diff options
Diffstat (limited to 'extra/qt4')
-rw-r--r-- | extra/qt4/CVE-2013-4549.patch | 233 | ||||
-rw-r--r-- | extra/qt4/PKGBUILD | 20 | ||||
-rw-r--r-- | extra/qt4/libmng2.patch | 35 |
3 files changed, 282 insertions, 6 deletions
diff --git a/extra/qt4/CVE-2013-4549.patch b/extra/qt4/CVE-2013-4549.patch new file mode 100644 index 000000000..8084f4a41 --- /dev/null +++ b/extra/qt4/CVE-2013-4549.patch @@ -0,0 +1,233 @@ +From 512a1ce0698d370c313bb561bbf078935fa0342e Mon Sep 17 00:00:00 2001 +From: Mitch Curtis <mitch.curtis@digia.com> +Date: Thu, 7 Nov 2013 09:36:29 +0100 +Subject: [PATCH] Disallow deep or widely nested entity references. + +Nested references with a depth of 2 or greater will fail. References +that partially expand to greater than 1024 characters will also fail. + +This is a backport of 46a8885ae486e238a39efa5119c2714f328b08e4. + +Change-Id: I0c2e1fa13d6ccb5f88641dae2ed3f28bfdeaf609 +Reviewed-by: Richard J. Moore <rich@kde.org> +Reviewed-by: Lars Knoll <lars.knoll@digia.com> + +From cecceb0cdd87482124a73ecf537f3445d68be13e Mon Sep 17 00:00:00 2001 +From: Mitch Curtis <mitch.curtis@digia.com> +Date: Tue, 12 Nov 2013 13:44:56 +0100 +Subject: [PATCH] Fully expand entities to ensure deep or widely nested ones fail parsing + +With 512a1ce0698d370c313bb561bbf078935fa0342e, we failed when parsing +entities whose partially expanded size was greater than 1024 +characters. That was not enough, so now we fully expand all entities. + +This is a backport of f1053d94f59f053ce4acad9320df14f1fbe4faac. + +Change-Id: I41dd6f4525c63e82fd320a22d19248169627f7e0 +Reviewed-by: Richard J. Moore <rich@kde.org> + +diff --git a/src/xml/sax/qxml.cpp b/src/xml/sax/qxml.cpp +index a1777c5..3904632 100644 +--- a/src/xml/sax/qxml.cpp ++++ b/src/xml/sax/qxml.cpp +@@ -424,6 +424,10 @@ private: + int stringValueLen; + QString emptyStr; + ++ // The limit to the amount of times the DTD parsing functions can be called ++ // for the DTD currently being parsed. ++ int dtdRecursionLimit; ++ + const QString &string(); + void stringClear(); + void stringAddC(QChar); +@@ -492,6 +496,7 @@ private: + void unexpectedEof(ParseFunction where, int state); + void parseFailed(ParseFunction where, int state); + void pushParseState(ParseFunction function, int state); ++ bool isPartiallyExpandedEntityValueTooLarge(QString *errorMessage); + + Q_DECLARE_PUBLIC(QXmlSimpleReader) + QXmlSimpleReader *q_ptr; +@@ -2759,6 +2764,7 @@ QXmlSimpleReaderPrivate::QXmlSimpleReaderPrivate(QXmlSimpleReader *reader) + useNamespacePrefixes = false; + reportWhitespaceCharData = true; + reportEntities = false; ++ dtdRecursionLimit = 2; + } + + QXmlSimpleReaderPrivate::~QXmlSimpleReaderPrivate() +@@ -5018,6 +5024,11 @@ bool QXmlSimpleReaderPrivate::parseDoctype() + } + break; + case Mup: ++ if (dtdRecursionLimit > 0 && parameterEntities.size() > dtdRecursionLimit) { ++ reportParseError(QString::fromLatin1( ++ "DTD parsing exceeded recursion limit of %1.").arg(dtdRecursionLimit)); ++ return false; ++ } + if (!parseMarkupdecl()) { + parseFailed(&QXmlSimpleReaderPrivate::parseDoctype, state); + return false; +@@ -6627,6 +6638,37 @@ bool QXmlSimpleReaderPrivate::parseChoiceSeq() + return false; + } + ++bool QXmlSimpleReaderPrivate::isPartiallyExpandedEntityValueTooLarge(QString *errorMessage) ++{ ++ const QString value = string(); ++ QMap<QString, int> referencedEntityCounts; ++ foreach (QString entityName, entities.keys()) { ++ for (int i = 0; i < value.size() && i != -1; ) { ++ i = value.indexOf(entityName, i); ++ if (i != -1) { ++ // The entityName we're currently trying to find ++ // was matched in this string; increase our count. ++ ++referencedEntityCounts[entityName]; ++ i += entityName.size(); ++ } ++ } ++ } ++ ++ foreach (QString entityName, referencedEntityCounts.keys()) { ++ const int timesReferenced = referencedEntityCounts[entityName]; ++ const QString entityValue = entities[entityName]; ++ if (entityValue.size() * timesReferenced > 1024) { ++ if (errorMessage) { ++ *errorMessage = QString::fromLatin1("The XML entity \"%1\"" ++ "expands too a string that is too large to process when " ++ "referencing \"%2\" %3 times.").arg(entityName).arg(entityName).arg(timesReferenced); ++ } ++ return true; ++ } ++ } ++ return false; ++} ++ + /* + Parse a EntityDecl [70]. + +@@ -6721,6 +6763,15 @@ bool QXmlSimpleReaderPrivate::parseEntityDecl() + switch (state) { + case EValue: + if ( !entityExist(name())) { ++ QString errorMessage; ++ if (isPartiallyExpandedEntityValueTooLarge(&errorMessage)) { ++ // The entity at entityName is entityValue.size() characters ++ // long in its unexpanded form, and was mentioned timesReferenced times, ++ // resulting in a string that would be greater than 1024 characters. ++ reportParseError(errorMessage); ++ return false; ++ } ++ + entities.insert(name(), string()); + if (declHnd) { + if (!declHnd->internalEntityDecl(name(), string())) { +diff --git a/src/xml/sax/qxml.cpp b/src/xml/sax/qxml.cpp +index 3904632..befa801 100644 +--- a/src/xml/sax/qxml.cpp ++++ b/src/xml/sax/qxml.cpp +@@ -426,7 +426,9 @@ private: + + // The limit to the amount of times the DTD parsing functions can be called + // for the DTD currently being parsed. +- int dtdRecursionLimit; ++ static const int dtdRecursionLimit = 2; ++ // The maximum amount of characters an entity value may contain, after expansion. ++ static const int entityCharacterLimit = 1024; + + const QString &string(); + void stringClear(); +@@ -496,7 +498,7 @@ private: + void unexpectedEof(ParseFunction where, int state); + void parseFailed(ParseFunction where, int state); + void pushParseState(ParseFunction function, int state); +- bool isPartiallyExpandedEntityValueTooLarge(QString *errorMessage); ++ bool isExpandedEntityValueTooLarge(QString *errorMessage); + + Q_DECLARE_PUBLIC(QXmlSimpleReader) + QXmlSimpleReader *q_ptr; +@@ -2764,7 +2766,6 @@ QXmlSimpleReaderPrivate::QXmlSimpleReaderPrivate(QXmlSimpleReader *reader) + useNamespacePrefixes = false; + reportWhitespaceCharData = true; + reportEntities = false; +- dtdRecursionLimit = 2; + } + + QXmlSimpleReaderPrivate::~QXmlSimpleReaderPrivate() +@@ -6638,30 +6639,43 @@ bool QXmlSimpleReaderPrivate::parseChoiceSeq() + return false; + } + +-bool QXmlSimpleReaderPrivate::isPartiallyExpandedEntityValueTooLarge(QString *errorMessage) ++bool QXmlSimpleReaderPrivate::isExpandedEntityValueTooLarge(QString *errorMessage) + { +- const QString value = string(); +- QMap<QString, int> referencedEntityCounts; +- foreach (QString entityName, entities.keys()) { +- for (int i = 0; i < value.size() && i != -1; ) { +- i = value.indexOf(entityName, i); +- if (i != -1) { +- // The entityName we're currently trying to find +- // was matched in this string; increase our count. +- ++referencedEntityCounts[entityName]; +- i += entityName.size(); ++ QMap<QString, int> literalEntitySizes; ++ // The entity at (QMap<QString,) referenced the entities at (QMap<QString,) (int>) times. ++ QMap<QString, QMap<QString, int> > referencesToOtherEntities; ++ QMap<QString, int> expandedSizes; ++ ++ // For every entity, check how many times all entity names were referenced in its value. ++ foreach (QString toSearch, entities.keys()) { ++ // The amount of characters that weren't entity names, but literals, like 'X'. ++ QString leftOvers = entities.value(toSearch); ++ // How many times was entityName referenced by toSearch? ++ foreach (QString entityName, entities.keys()) { ++ for (int i = 0; i < leftOvers.size() && i != -1; ) { ++ i = leftOvers.indexOf(QString::fromLatin1("&%1;").arg(entityName), i); ++ if (i != -1) { ++ leftOvers.remove(i, entityName.size() + 2); ++ // The entityName we're currently trying to find was matched in this string; increase our count. ++ ++referencesToOtherEntities[toSearch][entityName]; ++ } + } + } ++ literalEntitySizes[toSearch] = leftOvers.size(); + } + +- foreach (QString entityName, referencedEntityCounts.keys()) { +- const int timesReferenced = referencedEntityCounts[entityName]; +- const QString entityValue = entities[entityName]; +- if (entityValue.size() * timesReferenced > 1024) { ++ foreach (QString entity, referencesToOtherEntities.keys()) { ++ expandedSizes[entity] = literalEntitySizes[entity]; ++ foreach (QString referenceTo, referencesToOtherEntities.value(entity).keys()) { ++ const int references = referencesToOtherEntities.value(entity).value(referenceTo); ++ // The total size of an entity's value is the expanded size of all of its referenced entities, plus its literal size. ++ expandedSizes[entity] += expandedSizes[referenceTo] * references + literalEntitySizes[referenceTo] * references; ++ } ++ ++ if (expandedSizes[entity] > entityCharacterLimit) { + if (errorMessage) { +- *errorMessage = QString::fromLatin1("The XML entity \"%1\"" +- "expands too a string that is too large to process when " +- "referencing \"%2\" %3 times.").arg(entityName).arg(entityName).arg(timesReferenced); ++ *errorMessage = QString::fromLatin1("The XML entity \"%1\" expands too a string that is too large to process (%2 characters > %3)."); ++ *errorMessage = (*errorMessage).arg(entity).arg(expandedSizes[entity]).arg(entityCharacterLimit); + } + return true; + } +@@ -6764,10 +6778,7 @@ bool QXmlSimpleReaderPrivate::parseEntityDecl() + case EValue: + if ( !entityExist(name())) { + QString errorMessage; +- if (isPartiallyExpandedEntityValueTooLarge(&errorMessage)) { +- // The entity at entityName is entityValue.size() characters +- // long in its unexpanded form, and was mentioned timesReferenced times, +- // resulting in a string that would be greater than 1024 characters. ++ if (isExpandedEntityValueTooLarge(&errorMessage)) { + reportParseError(errorMessage); + return false; + } +-- +1.7.1 diff --git a/extra/qt4/PKGBUILD b/extra/qt4/PKGBUILD index 807b5477e..2b52cfb95 100644 --- a/extra/qt4/PKGBUILD +++ b/extra/qt4/PKGBUILD @@ -1,17 +1,17 @@ -# $Id: PKGBUILD 197232 2013-10-24 13:09:09Z andrea $ +# $Id: PKGBUILD 201436 2013-12-11 15:31:04Z andrea $ # Maintainer: Andrea Scarpino <andrea@archlinux.org> # Contributor: Pierre Schmitz <pierre@archlinux.de> pkgname=qt4 pkgver=4.8.5 -pkgrel=6 +pkgrel=7 arch=('i686' 'x86_64') url='http://qt-project.org/' license=('GPL3' 'LGPL' 'FDL' 'custom') pkgdesc='A cross-platform application and UI framework' depends=('libtiff' 'libpng' 'sqlite' 'ca-certificates' 'dbus' 'fontconfig' 'libgl' 'libxrandr' 'libxv' 'libxi' 'alsa-lib' - 'xdg-utils' 'hicolor-icon-theme' 'desktop-file-utils') + 'xdg-utils' 'hicolor-icon-theme' 'desktop-file-utils' 'libmng') makedepends=('postgresql-libs' 'mariadb' 'unixodbc' 'cups' 'gtk2' 'libfbclient' 'mesa') optdepends=('qtchooser: set the default Qt toolkit' @@ -32,7 +32,8 @@ source=("http://download.qt-project.org/official_releases/qt/4.8/${pkgver}/${_pk 'qtconfig-qt4.desktop' 'assistant-qt4.desktop' 'designer-qt4.desktop' 'linguist-qt4.desktop' 'qdbusviewer-qt4.desktop' 'improve-cups-support.patch' - 'qtbug-31579.patch' 'qtbug-32534.patch' 'qtbug-32908.patch') + 'qtbug-31579.patch' 'qtbug-32534.patch' 'qtbug-32908.patch' + 'libmng2.patch' 'CVE-2013-4549.patch') md5sums=('1864987bdbb2f58f8ae8b350dfdbe133' 'a16638f4781e56e7887ff8212a322ecc' '8a28b3f52dbeb685d4b69440b520a3e1' @@ -42,7 +43,9 @@ md5sums=('1864987bdbb2f58f8ae8b350dfdbe133' 'c439c7731c25387352d8453ca7574971' '6ed8d26a8e4a9bba1f6c08fb99cc8357' 'bb0e0fa6ba953fa590d81ac612374e11' - 'db343dcae522bc90d802ad1e83b7f5dd') + 'db343dcae522bc90d802ad1e83b7f5dd' + '0ba4ffc9ff1acb9bf8a5f592ba956d48' + '8701bd7445426c1ad5da3ddbd72df6b4') prepare() { cd ${_pkgfqn} @@ -57,6 +60,11 @@ prepare() { # (FS#36947) (QTBUG#32908) patch -p1 -i "${srcdir}"/qtbug-32908.patch + # (FS#38081) + patch -p1 -i "${srcdir}"/CVE-2013-4549.patch + # (QTBUG#34894) + patch -p1 -i "${srcdir}"/libmng2.patch + sed -i "s|-O2|${CXXFLAGS}|" mkspecs/common/{g++,gcc}-base.conf sed -i "/^QMAKE_LFLAGS_RPATH/s| -Wl,-rpath,||g" mkspecs/common/gcc-base-unix.conf sed -i "/^QMAKE_LFLAGS\s/s|+=|+= ${LDFLAGS}|g" mkspecs/common/gcc-base.conf @@ -69,7 +77,7 @@ prepare() { build() { export QT4DIR="${srcdir}"/${_pkgfqn} export LD_LIBRARY_PATH=${QT4DIR}/lib:${LD_LIBRARY_PATH} - + cd ${_pkgfqn} ./configure -confirm-license -opensource \ diff --git a/extra/qt4/libmng2.patch b/extra/qt4/libmng2.patch new file mode 100644 index 000000000..b6000fc0b --- /dev/null +++ b/extra/qt4/libmng2.patch @@ -0,0 +1,35 @@ +From 515617e55be9a7bfa738a9c32ef8b19065de37d4 Mon Sep 17 00:00:00 2001 +From: aavit <eirik.aavitsland@digia.com> +Date: Fri, 22 Nov 2013 15:49:44 +0100 +Subject: [PATCH] Recognize newer libmng versions in config test + +libmng 2.0.x has been released and is compatible and usable, but since +it no longer provides a VERSION_MAJOR macro, the config test would fail. + +Task-number: QTBUG-34894 +Change-Id: I36f6ed9d69dbae88feb1b88ce099bf36c9283133 +Reviewed-by: Liang Qi <liang.qi@digia.com> +(cherry picked from qtimageformats/9ae386653c321c8ddc10fad5ea88f32ebb3d3ffe) +--- + config.tests/unix/libmng/libmng.cpp | 2 ++ + 1 files changed, 2 insertions(+), 0 deletions(-) + +diff --git a/config.tests/unix/libmng/libmng.cpp b/config.tests/unix/libmng/libmng.cpp +index 0fbe554..9db10ff 100644 +--- a/config.tests/unix/libmng/libmng.cpp ++++ b/config.tests/unix/libmng/libmng.cpp +@@ -46,9 +46,11 @@ int main(int, char **) + mng_handle hMNG; + mng_cleanup(&hMNG); + ++#if defined(MNG_VERSION_MAJOR) + #if MNG_VERSION_MAJOR < 1 || (MNG_VERSION_MAJOR == 1 && MNG_VERSION_MINOR == 0 && MNG_VERSION_RELEASE < 9) + #error System libmng version is less than 1.0.9; using built-in version instead. + #endif ++#endif + + return 0; + } +-- +1.7.1 + |