From e57cb8baa23a680c54ea2f6a7583305ab4f61229 Mon Sep 17 00:00:00 2001 From: Kevin Kofler Date: Sun, 26 Jul 2009 03:09:15 +0000 Subject: [PATCH] - fix CVE-2009-2537 - select length DoS - fix CVE-2009-1725 - crash, possible ACE in numeric character references - fix CVE-2009-1690 - crash, possible ACE in KHTML ( use-after-free) - fix CVE-2009-1687 - possible ACE in KJS (FIXME: still crashes?) - fix CVE-2009-1698 - crash, possible ACE in CSS style attribute handling --- kdelibs-3.5.10-cve-2009-1725.patch | 13 + ...s-3.5.10-cve-2009-2537-select-length.patch | 30 + kdelibs-3.5.4-CVE-2009-1687.patch | 20 + kdelibs-3.5.4-CVE-2009-1690.patch | 545 ++++++++++++++++++ kdelibs-3.5.4-CVE-2009-1698.patch | 57 ++ kdelibs3.spec | 28 +- 6 files changed, 690 insertions(+), 3 deletions(-) create mode 100644 kdelibs-3.5.10-cve-2009-1725.patch create mode 100644 kdelibs-3.5.10-cve-2009-2537-select-length.patch create mode 100644 kdelibs-3.5.4-CVE-2009-1687.patch create mode 100644 kdelibs-3.5.4-CVE-2009-1690.patch create mode 100644 kdelibs-3.5.4-CVE-2009-1698.patch diff --git a/kdelibs-3.5.10-cve-2009-1725.patch b/kdelibs-3.5.10-cve-2009-1725.patch new file mode 100644 index 0000000..ee8fdbc --- /dev/null +++ b/kdelibs-3.5.10-cve-2009-1725.patch @@ -0,0 +1,13 @@ +Index: khtml/html/htmltokenizer.cpp +=================================================================== +--- khtml/html/htmltokenizer.cpp (revision 1002163) ++++ khtml/html/htmltokenizer.cpp (revision 1002164) +@@ -736,7 +736,7 @@ + #ifdef TOKEN_DEBUG + kdDebug( 6036 ) << "unknown entity!" << endl; + #endif +- checkBuffer(10); ++ checkBuffer(11); + // ignore the sequence, add it to the buffer as plaintext + *dest++ = '&'; + for(unsigned int i = 0; i < cBufferPos; i++) diff --git a/kdelibs-3.5.10-cve-2009-2537-select-length.patch b/kdelibs-3.5.10-cve-2009-2537-select-length.patch new file mode 100644 index 0000000..5972b0a --- /dev/null +++ b/kdelibs-3.5.10-cve-2009-2537-select-length.patch @@ -0,0 +1,30 @@ +diff -ur kdelibs-3.5.10/khtml/ecma/kjs_html.cpp kdelibs-3.5.10-cve-2009-2537-select-length/khtml/ecma/kjs_html.cpp +--- kdelibs-3.5.10/khtml/ecma/kjs_html.cpp 2008-02-13 10:41:09.000000000 +0100 ++++ kdelibs-3.5.10-cve-2009-2537-select-length/khtml/ecma/kjs_html.cpp 2009-07-26 04:54:52.000000000 +0200 +@@ -62,6 +62,9 @@ + + #include + ++// CVE-2009-2537 (vendors agreed on max 10000 elements) ++#define MAX_SELECT_LENGTH 10000 ++ + namespace KJS { + + KJS_DEFINE_PROTOTYPE_WITH_PROTOTYPE(HTMLDocumentProto, DOMDocumentProto) +@@ -2550,8 +2553,14 @@ + case SelectValue: { select.setValue(str); return; } + case SelectLength: { // read-only according to the NS spec, but webpages need it writeable + Object coll = Object::dynamicCast( getSelectHTMLCollection(exec, select.options(), select) ); +- if ( coll.isValid() ) +- coll.put(exec,"length",value); ++ ++ if ( coll.isValid() ) { ++ if (value.toInteger(exec) >= MAX_SELECT_LENGTH) { ++ Object err = Error::create(exec, RangeError); ++ exec->setException(err); ++ } else ++ coll.put(exec, "length", value); ++ } + return; + } + // read-only: form diff --git a/kdelibs-3.5.4-CVE-2009-1687.patch b/kdelibs-3.5.4-CVE-2009-1687.patch new file mode 100644 index 0000000..6ffc463 --- /dev/null +++ b/kdelibs-3.5.4-CVE-2009-1687.patch @@ -0,0 +1,20 @@ +--- kdelibs-3.5.4/kjs/collector.cpp.CVE-2009-1687 2009-06-17 15:07:33.000000000 +0200 ++++ kdelibs-3.5.4/kjs/collector.cpp 2009-06-20 00:42:48.000000000 +0200 +@@ -23,6 +23,7 @@ + + #include "value.h" + #include "internal.h" ++#include + + #ifndef MAX + #define MAX(a,b) ((a) > (b) ? (a) : (b)) +@@ -119,6 +120,9 @@ + // didn't find one, need to allocate a new block + + if (heap.usedBlocks == heap.numBlocks) { ++ static const size_t maxNumBlocks = ULONG_MAX / sizeof(CollectorBlock*) / GROWTH_FACTOR; ++ if (heap.numBlocks > maxNumBlocks) ++ return 0L; + heap.numBlocks = MAX(MIN_ARRAY_SIZE, heap.numBlocks * GROWTH_FACTOR); + heap.blocks = (CollectorBlock **)realloc(heap.blocks, heap.numBlocks * sizeof(CollectorBlock *)); + } diff --git a/kdelibs-3.5.4-CVE-2009-1690.patch b/kdelibs-3.5.4-CVE-2009-1690.patch new file mode 100644 index 0000000..2972d0e --- /dev/null +++ b/kdelibs-3.5.4-CVE-2009-1690.patch @@ -0,0 +1,545 @@ +--- kdelibs-3.5.4/khtml/html/RefPtr.h.CVE-2009-1690 2009-06-17 14:19:00.000000000 +0200 ++++ kdelibs-3.5.4/khtml/html/RefPtr.h 2009-06-17 14:19:00.000000000 +0200 +@@ -0,0 +1,202 @@ ++// -*- mode: c++; c-basic-offset: 4 -*- ++/* ++ * Copyright (C) 2005, 2006, 2007, 2008 Apple Inc. All rights reserved. ++ * ++ * This library is free software; you can redistribute it and/or ++ * modify it under the terms of the GNU Library General Public ++ * License as published by the Free Software Foundation; either ++ * version 2 of the License, or (at your option) any later version. ++ * ++ * This library is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ * Library General Public License for more details. ++ * ++ * You should have received a copy of the GNU Library General Public License ++ * along with this library; see the file COPYING.LIB. If not, write to ++ * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, ++ * Boston, MA 02110-1301, USA. ++ * ++ */ ++ ++#ifndef WTF_RefPtr_h ++#define WTF_RefPtr_h ++ ++#include ++#include "AlwaysInline.h" ++ ++namespace WTF { ++ ++ enum PlacementNewAdoptType { PlacementNewAdopt }; ++ ++ template class PassRefPtr; ++ ++ enum HashTableDeletedValueType { HashTableDeletedValue }; ++ ++ template class RefPtr { ++ public: ++ RefPtr() : m_ptr(0) { } ++ RefPtr(T* ptr) : m_ptr(ptr) { if (ptr) ptr->ref(); } ++ RefPtr(const RefPtr& o) : m_ptr(o.m_ptr) { if (T* ptr = m_ptr) ptr->ref(); } ++ // see comment in PassRefPtr.h for why this takes const reference ++ template RefPtr(const PassRefPtr&); ++ ++ // Special constructor for cases where we overwrite an object in place. ++ RefPtr(PlacementNewAdoptType) { } ++ ++ // Hash table deleted values, which are only constructed and never copied or destroyed. ++ RefPtr(HashTableDeletedValueType) : m_ptr(hashTableDeletedValue()) { } ++ bool isHashTableDeletedValue() const { return m_ptr == hashTableDeletedValue(); } ++ ++ ~RefPtr() { if (T* ptr = m_ptr) ptr->deref(); } ++ ++ template RefPtr(const RefPtr& o) : m_ptr(o.get()) { if (T* ptr = m_ptr) ptr->ref(); } ++ ++ T* get() const { return m_ptr; } ++ ++ void clear() { if (T* ptr = m_ptr) ptr->deref(); m_ptr = 0; } ++ PassRefPtr release() { PassRefPtr tmp = adoptRef(m_ptr); m_ptr = 0; return tmp; } ++ ++ T& operator*() const { return *m_ptr; } ++ ALWAYS_INLINE T* operator->() const { return m_ptr; } ++ ++ bool operator!() const { return !m_ptr; } ++ ++ // This conversion operator allows implicit conversion to bool but not to other integer types. ++ typedef T* RefPtr::*UnspecifiedBoolType; ++ operator UnspecifiedBoolType() const { return m_ptr ? &RefPtr::m_ptr : 0; } ++ ++ RefPtr& operator=(const RefPtr&); ++ RefPtr& operator=(T*); ++ RefPtr& operator=(const PassRefPtr&); ++ template RefPtr& operator=(const RefPtr&); ++ template RefPtr& operator=(const PassRefPtr&); ++ ++ void swap(RefPtr&); ++ ++ private: ++ static T* hashTableDeletedValue() { return reinterpret_cast(-1); } ++ ++ T* m_ptr; ++ }; ++ ++ template template inline RefPtr::RefPtr(const PassRefPtr& o) ++ : m_ptr(o.releaseRef()) ++ { ++ } ++ ++ template inline RefPtr& RefPtr::operator=(const RefPtr& o) ++ { ++ T* optr = o.get(); ++ if (optr) ++ optr->ref(); ++ T* ptr = m_ptr; ++ m_ptr = optr; ++ if (ptr) ++ ptr->deref(); ++ return *this; ++ } ++ ++ template template inline RefPtr& RefPtr::operator=(const RefPtr& o) ++ { ++ T* optr = o.get(); ++ if (optr) ++ optr->ref(); ++ T* ptr = m_ptr; ++ m_ptr = optr; ++ if (ptr) ++ ptr->deref(); ++ return *this; ++ } ++ ++ template inline RefPtr& RefPtr::operator=(T* optr) ++ { ++ if (optr) ++ optr->ref(); ++ T* ptr = m_ptr; ++ m_ptr = optr; ++ if (ptr) ++ ptr->deref(); ++ return *this; ++ } ++ ++ template inline RefPtr& RefPtr::operator=(const PassRefPtr& o) ++ { ++ T* ptr = m_ptr; ++ m_ptr = o.releaseRef(); ++ if (ptr) ++ ptr->deref(); ++ return *this; ++ } ++ ++ template template inline RefPtr& RefPtr::operator=(const PassRefPtr& o) ++ { ++ T* ptr = m_ptr; ++ m_ptr = o.releaseRef(); ++ if (ptr) ++ ptr->deref(); ++ return *this; ++ } ++ ++ template inline void RefPtr::swap(RefPtr& o) ++ { ++ std::swap(m_ptr, o.m_ptr); ++ } ++ ++ template inline void swap(RefPtr& a, RefPtr& b) ++ { ++ a.swap(b); ++ } ++ ++ template inline bool operator==(const RefPtr& a, const RefPtr& b) ++ { ++ return a.get() == b.get(); ++ } ++ ++ template inline bool operator==(const RefPtr& a, U* b) ++ { ++ return a.get() == b; ++ } ++ ++ template inline bool operator==(T* a, const RefPtr& b) ++ { ++ return a == b.get(); ++ } ++ ++ template inline bool operator!=(const RefPtr& a, const RefPtr& b) ++ { ++ return a.get() != b.get(); ++ } ++ ++ template inline bool operator!=(const RefPtr& a, U* b) ++ { ++ return a.get() != b; ++ } ++ ++ template inline bool operator!=(T* a, const RefPtr& b) ++ { ++ return a != b.get(); ++ } ++ ++ template inline RefPtr static_pointer_cast(const RefPtr& p) ++ { ++ return RefPtr(static_cast(p.get())); ++ } ++ ++ template inline RefPtr const_pointer_cast(const RefPtr& p) ++ { ++ return RefPtr(const_cast(p.get())); ++ } ++ ++ template inline T* getPtr(const RefPtr& p) ++ { ++ return p.get(); ++ } ++ ++} // namespace WTF ++ ++using WTF::RefPtr; ++using WTF::static_pointer_cast; ++using WTF::const_pointer_cast; ++ ++#endif // WTF_RefPtr_h +--- kdelibs-3.5.4/khtml/html/htmlparser.cpp.CVE-2009-1690 2006-07-22 10:16:43.000000000 +0200 ++++ kdelibs-3.5.4/khtml/html/htmlparser.cpp 2009-06-17 11:51:15.000000000 +0200 +@@ -199,7 +199,6 @@ + + form = 0; + map = 0; +- head = 0; + end = false; + isindex = 0; + +@@ -616,8 +615,7 @@ + case ID_BASE: + if(!head) { + head = new HTMLHeadElementImpl(document); +- e = head; +- insertNode(e); ++ insertNode(head.get()); + handled = true; + } + break; +@@ -839,7 +837,7 @@ + case ID_HEAD: + if(!head && current->id() == ID_HTML) { + head = new HTMLHeadElementImpl(document); +- n = head; ++ n = head.get(); + } + break; + case ID_BODY: +@@ -1679,12 +1677,12 @@ + head = new HTMLHeadElementImpl(document); + HTMLElementImpl *body = doc()->body(); + int exceptioncode = 0; +- doc()->firstChild()->insertBefore(head, body, exceptioncode); ++ doc()->firstChild()->insertBefore(head.get(), body, exceptioncode); + if ( exceptioncode ) { + #ifdef PARSER_DEBUG + kdDebug( 6035 ) << "creation of head failed!!!!" << endl; + #endif +- delete head; ++ delete head.get(); + head = 0; + } + } +--- kdelibs-3.5.4/khtml/html/Platform.h.CVE-2009-1690 2009-06-17 14:19:07.000000000 +0200 ++++ kdelibs-3.5.4/khtml/html/Platform.h 2009-06-17 14:19:07.000000000 +0200 +@@ -0,0 +1,218 @@ ++/* -*- mode: c++; c-basic-offset: 4 -*- */ ++/* ++ * Copyright (C) 2006 Apple Computer, Inc. All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in the ++ * documentation and/or other materials provided with the distribution. ++ * ++ * THIS SOFTWARE IS PROVIDED BY APPLE COMPUTER, INC. ``AS IS'' AND ANY ++ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR ++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE COMPUTER, INC. OR ++ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, ++ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, ++ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR ++ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY ++ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT ++ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE ++ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ++ */ ++ ++#ifndef WTF_Platform_h ++#define WTF_Platform_h ++ ++/* Force KDE build here in our tree... */ ++#ifndef BUILDING_KDE__ ++#define BUILDING_KDE__ 1 ++#endif ++ ++/* PLATFORM handles OS, operating environment, graphics API, and CPU */ ++#define PLATFORM(WTF_FEATURE) (defined( WTF_PLATFORM_##WTF_FEATURE ) && WTF_PLATFORM_##WTF_FEATURE) ++#define COMPILER(WTF_FEATURE) (defined( WTF_COMPILER_##WTF_FEATURE ) && WTF_COMPILER_##WTF_FEATURE) ++#define HAVE(WTF_FEATURE) (defined( HAVE_##WTF_FEATURE ) && HAVE_##WTF_FEATURE) ++#define USE(WTF_FEATURE) (defined( WTF_USE_##WTF_FEATURE ) && WTF_USE_##WTF_FEATURE) ++#define ENABLE(WTF_FEATURE) (defined( ENABLE_##WTF_FEATURE ) && ENABLE_##WTF_FEATURE) ++ ++/* Operating systems - low-level dependencies */ ++ ++/* PLATFORM(DARWIN) */ ++/* Operating system level dependencies for Mac OS X / Darwin that should */ ++/* be used regardless of operating environment */ ++#ifdef __APPLE__ ++#define WTF_PLATFORM_DARWIN 1 ++#endif ++ ++/* PLATFORM(WIN_OS) */ ++/* Operating system level dependencies for Windows that should be used */ ++/* regardless of operating environment */ ++#if defined(WIN32) || defined(_WIN32) ++#define WTF_PLATFORM_WIN_OS 1 ++#endif ++ ++/* PLATFORM(UNIX) */ ++/* Operating system level dependencies for Unix-like systems that */ ++/* should be used regardless of operating environment */ ++/* (includes PLATFORM(DARWIN)) */ ++#if defined(__APPLE__) \ ++ || defined(unix) \ ++ || defined(__unix) \ ++ || defined(__unix__) \ ++ || defined (__NetBSD__) \ ++ || defined(_AIX) ++#define WTF_PLATFORM_UNIX 1 ++#endif ++ ++/* PLATFORM(SOLARIS_OS) */ ++/* Operating system level dependencies for Sun (Open)Solaris 10. */ ++/* Studio 12 on Solaris defines __SunOS; gcc defines __sun__; */ ++/* Both compilers define __sun and sun. */ ++#if defined(__sun) || defined(sun) ++#define WTF_PLATFORM_SOLARIS_OS 1 ++#endif ++ ++/* Operating environments */ ++ ++/* I made the BUILDING_KDE__ macro up for the KDE build system to define */ ++ ++/* PLATFORM(KDE) */ ++/* PLATFORM(MAC) */ ++/* PLATFORM(WIN) */ ++#if BUILDING_KDE__ ++#define WTF_PLATFORM_KDE 1 ++#elif PLATFORM(DARWIN) ++#define WTF_PLATFORM_MAC 1 ++#elif PLATFORM(WIN_OS) ++#define WTF_PLATFORM_WIN 1 ++#endif ++#if defined(BUILDING_GDK__) ++#define WTF_PLATFORM_GDK 1 ++#endif ++ ++ ++/* CPU */ ++ ++/* PLATFORM(PPC) */ ++#if defined(__ppc__) \ ++ || defined(__PPC__) \ ++ || defined(__powerpc__) \ ++ || defined(__powerpc) \ ++ || defined(__POWERPC__) \ ++ || defined(_M_PPC) \ ++ || defined(__PPC) ++#define WTF_PLATFORM_PPC 1 ++#define WTF_PLATFORM_BIG_ENDIAN 1 ++#endif ++ ++/* PLATFORM(PPC64) */ ++#if defined(__ppc64__) \ ++ || defined(__PPC64__) ++#define WTF_PLATFORM_PPC64 1 ++#define WTF_PLATFORM_BIG_ENDIAN 1 ++#endif ++ ++#if defined(arm) ++#define WTF_PLATFORM_ARM 1 ++#if defined(__ARMEB__) ++#define WTF_PLATFORM_BIG_ENDIAN 1 ++#elif !defined(__ARM_EABI__) && !defined(__ARMEB__) ++#define WTF_PLATFORM_MIDDLE_ENDIAN 1 ++#endif ++#if !defined(__ARM_EABI__) ++#define WTF_PLATFORM_FORCE_PACK 1 ++#endif ++#endif ++ ++/* PLATFORM(X86) */ ++#if defined(__i386__) \ ++ || defined(i386) \ ++ || defined(_M_IX86) \ ++ || defined(_X86_) \ ++ || defined(__THW_INTEL) ++#define WTF_PLATFORM_X86 1 ++#endif ++ ++/* PLATFORM(X86_64) */ ++#if defined(__x86_64__) \ ++ || defined(__ia64__) ++#define WTF_PLATFORM_X86_64 1 ++#endif ++ ++/* PLATFORM(SPARC) */ ++#if defined(sparc) ++#define WTF_PLATFORM_SPARC 1 ++#endif ++ ++/* Compiler */ ++ ++/* COMPILER(CWP) */ ++#if defined(__MWERKS__) ++#define WTF_COMPILER_CWP 1 ++#endif ++ ++/* COMPILER(MSVC) */ ++#if defined(_MSC_VER) ++#define WTF_COMPILER_MSVC 1 ++#endif ++ ++/* COMPILER(GCC) */ ++#if defined(__GNUC__) ++#define WTF_COMPILER_GCC 1 ++#endif ++ ++/* COMPILER(SUNPRO) */ ++#if defined(__SUNPRO_CC) ++#define WTF_COMPILER_SUNPRO 1 ++#endif ++ ++/* COMPILER(BORLAND) */ ++/* not really fully supported - is this relevant any more? */ ++#if defined(__BORLANDC__) ++#define WTF_COMPILER_BORLAND 1 ++#endif ++ ++/* COMPILER(CYGWIN) */ ++/* not really fully supported - is this relevant any more? */ ++#if defined(__CYGWIN__) ++#define WTF_COMPILER_CYGWIN 1 ++#endif ++ ++/* multiple threads only supported on Mac for now */ ++#if PLATFORM(MAC) ++#ifndef WTF_USE_MULTIPLE_THREADS ++#define WTF_USE_MULTIPLE_THREADS 1 ++#endif ++#ifndef WTF_USE_BINDINGS ++#define WTF_USE_BINDINGS 1 ++#endif ++#endif ++ ++/* for Unicode, KDE uses Qt, everything else uses ICU */ ++#if PLATFORM(KDE) || PLATFORM(QT) ++#define WTF_USE_QT4_UNICODE 1 ++#elif PLATFORM(SYMBIAN) ++#define WTF_USE_SYMBIAN_UNICODE 1 ++#else ++#define WTF_USE_ICU_UNICODE 1 ++#endif ++ ++#if PLATFORM(MAC) ++#define WTF_PLATFORM_CF 1 ++#endif ++ ++#if PLATFORM(WIN) ++#define WTF_USE_WININET 1 ++#endif ++ ++#if PLATFORM(GDK) ++#define WTF_USE_CURL 1 ++#endif ++ ++/* ENABLE macro defaults */ ++ ++#endif /* WTF_Platform_h */ +--- kdelibs-3.5.4/khtml/html/AlwaysInline.h.CVE-2009-1690 2009-06-17 14:18:52.000000000 +0200 ++++ kdelibs-3.5.4/khtml/html/AlwaysInline.h 2009-06-17 13:56:36.000000000 +0200 +@@ -0,0 +1,49 @@ ++/* ++ * Copyright (C) 2005, 2007 Apple Inc. All rights reserved. ++ * ++ * This library is free software; you can redistribute it and/or ++ * modify it under the terms of the GNU Library General Public ++ * License as published by the Free Software Foundation; either ++ * version 2 of the License, or (at your option) any later version. ++ * ++ * This library is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ * Library General Public License for more details. ++ * ++ * You should have received a copy of the GNU Library General Public License ++ * along with this library; see the file COPYING.LIB. If not, write to ++ * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, ++ * Boston, MA 02110-1301, USA. ++ * ++ */ ++ ++#include "html/Platform.h" ++ ++ ++#ifndef ALWAYS_INLINE ++#if COMPILER(GCC) && defined(NDEBUG) && __GNUC__ > 3 ++#define ALWAYS_INLINE inline __attribute__ ((__always_inline__)) ++#elif COMPILER(MSVC) && defined(NDEBUG) ++#define ALWAYS_INLINE __forceinline ++#else ++#define ALWAYS_INLINE inline ++#endif ++#endif ++ ++#ifndef ALWAYS_INLINE_INTO ++#if COMPILER(GCC) && defined(NDEBUG) && ((__GNUC__ == 4 && __GNUC_MINOR__ >= 1) || __GNUC__ > 4) ++#define ALWAYS_INLINE_INTO __attribute__ ((__flatten__)) ++#else ++#define ALWAYS_INLINE_INTO ++#endif ++#endif ++ ++ ++#ifndef NEVER_INLINE ++#if COMPILER(GCC) && __GNUC__ > 3 ++#define NEVER_INLINE __attribute__ ((__noinline__)) ++#else ++#define NEVER_INLINE ++#endif ++#endif +--- kdelibs-3.5.4/khtml/html/htmlparser.h.CVE-2009-1690 2005-10-10 17:06:04.000000000 +0200 ++++ kdelibs-3.5.4/khtml/html/htmlparser.h 2009-06-17 14:42:27.000000000 +0200 +@@ -38,10 +38,10 @@ + #include + #endif + +- + #include "dom/dom_string.h" + #include "xml/dom_nodeimpl.h" + #include "html/html_documentimpl.h" ++#include "html/RefPtr.h" + + class KHTMLView; + class HTMLStackElem; +@@ -148,7 +148,7 @@ + /* + * the head element. Needed for crappy html which defines after + */ +- DOM::HTMLHeadElementImpl *head; ++ RefPtr head; + + /* + * a possible element in the head. Compatibility hack for diff --git a/kdelibs-3.5.4-CVE-2009-1698.patch b/kdelibs-3.5.4-CVE-2009-1698.patch new file mode 100644 index 0000000..171f2e3 --- /dev/null +++ b/kdelibs-3.5.4-CVE-2009-1698.patch @@ -0,0 +1,57 @@ +--- kdelibs-3.5.4/khtml/css/css_valueimpl.cpp.CVE-2009-1698 2009-06-18 10:59:23.000000000 +0200 ++++ kdelibs-3.5.4/khtml/css/css_valueimpl.cpp 2009-06-18 12:53:44.000000000 +0200 +@@ -736,7 +736,9 @@ + text = getValueName(m_value.ident); + break; + case CSSPrimitiveValue::CSS_ATTR: +- // ### ++ text = "attr("; ++ text += DOMString( m_value.string ); ++ text += ")"; + break; + case CSSPrimitiveValue::CSS_COUNTER: + text = "counter("; +--- kdelibs-3.5.4/khtml/css/cssparser.cpp.CVE-2009-1698 2009-06-18 10:37:13.000000000 +0200 ++++ kdelibs-3.5.4/khtml/css/cssparser.cpp 2009-06-23 13:05:20.000000000 +0200 +@@ -1318,6 +1318,7 @@ + + Value *val; + CSSValueImpl *parsedValue = 0; ++ bool valid = true; + while ( (val = valueList->current()) ) { + if ( val->unit == CSSPrimitiveValue::CSS_URI ) { + // url +@@ -1336,6 +1337,14 @@ + if ( args->size() != 1) + return false; + Value *a = args->current(); ++ if (a->unit != CSSPrimitiveValue::CSS_IDENT) { ++ valid=false; ++ break; ++ } ++ if (qString(a->string)[0] == '-') { ++ valid=false; ++ break; ++ } + parsedValue = new CSSPrimitiveValueImpl(domString(a->string), CSSPrimitiveValue::CSS_ATTR); + } + else +@@ -1367,7 +1376,7 @@ + break; + valueList->next(); + } +- if ( values->length() ) { ++ if ( valid && values->length() ) { + addProperty( propId, values, important ); + valueList->next(); + return true; +@@ -1384,7 +1393,8 @@ + + CounterImpl *counter = new CounterImpl; + Value *i = args->current(); +-// if (i->unit != CSSPrimitiveValue::CSS_IDENT) goto invalid; ++ if (i->unit != CSSPrimitiveValue::CSS_IDENT) goto invalid; ++ if (qString(i->string)[0] == '-') goto invalid; + counter->m_identifier = domString(i->string); + if (counters) { + i = args->next(); diff --git a/kdelibs3.spec b/kdelibs3.spec index c588e07..6a46930 100644 --- a/kdelibs3.spec +++ b/kdelibs3.spec @@ -36,7 +36,7 @@ Summary: K Desktop Environment 3 - Libraries Version: 3.5.10 -Release: 12%{?dist} +Release: 13%{?dist} %if 0%{?fedora} > 8 Name: kdelibs3 @@ -97,7 +97,17 @@ Patch101: kde-3.5-libtool-shlibext.patch Patch103: kdelibs-3.5.0-101956.patch Patch104: kdelibs-3.5.10-gcc44.patch -## upstream patches +## security fixes +# fix CVE-2009-2537 - select length DoS +Patch200: kdelibs-3.5.10-cve-2009-2537-select-length.patch +# fix CVE-2009-1725 - crash, possible ACE in numeric character references +Patch201: kdelibs-3.5.10-cve-2009-1725.patch +# fix CVE-2009-1690 - crash, possible ACE in KHTML ( use-after-free) +Patch202: kdelibs-3.5.4-CVE-2009-1687.patch +# fix CVE-2009-1687 - possible ACE in KJS (FIXME: still crashes?) +Patch203: kdelibs-3.5.4-CVE-2009-1690.patch +# fix CVE-2009-1698 - crash, possible ACE in CSS style attribute handling +Patch204: kdelibs-3.5.4-CVE-2009-1698.patch #{?arts:Requires: arts >= %{arts_ev}} #Requires: %{qt3} >= %{qt3_ev} @@ -273,7 +283,12 @@ format for easy browsing %patch101 -p1 -b .libtool-shlibext %patch104 -p1 -b .gcc44 -# upstream patches +# security fixes +%patch200 -p1 -b .cve-2009-2537 +%patch201 -p0 -b .cve-2009-1725 +%patch202 -p1 -b .cve-2009-1687 +%patch203 -p1 -b .cve-2009-1690 +%patch204 -p1 -b .cve-2009-1698 sed -i -e "s,^#define KDE_VERSION_STRING .*,#define KDE_VERSION_STRING \"%{version}-%{release} %{distname}\"," kdecore/kdeversion.h @@ -625,6 +640,13 @@ touch --no-create %{_datadir}/icons/crystalsvg 2> /dev/null || : %changelog +* Sun Jul 26 2009 Kevin Kofler - 3.5.10-13 +- fix CVE-2009-2537 - select length DoS +- fix CVE-2009-1725 - crash, possible ACE in numeric character references +- fix CVE-2009-1690 - crash, possible ACE in KHTML ( use-after-free) +- fix CVE-2009-1687 - possible ACE in KJS (FIXME: still crashes?) +- fix CVE-2009-1698 - crash, possible ACE in CSS style attribute handling + * Fri Jul 24 2009 Fedora Release Engineering - 3.5.10-12 - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild