SECURITYVULNS:DOC:3493

Bug in Opera and Konqueror

2002-09-18 00:00:00
vulners.com

/----------------+-------------------------------------+-------------\
| sp00fed packet |                                     | advisory #2 |
+----------------+-------------------------------------+-------------+
| Product: multiple vendors' browsers                                |
| Vulnerability: buffer overflow                                     |
| Danger: low                                                        |
\--------------------------------------------------------------------/
::Description::
Sample HTML code to crash browsers:
<img src="blank.gif" width=32759 height=132750>
blank.gif must be a working image; its size can be about 2 KB.
Why is the width 32759? It is the highest value Opera 6.01 allows for width.
The height can be very big (maybe there are limits for height in Opera, but I do not have such information).
The goal is to trigger a buffer overflow by asking the browser to display a scaled image with a very large scale factor. Opera crashes in 1-2 seconds (and prints an error message to the console: "/usr/bin/opera: line 72: 17445 Segmentation fault $OPERA "$@""); Konqueror first puts the system under very heavy load, then produces SIGSEGV. The tested versions are shown below. The version of Opera was recent at the time the bug was found, so (I think) the bug is present in all earlier versions as well. My version of Konqueror is out of date and I do not have the recent release of it, so I would be glad if somebody tests this vulnerability and reports the results to me.
In reality (as I think), the bug in Opera is present because of a bug in QImage (the image engine used in Opera to display images).
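The sample tag above asks for a scaled image of 32759 x 132750 pixels, about 4.35 billion pixels; at 4 bytes per pixel that is about 17.4 GB, and even the bare pixel count exceeds what a 32-bit integer can hold. The C program below is an added example, not code from this advisory, from sp00fed packet, or from Opera, KDE or QImage: it shows how an unchecked 32-bit size computation wraps for exactly these dimensions, so that the buffer an engine would allocate is far smaller than the pixel data written into it, and how an overflow-safe dimension check rejects the request before any allocation. Whether this arithmetic is the actual defect in QImage is not established by the advisory; the per-axis and byte caps (MAX_DIMENSION, MAX_BUFFER_BYTES), the 4 bytes/pixel figure and all function names are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Limits for the hardened check. These are assumptions chosen for the
 * example, not values taken from Opera, Konqueror or QImage. */
#define MAX_DIMENSION    32767u                    /* per-axis cap */
#define MAX_BUFFER_BYTES (256u * 1024u * 1024u)    /* 256 MiB scaled-buffer cap */

/* Dimensions from the advisory's sample <img> tag; 4 bytes/pixel is assumed. */
#define ADVISORY_WIDTH  32759u
#define ADVISORY_HEIGHT 132750u
#define ADVISORY_BPP    4u

/* Unchecked 32-bit size computation: w * h * bpp with wraparound, the way an
 * image engine that sizes its scaled pixel buffer in a 32-bit integer would. */
uint32_t naive_buffer_size(uint32_t w, uint32_t h, uint32_t bpp)
{
    return w * h * bpp;   /* unsigned wraparound on overflow */
}

/* Exact byte count computed in 64-bit, for comparison with the naive value. */
uint64_t exact_buffer_size(uint32_t w, uint32_t h, uint32_t bpp)
{
    return (uint64_t)w * h * bpp;
}

/* True if the 32-bit computation lost bits, i.e. the buffer it sizes is
 * smaller than the pixel data that will be written into it. */
bool size_overflows_u32(uint32_t w, uint32_t h, uint32_t bpp)
{
    return exact_buffer_size(w, h, bpp) > UINT32_MAX;
}

/* Hardened version: validate dimensions and multiply overflow-safely before
 * any allocation. Returns 0 and stores the byte count in *out on success,
 * -1 if a limit is exceeded or a product would overflow size_t. */
int checked_buffer_size(uint32_t w, uint32_t h, uint32_t bpp, size_t *out)
{
    if (w == 0 || h == 0 || bpp == 0 || bpp > 16)
        return -1;
    if (w > MAX_DIMENSION || h > MAX_DIMENSION)
        return -1;
    /* Check each multiplication against SIZE_MAX before performing it. */
    if ((size_t)h > SIZE_MAX / w)
        return -1;
    size_t pixels = (size_t)w * h;
    if ((size_t)bpp > SIZE_MAX / pixels)
        return -1;
    size_t bytes = pixels * bpp;
    if (bytes > MAX_BUFFER_BYTES)
        return -1;
    *out = bytes;
    return 0;
}

/* Convenience wrapper: the validated byte count, or 0 if the check rejects. */
size_t checked_buffer_size_or_zero(uint32_t w, uint32_t h, uint32_t bpp)
{
    size_t bytes = 0;
    return checked_buffer_size(w, h, bpp, &bytes) == 0 ? bytes : 0;
}

int main(void)
{
    uint32_t w = ADVISORY_WIDTH, h = ADVISORY_HEIGHT, bpp = ADVISORY_BPP;

    printf("naive 32-bit size : %u bytes\n", naive_buffer_size(w, h, bpp));
    printf("exact 64-bit size : %llu bytes\n",
           (unsigned long long)exact_buffer_size(w, h, bpp));
    printf("overflowed        : %s\n", size_overflows_u32(w, h, bpp) ? "yes" : "no");
    printf("hardened check    : %s\n",
           checked_buffer_size_or_zero(w, h, bpp) == 0 ? "rejected" : "accepted");
    printf("640x480x4         : %zu bytes\n", checked_buffer_size_or_zero(640, 480, 4));
    return 0;
}
```

For the advisory's dimensions the naive computation wraps to 215,159,816 bytes (about 205 MB) while the real requirement is 17,395,029,000 bytes, so the hardened check's rejection happens on the per-axis cap before any multiplication is even attempted; the SIZE_MAX division checks guard the general case where both axes are individually acceptable but their product is not.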

::Vulnerable::

[vulnerable] Opera v6.01 build 175 for Linux
[vulnerable] Konqueror v2.1.1

::Vendor::

Opera, Inc. was informed 7 days ago. No answer was received.
KDE Development Group was informed 7 days ago. Answer:

From [email protected] Sun Sep 8 00:33:00 2002
From [email protected] Sun Sep 08 00:33:02 2002
Envelope-to: [email protected]
Delivery-date: Sun, 08 Sep 2002 00:33:02 +0400
Received: from drweb by mx5.mail.ru with drweb-scanned (Exim MX.5)
id 17nmGM-0000DA-00
for [email protected]; Sun, 08 Sep 2002 00:33:02 +0400
Received: from [131.246.103.200] (helo=ktown.kde.org)
by mx5.mail.ru with smtp (Exim MX.5)
id 17nmGL-0000CP-00
for [email protected]; Sun, 08 Sep 2002 00:33:01 +0400
Received: (qmail 22134 invoked by uid 1003); 7 Sep 2002 20:33:00 -0000
Date: 7 Sep 2002 20:33:00 -0000
From: [email protected] (Stephan Kulow)
To: [email protected]
Subject: Bug#47456 acknowledged by developer (Konqueror bug)
References: <[email protected]>
<[email protected]>
In-Reply-To: <[email protected]>
Message-ID: <[email protected]>
X-Envelope-To: [email protected]
Content-Type:
Status: RO
X-Status: O

Your report has been marked as closed by one of the developers, namely
Stephan Binner <[email protected]>.

The report is about a very old version of the software. Many improvements
have been made and many bugs have been fixed in the meanwhile. Given the huge
number of bug reports we receive, we are no longer investigating bug reports
for this version of the software. Please upgrade to the latest official
release. If you find your problem still persisting, then we were
unable to reproduce it and you might need to provide more details on
your setup that may make the difference. Thanks in advance.

If you are pretty sure that something went wrong,
please contact Stephan Binner <[email protected]> directly.

Stephan Kulow
(administrator, KDE bugs database)

The creators of the package did not even check whether this vulnerability is present in the new browser, so I ask you to check it on the Konqueror from KDE3.

::Contacts::

[http://www.sp00fed.ru/] sp00fed packet
[[email protected]] Zeux (it's me ;)
[[email protected]] Spikir (team coordinator)