Sync from F11:
* Sun Jul 26 2009 Kevin Kofler <Kevin@tigcc.ticalc.org> - 4.2.4-6 - fix CVE-2009-1725 - crash, possible ACE in numeric character references - fix CVE-2009-1690 - crash, possible ACE in KHTML (<head> use-after-free) - fix CVE-2009-1687 - possible ACE in KJS (FIXME: still crashes?) - fix CVE-2009-1698 - crash, possible ACE in CSS style attribute handling - fix CVE-2009-0945 - NULL-pointer dereference in the SVGList interface impl * Thu Jul 23 2009 Jaroslav Reznik <jreznik@redhat.com> - 4.2.4-5 - CVE-2009-2537 - select length DoS - correct fixPopupForPlasmaboard.patch * Wed Jul 08 2009 Kevin Kofler <Kevin@tigcc.ticalc.org> - 4.2.4-4 - fix CMake dependency in parallel_devel patch (#510259, CHIKAMA Masaki) * Mon Jun 15 2009 Rex Dieter <rdieter@fedoraproject.org> 4.2.4-3 - fixPopupForPlasmaboard.patch
parent
9f0c4697df
commit
0ee6ccbd82
|
@ -208,3 +208,12 @@ diff -up kdelibs-4.1.96/kdewidgets/CMakeLists.txt.parallel_devel kdelibs-4.1.96/
|
||||||
|
|
||||||
set(kdewidgets_PART_SRCS
|
set(kdewidgets_PART_SRCS
|
||||||
classpreviews.cpp
|
classpreviews.cpp
|
||||||
|
@@ -66,7 +66,7 @@
|
||||||
|
|
||||||
|
add_custom_command(OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/kde3supportwidgets.cpp
|
||||||
|
COMMAND "${MAKEKDEWIDGETS_EXECUTABLE}" -o ${CMAKE_CURRENT_BINARY_DIR}/kde3supportwidgets.cpp ${CMAKE_CURRENT_SOURCE_DIR}/kde3support.widgets
|
||||||
|
- MAIN_DEPENDENCY kde3support.widgets DEPENDS makekdewidgets)
|
||||||
|
+ MAIN_DEPENDENCY kde3support.widgets DEPENDS makekdewidgets4)
|
||||||
|
|
||||||
|
set(kde3supportwidgets_PART_SRCS
|
||||||
|
classpreviews.cpp
|
||||||
|
|
|
@ -0,0 +1,71 @@
|
||||||
|
From: =?iso-8859-1?q?Bj=F6rn_Ruberg?= <bjoern@ruberg-wegener.de>
|
||||||
|
To: kde-packager@kde.org
|
||||||
|
Subject: kdelibs patch for making virtual keyboard work
|
||||||
|
Date: Sat, 6 Jun 2009 23:40:47 +0200
|
||||||
|
Message-Id: <200906062340.47628.bjoern@ruberg-wegener.de>
|
||||||
|
|
||||||
|
Hello,
|
||||||
|
|
||||||
|
I want you to have a look at the patch attached. It's from current KDE 4.2 and
|
||||||
|
4.3 trunk. It didn't make it into KDE 4.2.4, but maybe you want to apply it to
|
||||||
|
your KDE packages.
|
||||||
|
|
||||||
|
It is needed for making the plasmoid plasmaboard working. Plasmaboard is a
|
||||||
|
virtual keyboard for plasma. Find it here:
|
||||||
|
http://www.kde-look.org/content/show.php/Plasmaboard?content=101822
|
||||||
|
|
||||||
|
Without the patch, opening plasmaboard will steal window focus, what makes the
|
||||||
|
plasmoid useless.
|
||||||
|
|
||||||
|
Please notify me if this patch find its way in your distribution so I can
|
||||||
|
maintain a list for the plasmaboard users.
|
||||||
|
|
||||||
|
Regards,
|
||||||
|
|
||||||
|
Björn Ruberg
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
Index: kdelibs/plasma/popupapplet.cpp
|
||||||
|
===================================================================
|
||||||
|
--- kdelibs/plasma/popupapplet.cpp (Revision 976120)
|
||||||
|
+++ kdelibs/plasma/popupapplet.cpp (Arbeitskopie)
|
||||||
|
@@ -275,11 +275,7 @@
|
||||||
|
//stuff out of your Dialog (extenders). Monitor WindowDeactivate events so we can
|
||||||
|
//emulate the same kind of behavior as Qt::Popup (close when you click somewhere
|
||||||
|
//else.
|
||||||
|
- dialog->setWindowFlags(Qt::FramelessWindowHint | Qt::WindowStaysOnTopHint);
|
||||||
|
- updateDialogFlags();
|
||||||
|
- KWindowSystem::setState(dialog->winId(), NET::SkipTaskbar | NET::SkipPager);
|
||||||
|
- dialog->installEventFilter(q);
|
||||||
|
-
|
||||||
|
+
|
||||||
|
q->setMinimumSize(QSize(0, 0));
|
||||||
|
if (gWidget) {
|
||||||
|
Corona *corona = qobject_cast<Corona *>(gWidget->scene());
|
||||||
|
@@ -289,14 +285,25 @@
|
||||||
|
corona->addOffscreenWidget(gWidget);
|
||||||
|
dialog->setGraphicsWidget(gWidget);
|
||||||
|
}
|
||||||
|
+
|
||||||
|
+ dialog->setWindowFlags(Qt::FramelessWindowHint | Qt::WindowStaysOnTopHint | (gWidget->windowFlags() & Qt::X11BypassWindowManagerHint));
|
||||||
|
} else if (qWidget) {
|
||||||
|
QVBoxLayout *l_layout = new QVBoxLayout(dialog);
|
||||||
|
l_layout->setSpacing(0);
|
||||||
|
l_layout->setMargin(0);
|
||||||
|
l_layout->addWidget(qWidget);
|
||||||
|
dialog->adjustSize();
|
||||||
|
+
|
||||||
|
+ dialog->setWindowFlags(Qt::FramelessWindowHint | Qt::WindowStaysOnTopHint | (qWidget->windowFlags() & Qt::X11BypassWindowManagerHint));
|
||||||
|
}
|
||||||
|
+ else {
|
||||||
|
+ dialog->setWindowFlags(Qt::FramelessWindowHint | Qt::WindowStaysOnTopHint);
|
||||||
|
+ }
|
||||||
|
+ updateDialogFlags();
|
||||||
|
+ KWindowSystem::setState(dialog->winId(), NET::SkipTaskbar | NET::SkipPager);
|
||||||
|
+ dialog->installEventFilter(q);
|
||||||
|
|
||||||
|
+
|
||||||
|
QObject::connect(dialog, SIGNAL(dialogResized()), q, SLOT(dialogSizeChanged()));
|
||||||
|
QObject::connect(dialog, SIGNAL(dialogVisible(bool)), q, SLOT(dialogStatusChanged(bool)));
|
||||||
|
}
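Review bot: The relocated `setWindowFlags` calls repeat `Qt::FramelessWindowHint | Qt::WindowStaysOnTopHint` in three branches and copy `Qt::X11BypassWindowManagerHint` from the embedded widget with no comment saying why. A dialog carrying that hint is not handled by the window manager, so the reason for inheriting it belongs in the code, for example `// keep X11BypassWindowManagerHint if the widget asked for it, so the popup (e.g. an on-screen keyboard) does not take focus`. Building the common flags once in a local and OR-ing in the optional hint per branch would also remove the duplication. The added `else {` starts on its own line, unlike the `} else if (qWidget) {` just above it, and the enclosing function begins outside the hunk.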
|
|
@ -0,0 +1,17 @@
|
||||||
|
Index: khtml/svg/SVGList.h
|
||||||
|
===================================================================
|
||||||
|
--- khtml/svg/SVGList.h (revision 983301)
|
||||||
|
+++ khtml/svg/SVGList.h (revision 983302)
|
||||||
|
@@ -97,7 +97,11 @@
|
||||||
|
|
||||||
|
Item insertItemBefore(Item newItem, unsigned int index, ExceptionCode&)
|
||||||
|
{
|
||||||
|
- m_vector.insert(index, newItem);
|
||||||
|
+ if (index < m_vector.size()) {
|
||||||
|
+ m_vector.insert(index, newItem);
|
||||||
|
+ } else {
|
||||||
|
+ m_vector.append(newItem);
|
||||||
|
+ }
|
||||||
|
return newItem;
|
||||||
|
}
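Review bot: `insertItemBefore` now silently turns an out-of-range `index` into an append, and nothing in the function says why. A one-line comment would keep the bounds check from being dropped in a later cleanup, for example `// an index past the end appends rather than indexing beyond m_vector (CVE-2009-0945)`. The unnamed `ExceptionCode&` parameter is never written in the visible body, so callers cannot distinguish the two cases; if that is intended, the same comment should say so. Other index-taking members of the list lie outside this hunk and may need the same check.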
|
||||||
|
|
|
@ -0,0 +1,67 @@
|
||||||
|
Index: khtml/html/htmlparser.h
|
||||||
|
===================================================================
|
||||||
|
--- khtml/html/htmlparser.h (revision 983315)
|
||||||
|
+++ khtml/html/htmlparser.h (revision 983316)
|
||||||
|
@@ -157,7 +157,7 @@
|
||||||
|
/*
|
||||||
|
* the head element. Needed for crappy html which defines <base> after </head>
|
||||||
|
*/
|
||||||
|
- DOM::HTMLHeadElementImpl *head;
|
||||||
|
+ RefPtr<DOM::HTMLHeadElementImpl> head;
|
||||||
|
|
||||||
|
/*
|
||||||
|
* a possible <isindex> element in the head. Compatibility hack for
|
||||||
|
Index: khtml/html/htmlparser.cpp
|
||||||
|
===================================================================
|
||||||
|
--- khtml/html/htmlparser.cpp (revision 983315)
|
||||||
|
+++ khtml/html/htmlparser.cpp (revision 983316)
|
||||||
|
@@ -216,7 +216,6 @@
|
||||||
|
|
||||||
|
form = 0;
|
||||||
|
map = 0;
|
||||||
|
- head = 0;
|
||||||
|
end = false;
|
||||||
|
isindex = 0;
|
||||||
|
|
||||||
|
@@ -678,8 +677,7 @@
|
||||||
|
case ID_BASE:
|
||||||
|
if(!head) {
|
||||||
|
head = new HTMLHeadElementImpl(document);
|
||||||
|
- e = head;
|
||||||
|
- insertNode(e);
|
||||||
|
+ insertNode(head.get());
|
||||||
|
handled = true;
|
||||||
|
}
|
||||||
|
break;
|
||||||
|
@@ -894,7 +892,7 @@
|
||||||
|
case ID_HEAD:
|
||||||
|
if(!head && (current->id() == ID_HTML || current->isDocumentNode())) {
|
||||||
|
head = new HTMLHeadElementImpl(document);
|
||||||
|
- n = head;
|
||||||
|
+ n = head.get();
|
||||||
|
}
|
||||||
|
break;
|
||||||
|
case ID_BODY:
|
||||||
|
@@ -1907,19 +1905,19 @@
|
||||||
|
head = new HTMLHeadElementImpl(document);
|
||||||
|
HTMLElementImpl *body = doc()->body();
|
||||||
|
int exceptioncode = 0;
|
||||||
|
- doc()->documentElement()->insertBefore(head, body, exceptioncode);
|
||||||
|
+ doc()->documentElement()->insertBefore(head.get(), body, exceptioncode);
|
||||||
|
if ( exceptioncode ) {
|
||||||
|
#ifdef PARSER_DEBUG
|
||||||
|
kDebug( 6035 ) << "creation of head failed!!!!:" << exceptioncode;
|
||||||
|
#endif
|
||||||
|
- delete head;
|
||||||
|
+ delete head.get();
|
||||||
|
head = 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
// If the body does not exist yet, then the <head> should be pushed as the current block.
|
||||||
|
if (head && !body) {
|
||||||
|
pushBlock(head->id(), tagPriority(head->id()));
|
||||||
|
- setCurrent(head);
|
||||||
|
+ setCurrent(head.get());
|
||||||
|
}
|
||||||
|
}
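Review bot: In the last htmlparser.cpp hunk the error path keeps `delete head.get();` followed by `head = 0;`, which no longer fits now that `head` is a `RefPtr`. If this RefPtr drops its reference on assignment, as the type name suggests, `head = 0` will touch the object that was just deleted, so the path meant to close the use-after-free can itself release the node twice. Letting the smart pointer own the release looks safer: remove the `delete head.get();` line and keep only `head = 0;`. The enclosing function starts before the hunk, and whether a failed `insertBefore` leaves any other reference to the node is not visible here.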
|
||||||
|
|
|
@ -0,0 +1,27 @@
|
||||||
|
diff -up kdelibs-4.2.4/khtml/ecma/kjs_html.cpp.cve-2009-2537-select-length kdelibs-4.2.4/khtml/ecma/kjs_html.cpp
|
||||||
|
--- kdelibs-4.2.4/khtml/ecma/kjs_html.cpp.cve-2009-2537-select-length 2009-03-26 15:44:13.000000000 +0100
|
||||||
|
+++ kdelibs-4.2.4/khtml/ecma/kjs_html.cpp 2009-07-23 10:35:55.908865609 +0200
|
||||||
|
@@ -69,6 +69,9 @@
|
||||||
|
#include <QtCore/QList>
|
||||||
|
#include <QtCore/QHash>
|
||||||
|
|
||||||
|
+// CVE-2009-2537 (vendors agreed on max 10000 elements)
|
||||||
|
+#define MAX_SELECT_LENGTH 10000
|
||||||
|
+
|
||||||
|
using namespace DOM;
|
||||||
|
|
||||||
|
namespace KJS {
|
||||||
|
@@ -2428,8 +2431,12 @@ void KJS::HTMLElement::putValueProperty(
|
||||||
|
case SelectValue: { select.setValue(str.implementation()); return; }
|
||||||
|
case SelectLength: { // read-only according to the NS spec, but webpages need it writeable
|
||||||
|
JSObject *coll = getSelectHTMLCollection(exec, select.options(), &select)->getObject();
|
||||||
|
+
|
||||||
|
if ( coll )
|
||||||
|
- coll->put(exec,"length",value);
|
||||||
|
+ if (value->toInteger(exec) >= MAX_SELECT_LENGTH)
|
||||||
|
+ setDOMException(exec, DOMException::INDEX_SIZE_ERR);
|
||||||
|
+ else
|
||||||
|
+ coll->put(exec, "length", value);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
// read-only: form
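Review bot: The new limit in the `SelectLength` case is tested on `value->toInteger(exec)` while the unconverted `value` is what `coll->put` receives, so the number that is checked and the number that is stored come from two separate conversions. For a script-supplied object those conversions are not guaranteed to agree, and a conversion that raises an exception is not checked before the comparison. Converting once and storing that result closes the gap, e.g. `double n = value->toInteger(exec);` and then `coll->put(exec, "length", jsNumber(n));` in the else branch. The nested `if`/`else` under `if ( coll )` would read more safely with braces, and `>=` rejects exactly 10000 although the comment describes 10000 as the agreed maximum.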
|
|
@ -0,0 +1,21 @@
|
||||||
|
diff -ur kdelibs-4.2.98/kjs/collector.cpp kdelibs-4.2.98-cve-2009-1687/kjs/collector.cpp
|
||||||
|
--- kdelibs-4.2.98/kjs/collector.cpp 2009-04-30 20:02:44.000000000 +0200
|
||||||
|
+++ kdelibs-4.2.98-cve-2009-1687/kjs/collector.cpp 2009-07-26 03:52:44.000000000 +0200
|
||||||
|
@@ -31,6 +31,7 @@
|
||||||
|
#include "value.h"
|
||||||
|
|
||||||
|
#include <setjmp.h>
|
||||||
|
+#include <limits.h>
|
||||||
|
#include <algorithm>
|
||||||
|
|
||||||
|
#if PLATFORM(DARWIN)
|
||||||
|
@@ -109,6 +110,9 @@
|
||||||
|
|
||||||
|
void append(CollectorBlock* block) {
|
||||||
|
if (m_used == m_capacity) {
|
||||||
|
+ static const size_t maxNumBlocks = ULONG_MAX / sizeof(CollectorBlock*) / GROWTH_FACTOR;
|
||||||
|
+ if (m_capacity > maxNumBlocks)
|
||||||
|
+ CRASH();
|
||||||
|
m_capacity = max(MIN_ARRAY_SIZE, m_capacity * GROWTH_FACTOR);
|
||||||
|
m_data = static_cast<CollectorBlock **>(fastRealloc(m_data, m_capacity * sizeof(CollectorBlock *)));
|
||||||
|
}
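Review bot: `maxNumBlocks` is derived from `ULONG_MAX`, but the product being protected, `m_capacity * sizeof(CollectorBlock *)`, is computed in `size_t`. The two limits only coincide where `unsigned long` and `size_t` have the same width; deriving the bound from `size_t` itself, `std::numeric_limits<size_t>::max() / sizeof(CollectorBlock*) / GROWTH_FACTOR` with `<limits>` in place of `<limits.h>`, keeps the guard correct on every target. Because the guard ends in `CRASH()`, an oversized block list still terminates the process, so a short comment stating that this is a deliberate fail-stop would match the FIXME recorded in the spec file. `append` continues past the end of the hunk.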
|
|
@ -0,0 +1,42 @@
|
||||||
|
diff -ur kdelibs-4.2.98/khtml/css/cssparser.cpp kdelibs-4.2.98-cve-2009-1698/khtml/css/cssparser.cpp
|
||||||
|
--- kdelibs-4.2.98/khtml/css/cssparser.cpp 2009-07-21 17:16:12.000000000 +0200
|
||||||
|
+++ kdelibs-4.2.98-cve-2009-1698/khtml/css/cssparser.cpp 2009-07-26 04:19:38.000000000 +0200
|
||||||
|
@@ -1513,6 +1513,14 @@
|
||||||
|
if ( args->size() != 1)
|
||||||
|
return false;
|
||||||
|
Value *a = args->current();
|
||||||
|
+ if (a->unit != CSSPrimitiveValue::CSS_IDENT) {
|
||||||
|
+ isValid=false;
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
+ if (qString(a->string)[0] == '-') {
|
||||||
|
+ isValid=false;
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
parsedValue = new CSSPrimitiveValueImpl(domString(a->string), CSSPrimitiveValue::CSS_ATTR);
|
||||||
|
}
|
||||||
|
else
|
||||||
|
@@ -1565,7 +1573,8 @@
|
||||||
|
|
||||||
|
CounterImpl *counter = new CounterImpl;
|
||||||
|
Value *i = args->current();
|
||||||
|
-// if (i->unit != CSSPrimitiveValue::CSS_IDENT) goto invalid;
|
||||||
|
+ if (i->unit != CSSPrimitiveValue::CSS_IDENT) goto invalid;
|
||||||
|
+ if (qString(i->string)[0] == '-') goto invalid;
|
||||||
|
counter->m_identifier = domString(i->string);
|
||||||
|
if (counters) {
|
||||||
|
i = args->next();
|
||||||
|
diff -ur kdelibs-4.2.98/khtml/css/css_valueimpl.cpp kdelibs-4.2.98-cve-2009-1698/khtml/css/css_valueimpl.cpp
|
||||||
|
--- kdelibs-4.2.98/khtml/css/css_valueimpl.cpp 2009-05-14 19:27:35.000000000 +0200
|
||||||
|
+++ kdelibs-4.2.98-cve-2009-1698/khtml/css/css_valueimpl.cpp 2009-07-26 04:17:28.000000000 +0200
|
||||||
|
@@ -1212,7 +1212,9 @@
|
||||||
|
text = getValueName(m_value.ident);
|
||||||
|
break;
|
||||||
|
case CSSPrimitiveValue::CSS_ATTR:
|
||||||
|
- // ###
|
||||||
|
+ text = "attr(";
|
||||||
|
+ text += DOMString( m_value.string );
|
||||||
|
+ text += ")";
|
||||||
|
break;
|
||||||
|
case CSSPrimitiveValue::CSS_COUNTER:
|
||||||
|
text = "counter(";
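Review bot: The two new leading-dash tests in cssparser.cpp, `qString(a->string)[0] == '-'` and `qString(i->string)[0] == '-'`, build a temporary QString and index position 0 without checking that the string is non-empty. An identifier token is presumably never empty, but `startsWith` states the intent without relying on that: `if (qString(a->string).startsWith(QLatin1Char('-')))`. Neither site explains why an identifier beginning with '-' is refused for attr() and counter(); a short comment naming CVE-2009-1698 would help the next reader. The attr() branch also reports failure with `isValid=false; break;` directly after an `args->size() != 1` check that uses `return false;`, which is worth making consistent if both paths are meant to behave the same.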
|
|
@ -0,0 +1,13 @@
|
||||||
|
Index: khtml/html/htmltokenizer.cpp
|
||||||
|
===================================================================
|
||||||
|
--- khtml/html/htmltokenizer.cpp (revision 1002162)
|
||||||
|
+++ khtml/html/htmltokenizer.cpp (revision 1002163)
|
||||||
|
@@ -1038,7 +1038,7 @@
|
||||||
|
#ifdef TOKEN_DEBUG
|
||||||
|
kDebug( 6036 ) << "unknown entity!";
|
||||||
|
#endif
|
||||||
|
- checkBuffer(10);
|
||||||
|
+ checkBuffer(11);
|
||||||
|
// ignore the sequence, add it to the buffer as plaintext
|
||||||
|
*dest++ = '&';
|
||||||
|
for(unsigned int i = 0; i < cBufferPos; i++)
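Review bot: `checkBuffer(11)` replaces one unexplained literal with another, so a reader cannot verify that the reservation covers the '&' written here plus the `cBufferPos` characters copied by the loop that follows. Tying the reservation to what is written, for instance `checkBuffer(cBufferPos + 1);` if nothing else is emitted before the next check, or at least adding a comment such as `// '&' plus the buffered entity characters`, would make the bound auditable. The upper limit of `cBufferPos` is set outside this hunk, and the loop body is cut off at the hunk's end.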
|
42
kdelibs.spec
42
kdelibs.spec
|
@ -1,6 +1,6 @@
|
||||||
Summary: K Desktop Environment 4 - Libraries
|
Summary: K Desktop Environment 4 - Libraries
|
||||||
Version: 4.2.4
|
Version: 4.2.4
|
||||||
Release: 2%{?dist}
|
Release: 6%{?dist}
|
||||||
|
|
||||||
%if 0%{?fedora} > 8
|
%if 0%{?fedora} > 8
|
||||||
Name: kdelibs
|
Name: kdelibs
|
||||||
|
@ -80,11 +80,26 @@ Patch18: kdelibs-4.1.72-kstandarddirs.patch
|
||||||
Patch20: kdelibs-4.1.70-cmake.patch
|
Patch20: kdelibs-4.1.70-cmake.patch
|
||||||
Patch22: kdelibs-4.1.96-cmake.patch
|
Patch22: kdelibs-4.1.96-cmake.patch
|
||||||
|
|
||||||
|
# upstreamable
|
||||||
|
Patch50: kdelibs-4.2.3-fixPopupForPlasmaboard.patch
|
||||||
|
|
||||||
# upstream
|
# upstream
|
||||||
# 4.2 branch
|
# 4.2 branch
|
||||||
|
# fix CVE-2009-1687 - possible ACE in KJS (FIXME: still crashes?)
|
||||||
|
Patch100: kdelibs-4.2.4-cve-2009-1690.patch
|
||||||
|
# fix CVE-2009-0945 - NULL-pointer dereference in the SVGList interface impl
|
||||||
|
Patch101: kdelibs-4.2.4-cve-2009-0945.patch
|
||||||
|
|
||||||
# 4.3 branch
|
# 4.3 branch
|
||||||
Patch200: kdelibs-4.1.96-AllowExternalPaths.patch
|
Patch200: kdelibs-4.1.96-AllowExternalPaths.patch
|
||||||
|
# fix CVE-2009-2537 - select length DoS
|
||||||
|
Patch201: kdelibs-4.2.4-cve-2009-2537-select-length.patch
|
||||||
|
# fix CVE-2009-1725 - crash, possible ACE in numeric character references
|
||||||
|
Patch202: kdelibs-4.2.98-cve-2009-1725.patch
|
||||||
|
# fix CVE-2009-1687 - possible ACE in KJS (FIXME: now aborts, so still crashes)
|
||||||
|
Patch203: kdelibs-4.2.98-cve-2009-1687.patch
|
||||||
|
# fix CVE-2009-1698 - crash, possible ACE in CSS style attribute handling
|
||||||
|
Patch204: kdelibs-4.2.98-cve-2009-1698.patch
|
||||||
|
|
||||||
BuildRequires: qt4-devel >= 4.4.0
|
BuildRequires: qt4-devel >= 4.4.0
|
||||||
# qt4%{_?_isa} isn't provided yet -- Rex
|
# qt4%{_?_isa} isn't provided yet -- Rex
|
||||||
|
@ -216,11 +231,19 @@ sed -i -e "s|@@VERSION_RELEASE@@|%{version}-%{release}|" kio/kio/kprotocolmanage
|
||||||
%patch20 -p1 -b .xxcmake
|
%patch20 -p1 -b .xxcmake
|
||||||
%patch22 -p1 -b .kdepimlibs-cmake
|
%patch22 -p1 -b .kdepimlibs-cmake
|
||||||
|
|
||||||
|
%patch50 -p1 -b .fixPopupForPlasmaboard
|
||||||
|
|
||||||
# upstream patches
|
# upstream patches
|
||||||
# 4.2
|
# 4.2
|
||||||
|
%patch100 -p0 -b .cve-2009-1690
|
||||||
|
%patch101 -p0 -b .cve-2009-0945
|
||||||
|
|
||||||
# 4.3
|
# 4.3
|
||||||
%patch200 -p1 -b .AllowExternalPaths
|
%patch200 -p1 -b .AllowExternalPaths
|
||||||
|
%patch201 -p1 -b .cve-2009-2537-select-length
|
||||||
|
%patch202 -p0 -b .cve-2009-1725
|
||||||
|
%patch203 -p1 -b .cve-2009-1687
|
||||||
|
%patch204 -p1 -b .cve-2009-1698
|
||||||
|
|
||||||
|
|
||||||
%build
|
%build
|
||||||
|
@ -403,6 +426,23 @@ rm -rf %{buildroot}
|
||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Sun Jul 26 2009 Kevin Kofler <Kevin@tigcc.ticalc.org> - 4.2.4-6
|
||||||
|
- fix CVE-2009-1725 - crash, possible ACE in numeric character references
|
||||||
|
- fix CVE-2009-1690 - crash, possible ACE in KHTML (<head> use-after-free)
|
||||||
|
- fix CVE-2009-1687 - possible ACE in KJS (FIXME: still crashes?)
|
||||||
|
- fix CVE-2009-1698 - crash, possible ACE in CSS style attribute handling
|
||||||
|
- fix CVE-2009-0945 - NULL-pointer dereference in the SVGList interface impl
|
||||||
|
|
||||||
|
* Thu Jul 23 2009 Jaroslav Reznik <jreznik@redhat.com> - 4.2.4-5
|
||||||
|
- CVE-2009-2537 - select length DoS
|
||||||
|
- correct fixPopupForPlasmaboard.patch
|
||||||
|
|
||||||
|
* Wed Jul 08 2009 Kevin Kofler <Kevin@tigcc.ticalc.org> - 4.2.4-4
|
||||||
|
- fix CMake dependency in parallel_devel patch (#510259, CHIKAMA Masaki)
|
||||||
|
|
||||||
|
* Mon Jun 15 2009 Rex Dieter <rdieter@fedoraproject.org> 4.2.4-3
|
||||||
|
- fixPopupForPlasmaboard.patch
|
||||||
|
|
||||||
* Mon Jun 1 2009 Lukáš Tinkl <ltinkl@redhat.com> - 4.2.4-2
|
* Mon Jun 1 2009 Lukáš Tinkl <ltinkl@redhat.com> - 4.2.4-2
|
||||||
- respun tarball
|
- respun tarball
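Review bot: The comment placed above `Patch100: kdelibs-4.2.4-cve-2009-1690.patch` describes a different issue: it reads `# fix CVE-2009-1687 - possible ACE in KJS (FIXME: still crashes?)`, while the patch it labels is the CVE-2009-1690 fix. The changelog entry added in the same commit gives the matching text, so the comment should read `# fix CVE-2009-1690 - crash, possible ACE in KHTML (<head> use-after-free)`. The changelog also still says `(FIXME: still crashes?)` for CVE-2009-1687 while the Patch203 comment says `(FIXME: now aborts, so still crashes)`; using one wording in both places avoids leaving the status ambiguous for anyone auditing which CVEs this package covers.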
|
||||||
|
|
||||||
|
|