This commit is contained in:
Than Ngo 2009-07-29 23:05:01 +00:00
parent f7171463f8
commit d7c211b5ea
7 changed files with 7 additions and 120 deletions


@ -1 +1,2 @@
kdelibs-4.2.98.tar.bz2
kdelibs-4.3.0.tar.bz2


@ -1,21 +0,0 @@
diff -ur kdelibs-4.2.98/kjs/collector.cpp kdelibs-4.2.98-cve-2009-1687/kjs/collector.cpp
--- kdelibs-4.2.98/kjs/collector.cpp 2009-04-30 20:02:44.000000000 +0200
+++ kdelibs-4.2.98-cve-2009-1687/kjs/collector.cpp 2009-07-26 03:52:44.000000000 +0200
@@ -31,6 +31,7 @@
#include "value.h"
#include <setjmp.h>
+#include <limits.h>
#include <algorithm>
#if PLATFORM(DARWIN)
@@ -109,6 +110,9 @@
void append(CollectorBlock* block) {
if (m_used == m_capacity) {
+ static const size_t maxNumBlocks = ULONG_MAX / sizeof(CollectorBlock*) / GROWTH_FACTOR;
+ if (m_capacity > maxNumBlocks)
+ CRASH();
m_capacity = max(MIN_ARRAY_SIZE, m_capacity * GROWTH_FACTOR);
m_data = static_cast<CollectorBlock **>(fastRealloc(m_data, m_capacity * sizeof(CollectorBlock *)));
}


@ -1,42 +0,0 @@
diff -ur kdelibs-4.2.98/khtml/css/cssparser.cpp kdelibs-4.2.98-cve-2009-1698/khtml/css/cssparser.cpp
--- kdelibs-4.2.98/khtml/css/cssparser.cpp 2009-07-21 17:16:12.000000000 +0200
+++ kdelibs-4.2.98-cve-2009-1698/khtml/css/cssparser.cpp 2009-07-26 04:19:38.000000000 +0200
@@ -1513,6 +1513,14 @@
if ( args->size() != 1)
return false;
Value *a = args->current();
+ if (a->unit != CSSPrimitiveValue::CSS_IDENT) {
+ isValid=false;
+ break;
+ }
+ if (qString(a->string)[0] == '-') {
+ isValid=false;
+ break;
+ }
parsedValue = new CSSPrimitiveValueImpl(domString(a->string), CSSPrimitiveValue::CSS_ATTR);
}
else
@@ -1565,7 +1573,8 @@
CounterImpl *counter = new CounterImpl;
Value *i = args->current();
-// if (i->unit != CSSPrimitiveValue::CSS_IDENT) goto invalid;
+ if (i->unit != CSSPrimitiveValue::CSS_IDENT) goto invalid;
+ if (qString(i->string)[0] == '-') goto invalid;
counter->m_identifier = domString(i->string);
if (counters) {
i = args->next();
diff -ur kdelibs-4.2.98/khtml/css/css_valueimpl.cpp kdelibs-4.2.98-cve-2009-1698/khtml/css/css_valueimpl.cpp
--- kdelibs-4.2.98/khtml/css/css_valueimpl.cpp 2009-05-14 19:27:35.000000000 +0200
+++ kdelibs-4.2.98-cve-2009-1698/khtml/css/css_valueimpl.cpp 2009-07-26 04:17:28.000000000 +0200
@@ -1212,7 +1212,9 @@
text = getValueName(m_value.ident);
break;
case CSSPrimitiveValue::CSS_ATTR:
- // ###
+ text = "attr(";
+ text += DOMString( m_value.string );
+ text += ")";
break;
case CSSPrimitiveValue::CSS_COUNTER:
text = "counter(";


@ -1,13 +0,0 @@
Index: khtml/html/htmltokenizer.cpp
===================================================================
--- khtml/html/htmltokenizer.cpp (revision 1002162)
+++ khtml/html/htmltokenizer.cpp (revision 1002163)
@@ -1038,7 +1038,7 @@
#ifdef TOKEN_DEBUG
kDebug( 6036 ) << "unknown entity!";
#endif
- checkBuffer(10);
+ checkBuffer(11);
// ignore the sequence, add it to the buffer as plaintext
*dest++ = '&';
for(unsigned int i = 0; i < cBufferPos; i++)


@ -1,28 +0,0 @@
Index: khtml/ecma/kjs_html.cpp
===================================================================
--- khtml/ecma/kjs_html.cpp (revision 1001151)
+++ khtml/ecma/kjs_html.cpp (revision 1001152)
@@ -69,6 +69,9 @@
#include <QtCore/QList>
#include <QtCore/QHash>
+// CVE-2009-2537 (vendors agreed on max 10000 elements)
+#define MAX_SELECT_LENGTH 10000
+
using namespace DOM;
namespace KJS {
@@ -2454,8 +2457,12 @@
case SelectValue: { select.setValue(str.implementation()); return; }
case SelectLength: { // read-only according to the NS spec, but webpages need it writeable
JSObject *coll = getSelectHTMLCollection(exec, select.options(), &select)->getObject();
+
if ( coll )
- coll->put(exec,"length",value);
+ if (value->toInteger(exec) >= MAX_SELECT_LENGTH)
+ setDOMException(exec, DOMException::INDEX_SIZE_ERR);
+ else
+ coll->put(exec, "length", value);
return;
}
// read-only: form


@ -1,11 +1,10 @@
%define phonon_ver 4.3.1
%define soprano_ver 2.3.0
%define strigi_ver 0.7
Summary: K Desktop Environment 4 - Libraries
Version: 4.2.98
Release: 4%{?dist}
Version: 4.3.0
Release: 1%{?dist}
%if 0%{?fedora} > 8
Name: kdelibs
@ -84,14 +83,6 @@ Patch20: kdelibs-4.1.70-cmake.patch
# upstream
# 4.3 branch
# fix CVE-2009-2537 - select length DoS
Patch100: kdelibs-4.2.98-cve-2009-2537-select-length.patch
# fix CVE-2009-1725 - crash, possible ACE in numeric character references
Patch101: kdelibs-4.2.98-cve-2009-1725.patch
# fix CVE-2009-1687 - possible ACE in KJS (FIXME: now aborts, so still crashes)
Patch102: kdelibs-4.2.98-cve-2009-1687.patch
# fix CVE-2009-1698 - crash, possible ACE in CSS style attribute handling
Patch103: kdelibs-4.2.98-cve-2009-1698.patch
BuildRequires: qt4-devel >= 4.4.0
# qt4%{_?_isa} isn't provided yet -- Rex
@ -226,10 +217,6 @@ sed -i -e "s|@@VERSION_RELEASE@@|%{version}-%{release}|" kio/kio/kprotocolmanage
# upstream patches
# 4.3
%patch100 -p0 -b .cve-2009-2537
%patch101 -p0 -b .cve-2009-1725
%patch102 -p1 -b .cve-2009-1687
%patch103 -p1 -b .cve-2009-1698
%build
@ -412,6 +399,9 @@ rm -rf %{buildroot}
%changelog
* Thu Jul 30 2009 Than Ngo <than@redhat.com> - 4.3.0-1
- 4.3.0
* Wed Jul 29 2009 Rex Dieter <rdieter@fedoraproject.org> - 4.2.98-4
- -devel: Conflicts: kdebase-runtime < 4.2.90, kdebase-workspace-devel < 4.2.90
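Review bot: The new changelog entry in the last hunk of this section records only `- 4.3.0`, while the same section drops Patch100–Patch103 (CVE-2009-2537, CVE-2009-1725, CVE-2009-1687, CVE-2009-1698) from the Patch lines and the %prep block; nothing on the page states that the 4.3.0 tarball carries those fixes, which the `# 4.3 branch` comment above the removed lines only implies. Suggest extending the entry with `- drop CVE-2009-2537/-1725/-1687/-1698 backports, fixed upstream in 4.3.0` so the security tracker can tie the fixes to this build, and confirming against the 4.3.0 sources before building, since the removed CVE-2009-1687 line carried a FIXME that the backport still aborted. The rendered hunks omit the removed blank lines, so the exact placement of the dropped lines is inferred.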


@ -1 +1 @@
57d29dbd24afb72c03545ba583c8347f kdelibs-4.2.98.tar.bz2
ea54f71bcbb0cf96bb6d94c019de8bb5 kdelibs-4.3.0.tar.bz2