[kdelibs/f15] CVE-2010-0046, security issue in khtml

Rex Dieter rdieter at fedoraproject.org
Fri Nov 18 18:48:44 UTC 2011


commit 97bd6d867e53d28ec0c2052ab48d3f221906b56b
Author: Rex Dieter <rdieter at fedoraproject.org>
Date:   Fri Nov 18 12:49:27 2011 -0600

    CVE-2010-0046, security issue in khtml

 kdelibs-4.6.5-CVE-2010-0046.patch |   16 ++++++++++++++++
 kdelibs.spec                      |   10 +++++++++-
 2 files changed, 25 insertions(+), 1 deletions(-)
---
diff --git a/kdelibs-4.6.5-CVE-2010-0046.patch b/kdelibs-4.6.5-CVE-2010-0046.patch
new file mode 100644
index 0000000..9108d7a
--- /dev/null
+++ b/kdelibs-4.6.5-CVE-2010-0046.patch
@@ -0,0 +1,16 @@
+diff -up kdelibs-4.7.3/khtml/css/cssparser.cpp.orig kdelibs-4.7.3/khtml/css/cssparser.cpp
+--- kdelibs-4.7.3/khtml/css/cssparser.cpp.orig	2011-11-07 19:14:53.000000000 +0100
++++ kdelibs-4.7.3/khtml/css/cssparser.cpp	2011-11-09 16:02:11.000000000 +0100
+@@ -2275,8 +2275,11 @@ bool CSSParser::parseFontFaceSrc()
+             expectComma = true;
+         } else if (val->unit == Value::Function) {
+             // There are two allowed functions: local() and format().
++            // For both we expect a string argument
+             ValueList *args = val->function->args;
+-            if (args && args->size() == 1) {
++            if (args && args->size() == 1 &&
++                (args->current()->unit == CSSPrimitiveValue::CSS_STRING ||
++                 args->current()->unit == CSSPrimitiveValue::CSS_IDENT)) {
+                 if (!strcasecmp(domString(val->function->name), "local(") && !expectComma) {
+                     expectComma = true;
+                     allowFormat = false;
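Review bot: the added comment "For both we expect a string argument" does not match the new condition, which also accepts CSSPrimitiveValue::CSS_IDENT; reword it to "a string or identifier argument" so the comment and the check agree. The type test reads args->current() rather than the first element, so it relies on the list cursor still being at the start when args->size() == 1; nothing in the visible lines resets it, so it is worth confirming that before relying on the check. The inner diff headers also name kdelibs-4.7.3 while the file is kdelibs-4.6.5-CVE-2010-0046.patch, so confirm it applies to 4.6.5 at line 2275 without fuzz.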
diff --git a/kdelibs.spec b/kdelibs.spec
index 8d81545..cfa31ee 100644
--- a/kdelibs.spec
+++ b/kdelibs.spec
@@ -20,7 +20,7 @@
 
 Summary: KDE Libraries
 Version: 4.6.5
-Release: 9%{?dist}
+Release: 10%{?dist}
 
 Name: kdelibs
 Epoch: 6
@@ -133,6 +133,10 @@ Patch200: kdelibs-4.3.1-CVE-2009-2702.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=743056
 Patch201: kdelibs-4.6.5-CVE-2011-3365-kio.patch
 Patch202: kdelibs-4.6.5-CVE-2011-3365-kssl.patch
+# CVE-2010-0046, The Cascading Style Sheets (CSS) implementation in khtml/WebKit
+# allows remote attackers to execute arbitrary code or cause a denial of service
+# (memory corruption and application crash) via crafted format arguments.
+Patch203: kdelibs-4.6.5-CVE-2010-0046.patch 
 
 ## Fedora specific patches
 # make forcefully hal-free build
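Review bot: Patch203 carries no bug or upstream reference, unlike the Patch201/Patch202 entries just above it, which sit under a bugzilla.redhat.com link; add the tracking bug URL or the upstream commit so the origin of the fix can be checked later. The Patch203 line also ends in trailing whitespace, which should be dropped.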
@@ -323,6 +327,7 @@ sed -i -e "s|@@VERSION_RELEASE@@|%{version}-%{release}|" kio/kio/kprotocolmanage
 %patch200 -p1 -b .CVE-2009-2702
 %patch201 -p1 -b .CVE-2011-3365-kio
 %patch202 -p1 -b .CVE-2011-3365-kssl
+%patch203 -p1 -b .CVE-2010-0046
 
 # Fedora patches
 %patch300 -p1 -b .halectomy
@@ -573,6 +578,9 @@ rm -rf %{buildroot}
 
 
 %changelog
+* Fri Nov 18 2011 Rex Dieter <rdieter at fedoraproject.org> 4.6.5-10
+- CVE-2010-0046, security issue in khtml
+
 * Wed Nov 16 2011 Rex Dieter <rdieter at fedoraproject.org> 4.6.5-9
 - restore halectomy patch (sans fstab-removing pieces)
 

