[qt] bz#772128, CVE-2011-3922, Stack-based buffer overflow in embedded harfbuzz code
Than Ngo
than at fedoraproject.org
Mon Jan 9 09:29:57 UTC 2012
commit f1d2a1410f2a75a1fdc1436a20fdd0c67004a9f6
Author: Than Ngo <than at redhat.com>
Date: Mon Jan 9 10:29:49 2012 +0100
bz#772128, CVE-2011-3922, Stack-based buffer overflow in embedded harfbuzz code
qt-4.8.0-CVE-2011-3922-bz#772125.patch | 12 ++++++++++++
qt.spec | 8 +++++++-
2 files changed, 19 insertions(+), 1 deletions(-)
---
diff --git a/qt-4.8.0-CVE-2011-3922-bz#772125.patch b/qt-4.8.0-CVE-2011-3922-bz#772125.patch
new file mode 100644
index 0000000..48366de
--- /dev/null
+++ b/qt-4.8.0-CVE-2011-3922-bz#772125.patch
@@ -0,0 +1,12 @@
+--- src/3rdparty/harfbuzz/src/harfbuzz-myanmar.c.bz#772125 2012-01-09 10:16:08.000000000 +0100
++++ src/3rdparty/harfbuzz/src/harfbuzz-myanmar.c 2012-01-09 10:16:47.000000000 +0100
+@@ -359,7 +359,8 @@
+ if (kinzi >= 0 && i > base && (cc & Mymr_CF_AFTER_KINZI)) {
+ reordered[len] = Mymr_C_NGA;
+ reordered[len+1] = Mymr_C_VIRAMA;
+- properties[len-1] = AboveForm;
++ if (len > 0)
++ properties[len-1] = AboveForm;
+ properties[len] = AboveForm;
+ len += 2;
+ kinzi = -1;
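Review bot: The added `if (len > 0)` guard covers only the `properties[len-1]` store; the stores to `reordered[len]`, `reordered[len+1]` and `properties[len]` in the same branch have no upper-bound check in the lines shown. The enclosing function starts and ends outside this hunk, so the arrays' capacity may be guaranteed elsewhere, but if it is not, an upper-bound check belongs next to the new lower-bound one. A one-line comment above the guard would record why it exists, for example `/* len may still be 0 here; do not write before the start of properties[] */`. Bracing the guarded statement would also keep a later edit from slipping a second line outside the condition.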
diff --git a/qt.spec b/qt.spec
index b69ac59..f7585e8 100644
--- a/qt.spec
+++ b/qt.spec
@@ -11,7 +11,7 @@ Summary: Qt toolkit
Name: qt
Epoch: 1
Version: 4.8.0
-Release: 5%{?dist}
+Release: 6%{?dist}
# See LGPL_EXCEPTIONS.txt, LICENSE.GPL3, respectively, for exception details
License: (LGPLv2 with exceptions or GPLv3 with exceptions) and ASL 2.0 and BSD and FTL and MIT
@@ -110,6 +110,8 @@ Patch79: qt-everywhere-opensource-src-4.8.0-qvfb.patch
# upstream patches
# security patches
+# CVE-2011-3922 qt: Stack-based buffer overflow in embedded harfbuzz code
+Patch200: qt-4.8.0-CVE-2011-3922-bz#772125.patch
# desktop files
Source20: assistant.desktop
@@ -439,6 +441,7 @@ popd
# upstream patches
# security fixes
+%patch200 -p1 -b .CVE-2011-3922
# drop -fexceptions from $RPM_OPT_FLAGS
RPM_OPT_FLAGS=`echo $RPM_OPT_FLAGS | sed 's|-fexceptions||g'`
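Review bot: `%patch200 -p1` strips the first path component, but the patch headers start at `src/3rdparty/harfbuzz/src/harfbuzz-myanmar.c` with no leading top-level directory, so the stripped path becomes `3rdparty/harfbuzz/src/harfbuzz-myanmar.c`. Unless %prep has already changed into `src/` at this point (not visible in this hunk), the security fix would fail to apply; `%patch200 -p0 -b .CVE-2011-3922`, or regenerating the patch with an `a/`/`b/` prefix, would match the headers. The patch file name also cites bz#772125 while the commit title and changelog cite bz#772128, so a comment on the `Patch200:` line saying which bug is which would help anyone auditing the fix later.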
@@ -1061,6 +1064,9 @@ fi
%changelog
+* Mon Jan 09 2012 Than Ngo <than at redhat.com> - 4.8.0-6
+- bz#772128, CVE-2011-3922, Stack-based buffer overflow in embedded harfbuzz code
+
* Tue Dec 27 2011 Rex Dieter <rdieter at fedoraproject.org> 4.8.0-5
- fix qvfb