rpms/kdelibs/F-11 kdelibs-4.2.4-cve-2009-0945.patch, NONE, 1.1 kdelibs-4.2.4-cve-2009-1690.patch, NONE, 1.1 kdelibs-4.2.98-cve-2009-1687.patch, NONE, 1.1 kdelibs-4.2.98-cve-2009-1698.patch, NONE, 1.1 kdelibs-4.2.98-cve-2009-1725.patch, NONE, 1.1 kdelibs.spec, 1.485, 1.486

Kevin Kofler kkofler at fedoraproject.org
Sun Jul 26 04:20:01 UTC 2009


Author: kkofler

Update of /cvs/pkgs/rpms/kdelibs/F-11
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv5812/F-11

Modified Files:
	kdelibs.spec 
Added Files:
	kdelibs-4.2.4-cve-2009-0945.patch 
	kdelibs-4.2.4-cve-2009-1690.patch 
	kdelibs-4.2.98-cve-2009-1687.patch 
	kdelibs-4.2.98-cve-2009-1698.patch 
	kdelibs-4.2.98-cve-2009-1725.patch 
Log Message:
* Sun Jul 26 2009 Kevin Kofler <Kevin at tigcc.ticalc.org> - 4.2.4-6
- fix CVE-2009-1725 - crash, possible ACE in numeric character references
- fix CVE-2009-1690 - crash, possible ACE in KHTML (<head> use-after-free)
- fix CVE-2009-1687 - possible ACE in KJS (FIXME: still crashes?)
- fix CVE-2009-1698 - crash, possible ACE in CSS style attribute handling
- fix CVE-2009-0945 - NULL-pointer dereference in the SVGList interface impl

kdelibs-4.2.4-cve-2009-0945.patch:
 SVGList.h |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- NEW FILE kdelibs-4.2.4-cve-2009-0945.patch ---
Index: khtml/svg/SVGList.h
===================================================================
--- khtml/svg/SVGList.h	(revision 983301)
+++ khtml/svg/SVGList.h	(revision 983302)
@@ -97,7 +97,11 @@
 
         Item insertItemBefore(Item newItem, unsigned int index, ExceptionCode&)
         {
-            m_vector.insert(index, newItem);
+            if (index < m_vector.size()) {
+                m_vector.insert(index, newItem);
+            } else {
+                m_vector.append(newItem);
+            }
             return newItem;
         }
 
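Review bot: The new else branch appends whenever index is out of range, and the `ExceptionCode&` parameter stays unnamed and untouched, so the reader cannot tell from insertItemBefore whether silently appending was a deliberate choice or a fallback; a one-line comment would settle it, `// SVG DOM: an index >= numberOfItems appends to the end rather than raising INDEX_SIZE_ERR.` The function is complete within the hunk.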

kdelibs-4.2.4-cve-2009-1690.patch:
 htmlparser.cpp |   12 +++++-------
 htmlparser.h   |    2 +-
 2 files changed, 6 insertions(+), 8 deletions(-)

--- NEW FILE kdelibs-4.2.4-cve-2009-1690.patch ---
Index: khtml/html/htmlparser.h
===================================================================
--- khtml/html/htmlparser.h	(revision 983315)
+++ khtml/html/htmlparser.h	(revision 983316)
@@ -157,7 +157,7 @@
     /*
      * the head element. Needed for crappy html which defines <base> after </head>
      */
-    DOM::HTMLHeadElementImpl *head;
+    RefPtr<DOM::HTMLHeadElementImpl> head;
 
     /*
      * a possible <isindex> element in the head. Compatibility hack for
Index: khtml/html/htmlparser.cpp
===================================================================
--- khtml/html/htmlparser.cpp	(revision 983315)
+++ khtml/html/htmlparser.cpp	(revision 983316)
@@ -216,7 +216,6 @@
 
     form = 0;
     map = 0;
-    head = 0;
     end = false;
     isindex = 0;
 
@@ -678,8 +677,7 @@
             case ID_BASE:
                 if(!head) {
                     head = new HTMLHeadElementImpl(document);
-                    e = head;
-                    insertNode(e);
+                    insertNode(head.get());
                     handled = true;
                 }
                 break;
@@ -894,7 +892,7 @@
     case ID_HEAD:
         if(!head && (current->id() == ID_HTML || current->isDocumentNode())) {
             head = new HTMLHeadElementImpl(document);
-            n = head;
+            n = head.get();
         }
         break;
     case ID_BODY:
@@ -1907,19 +1905,19 @@
     head = new HTMLHeadElementImpl(document);
     HTMLElementImpl *body = doc()->body();
     int exceptioncode = 0;
-    doc()->documentElement()->insertBefore(head, body, exceptioncode);
+    doc()->documentElement()->insertBefore(head.get(), body, exceptioncode);
     if ( exceptioncode ) {
 #ifdef PARSER_DEBUG
         kDebug( 6035 ) << "creation of head failed!!!!:" << exceptioncode;
 #endif
-        delete head;
+        delete head.get();
         head = 0;
     }
         
     // If the body does not exist yet, then the <head> should be pushed as the current block.
     if (head && !body) {
         pushBlock(head->id(), tagPriority(head->id()));
-        setCurrent(head);
+        setCurrent(head.get());
     }
 }
 
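Review bot: `delete head.get();` followed by `head = 0;` in the failed-insertBefore branch frees the element while the RefPtr member still points at it; if this RefPtr follows the usual deref-on-reassign semantics, the `head = 0;` assignment then calls deref() on freed memory, which is the same class of use-after-free the patch is meant to close. Dropping the explicit delete and keeping only `head = 0;` lets the RefPtr release the element, which is the point of converting the member in htmlparser.h. The enclosing function starts outside the hunk, and the earlier hunks in this file (`head = new …`, `insertNode(head.get())`) look consistent with the new ownership, so this is the only site that still manages the object by hand.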

kdelibs-4.2.98-cve-2009-1687.patch:
 collector.cpp |    4 ++++
 1 file changed, 4 insertions(+)

--- NEW FILE kdelibs-4.2.98-cve-2009-1687.patch ---
diff -ur kdelibs-4.2.98/kjs/collector.cpp kdelibs-4.2.98-cve-2009-1687/kjs/collector.cpp
--- kdelibs-4.2.98/kjs/collector.cpp	2009-04-30 20:02:44.000000000 +0200
+++ kdelibs-4.2.98-cve-2009-1687/kjs/collector.cpp	2009-07-26 03:52:44.000000000 +0200
@@ -31,6 +31,7 @@
 #include "value.h"
 
 #include <setjmp.h>
+#include <limits.h>
 #include <algorithm>
 
 #if PLATFORM(DARWIN)
@@ -109,6 +110,9 @@
 
     void append(CollectorBlock* block) {
         if (m_used == m_capacity) {
+            static const size_t maxNumBlocks = ULONG_MAX / sizeof(CollectorBlock*) / GROWTH_FACTOR;
+            if (m_capacity > maxNumBlocks)
+                CRASH();
             m_capacity = max(MIN_ARRAY_SIZE, m_capacity * GROWTH_FACTOR);
             m_data = static_cast<CollectorBlock **>(fastRealloc(m_data, m_capacity * sizeof(CollectorBlock *)));
         }
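Review bot: The new guard sizes maxNumBlocks from ULONG_MAX, but the quantity it bounds, `m_capacity * sizeof(CollectorBlock *)` after growth, is a size_t product; if m_capacity is size_t (its declaration is outside the hunk), the bound should be expressed in that type so the intent is documented and the limit is not needlessly tight where unsigned long is narrower than size_t: `static const size_t maxNumBlocks = std::numeric_limits<size_t>::max() / sizeof(CollectorBlock*) / GROWTH_FACTOR;` with `<limits>` in place of the added `<limits.h>`. The `>` comparison is right as written, since m_capacity == maxNumBlocks still leaves the product representable. This only guards the multiplication; whether a failed fastRealloc() is handled depends on that function, which is not visible here, and append continues past the hunk.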

kdelibs-4.2.98-cve-2009-1698.patch:
 css_valueimpl.cpp |    4 +++-
 cssparser.cpp     |   11 ++++++++++-
 2 files changed, 13 insertions(+), 2 deletions(-)

--- NEW FILE kdelibs-4.2.98-cve-2009-1698.patch ---
diff -ur kdelibs-4.2.98/khtml/css/cssparser.cpp kdelibs-4.2.98-cve-2009-1698/khtml/css/cssparser.cpp
--- kdelibs-4.2.98/khtml/css/cssparser.cpp	2009-07-21 17:16:12.000000000 +0200
+++ kdelibs-4.2.98-cve-2009-1698/khtml/css/cssparser.cpp	2009-07-26 04:19:38.000000000 +0200
@@ -1513,6 +1513,14 @@
                 if ( args->size() != 1)
                     return false;
                 Value *a = args->current();
+                if (a->unit != CSSPrimitiveValue::CSS_IDENT) {
+                    isValid=false;
+                    break;
+                }
+                if (qString(a->string)[0] == '-') {
+                    isValid=false;
+                    break;
+                }
                 parsedValue = new CSSPrimitiveValueImpl(domString(a->string), CSSPrimitiveValue::CSS_ATTR);
             }
             else
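Review bot: The CSS_IDENT check plus leading-'-' rejection added here for attr() is repeated verbatim for counter() in the next hunk of this file; a small shared helper such as `static bool isSafeIdentArg(const Value* v) { return v->unit == CSSPrimitiveValue::CSS_IDENT && qString(v->string)[0] != '-'; }` would keep the two rules from drifting apart. Neither site says why a leading dash is rejected, and that is not evident from the code, so a short comment on the helper stating the reason would help the next maintainer. The enclosing function starts and ends outside the hunk.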
@@ -1565,7 +1573,8 @@
 
     CounterImpl *counter = new CounterImpl;
     Value *i = args->current();
-//    if (i->unit != CSSPrimitiveValue::CSS_IDENT) goto invalid;
+    if (i->unit != CSSPrimitiveValue::CSS_IDENT) goto invalid;
+    if (qString(i->string)[0] == '-') goto invalid;
     counter->m_identifier = domString(i->string);
     if (counters) {
         i = args->next();
diff -ur kdelibs-4.2.98/khtml/css/css_valueimpl.cpp kdelibs-4.2.98-cve-2009-1698/khtml/css/css_valueimpl.cpp
--- kdelibs-4.2.98/khtml/css/css_valueimpl.cpp	2009-05-14 19:27:35.000000000 +0200
+++ kdelibs-4.2.98-cve-2009-1698/khtml/css/css_valueimpl.cpp	2009-07-26 04:17:28.000000000 +0200
@@ -1212,7 +1212,9 @@
 	    text = getValueName(m_value.ident);
 	    break;
 	case CSSPrimitiveValue::CSS_ATTR:
-	    // ###
+            text = "attr(";
+            text += DOMString( m_value.string );
+            text += ")";
 	    break;
 	case CSSPrimitiveValue::CSS_COUNTER:
             text = "counter(";
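Review bot: The new CSS_ATTR lines are indented with spaces while the surrounding case labels and statements in this switch use tabs; matching the neighbouring tab indentation keeps the switch readable as one unit. The identifier is also serialised verbatim into `attr(...)`, which appears to rely on cssparser.cpp now rejecting non-IDENT and leading-dash arguments; a comment such as `// Identifier is validated at parse time (CSS_IDENT, no leading '-') and emitted verbatim.` would record that coupling for whoever changes either side. The enclosing function starts and ends outside the hunk.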

kdelibs-4.2.98-cve-2009-1725.patch:
 htmltokenizer.cpp |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- NEW FILE kdelibs-4.2.98-cve-2009-1725.patch ---
Index: khtml/html/htmltokenizer.cpp
===================================================================
--- khtml/html/htmltokenizer.cpp	(revision 1002162)
+++ khtml/html/htmltokenizer.cpp	(revision 1002163)
@@ -1038,7 +1038,7 @@
 #ifdef TOKEN_DEBUG
                 kDebug( 6036 ) << "unknown entity!";
 #endif
-                checkBuffer(10);
+                checkBuffer(11);
                 // ignore the sequence, add it to the buffer as plaintext
                 *dest++ = '&';
                 for(unsigned int i = 0; i < cBufferPos; i++)
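Review bot: `checkBuffer(11)` is a bare magic number; the loop below writes '&' followed by cBufferPos characters, so 11 is presumably the '&' plus the largest cBufferPos the tokenizer can accumulate, but the hunk does not show the buffer that bound comes from. A comment tying the constant to its origin, `// room for '&' plus the buffered entity text; must cover the largest cBufferPos`, or deriving the value from that buffer's declared size, would stop the off-by-one from reappearing if the buffer is ever resized. The enclosing function and the copy loop continue past the hunk.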


Index: kdelibs.spec
===================================================================
RCS file: /cvs/pkgs/rpms/kdelibs/F-11/kdelibs.spec,v
retrieving revision 1.485
retrieving revision 1.486
diff -u -p -r1.485 -r1.486
--- kdelibs.spec	23 Jul 2009 10:12:02 -0000	1.485
+++ kdelibs.spec	26 Jul 2009 04:20:01 -0000	1.486
@@ -1,6 +1,6 @@
 Summary: K Desktop Environment 4 - Libraries
 Version: 4.2.4
-Release: 5%{?dist}
+Release: 6%{?dist}
 
 %if 0%{?fedora} > 8
 Name: kdelibs
@@ -85,12 +85,21 @@ Patch50: kdelibs-4.2.3-fixPopupForPlasma
 
 # upstream
 # 4.2 branch
-
-# security
-Patch100: kdelibs-4.2.4-cve-2009-2537-select-length.patch
+# fix CVE-2009-1687 - possible ACE in KJS (FIXME: still crashes?)
+Patch100: kdelibs-4.2.4-cve-2009-1690.patch
+# fix CVE-2009-0945 - NULL-pointer dereference in the SVGList interface impl
+Patch101: kdelibs-4.2.4-cve-2009-0945.patch
 
 # 4.3 branch
 Patch200: kdelibs-4.1.96-AllowExternalPaths.patch
+# fix CVE-2009-2537 - select length DoS
+Patch201: kdelibs-4.2.4-cve-2009-2537-select-length.patch
+# fix CVE-2009-1725 - crash, possible ACE in numeric character references
+Patch202: kdelibs-4.2.98-cve-2009-1725.patch
+# fix CVE-2009-1687 - possible ACE in KJS (FIXME: now aborts, so still crashes)
+Patch203: kdelibs-4.2.98-cve-2009-1687.patch
+# fix CVE-2009-1698 - crash, possible ACE in CSS style attribute handling
+Patch204: kdelibs-4.2.98-cve-2009-1698.patch
 
 BuildRequires: qt4-devel >= 4.4.0
 # qt4%{_?_isa} isn't provided yet -- Rex
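Review bot: The comment added above Patch100 reads "fix CVE-2009-1687 - possible ACE in KJS", but the file it introduces is kdelibs-4.2.4-cve-2009-1690.patch, the KHTML <head> use-after-free fix named in the changelog; the CVE-2009-1687 patch is Patch203 and already has its own comment further down. The line should read `# fix CVE-2009-1690 - crash, possible ACE in KHTML (<head> use-after-free)` so the spec matches the changelog entry. The -p levels in the %prep hunk below are consistent with each patch's path format (-p0 for the Index:-style diffs, -p1 for the diff -ur ones).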
@@ -224,13 +233,17 @@ sed -i -e "s|@@VERSION_RELEASE@@|%{versi
 
 %patch50 -p1 -b .fixPopupForPlasmaboard
 
-%patch100 -p1 -b .cve-2009-2537-select-length
-
 # upstream patches
 # 4.2
+%patch100 -p0 -b .cve-2009-1690
+%patch101 -p0 -b .cve-2009-0945
 
 # 4.3
 %patch200 -p1 -b .AllowExternalPaths
+%patch201 -p1 -b .cve-2009-2537-select-length
+%patch202 -p0 -b .cve-2009-1725
+%patch203 -p1 -b .cve-2009-1687
+%patch204 -p1 -b .cve-2009-1698
 
 
 %build
@@ -413,6 +426,13 @@ rm -rf %{buildroot}
 
 
 %changelog
+* Sun Jul 26 2009 Kevin Kofler <Kevin at tigcc.ticalc.org> - 4.2.4-6
+- fix CVE-2009-1725 - crash, possible ACE in numeric character references
+- fix CVE-2009-1690 - crash, possible ACE in KHTML (<head> use-after-free)
+- fix CVE-2009-1687 - possible ACE in KJS (FIXME: still crashes?)
+- fix CVE-2009-1698 - crash, possible ACE in CSS style attribute handling
+- fix CVE-2009-0945 - NULL-pointer dereference in the SVGList interface impl
+
 * Thu Jul 23 2009 Jaroslav Reznik <jreznik at redhat.com> - 4.2.4-5
 - CVE-2009-2537 - select length DoS
 - correct fixPopupForPlasmaboard.patch



