jreznik pushed to kdelibs3 (epel7). "- fix CVE-2009-2537 - select length DoS (..more)"
notifications at fedoraproject.org
notifications at fedoraproject.org
Thu Apr 2 15:35:10 UTC 2015
>From e57cb8baa23a680c54ea2f6a7583305ab4f61229 Mon Sep 17 00:00:00 2001
From: Kevin Kofler <kkofler at fedoraproject.org>
Date: Sun, 26 Jul 2009 03:09:15 +0000
Subject: - fix CVE-2009-2537 - select length DoS - fix CVE-2009-1725 - crash,
possible ACE in numeric character references - fix CVE-2009-1690 - crash,
possible ACE in KHTML (<head> use-after-free) - fix CVE-2009-1687 - possible
ACE in KJS (FIXME: still crashes?) - fix CVE-2009-1698 - crash, possible ACE
in CSS style attribute handling
diff --git a/kdelibs-3.5.10-cve-2009-1725.patch b/kdelibs-3.5.10-cve-2009-1725.patch
new file mode 100644
index 0000000..ee8fdbc
--- /dev/null
+++ b/kdelibs-3.5.10-cve-2009-1725.patch
@@ -0,0 +1,13 @@
+Index: khtml/html/htmltokenizer.cpp
+===================================================================
+--- khtml/html/htmltokenizer.cpp (revision 1002163)
++++ khtml/html/htmltokenizer.cpp (revision 1002164)
+@@ -736,7 +736,7 @@
+ #ifdef TOKEN_DEBUG
+ kdDebug( 6036 ) << "unknown entity!" << endl;
+ #endif
+- checkBuffer(10);
++ checkBuffer(11);
+ // ignore the sequence, add it to the buffer as plaintext
+ *dest++ = '&';
+ for(unsigned int i = 0; i < cBufferPos; i++)
diff --git a/kdelibs-3.5.10-cve-2009-2537-select-length.patch b/kdelibs-3.5.10-cve-2009-2537-select-length.patch
new file mode 100644
index 0000000..5972b0a
--- /dev/null
+++ b/kdelibs-3.5.10-cve-2009-2537-select-length.patch
@@ -0,0 +1,30 @@
+diff -ur kdelibs-3.5.10/khtml/ecma/kjs_html.cpp kdelibs-3.5.10-cve-2009-2537-select-length/khtml/ecma/kjs_html.cpp
+--- kdelibs-3.5.10/khtml/ecma/kjs_html.cpp 2008-02-13 10:41:09.000000000 +0100
++++ kdelibs-3.5.10-cve-2009-2537-select-length/khtml/ecma/kjs_html.cpp 2009-07-26 04:54:52.000000000 +0200
+@@ -62,6 +62,9 @@
+
+ #include <kdebug.h>
+
++// CVE-2009-2537 (vendors agreed on max 10000 elements)
++#define MAX_SELECT_LENGTH 10000
++
+ namespace KJS {
+
+ KJS_DEFINE_PROTOTYPE_WITH_PROTOTYPE(HTMLDocumentProto, DOMDocumentProto)
+@@ -2550,8 +2553,14 @@
+ case SelectValue: { select.setValue(str); return; }
+ case SelectLength: { // read-only according to the NS spec, but webpages need it writeable
+ Object coll = Object::dynamicCast( getSelectHTMLCollection(exec, select.options(), select) );
+- if ( coll.isValid() )
+- coll.put(exec,"length",value);
++
++ if ( coll.isValid() ) {
++ if (value.toInteger(exec) >= MAX_SELECT_LENGTH) {
++ Object err = Error::create(exec, RangeError);
++ exec->setException(err);
++ } else
++ coll.put(exec, "length", value);
++ }
+ return;
+ }
+ // read-only: form
diff --git a/kdelibs-3.5.4-CVE-2009-1687.patch b/kdelibs-3.5.4-CVE-2009-1687.patch
new file mode 100644
index 0000000..6ffc463
--- /dev/null
+++ b/kdelibs-3.5.4-CVE-2009-1687.patch
@@ -0,0 +1,20 @@
+--- kdelibs-3.5.4/kjs/collector.cpp.CVE-2009-1687 2009-06-17 15:07:33.000000000 +0200
++++ kdelibs-3.5.4/kjs/collector.cpp 2009-06-20 00:42:48.000000000 +0200
+@@ -23,6 +23,7 @@
+
+ #include "value.h"
+ #include "internal.h"
++#include <limits.h>
+
+ #ifndef MAX
+ #define MAX(a,b) ((a) > (b) ? (a) : (b))
+@@ -119,6 +120,9 @@
+ // didn't find one, need to allocate a new block
+
+ if (heap.usedBlocks == heap.numBlocks) {
++ static const size_t maxNumBlocks = ULONG_MAX / sizeof(CollectorBlock*) / GROWTH_FACTOR;
++ if (heap.numBlocks > maxNumBlocks)
++ return 0L;
+ heap.numBlocks = MAX(MIN_ARRAY_SIZE, heap.numBlocks * GROWTH_FACTOR);
+ heap.blocks = (CollectorBlock **)realloc(heap.blocks, heap.numBlocks * sizeof(CollectorBlock *));
+ }
diff --git a/kdelibs-3.5.4-CVE-2009-1690.patch b/kdelibs-3.5.4-CVE-2009-1690.patch
new file mode 100644
index 0000000..2972d0e
--- /dev/null
+++ b/kdelibs-3.5.4-CVE-2009-1690.patch
@@ -0,0 +1,545 @@
+--- kdelibs-3.5.4/khtml/html/RefPtr.h.CVE-2009-1690 2009-06-17 14:19:00.000000000 +0200
++++ kdelibs-3.5.4/khtml/html/RefPtr.h 2009-06-17 14:19:00.000000000 +0200
+@@ -0,0 +1,202 @@
++// -*- mode: c++; c-basic-offset: 4 -*-
++/*
++ * Copyright (C) 2005, 2006, 2007, 2008 Apple Inc. All rights reserved.
++ *
++ * This library is free software; you can redistribute it and/or
++ * modify it under the terms of the GNU Library General Public
++ * License as published by the Free Software Foundation; either
++ * version 2 of the License, or (at your option) any later version.
++ *
++ * This library is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ * Library General Public License for more details.
++ *
++ * You should have received a copy of the GNU Library General Public License
++ * along with this library; see the file COPYING.LIB. If not, write to
++ * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
++ * Boston, MA 02110-1301, USA.
++ *
++ */
++
++#ifndef WTF_RefPtr_h
++#define WTF_RefPtr_h
++
++#include <algorithm>
++#include "AlwaysInline.h"
++
++namespace WTF {
++
++ enum PlacementNewAdoptType { PlacementNewAdopt };
++
++ template <typename T> class PassRefPtr;
++
++ enum HashTableDeletedValueType { HashTableDeletedValue };
++
++ template <typename T> class RefPtr {
++ public:
++ RefPtr() : m_ptr(0) { }
++ RefPtr(T* ptr) : m_ptr(ptr) { if (ptr) ptr->ref(); }
++ RefPtr(const RefPtr& o) : m_ptr(o.m_ptr) { if (T* ptr = m_ptr) ptr->ref(); }
++ // see comment in PassRefPtr.h for why this takes const reference
++ template <typename U> RefPtr(const PassRefPtr<U>&);
++
++ // Special constructor for cases where we overwrite an object in place.
++ RefPtr(PlacementNewAdoptType) { }
++
++ // Hash table deleted values, which are only constructed and never copied or destroyed.
++ RefPtr(HashTableDeletedValueType) : m_ptr(hashTableDeletedValue()) { }
++ bool isHashTableDeletedValue() const { return m_ptr == hashTableDeletedValue(); }
++
++ ~RefPtr() { if (T* ptr = m_ptr) ptr->deref(); }
++
++ template <typename U> RefPtr(const RefPtr<U>& o) : m_ptr(o.get()) { if (T* ptr = m_ptr) ptr->ref(); }
++
++ T* get() const { return m_ptr; }
++
++ void clear() { if (T* ptr = m_ptr) ptr->deref(); m_ptr = 0; }
++ PassRefPtr<T> release() { PassRefPtr<T> tmp = adoptRef(m_ptr); m_ptr = 0; return tmp; }
++
++ T& operator*() const { return *m_ptr; }
++ ALWAYS_INLINE T* operator->() const { return m_ptr; }
++
++ bool operator!() const { return !m_ptr; }
++
++ // This conversion operator allows implicit conversion to bool but not to other integer types.
++ typedef T* RefPtr::*UnspecifiedBoolType;
++ operator UnspecifiedBoolType() const { return m_ptr ? &RefPtr::m_ptr : 0; }
++
++ RefPtr& operator=(const RefPtr&);
++ RefPtr& operator=(T*);
++ RefPtr& operator=(const PassRefPtr<T>&);
++ template <typename U> RefPtr& operator=(const RefPtr<U>&);
++ template <typename U> RefPtr& operator=(const PassRefPtr<U>&);
++
++ void swap(RefPtr&);
++
++ private:
++ static T* hashTableDeletedValue() { return reinterpret_cast<T*>(-1); }
++
++ T* m_ptr;
++ };
++
++ template <typename T> template <typename U> inline RefPtr<T>::RefPtr(const PassRefPtr<U>& o)
++ : m_ptr(o.releaseRef())
++ {
++ }
++
++ template <typename T> inline RefPtr<T>& RefPtr<T>::operator=(const RefPtr<T>& o)
++ {
++ T* optr = o.get();
++ if (optr)
++ optr->ref();
++ T* ptr = m_ptr;
++ m_ptr = optr;
++ if (ptr)
++ ptr->deref();
++ return *this;
++ }
++
++ template <typename T> template <typename U> inline RefPtr<T>& RefPtr<T>::operator=(const RefPtr<U>& o)
++ {
++ T* optr = o.get();
++ if (optr)
++ optr->ref();
++ T* ptr = m_ptr;
++ m_ptr = optr;
++ if (ptr)
++ ptr->deref();
++ return *this;
++ }
++
++ template <typename T> inline RefPtr<T>& RefPtr<T>::operator=(T* optr)
++ {
++ if (optr)
++ optr->ref();
++ T* ptr = m_ptr;
++ m_ptr = optr;
++ if (ptr)
++ ptr->deref();
++ return *this;
++ }
++
++ template <typename T> inline RefPtr<T>& RefPtr<T>::operator=(const PassRefPtr<T>& o)
++ {
++ T* ptr = m_ptr;
++ m_ptr = o.releaseRef();
++ if (ptr)
++ ptr->deref();
++ return *this;
++ }
++
++ template <typename T> template <typename U> inline RefPtr<T>& RefPtr<T>::operator=(const PassRefPtr<U>& o)
++ {
++ T* ptr = m_ptr;
++ m_ptr = o.releaseRef();
++ if (ptr)
++ ptr->deref();
++ return *this;
++ }
++
++ template <class T> inline void RefPtr<T>::swap(RefPtr<T>& o)
++ {
++ std::swap(m_ptr, o.m_ptr);
++ }
++
++ template <class T> inline void swap(RefPtr<T>& a, RefPtr<T>& b)
++ {
++ a.swap(b);
++ }
++
++ template <typename T, typename U> inline bool operator==(const RefPtr<T>& a, const RefPtr<U>& b)
++ {
++ return a.get() == b.get();
++ }
++
++ template <typename T, typename U> inline bool operator==(const RefPtr<T>& a, U* b)
++ {
++ return a.get() == b;
++ }
++
++ template <typename T, typename U> inline bool operator==(T* a, const RefPtr<U>& b)
++ {
++ return a == b.get();
++ }
++
++ template <typename T, typename U> inline bool operator!=(const RefPtr<T>& a, const RefPtr<U>& b)
++ {
++ return a.get() != b.get();
++ }
++
++ template <typename T, typename U> inline bool operator!=(const RefPtr<T>& a, U* b)
++ {
++ return a.get() != b;
++ }
++
++ template <typename T, typename U> inline bool operator!=(T* a, const RefPtr<U>& b)
++ {
++ return a != b.get();
++ }
++
++ template <typename T, typename U> inline RefPtr<T> static_pointer_cast(const RefPtr<U>& p)
++ {
++ return RefPtr<T>(static_cast<T*>(p.get()));
++ }
++
++ template <typename T, typename U> inline RefPtr<T> const_pointer_cast(const RefPtr<U>& p)
++ {
++ return RefPtr<T>(const_cast<T*>(p.get()));
++ }
++
++ template <typename T> inline T* getPtr(const RefPtr<T>& p)
++ {
++ return p.get();
++ }
++
++} // namespace WTF
++
++using WTF::RefPtr;
++using WTF::static_pointer_cast;
++using WTF::const_pointer_cast;
++
++#endif // WTF_RefPtr_h
+--- kdelibs-3.5.4/khtml/html/htmlparser.cpp.CVE-2009-1690 2006-07-22 10:16:43.000000000 +0200
++++ kdelibs-3.5.4/khtml/html/htmlparser.cpp 2009-06-17 11:51:15.000000000 +0200
+@@ -199,7 +199,6 @@
+
+ form = 0;
+ map = 0;
+- head = 0;
+ end = false;
+ isindex = 0;
+
+@@ -616,8 +615,7 @@
+ case ID_BASE:
+ if(!head) {
+ head = new HTMLHeadElementImpl(document);
+- e = head;
+- insertNode(e);
++ insertNode(head.get());
+ handled = true;
+ }
+ break;
+@@ -839,7 +837,7 @@
+ case ID_HEAD:
+ if(!head && current->id() == ID_HTML) {
+ head = new HTMLHeadElementImpl(document);
+- n = head;
++ n = head.get();
+ }
+ break;
+ case ID_BODY:
+@@ -1679,12 +1677,12 @@
+ head = new HTMLHeadElementImpl(document);
+ HTMLElementImpl *body = doc()->body();
+ int exceptioncode = 0;
+- doc()->firstChild()->insertBefore(head, body, exceptioncode);
++ doc()->firstChild()->insertBefore(head.get(), body, exceptioncode);
+ if ( exceptioncode ) {
+ #ifdef PARSER_DEBUG
+ kdDebug( 6035 ) << "creation of head failed!!!!" << endl;
+ #endif
+- delete head;
++ delete head.get();
+ head = 0;
+ }
+ }
+--- kdelibs-3.5.4/khtml/html/Platform.h.CVE-2009-1690 2009-06-17 14:19:07.000000000 +0200
++++ kdelibs-3.5.4/khtml/html/Platform.h 2009-06-17 14:19:07.000000000 +0200
+@@ -0,0 +1,218 @@
++/* -*- mode: c++; c-basic-offset: 4 -*- */
++/*
++ * Copyright (C) 2006 Apple Computer, Inc. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in the
++ * documentation and/or other materials provided with the distribution.
++ *
++ * THIS SOFTWARE IS PROVIDED BY APPLE COMPUTER, INC. ``AS IS'' AND ANY
++ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE COMPUTER, INC. OR
++ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
++ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
++ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
++ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
++ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
++ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
++ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
++ */
++
++#ifndef WTF_Platform_h
++#define WTF_Platform_h
++
++/* Force KDE build here in our tree... */
++#ifndef BUILDING_KDE__
++#define BUILDING_KDE__ 1
++#endif
++
++/* PLATFORM handles OS, operating environment, graphics API, and CPU */
++#define PLATFORM(WTF_FEATURE) (defined( WTF_PLATFORM_##WTF_FEATURE ) && WTF_PLATFORM_##WTF_FEATURE)
++#define COMPILER(WTF_FEATURE) (defined( WTF_COMPILER_##WTF_FEATURE ) && WTF_COMPILER_##WTF_FEATURE)
++#define HAVE(WTF_FEATURE) (defined( HAVE_##WTF_FEATURE ) && HAVE_##WTF_FEATURE)
++#define USE(WTF_FEATURE) (defined( WTF_USE_##WTF_FEATURE ) && WTF_USE_##WTF_FEATURE)
++#define ENABLE(WTF_FEATURE) (defined( ENABLE_##WTF_FEATURE ) && ENABLE_##WTF_FEATURE)
++
++/* Operating systems - low-level dependencies */
++
++/* PLATFORM(DARWIN) */
++/* Operating system level dependencies for Mac OS X / Darwin that should */
++/* be used regardless of operating environment */
++#ifdef __APPLE__
++#define WTF_PLATFORM_DARWIN 1
++#endif
++
++/* PLATFORM(WIN_OS) */
++/* Operating system level dependencies for Windows that should be used */
++/* regardless of operating environment */
++#if defined(WIN32) || defined(_WIN32)
++#define WTF_PLATFORM_WIN_OS 1
++#endif
++
++/* PLATFORM(UNIX) */
++/* Operating system level dependencies for Unix-like systems that */
++/* should be used regardless of operating environment */
++/* (includes PLATFORM(DARWIN)) */
++#if defined(__APPLE__) \
++ || defined(unix) \
++ || defined(__unix) \
++ || defined(__unix__) \
++ || defined (__NetBSD__) \
++ || defined(_AIX)
++#define WTF_PLATFORM_UNIX 1
++#endif
++
++/* PLATFORM(SOLARIS_OS) */
++/* Operating system level dependencies for Sun (Open)Solaris 10. */
++/* Studio 12 on Solaris defines __SunOS; gcc defines __sun__; */
++/* Both compilers define __sun and sun. */
++#if defined(__sun) || defined(sun)
++#define WTF_PLATFORM_SOLARIS_OS 1
++#endif
++
++/* Operating environments */
++
++/* I made the BUILDING_KDE__ macro up for the KDE build system to define */
++
++/* PLATFORM(KDE) */
++/* PLATFORM(MAC) */
++/* PLATFORM(WIN) */
++#if BUILDING_KDE__
++#define WTF_PLATFORM_KDE 1
++#elif PLATFORM(DARWIN)
++#define WTF_PLATFORM_MAC 1
++#elif PLATFORM(WIN_OS)
++#define WTF_PLATFORM_WIN 1
++#endif
++#if defined(BUILDING_GDK__)
++#define WTF_PLATFORM_GDK 1
++#endif
++
++
++/* CPU */
++
++/* PLATFORM(PPC) */
++#if defined(__ppc__) \
++ || defined(__PPC__) \
++ || defined(__powerpc__) \
++ || defined(__powerpc) \
++ || defined(__POWERPC__) \
++ || defined(_M_PPC) \
++ || defined(__PPC)
++#define WTF_PLATFORM_PPC 1
++#define WTF_PLATFORM_BIG_ENDIAN 1
++#endif
++
++/* PLATFORM(PPC64) */
++#if defined(__ppc64__) \
++ || defined(__PPC64__)
++#define WTF_PLATFORM_PPC64 1
++#define WTF_PLATFORM_BIG_ENDIAN 1
++#endif
++
++#if defined(arm)
++#define WTF_PLATFORM_ARM 1
++#if defined(__ARMEB__)
++#define WTF_PLATFORM_BIG_ENDIAN 1
++#elif !defined(__ARM_EABI__) && !defined(__ARMEB__)
++#define WTF_PLATFORM_MIDDLE_ENDIAN 1
++#endif
++#if !defined(__ARM_EABI__)
++#define WTF_PLATFORM_FORCE_PACK 1
++#endif
++#endif
++
++/* PLATFORM(X86) */
++#if defined(__i386__) \
++ || defined(i386) \
++ || defined(_M_IX86) \
++ || defined(_X86_) \
++ || defined(__THW_INTEL)
++#define WTF_PLATFORM_X86 1
++#endif
++
++/* PLATFORM(X86_64) */
++#if defined(__x86_64__) \
++ || defined(__ia64__)
++#define WTF_PLATFORM_X86_64 1
++#endif
++
++/* PLATFORM(SPARC) */
++#if defined(sparc)
++#define WTF_PLATFORM_SPARC 1
++#endif
++
++/* Compiler */
++
++/* COMPILER(CWP) */
++#if defined(__MWERKS__)
++#define WTF_COMPILER_CWP 1
++#endif
++
++/* COMPILER(MSVC) */
++#if defined(_MSC_VER)
++#define WTF_COMPILER_MSVC 1
++#endif
++
++/* COMPILER(GCC) */
++#if defined(__GNUC__)
++#define WTF_COMPILER_GCC 1
++#endif
++
++/* COMPILER(SUNPRO) */
++#if defined(__SUNPRO_CC)
++#define WTF_COMPILER_SUNPRO 1
++#endif
++
++/* COMPILER(BORLAND) */
++/* not really fully supported - is this relevant any more? */
++#if defined(__BORLANDC__)
++#define WTF_COMPILER_BORLAND 1
++#endif
++
++/* COMPILER(CYGWIN) */
++/* not really fully supported - is this relevant any more? */
++#if defined(__CYGWIN__)
++#define WTF_COMPILER_CYGWIN 1
++#endif
++
++/* multiple threads only supported on Mac for now */
++#if PLATFORM(MAC)
++#ifndef WTF_USE_MULTIPLE_THREADS
++#define WTF_USE_MULTIPLE_THREADS 1
++#endif
++#ifndef WTF_USE_BINDINGS
++#define WTF_USE_BINDINGS 1
++#endif
++#endif
++
++/* for Unicode, KDE uses Qt, everything else uses ICU */
++#if PLATFORM(KDE) || PLATFORM(QT)
++#define WTF_USE_QT4_UNICODE 1
++#elif PLATFORM(SYMBIAN)
++#define WTF_USE_SYMBIAN_UNICODE 1
++#else
++#define WTF_USE_ICU_UNICODE 1
++#endif
++
++#if PLATFORM(MAC)
++#define WTF_PLATFORM_CF 1
++#endif
++
++#if PLATFORM(WIN)
++#define WTF_USE_WININET 1
++#endif
++
++#if PLATFORM(GDK)
++#define WTF_USE_CURL 1
++#endif
++
++/* ENABLE macro defaults */
++
++#endif /* WTF_Platform_h */
+--- kdelibs-3.5.4/khtml/html/AlwaysInline.h.CVE-2009-1690 2009-06-17 14:18:52.000000000 +0200
++++ kdelibs-3.5.4/khtml/html/AlwaysInline.h 2009-06-17 13:56:36.000000000 +0200
+@@ -0,0 +1,49 @@
++/*
++ * Copyright (C) 2005, 2007 Apple Inc. All rights reserved.
++ *
++ * This library is free software; you can redistribute it and/or
++ * modify it under the terms of the GNU Library General Public
++ * License as published by the Free Software Foundation; either
++ * version 2 of the License, or (at your option) any later version.
++ *
++ * This library is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ * Library General Public License for more details.
++ *
++ * You should have received a copy of the GNU Library General Public License
++ * along with this library; see the file COPYING.LIB. If not, write to
++ * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
++ * Boston, MA 02110-1301, USA.
++ *
++ */
++
++#include "html/Platform.h"
++
++
++#ifndef ALWAYS_INLINE
++#if COMPILER(GCC) && defined(NDEBUG) && __GNUC__ > 3
++#define ALWAYS_INLINE inline __attribute__ ((__always_inline__))
++#elif COMPILER(MSVC) && defined(NDEBUG)
++#define ALWAYS_INLINE __forceinline
++#else
++#define ALWAYS_INLINE inline
++#endif
++#endif
++
++#ifndef ALWAYS_INLINE_INTO
++#if COMPILER(GCC) && defined(NDEBUG) && ((__GNUC__ == 4 && __GNUC_MINOR__ >= 1) || __GNUC__ > 4)
++#define ALWAYS_INLINE_INTO __attribute__ ((__flatten__))
++#else
++#define ALWAYS_INLINE_INTO
++#endif
++#endif
++
++
++#ifndef NEVER_INLINE
++#if COMPILER(GCC) && __GNUC__ > 3
++#define NEVER_INLINE __attribute__ ((__noinline__))
++#else
++#define NEVER_INLINE
++#endif
++#endif
+--- kdelibs-3.5.4/khtml/html/htmlparser.h.CVE-2009-1690 2005-10-10 17:06:04.000000000 +0200
++++ kdelibs-3.5.4/khtml/html/htmlparser.h 2009-06-17 14:42:27.000000000 +0200
+@@ -38,10 +38,10 @@
+ #include <qdatetime.h>
+ #endif
+
+-
+ #include "dom/dom_string.h"
+ #include "xml/dom_nodeimpl.h"
+ #include "html/html_documentimpl.h"
++#include "html/RefPtr.h"
+
+ class KHTMLView;
+ class HTMLStackElem;
+@@ -148,7 +148,7 @@
+ /*
+ * the head element. Needed for crappy html which defines <base> after </head>
+ */
+- DOM::HTMLHeadElementImpl *head;
++ RefPtr<DOM::HTMLHeadElementImpl> head;
+
+ /*
+ * a possible <isindex> element in the head. Compatibility hack for
diff --git a/kdelibs-3.5.4-CVE-2009-1698.patch b/kdelibs-3.5.4-CVE-2009-1698.patch
new file mode 100644
index 0000000..171f2e3
--- /dev/null
+++ b/kdelibs-3.5.4-CVE-2009-1698.patch
@@ -0,0 +1,57 @@
+--- kdelibs-3.5.4/khtml/css/css_valueimpl.cpp.CVE-2009-1698 2009-06-18 10:59:23.000000000 +0200
++++ kdelibs-3.5.4/khtml/css/css_valueimpl.cpp 2009-06-18 12:53:44.000000000 +0200
+@@ -736,7 +736,9 @@
+ text = getValueName(m_value.ident);
+ break;
+ case CSSPrimitiveValue::CSS_ATTR:
+- // ###
++ text = "attr(";
++ text += DOMString( m_value.string );
++ text += ")";
+ break;
+ case CSSPrimitiveValue::CSS_COUNTER:
+ text = "counter(";
+--- kdelibs-3.5.4/khtml/css/cssparser.cpp.CVE-2009-1698 2009-06-18 10:37:13.000000000 +0200
++++ kdelibs-3.5.4/khtml/css/cssparser.cpp 2009-06-23 13:05:20.000000000 +0200
+@@ -1318,6 +1318,7 @@
+
+ Value *val;
+ CSSValueImpl *parsedValue = 0;
++ bool valid = true;
+ while ( (val = valueList->current()) ) {
+ if ( val->unit == CSSPrimitiveValue::CSS_URI ) {
+ // url
+@@ -1336,6 +1337,14 @@
+ if ( args->size() != 1)
+ return false;
+ Value *a = args->current();
++ if (a->unit != CSSPrimitiveValue::CSS_IDENT) {
++ valid=false;
++ break;
++ }
++ if (qString(a->string)[0] == '-') {
++ valid=false;
++ break;
++ }
+ parsedValue = new CSSPrimitiveValueImpl(domString(a->string), CSSPrimitiveValue::CSS_ATTR);
+ }
+ else
+@@ -1367,7 +1376,7 @@
+ break;
+ valueList->next();
+ }
+- if ( values->length() ) {
++ if ( valid && values->length() ) {
+ addProperty( propId, values, important );
+ valueList->next();
+ return true;
+@@ -1384,7 +1393,8 @@
+
+ CounterImpl *counter = new CounterImpl;
+ Value *i = args->current();
+-// if (i->unit != CSSPrimitiveValue::CSS_IDENT) goto invalid;
++ if (i->unit != CSSPrimitiveValue::CSS_IDENT) goto invalid;
++ if (qString(i->string)[0] == '-') goto invalid;
+ counter->m_identifier = domString(i->string);
+ if (counters) {
+ i = args->next();
diff --git a/kdelibs3.spec b/kdelibs3.spec
index c588e07..6a46930 100644
--- a/kdelibs3.spec
+++ b/kdelibs3.spec
@@ -36,7 +36,7 @@
Summary: K Desktop Environment 3 - Libraries
Version: 3.5.10
-Release: 12%{?dist}
+Release: 13%{?dist}
%if 0%{?fedora} > 8
Name: kdelibs3
@@ -97,7 +97,17 @@ Patch101: kde-3.5-libtool-shlibext.patch
Patch103: kdelibs-3.5.0-101956.patch
Patch104: kdelibs-3.5.10-gcc44.patch
-## upstream patches
+## security fixes
+# fix CVE-2009-2537 - select length DoS
+Patch200: kdelibs-3.5.10-cve-2009-2537-select-length.patch
+# fix CVE-2009-1725 - crash, possible ACE in numeric character references
+Patch201: kdelibs-3.5.10-cve-2009-1725.patch
+# fix CVE-2009-1690 - crash, possible ACE in KHTML (<head> use-after-free)
+Patch202: kdelibs-3.5.4-CVE-2009-1687.patch
+# fix CVE-2009-1687 - possible ACE in KJS (FIXME: still crashes?)
+Patch203: kdelibs-3.5.4-CVE-2009-1690.patch
+# fix CVE-2009-1698 - crash, possible ACE in CSS style attribute handling
+Patch204: kdelibs-3.5.4-CVE-2009-1698.patch
#{?arts:Requires: arts >= %{arts_ev}}
#Requires: %{qt3} >= %{qt3_ev}
@@ -273,7 +283,12 @@ format for easy browsing
%patch101 -p1 -b .libtool-shlibext
%patch104 -p1 -b .gcc44
-# upstream patches
+# security fixes
+%patch200 -p1 -b .cve-2009-2537
+%patch201 -p0 -b .cve-2009-1725
+%patch202 -p1 -b .cve-2009-1687
+%patch203 -p1 -b .cve-2009-1690
+%patch204 -p1 -b .cve-2009-1698
sed -i -e "s,^#define KDE_VERSION_STRING .*,#define KDE_VERSION_STRING \"%{version}-%{release} %{distname}\"," kdecore/kdeversion.h
@@ -625,6 +640,13 @@ touch --no-create %{_datadir}/icons/crystalsvg 2> /dev/null || :
%changelog
+* Sun Jul 26 2009 Kevin Kofler <Kevin at tigcc.ticalc.org> - 3.5.10-13
+- fix CVE-2009-2537 - select length DoS
+- fix CVE-2009-1725 - crash, possible ACE in numeric character references
+- fix CVE-2009-1690 - crash, possible ACE in KHTML (<head> use-after-free)
+- fix CVE-2009-1687 - possible ACE in KJS (FIXME: still crashes?)
+- fix CVE-2009-1698 - crash, possible ACE in CSS style attribute handling
+
* Fri Jul 24 2009 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 3.5.10-12
- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
--
cgit v0.10.2
http://pkgs.fedoraproject.org/cgit/kdelibs3.git/commit/?h=epel7&id=e57cb8baa23a680c54ea2f6a7583305ab4f61229
More information about the scm-commits
mailing list