rpms
/
kdelibs3
2
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Rebase CVE-2009-1698 patch.

This commit is contained in:
Kevin Kofler 2009-07-26 03:49:33 +00:00
parent e57cb8baa2
commit 5e929decd1
2 changed files with 32 additions and 47 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

77
kdelibs-3.5.4-CVE-2009-1698.patch → kdelibs-3.5.10-cve-2009-1698.patch
View File

@ -1,5 +1,34 @@
--- kdelibs-3.5.4/khtml/css/css_valueimpl.cpp.CVE-2009-1698 2009-06-18 10:59:23.000000000 +0200
+++ kdelibs-3.5.4/khtml/css/css_valueimpl.cpp 2009-06-18 12:53:44.000000000 +0200
diff -ur kdelibs-3.5.10/khtml/css/cssparser.cpp kdelibs-3.5.10-cve-2009-1698/khtml/css/cssparser.cpp
--- kdelibs-3.5.10/khtml/css/cssparser.cpp 2007-01-15 12:34:04.000000000 +0100
+++ kdelibs-3.5.10-cve-2009-1698/khtml/css/cssparser.cpp 2009-07-26 05:46:39.000000000 +0200
@@ -1344,6 +1344,14 @@
if ( args->size() != 1)
return false;
Value *a = args->current();
+ if (a->unit != CSSPrimitiveValue::CSS_IDENT) {
+ isValid=false;
+ break;
+ }
+ if (qString(a->string)[0] == '-') {
+ isValid=false;
+ break;
+ }
parsedValue = new CSSPrimitiveValueImpl(domString(a->string), CSSPrimitiveValue::CSS_ATTR);
}
else
@@ -1396,7 +1404,8 @@
CounterImpl *counter = new CounterImpl;
Value *i = args->current();
-// if (i->unit != CSSPrimitiveValue::CSS_IDENT) goto invalid;
+ if (i->unit != CSSPrimitiveValue::CSS_IDENT) goto invalid;
+ if (qString(i->string)[0] == '-') goto invalid;
counter->m_identifier = domString(i->string);
if (counters) {
i = args->next();
diff -ur kdelibs-3.5.10/khtml/css/css_valueimpl.cpp kdelibs-3.5.10-cve-2009-1698/khtml/css/css_valueimpl.cpp
--- kdelibs-3.5.10/khtml/css/css_valueimpl.cpp 2006-07-22 10:16:49.000000000 +0200
+++ kdelibs-3.5.10-cve-2009-1698/khtml/css/css_valueimpl.cpp 2009-07-26 05:45:36.000000000 +0200
@@ -736,7 +736,9 @@
text = getValueName(m_value.ident);
break;
@ -11,47 +40,3 @@
break;
case CSSPrimitiveValue::CSS_COUNTER:
text = "counter(";
--- kdelibs-3.5.4/khtml/css/cssparser.cpp.CVE-2009-1698 2009-06-18 10:37:13.000000000 +0200
+++ kdelibs-3.5.4/khtml/css/cssparser.cpp 2009-06-23 13:05:20.000000000 +0200
@@ -1318,6 +1318,7 @@
Value *val;
CSSValueImpl *parsedValue = 0;
+ bool valid = true;
while ( (val = valueList->current()) ) {
if ( val->unit == CSSPrimitiveValue::CSS_URI ) {
// url
@@ -1336,6 +1337,14 @@
if ( args->size() != 1)
return false;
Value *a = args->current();
+ if (a->unit != CSSPrimitiveValue::CSS_IDENT) {
+ valid=false;
+ break;
+ }
+ if (qString(a->string)[0] == '-') {
+ valid=false;
+ break;
+ }
parsedValue = new CSSPrimitiveValueImpl(domString(a->string), CSSPrimitiveValue::CSS_ATTR);
}
else
@@ -1367,7 +1376,7 @@
break;
valueList->next();
}
- if ( values->length() ) {
+ if ( valid && values->length() ) {
addProperty( propId, values, important );
valueList->next();
return true;
@@ -1384,7 +1393,8 @@
CounterImpl *counter = new CounterImpl;
Value *i = args->current();
-// if (i->unit != CSSPrimitiveValue::CSS_IDENT) goto invalid;
+ if (i->unit != CSSPrimitiveValue::CSS_IDENT) goto invalid;
+ if (qString(i->string)[0] == '-') goto invalid;
counter->m_identifier = domString(i->string);
if (counters) {
i = args->next();

2
kdelibs3.spec
View File

@ -107,7 +107,7 @@ Patch202: kdelibs-3.5.4-CVE-2009-1687.patch
# fix CVE-2009-1687 - possible ACE in KJS (FIXME: still crashes?)
Patch203: kdelibs-3.5.4-CVE-2009-1690.patch
# fix CVE-2009-1698 - crash, possible ACE in CSS style attribute handling
Patch204: kdelibs-3.5.4-CVE-2009-1698.patch
Patch204: kdelibs-3.5.10-cve-2009-1698.patch
#{?arts:Requires: arts >= %{arts_ev}}
#Requires: %{qt3} >= %{qt3_ev}