From 97c30bc66df9875bee6f3b18f67dff5a2dd27d5c Mon Sep 17 00:00:00 2001
From: Kevin Kofler
Date: Mon, 13 Jan 2014 21:01:51 +0100
Subject: [PATCH] fix QTBUG-35459 and fix QTBUG-35460
* Mon Jan 13 2014 Kevin Kofler - 4.8.5-14
- fix QTBUG-35459 (too low entityCharacterLimit=1024 for CVE-2013-4549)
- fix QTBUG-35460 (error message for CVE-2013-4549 is misspelled)
---
 ...rywhere-opensource-src-4.8.5-QTBUG-35459.patch | 12 ++++++++++++
 ...rywhere-opensource-src-4.8.5-QTBUG-35460.patch | 12 ++++++++++++
 qt.spec | 15 ++++++++++++++-
 3 files changed, 38 insertions(+), 1 deletion(-)
 create mode 100644 qt-everywhere-opensource-src-4.8.5-QTBUG-35459.patch
 create mode 100644 qt-everywhere-opensource-src-4.8.5-QTBUG-35460.patch
diff --git a/qt-everywhere-opensource-src-4.8.5-QTBUG-35459.patch b/qt-everywhere-opensource-src-4.8.5-QTBUG-35459.patch
new file mode 100644
index 0000000..dede832
--- /dev/null
+++ b/qt-everywhere-opensource-src-4.8.5-QTBUG-35459.patch
@@ -0,0 +1,12 @@
+diff -ur qt-everywhere-opensource-src-4.8.5-CVE-2013-4549/src/xml/sax/qxml.cpp qt-everywhere-opensource-src-4.8.5-QTBUG-35459/src/xml/sax/qxml.cpp
+--- qt-everywhere-opensource-src-4.8.5-CVE-2013-4549/src/xml/sax/qxml.cpp 2013-12-05 19:23:33.000000000 +0100
++++ qt-everywhere-opensource-src-4.8.5-QTBUG-35459/src/xml/sax/qxml.cpp 2014-01-13 20:13:59.000000000 +0100
+@@ -428,7 +428,7 @@
+ // for the DTD currently being parsed.
+ static const int dtdRecursionLimit = 2;
+ // The maximum amount of characters an entity value may contain, after expansion.
+- static const int entityCharacterLimit = 1024;
++ static const int entityCharacterLimit = 65536;
+
+ const QString &string();
+ void stringClear();
diff --git a/qt-everywhere-opensource-src-4.8.5-QTBUG-35460.patch b/qt-everywhere-opensource-src-4.8.5-QTBUG-35460.patch
new file mode 100644
index 0000000..e0f4bc8
--- /dev/null
+++ b/qt-everywhere-opensource-src-4.8.5-QTBUG-35460.patch
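Review bot: The new `entityCharacterLimit = 65536` in qt-everywhere-opensource-src-4.8.5-QTBUG-35459.patch is an unexplained magic number on the bound that exists to contain entity expansion (CVE-2013-4549), and the comment above it still only says what the constant is. The limit is compared per entity (`expandedSizes[entity] > entityCharacterLimit`, visible in the QTBUG-35460 patch), so a 64-fold increase presumably raises the worst-case expanded size a single document can force by the same factor; whether anything caps the total across entities is not visible here. I would record the rationale beside the value, for example `// Raised from 1024, which QTBUG-35459 reports as too low; this still bounds entity expansion (CVE-2013-4549).`. A regression test with one entity just under and one just over the limit would pin the intended behaviour. The enclosing declaration starts and ends outside the hunk.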
@@ -0,0 +1,12 @@
+diff -ur qt-everywhere-opensource-src-4.8.5-CVE-2013-4549/src/xml/sax/qxml.cpp qt-everywhere-opensource-src-4.8.5-QTBUG-35460/src/xml/sax/qxml.cpp
+--- qt-everywhere-opensource-src-4.8.5-CVE-2013-4549/src/xml/sax/qxml.cpp 2013-12-05 19:23:33.000000000 +0100
++++ qt-everywhere-opensource-src-4.8.5-QTBUG-35460/src/xml/sax/qxml.cpp 2014-01-13 20:15:11.000000000 +0100
+@@ -6674,7 +6674,7 @@
+
+ if (expandedSizes[entity] > entityCharacterLimit) {
+ if (errorMessage) {
+- *errorMessage = QString::fromLatin1("The XML entity \"%1\" expands too a string that is too large to process (%2 characters > %3).");
++ *errorMessage = QString::fromLatin1("The XML entity \"%1\" expands to a string that is too large to process (%2 characters > %3).");
+ *errorMessage = (*errorMessage).arg(entity).arg(expandedSizes[entity]).arg(entityCharacterLimit);
+ }
+ return true;
diff --git a/qt.spec b/qt.spec
index e66a054..680b8f3 100644
--- a/qt.spec
+++ b/qt.spec
@@ -29,7 +29,7 @@ Summary: Qt toolkit Name: qt Epoch: 1 Version: 4.8.5 -Release: 13%{?dist} +Release: 14%{?dist} # See LGPL_EXCEPTIONS.txt, LICENSE.GPL3, respectively, for exception details License: (LGPLv2 with exceptions or GPLv3 with exceptions) and ASL 2.0 and BSD and FTL and MIT
@@ -142,6 +142,12 @@ Patch82: qt-everywhere-opensource-src-4.8.5-QTBUG-4862.patch # poll support Patch83: qt-4.8-poll.patch +# fix QTBUG-35459 (too low entityCharacterLimit=1024 for CVE-2013-4549) +Patch84: qt-everywhere-opensource-src-4.8.5-QTBUG-35459.patch + +# fix QTBUG-35460 (error message for CVE-2013-4549 is misspelled) +Patch85: qt-everywhere-opensource-src-4.8.5-QTBUG-35460.patch + # upstream patches # http://codereview.qt-project.org/#change,22006 Patch100: qt-everywhere-opensource-src-4.8.1-qtgahandle.patch
@@ -544,6 +550,9 @@ rm -fv mkspecs/linux-g++*/qmake.conf.multilib-optflags # security fixes %patch1147 -p1 -b .0147 %patch1162 -p1 -b .0162 +# regression fixes for the security fixes +%patch84 -p1 -b .QTBUG-35459 +%patch85 -p1 -b .QTBUG-35460 # drop -fexceptions from $RPM_OPT_FLAGS RPM_OPT_FLAGS=`echo $RPM_OPT_FLAGS | sed 's|-fexceptions||g'`
@@ -1240,6 +1249,10 @@ fi %changelog +* Mon Jan 13 2014 Kevin Kofler - 4.8.5-14 +- fix QTBUG-35459 (too low entityCharacterLimit=1024 for CVE-2013-4549) +- fix QTBUG-35460 (error message for CVE-2013-4549 is misspelled) + * Mon Dec 23 2013 Peter Robinson 4.8.5-13 - Add support for aarch64 (#1046360)