Fri Dec 27 23:54:04 UTC 2013

author: Nicolás Reynolds <fauno@endefensadelsl.org> 2013-12-27 23:55:53 +0000
committer: Nicolás Reynolds <fauno@endefensadelsl.org> 2013-12-27 23:55:53 +0000
commit: 65eeff79fff8a1bfdf67ca51d147384f46f4d5c0 (patch)
tree: fbfdff322b28d9a3c37e6e31c94caf1d8e48dac1 /extra/qt4
parent: d53c44f055929b18d7d1b25f8367ee5836c435fc (diff)
3 files changed, 282 insertions, 6 deletions
diff --git a/extra/qt4/CVE-2013-4549.patch b/extra/qt4/CVE-2013-4549.patch
new file mode 100644
index 000000000..8084f4a41
--- /dev/null
+++ b/extra/qt4/CVE-2013-4549.patch
@@ -0,0 +1,233 @@
+From 512a1ce0698d370c313bb561bbf078935fa0342e Mon Sep 17 00:00:00 2001
+From: Mitch Curtis <mitch.curtis@digia.com>
+Date: Thu, 7 Nov 2013 09:36:29 +0100
+Subject: [PATCH] Disallow deep or widely nested entity references.
+
+Nested references with a depth of 2 or greater will fail. References
+that partially expand to greater than 1024 characters will also fail.
+
+This is a backport of 46a8885ae486e238a39efa5119c2714f328b08e4.
+
+Change-Id: I0c2e1fa13d6ccb5f88641dae2ed3f28bfdeaf609
+Reviewed-by: Richard J. Moore <rich@kde.org>
+Reviewed-by: Lars Knoll <lars.knoll@digia.com>
+
+From cecceb0cdd87482124a73ecf537f3445d68be13e Mon Sep 17 00:00:00 2001
+From: Mitch Curtis <mitch.curtis@digia.com>
+Date: Tue, 12 Nov 2013 13:44:56 +0100
+Subject: [PATCH] Fully expand entities to ensure deep or widely nested ones fail parsing
+
+With 512a1ce0698d370c313bb561bbf078935fa0342e, we failed when parsing
+entities whose partially expanded size was greater than 1024
+characters. That was not enough, so now we fully expand all entities.
+
+This is a backport of f1053d94f59f053ce4acad9320df14f1fbe4faac.
+
+Change-Id: I41dd6f4525c63e82fd320a22d19248169627f7e0
+Reviewed-by: Richard J. Moore <rich@kde.org>
+
+diff --git a/src/xml/sax/qxml.cpp b/src/xml/sax/qxml.cpp
+index a1777c5..3904632 100644
+--- a/src/xml/sax/qxml.cpp
++++ b/src/xml/sax/qxml.cpp
+@@ -424,6 +424,10 @@ private:
+     int     stringValueLen;
+     QString emptyStr;
+ 
++    // The limit to the amount of times the DTD parsing functions can be called
++    // for the DTD currently being parsed.
++    int dtdRecursionLimit;
++
+     const QString &string();
+     void stringClear();
+     void stringAddC(QChar);
+@@ -492,6 +496,7 @@ private:
+     void unexpectedEof(ParseFunction where, int state);
+     void parseFailed(ParseFunction where, int state);
+     void pushParseState(ParseFunction function, int state);
++    bool isPartiallyExpandedEntityValueTooLarge(QString *errorMessage);
+ 
+     Q_DECLARE_PUBLIC(QXmlSimpleReader)
+     QXmlSimpleReader *q_ptr;
+@@ -2759,6 +2764,7 @@ QXmlSimpleReaderPrivate::QXmlSimpleReaderPrivate(QXmlSimpleReader *reader)
+     useNamespacePrefixes = false;
+     reportWhitespaceCharData = true;
+     reportEntities = false;
++    dtdRecursionLimit = 2;
+ }
+ 
+ QXmlSimpleReaderPrivate::~QXmlSimpleReaderPrivate()
+@@ -5018,6 +5024,11 @@ bool QXmlSimpleReaderPrivate::parseDoctype()
+                 }
+                 break;
+             case Mup:
++                if (dtdRecursionLimit > 0 && parameterEntities.size() > dtdRecursionLimit) {
++                    reportParseError(QString::fromLatin1(
++                        "DTD parsing exceeded recursion limit of %1.").arg(dtdRecursionLimit));
++                    return false;
++                }
+                 if (!parseMarkupdecl()) {
+                     parseFailed(&QXmlSimpleReaderPrivate::parseDoctype, state);
+                     return false;
+@@ -6627,6 +6638,37 @@ bool QXmlSimpleReaderPrivate::parseChoiceSeq()
+     return false;
+ }
+ 
++bool QXmlSimpleReaderPrivate::isPartiallyExpandedEntityValueTooLarge(QString *errorMessage)
++{
++    const QString value = string();
++    QMap<QString, int> referencedEntityCounts;
++    foreach (QString entityName, entities.keys()) {
++        for (int i = 0; i < value.size() && i != -1; ) {
++            i = value.indexOf(entityName, i);
++            if (i != -1) {
++                // The entityName we're currently trying to find
++                // was matched in this string; increase our count.
++                ++referencedEntityCounts[entityName];
++                i += entityName.size();
++            }
++        }
++    }
++
++    foreach (QString entityName, referencedEntityCounts.keys()) {
++        const int timesReferenced = referencedEntityCounts[entityName];
++        const QString entityValue = entities[entityName];
++        if (entityValue.size() * timesReferenced > 1024) {
++            if (errorMessage) {
++                *errorMessage = QString::fromLatin1("The XML entity \"%1\""
++                    "expands too a string that is too large to process when "
++                    "referencing \"%2\" %3 times.").arg(entityName).arg(entityName).arg(timesReferenced);
++            }
++            return true;
++        }
++    }
++    return false;
++}
++
+ /*
+   Parse a EntityDecl [70].
+ 
+@@ -6721,6 +6763,15 @@ bool QXmlSimpleReaderPrivate::parseEntityDecl()
+         switch (state) {
+             case EValue:
+                 if ( !entityExist(name())) {
++                    QString errorMessage;
++                    if (isPartiallyExpandedEntityValueTooLarge(&errorMessage)) {
++                        // The entity at entityName is entityValue.size() characters
++                        // long in its unexpanded form, and was mentioned timesReferenced times,
++                        // resulting in a string that would be greater than 1024 characters.
++                        reportParseError(errorMessage);
++                        return false;
++                    }
++
+                     entities.insert(name(), string());
+                     if (declHnd) {
+                         if (!declHnd->internalEntityDecl(name(), string())) {
+diff --git a/src/xml/sax/qxml.cpp b/src/xml/sax/qxml.cpp
+index 3904632..befa801 100644
+--- a/src/xml/sax/qxml.cpp
++++ b/src/xml/sax/qxml.cpp
+@@ -426,7 +426,9 @@ private:
+ 
+     // The limit to the amount of times the DTD parsing functions can be called
+     // for the DTD currently being parsed.
+-    int dtdRecursionLimit;
++    static const int dtdRecursionLimit = 2;
++    // The maximum amount of characters an entity value may contain, after expansion.
++    static const int entityCharacterLimit = 1024;
+ 
+     const QString &string();
+     void stringClear();
+@@ -496,7 +498,7 @@ private:
+     void unexpectedEof(ParseFunction where, int state);
+     void parseFailed(ParseFunction where, int state);
+     void pushParseState(ParseFunction function, int state);
+-    bool isPartiallyExpandedEntityValueTooLarge(QString *errorMessage);
++    bool isExpandedEntityValueTooLarge(QString *errorMessage);
+ 
+     Q_DECLARE_PUBLIC(QXmlSimpleReader)
+     QXmlSimpleReader *q_ptr;
+@@ -2764,7 +2766,6 @@ QXmlSimpleReaderPrivate::QXmlSimpleReaderPrivate(QXmlSimpleReader *reader)
+     useNamespacePrefixes = false;
+     reportWhitespaceCharData = true;
+     reportEntities = false;
+-    dtdRecursionLimit = 2;
+ }
+ 
+ QXmlSimpleReaderPrivate::~QXmlSimpleReaderPrivate()
+@@ -6638,30 +6639,43 @@ bool QXmlSimpleReaderPrivate::parseChoiceSeq()
+     return false;
+ }
+ 
+-bool QXmlSimpleReaderPrivate::isPartiallyExpandedEntityValueTooLarge(QString *errorMessage)
++bool QXmlSimpleReaderPrivate::isExpandedEntityValueTooLarge(QString *errorMessage)
+ {
+-    const QString value = string();
+-    QMap<QString, int> referencedEntityCounts;
+-    foreach (QString entityName, entities.keys()) {
+-        for (int i = 0; i < value.size() && i != -1; ) {
+-            i = value.indexOf(entityName, i);
+-            if (i != -1) {
+-                // The entityName we're currently trying to find
+-                // was matched in this string; increase our count.
+-                ++referencedEntityCounts[entityName];
+-                i += entityName.size();
++    QMap<QString, int> literalEntitySizes;
++    // The entity at (QMap<QString,) referenced the entities at (QMap<QString,) (int>) times.
++    QMap<QString, QMap<QString, int> > referencesToOtherEntities;
++    QMap<QString, int> expandedSizes;
++
++    // For every entity, check how many times all entity names were referenced in its value.
++    foreach (QString toSearch, entities.keys()) {
++        // The amount of characters that weren't entity names, but literals, like 'X'.
++        QString leftOvers = entities.value(toSearch);
++        // How many times was entityName referenced by toSearch?
++        foreach (QString entityName, entities.keys()) {
++            for (int i = 0; i < leftOvers.size() && i != -1; ) {
++                i = leftOvers.indexOf(QString::fromLatin1("&%1;").arg(entityName), i);
++                if (i != -1) {
++                    leftOvers.remove(i, entityName.size() + 2);
++                    // The entityName we're currently trying to find was matched in this string; increase our count.
++                    ++referencesToOtherEntities[toSearch][entityName];
++                }
+             }
+         }
++        literalEntitySizes[toSearch] = leftOvers.size();
+     }
+ 
+-    foreach (QString entityName, referencedEntityCounts.keys()) {
+-        const int timesReferenced = referencedEntityCounts[entityName];
+-        const QString entityValue = entities[entityName];
+-        if (entityValue.size() * timesReferenced > 1024) {
++    foreach (QString entity, referencesToOtherEntities.keys()) {
++        expandedSizes[entity] = literalEntitySizes[entity];
++        foreach (QString referenceTo, referencesToOtherEntities.value(entity).keys()) {
++            const int references = referencesToOtherEntities.value(entity).value(referenceTo);
++            // The total size of an entity's value is the expanded size of all of its referenced entities, plus its literal size.
++            expandedSizes[entity] += expandedSizes[referenceTo] * references + literalEntitySizes[referenceTo] * references;
++        }
++
++        if (expandedSizes[entity] > entityCharacterLimit) {
+             if (errorMessage) {
+-                *errorMessage = QString::fromLatin1("The XML entity \"%1\""
+-                    "expands too a string that is too large to process when "
+-                    "referencing \"%2\" %3 times.").arg(entityName).arg(entityName).arg(timesReferenced);
++                *errorMessage = QString::fromLatin1("The XML entity \"%1\" expands too a string that is too large to process (%2 characters > %3).");
++                *errorMessage = (*errorMessage).arg(entity).arg(expandedSizes[entity]).arg(entityCharacterLimit);
+             }
+             return true;
+         }
+@@ -6764,10 +6778,7 @@ bool QXmlSimpleReaderPrivate::parseEntityDecl()
+             case EValue:
+                 if ( !entityExist(name())) {
+                     QString errorMessage;
+-                    if (isPartiallyExpandedEntityValueTooLarge(&errorMessage)) {
+-                        // The entity at entityName is entityValue.size() characters
+-                        // long in its unexpanded form, and was mentioned timesReferenced times,
+-                        // resulting in a string that would be greater than 1024 characters.
++                    if (isExpandedEntityValueTooLarge(&errorMessage)) {
+                         reportParseError(errorMessage);
+                         return false;
+                     }
+-- 
+1.7.1
diff --git a/extra/qt4/PKGBUILD b/extra/qt4/PKGBUILD
index 807b5477e..2b52cfb95 100644
--- a/extra/qt4/PKGBUILD
+++ b/extra/qt4/PKGBUILD
@@ -1,17 +1,17 @@
-# $Id: PKGBUILD 197232 2013-10-24 13:09:09Z andrea $
+# $Id: PKGBUILD 201436 2013-12-11 15:31:04Z andrea $
 # Maintainer: Andrea Scarpino <andrea@archlinux.org>
 # Contributor: Pierre Schmitz <pierre@archlinux.de>
 
 pkgname=qt4
 pkgver=4.8.5
-pkgrel=6
+pkgrel=7
 arch=('i686' 'x86_64')
 url='http://qt-project.org/'
 license=('GPL3' 'LGPL' 'FDL' 'custom')
 pkgdesc='A cross-platform application and UI framework'
 depends=('libtiff' 'libpng' 'sqlite' 'ca-certificates' 'dbus'
         'fontconfig' 'libgl' 'libxrandr' 'libxv' 'libxi' 'alsa-lib'
-        'xdg-utils' 'hicolor-icon-theme' 'desktop-file-utils')
+        'xdg-utils' 'hicolor-icon-theme' 'desktop-file-utils' 'libmng')
 makedepends=('postgresql-libs' 'mariadb' 'unixodbc' 'cups' 'gtk2' 'libfbclient'
              'mesa')
 optdepends=('qtchooser: set the default Qt toolkit'
@@ -32,7 +32,8 @@ source=("http://download.qt-project.org/official_releases/qt/4.8/${pkgver}/${_pk
         'qtconfig-qt4.desktop' 'assistant-qt4.desktop' 'designer-qt4.desktop'
         'linguist-qt4.desktop' 'qdbusviewer-qt4.desktop'
         'improve-cups-support.patch'
-        'qtbug-31579.patch' 'qtbug-32534.patch' 'qtbug-32908.patch')
+        'qtbug-31579.patch' 'qtbug-32534.patch' 'qtbug-32908.patch'
+        'libmng2.patch' 'CVE-2013-4549.patch')
 md5sums=('1864987bdbb2f58f8ae8b350dfdbe133'
          'a16638f4781e56e7887ff8212a322ecc'
          '8a28b3f52dbeb685d4b69440b520a3e1'
@@ -42,7 +43,9 @@ md5sums=('1864987bdbb2f58f8ae8b350dfdbe133'
          'c439c7731c25387352d8453ca7574971'
          '6ed8d26a8e4a9bba1f6c08fb99cc8357'
          'bb0e0fa6ba953fa590d81ac612374e11'
-         'db343dcae522bc90d802ad1e83b7f5dd')
+         'db343dcae522bc90d802ad1e83b7f5dd'
+         '0ba4ffc9ff1acb9bf8a5f592ba956d48'
+         '8701bd7445426c1ad5da3ddbd72df6b4')
 
 prepare() {
   cd ${_pkgfqn}
@@ -57,6 +60,11 @@ prepare() {
   # (FS#36947) (QTBUG#32908)
   patch -p1 -i "${srcdir}"/qtbug-32908.patch
 
+  # (FS#38081)
+  patch -p1 -i "${srcdir}"/CVE-2013-4549.patch
+  # (QTBUG#34894)
+  patch -p1 -i "${srcdir}"/libmng2.patch
+
   sed -i "s|-O2|${CXXFLAGS}|" mkspecs/common/{g++,gcc}-base.conf
   sed -i "/^QMAKE_LFLAGS_RPATH/s| -Wl,-rpath,||g" mkspecs/common/gcc-base-unix.conf
   sed -i "/^QMAKE_LFLAGS\s/s|+=|+= ${LDFLAGS}|g" mkspecs/common/gcc-base.conf
@@ -69,7 +77,7 @@ prepare() {
 build() {
   export QT4DIR="${srcdir}"/${_pkgfqn}
   export LD_LIBRARY_PATH=${QT4DIR}/lib:${LD_LIBRARY_PATH}
-  
+
   cd ${_pkgfqn}
 
   ./configure -confirm-license -opensource \
diff --git a/extra/qt4/libmng2.patch b/extra/qt4/libmng2.patch
new file mode 100644
index 000000000..b6000fc0b
--- /dev/null
+++ b/extra/qt4/libmng2.patch
@@ -0,0 +1,35 @@
+From 515617e55be9a7bfa738a9c32ef8b19065de37d4 Mon Sep 17 00:00:00 2001
+From: aavit <eirik.aavitsland@digia.com>
+Date: Fri, 22 Nov 2013 15:49:44 +0100
+Subject: [PATCH] Recognize newer libmng versions in config test
+
+libmng 2.0.x has been released and is compatible and usable, but since
+it no longer provides a VERSION_MAJOR macro, the config test would fail.
+
+Task-number: QTBUG-34894
+Change-Id: I36f6ed9d69dbae88feb1b88ce099bf36c9283133
+Reviewed-by: Liang Qi <liang.qi@digia.com>
+(cherry picked from qtimageformats/9ae386653c321c8ddc10fad5ea88f32ebb3d3ffe)
+---
+ config.tests/unix/libmng/libmng.cpp |    2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+diff --git a/config.tests/unix/libmng/libmng.cpp b/config.tests/unix/libmng/libmng.cpp
+index 0fbe554..9db10ff 100644
+--- a/config.tests/unix/libmng/libmng.cpp
++++ b/config.tests/unix/libmng/libmng.cpp
+@@ -46,9 +46,11 @@ int main(int, char **)
+     mng_handle hMNG;
+     mng_cleanup(&hMNG);
+ 
++#if defined(MNG_VERSION_MAJOR)
+ #if MNG_VERSION_MAJOR < 1 || (MNG_VERSION_MAJOR == 1 && MNG_VERSION_MINOR == 0 && MNG_VERSION_RELEASE < 9)
+ #error System libmng version is less than 1.0.9; using built-in version instead.
+ #endif
++#endif
+ 
+     return 0;
+ }
+-- 
+1.7.1
+
author	Nicolás Reynolds <fauno@endefensadelsl.org>	2013-12-27 23:55:53 +0000
committer	Nicolás Reynolds <fauno@endefensadelsl.org>	2013-12-27 23:55:53 +0000
commit	65eeff79fff8a1bfdf67ca51d147384f46f4d5c0 (patch)
tree	fbfdff322b28d9a3c37e6e31c94caf1d8e48dac1 /extra/qt4
parent	d53c44f055929b18d7d1b25f8367ee5836c435fc (diff)