Resolves: CVE-2012-4515, CVE-2012-4514

kdelibs-4.9.x-CVE-2012-4514.patch

@@ -0,0 +1,27 @@
+commit 65464349951e0df9b5d80c2eb3cc7458d54923ae
+Author: David Faure <faure@kde.org>
+Date:   Fri Oct 19 11:33:41 2012 +0200
+
+    Fix crash when trying to reuse a frame with a null part.
+    
+    BUG: 271528
+    FIXED-IN: 4.9.3
+
+diff --git a/khtml/khtml_part.cpp b/khtml/khtml_part.cpp
+index ad00ea5..6165710 100644
+--- a/khtml/khtml_part.cpp
++++ b/khtml/khtml_part.cpp
+@@ -5242,8 +5242,12 @@ KHTMLPart* KHTMLPartPrivate::top()
+ 
+ bool KHTMLPartPrivate::canNavigate(KParts::ReadOnlyPart* bCand)
+ {
++    if (!bCand) // No part here (e.g. invalid url), reuse that frame
++        return true;
++
+     KHTMLPart* b = qobject_cast<KHTMLPart*>(bCand);
+-    assert(b);
++    if (!b) // Another kind of part? Not sure what to do...
++        return false;
+ 
+     // HTML5 gives conditions for this (a) being able to navigate b
+     

kdelibs-4.9.x-CVE-2012-4515.patch

@@ -0,0 +1,50 @@
+commit 4f2eb356f1c23444fff2cfe0a7ae10efe303d6d8
+Author: David Faure <faure@kde.org>
+Date:   Wed Oct 24 20:04:31 2012 +0200
+
+    Fix crash when a redirect happens in an iframe while the context menu is shown
+
+diff --git a/khtml/rendering/render_replaced.cpp b/khtml/rendering/render_replaced.cpp
+index 195dcba..6bc5caa 100644
+--- a/khtml/rendering/render_replaced.cpp
++++ b/khtml/rendering/render_replaced.cpp
+@@ -1030,7 +1030,7 @@ bool RenderWidget::handleEvent(const DOM::EventImpl& ev)
+             p.setY(qMin(qMax(0,p.y()),m_widget->height()));
+         }
+ 
+-        QWidget* target = 0;
++        QPointer<QWidget> target;
+         target = m_widget->childAt(p);
+ 
+         if (target) {
+@@ -1103,16 +1103,18 @@ bool RenderWidget::handleEvent(const DOM::EventImpl& ev)
+             }
+         }
+ 
+-        QEvent *e = isMouseWheel ?
++        QScopedPointer<QEvent> e(isMouseWheel ?
+                     static_cast<QEvent*>(new QWheelEvent(p, -me.detail()*40, buttons, state, orient)) :
+-                    static_cast<QEvent*>(new QMouseEvent(type,    p, button, buttons, state));
++                    static_cast<QEvent*>(new QMouseEvent(type,    p, button, buttons, state)));
+ 
+ 
+-        ret = bubblingSend(target, e, m_widget);
++        ret = bubblingSend(target, e.data(), m_widget);
+ 
++        if (!target)
++            break;
+         if (needContextMenuEvent) {
+             QContextMenuEvent cme(QContextMenuEvent::Mouse, p);
+-            static_cast<EventPropagator *>(target)->sendEvent(&cme);
++            static_cast<EventPropagator *>(target.data())->sendEvent(&cme);
+         } else if (type == QEvent::MouseMove && target->testAttribute(Qt::WA_Hover)) {
+             QHoverEvent he( QEvent::HoverMove, p, p );
+             QApplication::sendEvent(target, &he);
+@@ -1120,7 +1122,6 @@ bool RenderWidget::handleEvent(const DOM::EventImpl& ev)
+         if (ev.id() == EventImpl::MOUSEUP_EVENT) {
+             view()->setMouseEventsTarget( 0 );
+         }
+-        delete e;
+         break;
+     }
+     case EventImpl::KEYDOWN_EVENT:

kdelibs.spec

@@ -25,7 +25,7 @@
 
 Summary: KDE Libraries
 Version: 4.8.5
-Release: 1%{?dist}
+Release: 2%{?dist}
 
 Name: kdelibs
 Epoch: 6
@@ -152,6 +152,8 @@ Patch100: kdelibs-4.8.3-kdeclarative-install-location.patch
 ## security fix
 # Not Upstreamed? why not ? -- Rex
 Patch200: kdelibs-4.3.1-CVE-2009-2702.patch
+Patch201: kdelibs-4.9.x-CVE-2012-4515.patch
+Patch202: kdelibs-4.9.x-CVE-2012-4514.patch
 
 # rhel patches
 Patch300: kdelibs-4.8.3-webkit.patch
@@ -362,6 +364,8 @@ popd
 
 # security fixes
 %patch200 -p1 -b .CVE-2009-2702
+%patch201 -p1 -b .CVE-2012-4515
+%patch202 -p1 -b .CVE-2012-4514
 
 # rhel patches
 %if 0%{?rhel}
@@ -614,6 +618,9 @@ rm -rf %{buildroot}
 
 
 %changelog
+* Wed Oct 31 2012 Than Ngo <than@redhat.com> - 6:4.8.5-2
+- Resolves: CVE-2012-4515, CVE-2012-4514
+
 * Thu Aug 02 2012 Rex Dieter <rdieter@fedoraproject.org> - 6:4.8.5-1
 - 4.8.5