* Sun Jul 26 2009 Kevin Kofler <Kevin@tigcc.ticalc.org> - 4.2.98-3
- fix CVE-2009-2537 - select length DoS - fix CVE-2009-1725 - crash, possible ACE in numeric character references - fix CVE-2009-1687 - possible ACE in KJS (FIXME: now aborts, so still crashes) - fix CVE-2009-1698 - crash, possible ACE in CSS style attribute handling
parent
2fdf94d0d0
commit
74fa0fbc55
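--- /dev/null
+++ b/kdelibs-4.2.98-cve-2009-1687.patch
@@ -0,0 +1,21 @@
+diff -ur kdelibs-4.2.98/kjs/collector.cpp kdelibs-4.2.98-cve-2009-1687/kjs/collector.cpp
+--- kdelibs-4.2.98/kjs/collector.cpp 2009-04-30 20:02:44.000000000 +0200
++++ kdelibs-4.2.98-cve-2009-1687/kjs/collector.cpp 2009-07-26 03:52:44.000000000 +0200
+@@ -31,6 +31,7 @@
+#include "value.h"
+
+#include <setjmp.h>
++#include <limits.h>
+#include <algorithm>
+
+#if PLATFORM(DARWIN)
+@@ -109,6 +110,9 @@
+
+void append(CollectorBlock* block) {
+if (m_used == m_capacity) {
++ static const size_t maxNumBlocks = ULONG_MAX / sizeof(CollectorBlock*) / GROWTH_FACTOR;
++ if (m_capacity > maxNumBlocks)
++ CRASH();
+m_capacity = max(MIN_ARRAY_SIZE, m_capacity * GROWTH_FACTOR);
+m_data = static_cast<CollectorBlock **>(fastRealloc(m_data, m_capacity * sizeof(CollectorBlock *)));
+}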
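Review bot: The new bound in `append()` is computed from `ULONG_MAX`, but `m_capacity` and the product handed to `fastRealloc()` are `size_t`; on LP64 targets the two agree, but where `unsigned long` is narrower than `size_t` (64-bit Windows, for example) the bound is far below the real overflow point and the collector would abort long before it needs to. `std::numeric_limits<size_t>::max()` from `<limits>` (which could replace the added `<limits.h>`) names the intended limit exactly: `static const size_t maxNumBlocks = std::numeric_limits<size_t>::max() / sizeof(CollectorBlock*) / GROWTH_FACTOR;`. The `CRASH()` is a deliberate fail-fast that turns a heap-buffer overflow into an abort, as the commit message acknowledges, so a comment such as `// fail fast: growing past this would overflow the byte count passed to fastRealloc()` would keep a later maintainer from "fixing" it into a silent clamp. The remainder of `append()` lies outside the hunk.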
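--- /dev/null
+++ b/kdelibs-4.2.98-cve-2009-1698.patch
@@ -0,0 +1,42 @@
+diff -ur kdelibs-4.2.98/khtml/css/cssparser.cpp kdelibs-4.2.98-cve-2009-1698/khtml/css/cssparser.cpp
+--- kdelibs-4.2.98/khtml/css/cssparser.cpp 2009-07-21 17:16:12.000000000 +0200
++++ kdelibs-4.2.98-cve-2009-1698/khtml/css/cssparser.cpp 2009-07-26 04:19:38.000000000 +0200
+@@ -1513,6 +1513,14 @@
+if ( args->size() != 1)
+return false;
+Value *a = args->current();
++ if (a->unit != CSSPrimitiveValue::CSS_IDENT) {
++ isValid=false;
++ break;
++ }
++ if (qString(a->string)[0] == '-') {
++ isValid=false;
++ break;
++ }
+parsedValue = new CSSPrimitiveValueImpl(domString(a->string), CSSPrimitiveValue::CSS_ATTR);
+}
+else
+@@ -1565,7 +1573,8 @@
+
+CounterImpl *counter = new CounterImpl;
+Value *i = args->current();
+-// if (i->unit != CSSPrimitiveValue::CSS_IDENT) goto invalid;
++ if (i->unit != CSSPrimitiveValue::CSS_IDENT) goto invalid;
++ if (qString(i->string)[0] == '-') goto invalid;
+counter->m_identifier = domString(i->string);
+if (counters) {
+i = args->next();
+diff -ur kdelibs-4.2.98/khtml/css/css_valueimpl.cpp kdelibs-4.2.98-cve-2009-1698/khtml/css/css_valueimpl.cpp
+--- kdelibs-4.2.98/khtml/css/css_valueimpl.cpp 2009-05-14 19:27:35.000000000 +0200
++++ kdelibs-4.2.98-cve-2009-1698/khtml/css/css_valueimpl.cpp 2009-07-26 04:17:28.000000000 +0200
+@@ -1212,7 +1212,9 @@
+text = getValueName(m_value.ident);
+break;
+case CSSPrimitiveValue::CSS_ATTR:
+- // ###
++ text = "attr(";
++ text += DOMString( m_value.string );
++ text += ")";
+break;
+case CSSPrimitiveValue::CSS_COUNTER:
+text = "counter(";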
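Review bot: Both new identifier checks index the converted string with `[0]` without first confirming it is non-empty; whether `qString()` can yield an empty string for a `CSS_IDENT` token is not visible here, and the value of `[0]` on an empty QString depends on Qt's out-of-range handling, so `qString(a->string).startsWith('-')` (and likewise for `i->string` in the counter hunk) states the intent without relying on it. The same two-condition test is now written twice in different shapes, an `isValid=false; break;` block in the attr() branch and `goto invalid` in the counter() branch, so a small helper such as `static bool isSafeIdent(const Value *v)` would keep the two from drifting apart. In the `css_valueimpl.cpp` hunk the serialized `attr(...)` text is emitted without escaping, which is sound only as long as the parser-side checks above are the only way a `CSS_ATTR` value can be created; that assumption deserves a one-line comment at the `case`. Both enclosing parser functions extend beyond the hunks shown.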
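--- /dev/null
+++ b/kdelibs-4.2.98-cve-2009-1725.patch
@@ -0,0 +1,13 @@
+Index: khtml/html/htmltokenizer.cpp
+===================================================================
+--- khtml/html/htmltokenizer.cpp (revision 1002162)
++++ khtml/html/htmltokenizer.cpp (revision 1002163)
+@@ -1038,7 +1038,7 @@
+#ifdef TOKEN_DEBUG
+kDebug( 6036 ) << "unknown entity!";
+#endif
+- checkBuffer(10);
++ checkBuffer(11);
+// ignore the sequence, add it to the buffer as plaintext
+*dest++ = '&';
+for(unsigned int i = 0; i < cBufferPos; i++)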
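Review bot: The corrected reservation `checkBuffer(11)` is still an unexplained literal, and the defect being fixed was exactly that the previous literal was one short of what the copy loop below writes; a comment stating what the 11 covers — presumably the leading `'&'` plus the characters copied from `cBuffer` in the `for` loop and whatever follows it, though the upper bound on `cBufferPos` is not visible in this hunk — would let the next reader verify the arithmetic. Better still is to express the reservation in terms of the same constant that bounds `cBufferPos`, so the reserve and the copy cannot diverge again. The enclosing function continues on both sides of the hunk.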
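--- /dev/null
+++ b/kdelibs-4.2.98-cve-2009-2537-select-length.patch
@@ -0,0 +1,28 @@
+Index: khtml/ecma/kjs_html.cpp
+===================================================================
+--- khtml/ecma/kjs_html.cpp (revision 1001151)
++++ khtml/ecma/kjs_html.cpp (revision 1001152)
+@@ -69,6 +69,9 @@
+#include <QtCore/QList>
+#include <QtCore/QHash>
+
++// CVE-2009-2537 (vendors agreed on max 10000 elements)
++#define MAX_SELECT_LENGTH 10000
++
+using namespace DOM;
+
+namespace KJS {
+@@ -2454,8 +2457,12 @@
+case SelectValue: { select.setValue(str.implementation()); return; }
+case SelectLength: { // read-only according to the NS spec, but webpages need it writeable
+JSObject *coll = getSelectHTMLCollection(exec, select.options(), &select)->getObject();
++
+if ( coll )
+- coll->put(exec,"length",value);
++ if (value->toInteger(exec) >= MAX_SELECT_LENGTH)
++ setDOMException(exec, DOMException::INDEX_SIZE_ERR);
++ else
++ coll->put(exec, "length", value);
+return;
+}
+// read-only: form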
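Review bot: The guard converts `value` once with `toInteger()` but then hands the original `value` to `coll->put()`, so if the collection's put converts it again (its code is outside this hunk) a script object with a stateful valueOf() can present one number to the check and a different one to the store; converting once and passing the converted number closes that gap, and since valueOf() may throw, the conversion should be followed by an `exec->hadException()` check before the result is used. A NaN from a non-numeric value also compares false against the limit and reaches put() unchanged, so the check should be written as a range the value must satisfy rather than a single rejection. Separately, `>=` rejects a length of exactly 10000 while the comment says vendors agreed on a maximum of 10000; one of the two should change. `MAX_SELECT_LENGTH` would read better as a `static const int` inside the KJS namespace than as a macro. The enclosing `put` switch continues outside the hunk, and `jsNumber()` below assumes that is the file's usual way of boxing a number.
```cpp
if ( coll ) {
    // Convert once and reuse the result: a second conversion inside put()
    // could re-run script-visible valueOf() and observe a different number.
    double len = value->toInteger(exec);
    if (exec->hadException())
        return;
    if (!(len >= 0 && len < MAX_SELECT_LENGTH))
        setDOMException(exec, DOMException::INDEX_SIZE_ERR);
    else
        coll->put(exec, "length", jsNumber(len));
}
return;
```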
21
kdelibs.spec
21
kdelibs.spec
|
@ -5,7 +5,7 @@
|
|||
|
||||
Summary: K Desktop Environment 4 - Libraries
|
||||
Version: 4.2.98
|
||||
Release: 2%{?dist}
|
||||
Release: 3%{?dist}
|
||||
|
||||
%if 0%{?fedora} > 8
|
||||
Name: kdelibs
|
||||
|
@ -84,6 +84,15 @@ Patch20: kdelibs-4.1.70-cmake.patch
|
|||
|
||||
# upstream
|
||||
# 4.3 branch
|
||||
# fix CVE-2009-2537 - select length DoS
|
||||
Patch100: kdelibs-4.2.98-cve-2009-2537-select-length.patch
|
||||
# fix CVE-2009-1725 - crash, possible ACE in numeric character references
|
||||
Patch101: kdelibs-4.2.98-cve-2009-1725.patch
|
||||
### I will upstream these ones if the build completes successfully. -- kkofler
|
||||
# fix CVE-2009-1687 - possible ACE in KJS (FIXME: now aborts, so still crashes)
|
||||
Patch102: kdelibs-4.2.98-cve-2009-1687.patch
|
||||
# fix CVE-2009-1698 - crash, possible ACE in CSS style attribute handling
|
||||
Patch103: kdelibs-4.2.98-cve-2009-1698.patch
|
||||
|
||||
BuildRequires: qt4-devel >= 4.4.0
|
||||
# qt4%{_?_isa} isn't provided yet -- Rex
|
||||
|
@ -215,6 +224,10 @@ sed -i -e "s|@@VERSION_RELEASE@@|%{version}-%{release}|" kio/kio/kprotocolmanage
|
|||
|
||||
# upstream patches
|
||||
# 4.3
|
||||
%patch100 -p0 -b .cve-2009-2537
|
||||
%patch101 -p0 -b .cve-2009-1725
|
||||
%patch102 -p0 -b .cve-2009-1687
|
||||
%patch103 -p0 -b .cve-2009-1698
|
||||
|
||||
|
||||
%build
|
||||
|
@ -397,6 +410,12 @@ rm -rf %{buildroot}
|
|||
|
||||
|
||||
%changelog
|
||||
* Sun Jul 26 2009 Kevin Kofler <Kevin@tigcc.ticalc.org> - 4.2.98-3
|
||||
- fix CVE-2009-2537 - select length DoS
|
||||
- fix CVE-2009-1725 - crash, possible ACE in numeric character references
|
||||
- fix CVE-2009-1687 - possible ACE in KJS (FIXME: now aborts, so still crashes)
|
||||
- fix CVE-2009-1698 - crash, possible ACE in CSS style attribute handling
|
||||
|
||||
* Fri Jul 24 2009 Lukáš Tinkl <ltinkl@redhat.com> - 4.2.98-2
|
||||
- respun tarball, to fix KIO HTTP redirects
|
||||
- fix phonon/strigi versions
|
||||
|
|
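Review bot: `%patch102` and `%patch103` are applied with `-p0`, but the two patches they name were produced by `diff -ur` and carry a leading `kdelibs-4.2.98/` (old) and `kdelibs-4.2.98-cve-2009-1687/` or `kdelibs-4.2.98-cve-2009-1698/` (new) path component, whereas `%patch100` and `%patch101` are svn-style patches rooted at `khtml/…`; if `%prep` runs inside the unpacked source tree, as those two assume, 102 and 103 need `-p1` (`%patch102 -p1 -b .cve-2009-1687` and `%patch103 -p1 -b .cve-2009-1698`) or their paths rewritten. The `%setup` line is outside the hunk, so this is inferred from the patch paths alone and should be confirmed against a scratch build. The `%prep` comment `# upstream patches` / `# 4.3` now also covers the two patches that the `Patch10x` block marks as not yet upstreamed, so the two sections tell different stories; adjusting the `%prep` comment to match would avoid that.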