Version: Konqueror 3.5.8 (using KDE 3.5.8)
Installed from: Ubuntu Packages
OS: Linux

When loading an HTML file containing flash and javascript (see attached below) and the default operation for flash is to show embedded, but ask beforehand to save file on disk, konqi crashes about 85% of the time. On page load, the file is rendered but the question pops up asking whether to open or save the flash file. Regardless of hitting save, open, or cancel, the browser crashes.

At times, I have experienced the EIP jumping to arbitrary locations, so it might be possible to exploit this vulnerability!!!

GDB trace:

    Program received signal SIGSEGV, Segmentation fault.
    [Switching to Thread -1235188032 (LWP 30215)]
    0xb6ba9adf in QApplication::internalNotify () from /usr/lib/libqt-mt.so.3
    (gdb) x/i $eip
    0xb6ba9adf <_ZN12QApplication14internalNotifyEP7QObjectP6QEvent+611>: mov (%eax),%edx
    (gdb) bt
    #0  0xb6ba9adf in QApplication::internalNotify () from /usr/lib/libqt-mt.so.3
    #1  0xb6bab91f in QApplication::notify () from /usr/lib/libqt-mt.so.3
    #2  0xb7382cd2 in KApplication::notify () from /usr/lib/libkdecore.so.4
    #3  0xb6b3c209 in QApplication::sendEvent () from /usr/lib/libqt-mt.so.3
    #4  0xb6b9c53b in QEventLoop::activateTimers () from /usr/lib/libqt-mt.so.3
    #5  0xb6b50d49 in QEventLoop::processEvents () from /usr/lib/libqt-mt.so.3
    #6  0xb6bc41ce in QEventLoop::enterLoop () from /usr/lib/libqt-mt.so.3
    #7  0xb6bc3fde in QEventLoop::exec () from /usr/lib/libqt-mt.so.3
    #8  0xb6bab699 in QApplication::exec () from /usr/lib/libqt-mt.so.3
    #9  0xb7edb594 in kdemain () from /usr/lib/libkdeinit_konqueror.so
    #10 0x080484b2 in ?? ()
    #11 0x00000002 in ?? ()
    #12 0xbf9110f4 in ?? ()
    #13 0xbf911068 in ?? ()
    #14 0x080484e9 in ?? ()
    #15 0xb7f39800 in ?? () from /lib/ld-linux.so.2
    #16 0xbf911070 in ?? ()
    #17 0xbf9110c8 in ?? ()
    #18 0xb7bd7050 in __libc_start_main () from /lib/tls/i686/cmov/libc.so.6
    Backtrace stopped: frame did not save the PC

EXAMPLE file:

    <html>
    <head>
    <style type="text/css">
    td.right { }
    </style>
    </head>
    <body class="nonexisting">
    <iframe id="framename" src="foo2.swf"></iframe>
    <link rel="stylesheet" type="text/css" href="nonexisting.css" />
    <script language="javascript" type="text/javascript">
    function mosDHTML() {
        this.foo = function(name) {
            document.getElementById(name).className = "foobar";
        }
        return this;
    }
    new mosDHTML().foo('framename');
    </script>
    </body>
    </html>

For the flash file, it is sufficient to use perl:

    $ perl -e "print 'A'x1000;" > foo2.swf
Crash confirmed on 3.5.8
This bug has been fixed on KDE 4.4 trunk.