[qt3] backport CVE-2013-4549 fix from Qt 4

Thu Dec 5 23:34:01 UTC 2013

commit 437bc95f6a4c62030d1e4d2859448b3a235e756b
Author: Kevin Kofler <Kevin at tigcc.ticalc.org>
Date:   Fri Dec 6 00:33:52 2013 +0100

    backport CVE-2013-4549 fix from Qt 4
    
    * Thu Dec 05 2013 Kevin Kofler <Kevin at tigcc.ticalc.org> - 3.3.8b-54
    - backport CVE-2013-4549 fix from Qt 4

 qt-x11-free-3.3.8b-CVE-2013-4549.patch |  111 ++++++++++++++++++++++++++++++++
 qt3.spec                               |   12 +++-
 2 files changed, 122 insertions(+), 1 deletions(-)
---

diff --git a/qt-x11-free-3.3.8b-CVE-2013-4549.patch b/qt-x11-free-3.3.8b-CVE-2013-4549.patch
new file mode 100644
index 0000000..bea1c7a
--- /dev/null
+++ b/qt-x11-free-3.3.8b-CVE-2013-4549.patch
@@ -0,0 +1,111 @@
+diff -ur qt-x11-free-3.3.8b/src/xml/qxml.cpp qt-x11-free-3.3.8b-CVE-2013-4549/src/xml/qxml.cpp
+--- qt-x11-free-3.3.8b/src/xml/qxml.cpp	2008-01-15 20:09:13.000000000 +0100
++++ qt-x11-free-3.3.8b-CVE-2013-4549/src/xml/qxml.cpp	2013-12-06 00:26:20.000000000 +0100
+@@ -4529,6 +4529,11 @@
+ 		}
+ 		break;
+ 	    case Mup:
++		if (dtdRecursionLimit > 0U && parameterEntities.size() > dtdRecursionLimit) {
++		    reportParseError(QString::fromLatin1(
++		        "DTD parsing exceeded recursion limit of %1.").arg(dtdRecursionLimit));
++		    return FALSE;
++		}
+ 		if ( !parseMarkupdecl() ) {
+ 		    parseFailed( &QXmlSimpleReader::parseDoctype, state );
+ 		    return FALSE;
+@@ -6128,6 +6133,58 @@
+     }
+ }
+ 
++bool QXmlSimpleReader::isExpandedEntityValueTooLarge(QString *errorMessage)
++{
++    QMap<QString, uint> literalEntitySizes;
++    // The entity at (QMap<QString,) referenced the entities at (QMap<QString,) (uint>) times.
++    QMap<QString, QMap<QString, uint> > referencesToOtherEntities;
++    QMap<QString, uint> expandedSizes;
++
++    // For every entity, check how many times all entity names were referenced in its value.
++    QMap<QString,QString>::ConstIterator toSearchIterator;
++    for (toSearchIterator = d->entities.begin(); toSearchIterator != d->entities.end(); ++toSearchIterator) {
++        QString toSearch = toSearchIterator.key();
++        // The amount of characters that weren't entity names, but literals, like 'X'.
++        QString leftOvers = toSearchIterator.data();
++        QMap<QString,QString>::ConstIterator entityNameIterator;
++        // How many times was entityName referenced by toSearch?
++        for (entityNameIterator = d->entities.begin(); entityNameIterator != d->entities.end(); ++entityNameIterator) {
++            QString entityName = entityNameIterator.key();
++            for (int i = 0; i >= 0 && (uint) i < leftOvers.length(); ) {
++                i = leftOvers.find(QString::fromLatin1("&%1;").arg(entityName), i);
++                if (i != -1) {
++                    leftOvers.remove(i, entityName.length() + 2U);
++                    // The entityName we're currently trying to find was matched in this string; increase our count.
++                    ++referencesToOtherEntities[toSearch][entityName];
++                }
++            }
++        }
++        literalEntitySizes[toSearch] = leftOvers.length();
++    }
++
++    QMap<QString, QMap<QString, uint> >::ConstIterator entityIterator;
++    for (entityIterator = referencesToOtherEntities.begin(); entityIterator != referencesToOtherEntities.end(); ++entityIterator) {
++        QString entity = entityIterator.key();
++        expandedSizes[entity] = literalEntitySizes[entity];
++        QMap<QString, uint>::ConstIterator referenceToIterator;
++        for (referenceToIterator = entityIterator.data().begin(); referenceToIterator != entityIterator.data().end(); ++referenceToIterator) {
++            QString referenceTo = referenceToIterator.key();
++            const uint references = referenceToIterator.data();
++            // The total size of an entity's value is the expanded size of all of its referenced entities, plus its literal size.
++            expandedSizes[entity] += expandedSizes[referenceTo] * references + literalEntitySizes[referenceTo] * references;
++        }
++
++        if (expandedSizes[entity] > entityCharacterLimit) {
++            if (errorMessage) {
++                *errorMessage = QString::fromLatin1("The XML entity \"%1\" expands too a string that is too large to process (%2 characters > %3).");
++                *errorMessage = (*errorMessage).arg(entity).arg(expandedSizes[entity]).arg(entityCharacterLimit);
++            }
++            return TRUE;
++        }
++    }
++    return FALSE;
++}
++
+ /*
+   Parse a EntityDecl [70].
+ 
+@@ -6222,6 +6279,12 @@
+ 	switch ( state ) {
+ 	    case EValue:
+ 		if (  !entityExist( name() ) ) {
++		    QString errorMessage;
++		    if (isExpandedEntityValueTooLarge(&errorMessage)) {
++		        reportParseError(errorMessage);
++		        return FALSE;
++		    }
++
+ 		    d->entities.insert( name(), string() );
+ 		    if ( declHnd ) {
+ 			if ( !declHnd->internalEntityDecl( name(), string() ) ) {
+diff -ur qt-x11-free-3.3.8b/src/xml/qxml.h qt-x11-free-3.3.8b-CVE-2013-4549/src/xml/qxml.h
+--- qt-x11-free-3.3.8b/src/xml/qxml.h	2008-01-15 20:09:13.000000000 +0100
++++ qt-x11-free-3.3.8b-CVE-2013-4549/src/xml/qxml.h	2013-12-05 23:53:14.000000000 +0100
+@@ -307,6 +307,12 @@
+ 
+     QXmlSimpleReaderPrivate* d;
+ 
++    // The limit to the amount of times the DTD parsing functions can be called
++    // for the DTD currently being parsed.
++    static const uint dtdRecursionLimit = 2U;
++    // The maximum amount of characters an entity value may contain, after expansion.
++    static const uint entityCharacterLimit = 1024U;
++
+     const QString &string();
+     void stringClear();
+     inline void stringAddC() { stringAddC(c); }
+@@ -378,6 +384,7 @@
+     void unexpectedEof( ParseFunction where, int state );
+     void parseFailed( ParseFunction where, int state );
+     void pushParseState( ParseFunction function, int state );
++    bool isExpandedEntityValueTooLarge(QString *errorMessage);
+ 
+     void setUndefEntityInAttrHack(bool b);
+ 
diff --git a/qt3.spec b/qt3.spec
index c70fa36..9da786a 100644
--- a/qt3.spec
+++ b/qt3.spec
@@ -6,7 +6,7 @@
 Name: qt3
 Summary: The shared library for the Qt 3 GUI toolkit
 Version: 3.3.8b
-Release: 53%{?dist}
+Release: 54%{?dist}
 License: QPL or GPLv2 or GPLv3
 Group: System Environment/Libraries
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -82,6 +82,10 @@ Patch110: 0084-compositing-properties.patch
 Patch200: qt-x11-free-3.3.4-fullscreen.patch
 Patch201: qt-x11-free-3.3.8b-gcc43.patch
 
+# security patches
+# fix for CVE-2013-4549 backported from Qt 4
+Patch300: qt-x11-free-3.3.8b-CVE-2013-4549.patch
+
 %define qt_dirname qt-3.3
 %define qtdir %{_libdir}/%{qt_dirname}
 %define qt_docdir %{_docdir}/qt-devel-%{version}
@@ -328,6 +332,9 @@ sed -i.KDE3_PLUGIN_PATH \
 %patch200 -p1 -b .fullscreen
 %patch201 -p1 -b .gcc34
 
+# security patches
+%patch300 -p1 -b .CVE-2013-4549
+
 # convert to UTF-8
 iconv -f iso-8859-1 -t utf-8 < doc/man/man3/qdial.3qt > doc/man/man3/qdial.3qt_
 mv doc/man/man3/qdial.3qt_ doc/man/man3/qdial.3qt
@@ -623,6 +630,9 @@ rm -rf %{buildroot}
 
 
 %changelog
+* Thu Dec 05 2013 Kevin Kofler <Kevin at tigcc.ticalc.org> - 3.3.8b-54
+- backport CVE-2013-4549 fix from Qt 4
+
 * Tue Aug 27 2013 Rex Dieter <rdieter at fedoraproject.org> 3.3.8b-53
 - trim changelog
 
