Sync from F11:

* Sun Jul 26 2009 Kevin Kofler <Kevin@tigcc.ticalc.org> - 4.2.4-6
- fix CVE-2009-1725 - crash, possible ACE in numeric character references
- fix CVE-2009-1690 - crash, possible ACE in KHTML (<head> use-after-free)
- fix CVE-2009-1687 - possible ACE in KJS (FIXME: still crashes?)
- fix CVE-2009-1698 - crash, possible ACE in CSS style attribute handling
- fix CVE-2009-0945 - NULL-pointer dereference in the SVGList interface impl

* Thu Jul 23 2009 Jaroslav Reznik <jreznik@redhat.com> - 4.2.4-5
- CVE-2009-2537 - select length DoS
- correct fixPopupForPlasmaboard.patch

* Wed Jul 08 2009 Kevin Kofler <Kevin@tigcc.ticalc.org> - 4.2.4-4
- fix CMake dependency in parallel_devel patch (#510259, CHIKAMA Masaki)

* Mon Jun 15 2009 Rex Dieter <rdieter@fedoraproject.org> 4.2.4-3
- fixPopupForPlasmaboard.patch
This commit is contained in:
Kevin Kofler 2009-07-26 05:28:18 +00:00
parent 9f0c4697df
commit 0ee6ccbd82
9 changed files with 308 additions and 1 deletions


@ -208,3 +208,12 @@ diff -up kdelibs-4.1.96/kdewidgets/CMakeLists.txt.parallel_devel kdelibs-4.1.96/
set(kdewidgets_PART_SRCS
classpreviews.cpp
@@ -66,7 +66,7 @@
add_custom_command(OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/kde3supportwidgets.cpp
COMMAND "${MAKEKDEWIDGETS_EXECUTABLE}" -o ${CMAKE_CURRENT_BINARY_DIR}/kde3supportwidgets.cpp ${CMAKE_CURRENT_SOURCE_DIR}/kde3support.widgets
- MAIN_DEPENDENCY kde3support.widgets DEPENDS makekdewidgets)
+ MAIN_DEPENDENCY kde3support.widgets DEPENDS makekdewidgets4)
set(kde3supportwidgets_PART_SRCS
classpreviews.cpp


@ -0,0 +1,71 @@
From: =?iso-8859-1?q?Bj=F6rn_Ruberg?= <bjoern@ruberg-wegener.de>
To: kde-packager@kde.org
Subject: kdelibs patch for making virtual keyboard work
Date: Sat, 6 Jun 2009 23:40:47 +0200
Message-Id: <200906062340.47628.bjoern@ruberg-wegener.de>
Hello,
I want you to have a look at the patch attached. It's from current KDE 4.2 and
4.3 trunk. It didn't make it into KDE 4.2.4, but maybe you want to apply it to
your KDE packages.
It is needed for making the plasmoid plasmaboard working. Plasmaboard is a
virtual keyboard for plasma. Find it here:
http://www.kde-look.org/content/show.php/Plasmaboard?content=101822
Without the patch, opening plasmaboard will steal window focus, what makes the
plasmoid useless.
Please notify me if this patch find its way in your distribution so I can
maintain a list for the plasmaboard users.
Regards,
Björn Ruberg
Index: kdelibs/plasma/popupapplet.cpp
===================================================================
--- kdelibs/plasma/popupapplet.cpp (Revision 976120)
+++ kdelibs/plasma/popupapplet.cpp (Arbeitskopie)
@@ -275,11 +275,7 @@
//stuff out of your Dialog (extenders). Monitor WindowDeactivate events so we can
//emulate the same kind of behavior as Qt::Popup (close when you click somewhere
//else.
- dialog->setWindowFlags(Qt::FramelessWindowHint | Qt::WindowStaysOnTopHint);
- updateDialogFlags();
- KWindowSystem::setState(dialog->winId(), NET::SkipTaskbar | NET::SkipPager);
- dialog->installEventFilter(q);
-
+
q->setMinimumSize(QSize(0, 0));
if (gWidget) {
Corona *corona = qobject_cast<Corona *>(gWidget->scene());
@@ -289,14 +285,25 @@
corona->addOffscreenWidget(gWidget);
dialog->setGraphicsWidget(gWidget);
}
+
+ dialog->setWindowFlags(Qt::FramelessWindowHint | Qt::WindowStaysOnTopHint | (gWidget->windowFlags() & Qt::X11BypassWindowManagerHint));
} else if (qWidget) {
QVBoxLayout *l_layout = new QVBoxLayout(dialog);
l_layout->setSpacing(0);
l_layout->setMargin(0);
l_layout->addWidget(qWidget);
dialog->adjustSize();
+
+ dialog->setWindowFlags(Qt::FramelessWindowHint | Qt::WindowStaysOnTopHint | (qWidget->windowFlags() & Qt::X11BypassWindowManagerHint));
}
+ else {
+ dialog->setWindowFlags(Qt::FramelessWindowHint | Qt::WindowStaysOnTopHint);
+ }
+ updateDialogFlags();
+ KWindowSystem::setState(dialog->winId(), NET::SkipTaskbar | NET::SkipPager);
+ dialog->installEventFilter(q);
+
QObject::connect(dialog, SIGNAL(dialogResized()), q, SLOT(dialogSizeChanged()));
QObject::connect(dialog, SIGNAL(dialogVisible(bool)), q, SLOT(dialogStatusChanged(bool)));
}
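Review bot: The window-flag expression `Qt::FramelessWindowHint | Qt::WindowStaysOnTopHint | (... & Qt::X11BypassWindowManagerHint)` is now spelled out three times, once per branch of the gWidget/qWidget/else chain, so any later change to the base flags has to be repeated in three places. Building the flags once before the branch and OR-ing in the bypass bit from whichever widget is present keeps the same calls in the same order, with `setWindowFlags` still running before `updateDialogFlags()` and `KWindowSystem::setState()`; I assume that ordering is the reason those three calls were moved down here in the first hunk (changing flags can recreate the native window behind `winId()`), so please keep it. The enclosing function starts above the first hunk of this section.
```cpp
    Qt::WindowFlags flags = Qt::FramelessWindowHint | Qt::WindowStaysOnTopHint;
    if (gWidget) {
        // … unchanged: corona lookup, addOffscreenWidget(), setGraphicsWidget() …
        flags |= gWidget->windowFlags() & Qt::X11BypassWindowManagerHint;
    } else if (qWidget) {
        // … unchanged: QVBoxLayout setup, adjustSize() …
        flags |= qWidget->windowFlags() & Qt::X11BypassWindowManagerHint;
    }
    dialog->setWindowFlags(flags);
    updateDialogFlags();
    // … unchanged: KWindowSystem::setState(), installEventFilter(), connects …
```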


@ -0,0 +1,17 @@
Index: khtml/svg/SVGList.h
===================================================================
--- khtml/svg/SVGList.h (revision 983301)
+++ khtml/svg/SVGList.h (revision 983302)
@@ -97,7 +97,11 @@
Item insertItemBefore(Item newItem, unsigned int index, ExceptionCode&)
{
- m_vector.insert(index, newItem);
+ if (index < m_vector.size()) {
+ m_vector.insert(index, newItem);
+ } else {
+ m_vector.append(newItem);
+ }
return newItem;
}
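Review bot: The new else branch silently turns an out-of-range index into an append, and nothing in the hunk says why that is the intended result rather than an error, so the next reader may "fix" it back to the unchecked insert; a one-line comment such as `// Index past the end: the SVG DOM clamps insertItemBefore to an append rather than failing.` would record the decision. The unnamed `ExceptionCode&` parameter staying untouched is consistent with that reading. Since the advisory is about index handling in this list implementation, it is worth confirming that the sibling accessors in this header (outside the hunk) validate their index the same way.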


@ -0,0 +1,67 @@
Index: khtml/html/htmlparser.h
===================================================================
--- khtml/html/htmlparser.h (revision 983315)
+++ khtml/html/htmlparser.h (revision 983316)
@@ -157,7 +157,7 @@
/*
* the head element. Needed for crappy html which defines <base> after </head>
*/
- DOM::HTMLHeadElementImpl *head;
+ RefPtr<DOM::HTMLHeadElementImpl> head;
/*
* a possible <isindex> element in the head. Compatibility hack for
Index: khtml/html/htmlparser.cpp
===================================================================
--- khtml/html/htmlparser.cpp (revision 983315)
+++ khtml/html/htmlparser.cpp (revision 983316)
@@ -216,7 +216,6 @@
form = 0;
map = 0;
- head = 0;
end = false;
isindex = 0;
@@ -678,8 +677,7 @@
case ID_BASE:
if(!head) {
head = new HTMLHeadElementImpl(document);
- e = head;
- insertNode(e);
+ insertNode(head.get());
handled = true;
}
break;
@@ -894,7 +892,7 @@
case ID_HEAD:
if(!head && (current->id() == ID_HTML || current->isDocumentNode())) {
head = new HTMLHeadElementImpl(document);
- n = head;
+ n = head.get();
}
break;
case ID_BODY:
@@ -1907,19 +1905,19 @@
head = new HTMLHeadElementImpl(document);
HTMLElementImpl *body = doc()->body();
int exceptioncode = 0;
- doc()->documentElement()->insertBefore(head, body, exceptioncode);
+ doc()->documentElement()->insertBefore(head.get(), body, exceptioncode);
if ( exceptioncode ) {
#ifdef PARSER_DEBUG
kDebug( 6035 ) << "creation of head failed!!!!:" << exceptioncode;
#endif
- delete head;
+ delete head.get();
head = 0;
}
// If the body does not exist yet, then the <head> should be pushed as the current block.
if (head && !body) {
pushBlock(head->id(), tagPriority(head->id()));
- setCurrent(head);
+ setCurrent(head.get());
}
}
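Review bot: `delete head.get();` followed by `head = 0;` in the failed-insertBefore branch frees the element and then lets the RefPtr assignment call deref() on the freed object, so this error path replaces the original use-after-free with a double release; it is only reached when insertBefore reports an exception, so it is hard to hit, but it is still wrong. Now that `head` is a RefPtr the explicit delete should simply go: `head = 0;` alone drops the only reference, and the node's own deref takes care of deleting an unparented element — assuming KHTML's node refcounting deletes at zero references as the surrounding parser code relies on; please confirm. The other hunks in this section (the `head.get()` conversions at the ID_BASE, ID_HEAD and insertBefore call sites) look right. The enclosing function starts above this hunk.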


@ -0,0 +1,27 @@
diff -up kdelibs-4.2.4/khtml/ecma/kjs_html.cpp.cve-2009-2537-select-length kdelibs-4.2.4/khtml/ecma/kjs_html.cpp
--- kdelibs-4.2.4/khtml/ecma/kjs_html.cpp.cve-2009-2537-select-length 2009-03-26 15:44:13.000000000 +0100
+++ kdelibs-4.2.4/khtml/ecma/kjs_html.cpp 2009-07-23 10:35:55.908865609 +0200
@@ -69,6 +69,9 @@
#include <QtCore/QList>
#include <QtCore/QHash>
+// CVE-2009-2537 (vendors agreed on max 10000 elements)
+#define MAX_SELECT_LENGTH 10000
+
using namespace DOM;
namespace KJS {
@@ -2428,8 +2431,12 @@ void KJS::HTMLElement::putValueProperty(
case SelectValue: { select.setValue(str.implementation()); return; }
case SelectLength: { // read-only according to the NS spec, but webpages need it writeable
JSObject *coll = getSelectHTMLCollection(exec, select.options(), &select)->getObject();
+
if ( coll )
- coll->put(exec,"length",value);
+ if (value->toInteger(exec) >= MAX_SELECT_LENGTH)
+ setDOMException(exec, DOMException::INDEX_SIZE_ERR);
+ else
+ coll->put(exec, "length", value);
return;
}
// read-only: form
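Review bot: The comment on the new macro says vendors agreed on a maximum of 10000 elements, but the check `value->toInteger(exec) >= MAX_SELECT_LENGTH` rejects a length of exactly 10000, so either the bound or the comment is off by one; if 10000 is meant to be allowed, `if (value->toInteger(exec) > MAX_SELECT_LENGTH)` matches the comment, otherwise the comment should say "fewer than". The brace-less nested `if` under `if ( coll )` works because the `else` binds to the inner `if` as intended, but braces around the inner statement would make that explicit, and a `static const int` is the idiomatic replacement for the `#define` in a C++ file. Negative and NaN values pass the comparison and still reach `coll->put`, which is the pre-existing behaviour rather than something this patch changes. putValueProperty starts above the hunk.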


@ -0,0 +1,21 @@
diff -ur kdelibs-4.2.98/kjs/collector.cpp kdelibs-4.2.98-cve-2009-1687/kjs/collector.cpp
--- kdelibs-4.2.98/kjs/collector.cpp 2009-04-30 20:02:44.000000000 +0200
+++ kdelibs-4.2.98-cve-2009-1687/kjs/collector.cpp 2009-07-26 03:52:44.000000000 +0200
@@ -31,6 +31,7 @@
#include "value.h"
#include <setjmp.h>
+#include <limits.h>
#include <algorithm>
#if PLATFORM(DARWIN)
@@ -109,6 +110,9 @@
void append(CollectorBlock* block) {
if (m_used == m_capacity) {
+ static const size_t maxNumBlocks = ULONG_MAX / sizeof(CollectorBlock*) / GROWTH_FACTOR;
+ if (m_capacity > maxNumBlocks)
+ CRASH();
m_capacity = max(MIN_ARRAY_SIZE, m_capacity * GROWTH_FACTOR);
m_data = static_cast<CollectorBlock **>(fastRealloc(m_data, m_capacity * sizeof(CollectorBlock *)));
}
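Review bot: `ULONG_MAX` is used as the ceiling for a `size_t` computation, and the two types only coincide on LP64 platforms; on LLP64 targets `unsigned long` is 32-bit while `size_t` is 64-bit, so the bound is far tighter than the allocation needs (it still fails safe, just earlier than necessary). `std::numeric_limits<size_t>::max()` from `<limits>` states the intent directly and would replace the new `#include <limits.h>`: `static const size_t maxNumBlocks = std::numeric_limits<size_t>::max() / sizeof(CollectorBlock*) / GROWTH_FACTOR;`. Because both divisions floor, `m_capacity <= maxNumBlocks` guarantees `m_capacity * GROWTH_FACTOR * sizeof(CollectorBlock*)` cannot wrap, so the `>` comparison is the right one, assuming `m_capacity` is itself a `size_t`. The `CRASH()` is a deliberate fail-fast that turns a wrapped size and undersized reallocation into an abort — the "now aborts" the spec comment records — and a comment saying so next to the check would stop it being mistaken for a leftover debug trap.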


@ -0,0 +1,42 @@
diff -ur kdelibs-4.2.98/khtml/css/cssparser.cpp kdelibs-4.2.98-cve-2009-1698/khtml/css/cssparser.cpp
--- kdelibs-4.2.98/khtml/css/cssparser.cpp 2009-07-21 17:16:12.000000000 +0200
+++ kdelibs-4.2.98-cve-2009-1698/khtml/css/cssparser.cpp 2009-07-26 04:19:38.000000000 +0200
@@ -1513,6 +1513,14 @@
if ( args->size() != 1)
return false;
Value *a = args->current();
+ if (a->unit != CSSPrimitiveValue::CSS_IDENT) {
+ isValid=false;
+ break;
+ }
+ if (qString(a->string)[0] == '-') {
+ isValid=false;
+ break;
+ }
parsedValue = new CSSPrimitiveValueImpl(domString(a->string), CSSPrimitiveValue::CSS_ATTR);
}
else
@@ -1565,7 +1573,8 @@
CounterImpl *counter = new CounterImpl;
Value *i = args->current();
-// if (i->unit != CSSPrimitiveValue::CSS_IDENT) goto invalid;
+ if (i->unit != CSSPrimitiveValue::CSS_IDENT) goto invalid;
+ if (qString(i->string)[0] == '-') goto invalid;
counter->m_identifier = domString(i->string);
if (counters) {
i = args->next();
diff -ur kdelibs-4.2.98/khtml/css/css_valueimpl.cpp kdelibs-4.2.98-cve-2009-1698/khtml/css/css_valueimpl.cpp
--- kdelibs-4.2.98/khtml/css/css_valueimpl.cpp 2009-05-14 19:27:35.000000000 +0200
+++ kdelibs-4.2.98-cve-2009-1698/khtml/css/css_valueimpl.cpp 2009-07-26 04:17:28.000000000 +0200
@@ -1212,7 +1212,9 @@
text = getValueName(m_value.ident);
break;
case CSSPrimitiveValue::CSS_ATTR:
- // ###
+ text = "attr(";
+ text += DOMString( m_value.string );
+ text += ")";
break;
case CSSPrimitiveValue::CSS_COUNTER:
text = "counter(";
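Review bot: The new `CSS_ATTR` serialisation in css_valueimpl.cpp writes `m_value.string` into `attr(...)` verbatim, and that is only safe because the cssparser.cpp hunks earlier in this section now guarantee the stored value is a plain identifier (unit `CSS_IDENT`, not starting with `-`); the coupling is not stated at either site, so a comment such as `// m_value.string is always a bare identifier here: cssparser rejects anything else for attr(), so no escaping is needed` on the serialisation side would keep the two in step. In the attr() check, `qString(a->string)[0]` indexes the string with no length test; if an IDENT token can ever carry an empty string this reads past the end, so either reject empties explicitly or add a comment stating that the tokenizer never produces an empty identifier. Stylistically the attr() branch uses `isValid=false; break;` while the counter() branch uses `goto invalid`, each matching the convention of its own function; both enclosing functions start outside their hunks.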


@ -0,0 +1,13 @@
Index: khtml/html/htmltokenizer.cpp
===================================================================
--- khtml/html/htmltokenizer.cpp (revision 1002162)
+++ khtml/html/htmltokenizer.cpp (revision 1002163)
@@ -1038,7 +1038,7 @@
#ifdef TOKEN_DEBUG
kDebug( 6036 ) << "unknown entity!";
#endif
- checkBuffer(10);
+ checkBuffer(11);
// ignore the sequence, add it to the buffer as plaintext
*dest++ = '&';
for(unsigned int i = 0; i < cBufferPos; i++)
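Review bot: `checkBuffer(11)` replaces one magic number with another, and nothing in the hunk says what the 11 covers; the lines below write a `'&'` and then `cBufferPos` characters, so the reserve presumably has to be one more than the largest buffered entity length, which the old 10 was missing by exactly that byte. A comment tying the number to the bound, e.g. `checkBuffer(11); // '&' plus up to cBufferPos chars of the unrecognised entity`, or better a named constant shared with the code that bounds cBufferPos (outside this hunk), would stop the next edit from regressing it. I cannot see where cBufferPos is capped, so please confirm 11 is sufficient rather than merely larger.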


@ -1,6 +1,6 @@
Summary: K Desktop Environment 4 - Libraries
Version: 4.2.4
Release: 2%{?dist}
Release: 6%{?dist}
%if 0%{?fedora} > 8
Name: kdelibs
@ -80,11 +80,26 @@ Patch18: kdelibs-4.1.72-kstandarddirs.patch
Patch20: kdelibs-4.1.70-cmake.patch
Patch22: kdelibs-4.1.96-cmake.patch
# upstreamable
Patch50: kdelibs-4.2.3-fixPopupForPlasmaboard.patch
# upstream
# 4.2 branch
# fix CVE-2009-1687 - possible ACE in KJS (FIXME: still crashes?)
Patch100: kdelibs-4.2.4-cve-2009-1690.patch
# fix CVE-2009-0945 - NULL-pointer dereference in the SVGList interface impl
Patch101: kdelibs-4.2.4-cve-2009-0945.patch
# 4.3 branch
Patch200: kdelibs-4.1.96-AllowExternalPaths.patch
# fix CVE-2009-2537 - select length DoS
Patch201: kdelibs-4.2.4-cve-2009-2537-select-length.patch
# fix CVE-2009-1725 - crash, possible ACE in numeric character references
Patch202: kdelibs-4.2.98-cve-2009-1725.patch
# fix CVE-2009-1687 - possible ACE in KJS (FIXME: now aborts, so still crashes)
Patch203: kdelibs-4.2.98-cve-2009-1687.patch
# fix CVE-2009-1698 - crash, possible ACE in CSS style attribute handling
Patch204: kdelibs-4.2.98-cve-2009-1698.patch
BuildRequires: qt4-devel >= 4.4.0
# qt4%{_?_isa} isn't provided yet -- Rex
@ -216,11 +231,19 @@ sed -i -e "s|@@VERSION_RELEASE@@|%{version}-%{release}|" kio/kio/kprotocolmanage
%patch20 -p1 -b .xxcmake
%patch22 -p1 -b .kdepimlibs-cmake
%patch50 -p1 -b .fixPopupForPlasmaboard
# upstream patches
# 4.2
%patch100 -p0 -b .cve-2009-1690
%patch101 -p0 -b .cve-2009-0945
# 4.3
%patch200 -p1 -b .AllowExternalPaths
%patch201 -p1 -b .cve-2009-2537-select-length
%patch202 -p0 -b .cve-2009-1725
%patch203 -p1 -b .cve-2009-1687
%patch204 -p1 -b .cve-2009-1698
%build
@ -403,6 +426,23 @@ rm -rf %{buildroot}
%changelog
* Sun Jul 26 2009 Kevin Kofler <Kevin@tigcc.ticalc.org> - 4.2.4-6
- fix CVE-2009-1725 - crash, possible ACE in numeric character references
- fix CVE-2009-1690 - crash, possible ACE in KHTML (<head> use-after-free)
- fix CVE-2009-1687 - possible ACE in KJS (FIXME: still crashes?)
- fix CVE-2009-1698 - crash, possible ACE in CSS style attribute handling
- fix CVE-2009-0945 - NULL-pointer dereference in the SVGList interface impl
* Thu Jul 23 2009 Jaroslav Reznik <jreznik@redhat.com> - 4.2.4-5
- CVE-2009-2537 - select length DoS
- correct fixPopupForPlasmaboard.patch
* Wed Jul 08 2009 Kevin Kofler <Kevin@tigcc.ticalc.org> - 4.2.4-4
- fix CMake dependency in parallel_devel patch (#510259, CHIKAMA Masaki)
* Mon Jun 15 2009 Rex Dieter <rdieter@fedoraproject.org> 4.2.4-3
- fixPopupForPlasmaboard.patch
* Mon Jun 1 2009 Lukáš Tinkl <ltinkl@redhat.com> - 4.2.4-2
- respun tarball
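Review bot: The comment above `Patch100` reads `# fix CVE-2009-1687 - possible ACE in KJS (FIXME: still crashes?)` but the patch it labels is `kdelibs-4.2.4-cve-2009-1690.patch`, and the 1687 fix is `Patch203` with its own comment further down; the 4.2-branch line should say `# fix CVE-2009-1690 - crash, possible ACE in KHTML (<head> use-after-free)` as in the changelog entry. The two remaining 1687 comments also disagree with each other ("still crashes?" in the changelog versus "now aborts, so still crashes" on Patch203); the Patch203 wording describes the deliberate CRASH() in that patch and is the more accurate of the two.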