realloc. *sigh*
...
Also, one may only wonder why didn't they use std::vector
~velco
Does this affect Safari?
So many vulnerabilities seem to involve writing past the extents of a data structure (stack, heap, buffer, etc.). But how does this lead to the ability to execute arbitrary code? It would seem that the system must lack an ability to clearly segment memory in the distinct data spaces or to distinguish between data and code.
Perhaps machines need a more secure memory management scheme (such as an execute disable bit or Data Execution Prevention).
Yes, malware could still crash an application or machine (to the extent that the system has inadequate input checking and nongraceful failure modes) but arbitrary code execution wouldn't be possible.
Why don't people use these concepts to plug a vast range of vulnerabilities?
Two wrongs don't make a right, but three lefts do.
...what if it was actually a backdoor placed there intentionally by secret society agents?
Okay I'm kidding... really... go look at the source code or something.
Alright, here come the slashdot standard defense responses the moment anything is found bad about something related to Linux:
:)
1. Oh, but microsoft takes longer to patch
2. But it is still more secure than windows!
3. Ya, old news, it's already patched!
4. And, this isn't an OS problem it's the shell, windowing, daemon, whatever etc!
And hell yes, I will post this Anonymously as I expect this to be moded as Troll within 5 minutes and I got no karma to burn!
The only site that crashes my Knoq is ebay - thank god...
Apple's WebCore is a fork of KHTML and KJS, does anyone have information if Safari/WebCore is effected by this vulnerability?
that even with a relatively clean codebase, bugs happen. Konqueror is good code compared to a lot of things, but I guess complexity is unavoidable, and that leads to things like this.
I am trolling
kdelibs-3.4.3-r1 and kdelibs-3.5.0-r2 were both released yesterday with the former being marked stable on most archs.
This is the text of the patch. Look at the nice variable names :P
And this is the contents of the guilty source code file. It's filled with such variable names and obfuscated code! Some variable names -> zzzzzzz, yyyyy, xx, uuuuu.
I really never thought that this kind of code was in a project such as KDE. I assume that it's a fairly unique file, but even then it's just really stupid...
The AACS key is NOT 0xF606EEFD628B1CA427BEA93A9CA9773F
If you actually look at the code you'll see plenty of bad coding practices. vvvv and uuuuu as variable names? malloc and free in C++ code? Cut-n-paste code where a loop ought to be? It looks like something that I might find on the "Daily WTF" site.
On modern systems it is quite impossible to print an error (in a gui box) when you run out of memory. everything tries to allocate memory.
PLEASE don't put these checks in. Not everything you learned in COMPSCI-101 is correct. Random checks that people like you insist on putting in are misleading, making anybody reading the code think the zero is a legitimate return value. Directly on malloc it is not confusing, but when that function returns zero and the caller checks, it can mislead somebody maintaining the code into thinking zero is an important and useful value, and they then completely mangle the code trying to "fix" it so that zero works everywhere. I have seen this. Please avoid it! Not everything you learned in compsci-101 is correct.
You are trying to fake exceptions, and there is a reason exceptions have been added to modern languages, because you cannot fake it. Supporting exceptions everywhere may make out-of-memory work. An alternative that is practical right now is to make malloc call some code of your own at the moment it discovers out-of-memory so that you can try to free cached information or gracefully abort. In both of these solutions, malloc never returns zero, so testing is misleading and useless. So again, PLEASE don't do this!
I believe the variable names are an attempt to represent how many bytes were needed to produce that value. Not sure this is a great idea, rather than using a number suffix, but it seems likely this is why those names were chosen.
If you study the code a little, you'll see there is some logic to those names: The length of the variable name also reveals the number of bits stored by that variable. "xx" stores a 2 bit value, "zzzzzz" stores a six-bit value.
That's not obfuscated, since if you know the scheme, it improves readability.
(The code doesn't really look obfuscated to me, but OTOH I have been programming C++ for over 10 years.)
The letter in the variable name indicates the order. So if you put together the parts where the sub-bit sections come from, it looks like this:
yyyyzzzzzz
E.g. that stores the lower 10 bits of a value, where zzzzzz hold the lowest six bits and yyyy holds the next 4 bits. That seems like a pretty neat idea to improve the readability of what would otherwise inherently be fairly tricky to read code.
And its windows explorer like how? Besides the fact that it has a bug in it, I can't see any connections between the two.
Chances are any disscution on Slashdot will degrade into a flamewar about ID/Christianity within 14 posts.
By the time you and I heard about it, there was already a fix. On the other hand, if it's existed since 3.2 onward, that means this flaw has been in place since at least February, 2004. The fact that it's public now and there's a patch now doesn't mean that there wasn't some sharp-eyed and black-hearted soul who spotted this hole years ago, and has been quietly taking advantage of it ever since.
ABSURDITY, n.: A statement or belief manifestly inconsistent with one's own opinion.
Working on embedded systems I'm used to checking every malloc(). It is fairly easy to do, but you need to design your application to handle out of memory situations gracefully. That is not as easy depending on what you are trying to do.
Yes, but on an embedded system, you almost always have an init phase where you allocate all the memory that you need at startup, and so you have an init() function or similar that either fails or succeeds at startup containing checked mallocs. Then you have *one* cleanup path. You only guarantee that your application handles up to N resources used of each type at runtime (100 connections, 30 open files, whatever).
Checking malloc in the middle of your code is essentially an obsolete practice for real-world systems -- it's essentially impossible to cleanly back out of all failures, and nobody is going to test all possible failure conditions. The fact that Linux uses an OOM killer and overcommits by default is just a recognition of this fact.
I know this goes against what some people learn, but let me ask those people who carefully check every failure:
* Do you actually test each bit of cleanup and error-recovery code? I mean, are you using a malloc()/free() wrapper that causes *every* path to be invoked? Otherwise, you're just bloating your application with masses of untested code.
* Are you certain that you can't run out of stack space, not just heap space? Particularly if you're using C++ and local objects, I'm pretty dubious that you're so sure. Do you really know, for certain, how much space a random STL object uses?
Systems these days have so much memory and virtual memory that running out of memory is almost *always* a bug. It's a pretty safe bet that the allocation that causes your app to run out of memory is the culprit. Even if Linux didn't have an OOM killer, I'd feel safe in almost all circumstances just wrapping malloc() with an abort() on failure.
Some applications might be fed huge workloads inadvertently. Those are better off adding checks specifically for those workloads. For example, if you load a huge image in the GIMP, you'll get a warning based on the size before the GIMP attempts to do memory allocation, not after the failure happens.
Any program relying on (nontrivial) preemptive multithreading will be buggy.
And I'm on the opposite end of the spectrum, wher I've found that many malware packages don't know what do when they are denied systemwide file and registry access, and as a result they just crash or bail out. I manage a couple of small offices, and with all users running XP with LUAs, nothing ever gets infected. Plus, if there is a piece of malware or virus that does infect their account, it makes things a lot easier for me to clean up. I don't have to start picking through system files, so I keep my hair a bit longer.
Also there is the added benefit that when they visit a site with IE, the newest exploit of the month isn't running as Administrator. I'd love to use Firefox, but a) I doubt Firefox will end up being that much more secure in the long run b) most state law online databases they use need IE, so kinda no choice there.
hello dear sirs my name is jamesh i are india (bihar) can u guide me install red had linux 9?
Does taskbar, start menu, desktop all render in html. I know "Active Destop does", not the regular one. Also i know windows explorer uses html and js to render the taskpad, and other views while browsing files.
And if it does render in html, why is that a big deal, if anything it simplifies code, and removes one other area of coding to replicate existing functionality somewhere else.
If in a corporate network people are logging in as admin, you have a network/sys admin problem. NOT a windows issues, fire your sys admins and get better ones, that will put effort into making users log on as regular users.
If you look up SQL server documentation and best practices they tell you to switch the user it runas as. IIS and most other services run as network service, which has greatly reduced priviledges.
I'm no Windows fan, but technically, the same is true of IE. It's tied into the desktop environment the same way KHTML is. The two big differences (which help KDE) are (a) most users don't run as root in KDE, while most users run as root (Administrator) in Windows, and (b) KDE isn't the only DE for Linux, while Explorer is the only DE in Windows. That latter point is why people tend to think that IE is tied into the OS. It's not; it's tied into the only DE in Windows. Overall, not much different, but structurally, it's not much different from KDE.
"Save the whales, feed the hungry, free the mallocs" -- author unknown
Check section 15.1.3 of the ECMA standard, which the source refers to. The algorithm is explained there, and the variable names are taken from the standard for readability.
Sheesh, do a little homework first.
Laws do not persuade just because they threaten. --Seneca
With current versions of windows the DE ( and thus IE ) is a bit lower level, as many of its libraries are required for the OS to actually function. True, there are some kernel level items that wont need DE/IE, but it doesnt leave you with much..
At least with KDE, you can drop it totally, and your system is still there and functioning.. Try that with windows somtime.
Not saying either way is right or wrong, just different paths to get to the same place.
---- Booth was a patriot ----
Show me a piece of code longer than 500 lines that ain't got a bug or two no matter the OS.
I am. Lower your shields and power down your weapons, they are useless. Your biological and technological distinctivenes
Wikipedia has a few articles that might interest you. Please look at Stack Smashing Protection to learn about canaries and tools such as ProPolice. ProPolice is part of gcc, so you can build practially any open source OS with this protection today. (This makes buffer overflows much more difficult, if not impossible.) It should not surprise any Slashdot reader to learn that OpenBSD uses this by default. OpenBSD also adds W^X protection to each page. It is ironic that you reference Intel on a no execution bit. If you read some of the developer comments from the OpenBSD team, it is pretty clear that AMD 's 64-bit processors and all RISC processors have better implementations of the no-execute bit than does Intel. It is doubly ironic that you mention Microsoft for Data Execution Prevention, since this sure seems like they are trying to appear to be the inovator of this technique. This is pretty typical for MS, and it explains why many people seem to believe that MS inovates and free software copies. The reality, in this case and many others, is often the opposite.
Think global, act loco
Worse, when there is a legitimate reasons for a superuser to log in, he is logging into an Explorer shell.
By the way, what about alternative shells like the Aston Shell? Do they completely replace explorer.exe or is the Explorer still running in the background? If they do replace the Explorer, installing an alternative shell might improve security on a Windows box.
USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)
Seems this thread attracted the anti-Linux-zealots or something. Your response is only as much flamebait as your parent post, which is far from interesting. In an ideal world, he would have been "modded into oblivion" in moments, and you would never have thought to waste your time responding to his very amateur flamebaiting.
Bad luck man.
KDE has KParts, which offer some nice possibilities. Also, you can have an OS X-style menu (ie. it does not appear in the application window but in a Kicker panel) - although those only wirk with Qt applications. Someone should put compatibility for this in GTK, as it is very nice to have (it saves valuable screen real estate).
Also you can have GTK use Qt as the rendering engine via gtk-qt, which makes running Gnome apps under KDE a bit more pleasant; I dont know if it also works vice versa.
USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)
a) Because if you run out of memory in a JS interpereter in a graphical app, what are you going to do? You can't display anything, all you can do is exit. In which case an OOM segfault would have been more informative anyway. Sounds like this was posted by someone without much practical experience in GUI apps.
b) For one, KDE never uses STL, because for one when it was wirtten it was not available on all the platforms it needed, and for two Qt's containers are just better and more efficient than STL contains in general anyway.
I know Safari's HTML enginge was derived from KHTML. Does it also use the same Javascript engine?
Anm
...and you are misinformed about Microsoft's Windows 2000 support policy.
"I don't see this! I have two comparable machines running on a KVM switch. One runs Linux (Gentoo + 2.6 kernel) and the other runs win 2k. I run OpenOffice and Mozilla on both. In general, The Linux machine runs so much faster that I use it in preference to the Windows machine for everyday tasks."
And I don't see what you're seeing. I run OpenOffice on both FreeBSD 6 and WinXP and loading times are roughly the same. They very well might be faster on FreeBSD, but I don't think that was point of the parent. The parent was probably thinking of an OO/Microsoft Office comparison. On Windows, even with Open Office "quick launch" enabled (which makes it a fair comparison) Microsoft Office blows away OO as a far as loading times and memory footprint. When you compare Firefox to IE, IE takes up less memory when ideintical pages are loaded. One more thing. You said "comparable" machine. For a fair comparison, identical machines are needed.
"And isn't that the beauty of OSS? You can use the previous kernel without being forced to upgrade to keep your machine up to date with the latest security patches! Microsoft is dropping support for Win2k so I may be forced to upgrade just to keep my desktop secure! I personally use 2.4.x kernels on my servers because the latest improvements in the 2.6.x kernels seem to all be related to desktop performance improvements so it isn't really needed on my servers and, like you, I want the most stable for my servers. I have a lot of good experience with 2.4 kernels, why change now? Security issues are still being patched in the 2.4.x tree so I don't have to worry about that."
That's great, but Windows 2000 is a 6 year old OS, and contrary to what you're saying, Microsoft will be releasing security patches for it until *June 2010*. How many ten year old linux kernels do you use? If you do use any, are security patches still back ported to it? how about drivers? If you bought a new server would the hardware it contains have drivers that support the 2.4 kernel? I've seen some linux drivers that only support a specific *point* release of the 2.6 kernel. What if you buy some product that only supports the latest version of RHEL which uses a linux kernel that you don't trust? This broad assumption that older linux kernels don't become obsoleted due to support issues is at best, a half-truth.
Also, the overall quality (both security *and* stability) of Microsoft's server and desktop products has increased steadily from version to version. Aside from application support scenarios, there is no reason not to go with the latest Windows version when purchasing a new desktop or server. I'm not sure what your hang-up has been with moving from Win2k to Win XP on the desktop. It's more secure than Windows 2000, has more features, and supports more hardware. Do you use the same desktop machine you used in 2000, or have you been installing the same copy of 2000 on each desktop machine you purchased since 2000? Since XP will be ending around the same time as 2000 (It was released around the same time), I suggest you just wait for Vista and move to it after it comes out. After all, like I said before, you'll still have security patches for Win2K for quite some time.
I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
I don't know about you, but this Debian security advisory (+ updated packages) was dated January 20. I ran apt-get update and it showed up on the package list before the advisory was even on the security RSS feed.
It will be patched before the number of talkbacks reaches 350, or 24 hours, which ever comes first.
t xt
Er, wait... it's already patched, and talkbacks are only at 194 !!!
http://kde.org/info/security/advisory-20060119-1.
Wow... announced yesterday and patched over night.
Running with Linux for over 20 years!
Thanks to Open Source, we can check ourselves whether Safari is affected.
You can see from the patch referenced from http://www.kde.org/info/security/advisory-20060119 -1.txt that the vulnerable functions are: encodeURI, decodeURI.
Now you can download JavaScriptCore from http://www.opensource.apple.com/darwinsource/10.4. 4.ppc/. It contains the affected source file kjs/function.cpp, but a quick look at it reveals that it doesn't have the same encodeURI, decodeURI functions nor the same flaw.
just curious - i was trained to treat laziness as a cardinal virtue in computing.
If opportunity came disguised as temptation, one knock would be enough.
3^2 * 67^1 * 977^1
God's teeth, but you people just don't get it. You install as secure as possible and allow the admin to open up, not the other way around.
Justin.
You're only jealous cos the little penguins are talking to me.