- WebKit security update: CVE-2010-0046, CVE-2010-0049, CVE-2010-0050,

CVE-2010-0051, CVE-2010-0052, CVE-2010-0054
This commit is contained in:
Jaroslav Reznik 2010-03-17 15:34:06 +00:00
parent 5e46fbec61
commit a6c166354c
7 changed files with 458 additions and 1 deletions

View File

@ -0,0 +1,267 @@
diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSGrammar.y.cve-2010-0051-lax-css-parsing-cross-domain-theft qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSGrammar.y
--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSGrammar.y.cve-2010-0051-lax-css-parsing-cross-domain-theft 2010-02-11 16:55:20.000000000 +0100
+++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSGrammar.y 2010-02-25 17:07:29.114742034 +0100
@@ -416,7 +416,9 @@ valid_rule:
;
rule:
- valid_rule
+ valid_rule {
+ static_cast<CSSParser*>(parser)->m_hadSyntacticallyValidCSSRule = true;
+ }
| invalid_rule
| invalid_at
| invalid_import
@@ -1517,8 +1519,12 @@ invalid_rule:
;
invalid_block:
- '{' error invalid_block_list error closing_brace
- | '{' error closing_brace
+ '{' error invalid_block_list error closing_brace {
+ static_cast<CSSParser*>(parser)->invalidBlockHit();
+ }
+ | '{' error closing_brace {
+ static_cast<CSSParser*>(parser)->invalidBlockHit();
+ }
;
invalid_block_list:
diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSImportRule.cpp.cve-2010-0051-lax-css-parsing-cross-domain-theft qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSImportRule.cpp
--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSImportRule.cpp.cve-2010-0051-lax-css-parsing-cross-domain-theft 2010-02-11 16:55:20.000000000 +0100
+++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSImportRule.cpp 2010-02-25 17:13:34.292803953 +0100
@@ -25,6 +25,7 @@
#include "CachedCSSStyleSheet.h"
#include "DocLoader.h"
#include "Document.h"
+#include "SecurityOrigin.h"
#include "MediaList.h"
#include "Settings.h"
#include <wtf/StdLibExtras.h>
@@ -60,11 +61,21 @@ void CSSImportRule::setCSSStyleSheet(con
m_styleSheet->setParent(0);
m_styleSheet = CSSStyleSheet::create(this, url, charset);
+ bool crossOriginCSS = false;
+ bool validMIMEType = false;
CSSStyleSheet* parent = parentStyleSheet();
bool strict = !parent || parent->useStrictParsing();
- String sheetText = sheet->sheetText(strict);
+ bool enforceMIMEType = strict;
+
+ String sheetText = sheet->sheetText(enforceMIMEType, &validMIMEType);
m_styleSheet->parseString(sheetText, strict);
+ if (!parent || !parent->doc() || !parent->doc()->securityOrigin()->canRequest(KURL(ParsedURLString, url)))
+ crossOriginCSS = true;
+
+ if (crossOriginCSS && !validMIMEType && !m_styleSheet->hasSyntacticallyValidCSSHeader())
+ m_styleSheet = CSSStyleSheet::create(this, url, charset);
+
if (strict && parent && parent->doc() && parent->doc()->settings() && parent->doc()->settings()->needsSiteSpecificQuirks()) {
// Work around <https://bugs.webkit.org/show_bug.cgi?id=28350>.
DEFINE_STATIC_LOCAL(const String, slashKHTMLFixesDotCss, ("/KHTMLFixes.css"));
diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSParser.cpp.cve-2010-0051-lax-css-parsing-cross-domain-theft qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSParser.cpp
--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSParser.cpp.cve-2010-0051-lax-css-parsing-cross-domain-theft 2010-02-25 17:07:29.101741771 +0100
+++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSParser.cpp 2010-02-25 17:07:29.117741744 +0100
@@ -139,6 +139,7 @@ CSSParser::CSSParser(bool strictParsing)
, m_currentShorthand(0)
, m_implicitShorthand(false)
, m_hasFontFaceOnlyValues(false)
+ , m_hadSyntacticallyValidCSSRule(false)
, m_defaultNamespace(starAtom)
, m_data(0)
, yy_start(1)
@@ -5175,6 +5176,12 @@ WebKitCSSKeyframeRule* CSSParser::create
return keyframePtr;
}
+void CSSParser::invalidBlockHit()
+{
+ if (m_styleSheet && !m_hadSyntacticallyValidCSSRule)
+ m_styleSheet->setHasSyntacticallyValidCSSHeader(false);
+}
+
static int cssPropertyID(const UChar* propertyName, unsigned length)
{
if (!length)
diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSParser.h.cve-2010-0051-lax-css-parsing-cross-domain-theft qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSParser.h
--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSParser.h.cve-2010-0051-lax-css-parsing-cross-domain-theft 2010-02-11 16:55:20.000000000 +0100
+++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSParser.h 2010-02-25 17:07:29.117741744 +0100
@@ -191,6 +191,7 @@ namespace WebCore {
bool addVariableDeclarationBlock(const CSSParserString&);
bool checkForVariables(CSSParserValueList*);
void addUnresolvedProperty(int propId, bool important);
+ void invalidBlockHit();
Vector<CSSSelector*>* reusableSelectorVector() { return &m_reusableSelectorVector; }
@@ -212,6 +213,7 @@ namespace WebCore {
bool m_implicitShorthand;
bool m_hasFontFaceOnlyValues;
+ bool m_hadSyntacticallyValidCSSRule;
Vector<String> m_variableNames;
Vector<RefPtr<CSSValue> > m_variableValues;
diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSStyleSheet.cpp.cve-2010-0051-lax-css-parsing-cross-domain-theft qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSStyleSheet.cpp
--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSStyleSheet.cpp.cve-2010-0051-lax-css-parsing-cross-domain-theft 2010-02-11 16:55:19.000000000 +0100
+++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSStyleSheet.cpp 2010-02-25 17:07:29.118741824 +0100
@@ -41,6 +41,7 @@ CSSStyleSheet::CSSStyleSheet(CSSStyleShe
, m_loadCompleted(false)
, m_strictParsing(!parentSheet || parentSheet->useStrictParsing())
, m_isUserStyleSheet(parentSheet ? parentSheet->isUserStyleSheet() : false)
+ , m_hasSyntacticallyValidCSSHeader(true)
{
}
@@ -52,6 +53,7 @@ CSSStyleSheet::CSSStyleSheet(Node* paren
, m_loadCompleted(false)
, m_strictParsing(false)
, m_isUserStyleSheet(false)
+ , m_hasSyntacticallyValidCSSHeader(true)
{
}
@@ -61,6 +63,7 @@ CSSStyleSheet::CSSStyleSheet(CSSRule* ow
, m_charset(charset)
, m_loadCompleted(false)
, m_strictParsing(!ownerRule || ownerRule->useStrictParsing())
+ , m_hasSyntacticallyValidCSSHeader(true)
{
CSSStyleSheet* parentSheet = ownerRule ? ownerRule->parentStyleSheet() : 0;
m_doc = parentSheet ? parentSheet->doc() : 0;
diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSStyleSheet.h.cve-2010-0051-lax-css-parsing-cross-domain-theft qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSStyleSheet.h
--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSStyleSheet.h.cve-2010-0051-lax-css-parsing-cross-domain-theft 2010-02-11 16:55:20.000000000 +0100
+++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSStyleSheet.h 2010-02-25 17:07:29.118741824 +0100
@@ -95,6 +95,8 @@ public:
void setIsUserStyleSheet(bool b) { m_isUserStyleSheet = b; }
bool isUserStyleSheet() const { return m_isUserStyleSheet; }
+ void setHasSyntacticallyValidCSSHeader(bool b) { m_hasSyntacticallyValidCSSHeader = b; }
+ bool hasSyntacticallyValidCSSHeader() const { return m_hasSyntacticallyValidCSSHeader; }
private:
CSSStyleSheet(Node* ownerNode, const String& href, const String& charset);
@@ -110,6 +112,7 @@ private:
bool m_loadCompleted : 1;
bool m_strictParsing : 1;
bool m_isUserStyleSheet : 1;
+ bool m_hasSyntacticallyValidCSSHeader : 1;
};
} // namespace
diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/ProcessingInstruction.cpp.cve-2010-0051-lax-css-parsing-cross-domain-theft qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/ProcessingInstruction.cpp
--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/ProcessingInstruction.cpp.cve-2010-0051-lax-css-parsing-cross-domain-theft 2010-02-11 16:55:19.000000000 +0100
+++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/ProcessingInstruction.cpp 2010-02-25 17:07:29.118741824 +0100
@@ -203,7 +203,10 @@ void ProcessingInstruction::setCSSStyleS
#endif
RefPtr<CSSStyleSheet> newSheet = CSSStyleSheet::create(this, url, charset);
m_sheet = newSheet;
- parseStyleSheet(sheet->sheetText());
+ // We don't need the cross-origin security check here because we are
+ // getting the sheet text in "strict" mode. This enforces a valid CSS MIME
+ // type.
+ parseStyleSheet(sheet->sheetText(true));
newSheet->setTitle(m_title);
newSheet->setMedia(MediaList::create(newSheet.get(), m_media));
newSheet->setDisabled(m_alternate);
diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLLinkElement.cpp.cve-2010-0051-lax-css-parsing-cross-domain-theft qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLLinkElement.cpp
--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLLinkElement.cpp.cve-2010-0051-lax-css-parsing-cross-domain-theft 2010-02-11 16:55:17.000000000 +0100
+++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLLinkElement.cpp 2010-02-25 17:07:29.119741915 +0100
@@ -260,14 +260,27 @@ void HTMLLinkElement::setCSSStyleSheet(c
bool strictParsing = !document()->inCompatMode();
bool enforceMIMEType = strictParsing;
+ bool crossOriginCSS = false;
+ bool validMIMEType = false;
// Check to see if we should enforce the MIME type of the CSS resource in strict mode.
// Running in iWeb 2 is one example of where we don't want to - <rdar://problem/6099748>
if (enforceMIMEType && document()->page() && !document()->page()->settings()->enforceCSSMIMETypeInStrictMode())
enforceMIMEType = false;
- String sheetText = sheet->sheetText(enforceMIMEType);
+ String sheetText = sheet->sheetText(enforceMIMEType, &validMIMEType);
m_sheet->parseString(sheetText, strictParsing);
+ // If we're loading a stylesheet cross-origin, and the MIME type is not
+ // standard, require the CSS to at least start with a syntactically
+ // valid CSS rule.
+ // This prevents an attacker playing games by injecting CSS strings into
+ // HTML, XML, JSON, etc. etc.
+ if (!document()->securityOrigin()->canRequest(KURL(ParsedURLString, url)))
+ crossOriginCSS = true;
+
+ if (crossOriginCSS && !validMIMEType && !m_sheet->hasSyntacticallyValidCSSHeader())
+ m_sheet = CSSStyleSheet::create(this, url, charset);
+
if (strictParsing && document()->settings() && document()->settings()->needsSiteSpecificQuirks()) {
// Work around <https://bugs.webkit.org/show_bug.cgi?id=28350>.
DEFINE_STATIC_LOCAL(const String, slashKHTMLFixesDotCss, ("/KHTMLFixes.css"));
diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedCSSStyleSheet.cpp.cve-2010-0051-lax-css-parsing-cross-domain-theft qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedCSSStyleSheet.cpp
--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedCSSStyleSheet.cpp.cve-2010-0051-lax-css-parsing-cross-domain-theft 2010-02-11 16:55:19.000000000 +0100
+++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedCSSStyleSheet.cpp 2010-02-25 17:07:29.119741915 +0100
@@ -71,11 +71,11 @@ String CachedCSSStyleSheet::encoding() c
return m_decoder->encoding().name();
}
-const String CachedCSSStyleSheet::sheetText(bool enforceMIMEType) const
+const String CachedCSSStyleSheet::sheetText(bool enforceMIMEType, bool* hasValidMIMEType) const
{
ASSERT(!isPurgeable());
- if (!m_data || m_data->isEmpty() || !canUseSheet(enforceMIMEType))
+ if (!m_data || m_data->isEmpty() || !canUseSheet(enforceMIMEType, hasValidMIMEType))
return String();
if (!m_decodedSheetText.isNull())
@@ -122,12 +122,12 @@ void CachedCSSStyleSheet::error()
checkNotify();
}
-bool CachedCSSStyleSheet::canUseSheet(bool enforceMIMEType) const
+bool CachedCSSStyleSheet::canUseSheet(bool enforceMIMEType, bool* hasValidMIMEType) const
{
if (errorOccurred())
return false;
- if (!enforceMIMEType)
+ if (!enforceMIMEType && !hasValidMIMEType)
return true;
// This check exactly matches Firefox. Note that we grab the Content-Type
@@ -138,7 +138,12 @@ bool CachedCSSStyleSheet::canUseSheet(bo
// This code defaults to allowing the stylesheet for non-HTTP protocols so
// folks can use standards mode for local HTML documents.
String mimeType = extractMIMETypeFromMediaType(response().httpHeaderField("Content-Type"));
- return mimeType.isEmpty() || equalIgnoringCase(mimeType, "text/css") || equalIgnoringCase(mimeType, "application/x-unknown-content-type");
+ bool typeOK = mimeType.isEmpty() || equalIgnoringCase(mimeType, "text/css") || equalIgnoringCase(mimeType, "application/x-unknown-content-type");
+ if (hasValidMIMEType)
+ *hasValidMIMEType = typeOK;
+ if (!enforceMIMEType)
+ return true;
+ return typeOK;
}
}
diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedCSSStyleSheet.h.cve-2010-0051-lax-css-parsing-cross-domain-theft qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedCSSStyleSheet.h
--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedCSSStyleSheet.h.cve-2010-0051-lax-css-parsing-cross-domain-theft 2010-02-11 16:55:19.000000000 +0100
+++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedCSSStyleSheet.h 2010-02-25 17:07:29.120741848 +0100
@@ -40,7 +40,7 @@ namespace WebCore {
CachedCSSStyleSheet(const String& URL, const String& charset);
virtual ~CachedCSSStyleSheet();
- const String sheetText(bool enforceMIMEType = true) const;
+ const String sheetText(bool enforceMIMEType = true, bool* hasValidMIMEType = 0) const;
virtual void didAddClient(CachedResourceClient*);
@@ -56,7 +56,7 @@ namespace WebCore {
void checkNotify();
private:
- bool canUseSheet(bool enforceMIMEType) const;
+ bool canUseSheet(bool enforceMIMEType, bool* hasValidMIMEType) const;
protected:
RefPtr<TextResourceDecoder> m_decoder;

View File

@ -0,0 +1,85 @@
diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLFormElement.cpp.cve-2010-0054-image-element-pointer-name-getter qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLFormElement.cpp
--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLFormElement.cpp.cve-2010-0054-image-element-pointer-name-getter 2010-02-11 16:55:17.000000000 +0100
+++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLFormElement.cpp 2010-02-25 15:50:05.987741463 +0100
@@ -515,11 +515,13 @@ bool HTMLFormElement::isURLAttribute(Att
void HTMLFormElement::registerImgElement(HTMLImageElement* e)
{
+ ASSERT(imgElements.find(e) == notFound);
imgElements.append(e);
}
void HTMLFormElement::removeImgElement(HTMLImageElement* e)
{
+ ASSERT(imgElements.find(e) == notFound);
removeFromVector(imgElements, e);
}
diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLImageElement.cpp.cve-2010-0054-image-element-pointer-name-getter qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLImageElement.cpp
--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLImageElement.cpp.cve-2010-0054-image-element-pointer-name-getter 2010-02-11 16:55:17.000000000 +0100
+++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLImageElement.cpp 2010-02-25 15:43:45.016742027 +0100
@@ -209,6 +209,40 @@ void HTMLImageElement::removedFromDocume
HTMLElement::removedFromDocument();
}
+void HTMLImageElement::insertedIntoTree(bool deep)
+{
+ if (m_form) {
+ // m_form was set by constructor. In debug builds, check that it's an ancestor indeed.
+#ifndef NDEBUG
+ for (Node* ancestor = parentNode(); /* no end condition - there must be a form ancestor */; ancestor = ancestor->parentNode()) {
+ ASSERT(ancestor);
+ if (ancestor->hasTagName(formTag)) {
+ ASSERT(m_form == static_cast<HTMLFormElement*>(ancestor));
+ break;
+ }
+ }
+#endif
+ } else {
+ for (Node* ancestor = parentNode(); ancestor; ancestor = ancestor->parentNode()) {
+ if (ancestor->hasTagName(formTag)) {
+ m_form = static_cast<HTMLFormElement*>(ancestor);
+ m_form->registerImgElement(this);
+ break;
+ }
+ }
+ }
+
+ HTMLElement::insertedIntoTree(deep);
+}
+
+void HTMLImageElement::removedFromTree(bool deep)
+{
+ if (m_form)
+ m_form->removeImgElement(this);
+ m_form = 0;
+ HTMLElement::removedFromTree(deep);
+}
+
int HTMLImageElement::width(bool ignorePendingStylesheets) const
{
if (!renderer()) {
diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLImageElement.h.cve-2010-0054-image-element-pointer-name-getter qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLImageElement.h
--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLImageElement.h.cve-2010-0054-image-element-pointer-name-getter 2010-02-11 16:55:17.000000000 +0100
+++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLImageElement.h 2010-02-25 15:41:18.340929598 +0100
@@ -45,8 +45,6 @@ public:
virtual void attach();
virtual RenderObject* createRenderer(RenderArena*, RenderStyle*);
- virtual void insertedIntoDocument();
- virtual void removedFromDocument();
virtual bool canStartSelection() const { return false; }
@@ -105,6 +103,11 @@ public:
virtual void addSubresourceAttributeURLs(ListHashSet<KURL>&) const;
private:
+ virtual void insertedIntoDocument();
+ virtual void removedFromDocument();
+ virtual void insertedIntoTree(bool deep);
+ virtual void removedFromTree(bool deep);
+
HTMLImageLoader m_imageLoader;
String usemap;
bool ismap;

View File

@ -0,0 +1,25 @@
diff -up qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/css/CSSParser.cpp.cve-2010-0046-css-format-mem-corruption qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/css/CSSParser.cpp
--- qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/css/CSSParser.cpp.cve-2010-0046-css-format-mem-corruption 2009-09-29 13:01:35.000000000 +0200
+++ qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/css/CSSParser.cpp 2010-02-04 15:00:24.778776273 +0100
@@ -3085,6 +3085,12 @@ bool CSSParser::parseFontWeight(bool imp
return false;
}
+static bool isValidFormatFunction(CSSParserValue* val)
+{
+ CSSParserValueList* args = val->function->args;
+ return equalIgnoringCase(val->function->name, "format(") && (args->current()->unit == CSSPrimitiveValue::CSS_STRING || args->current()->unit == CSSPrimitiveValue::CSS_IDENT);
+}
+
bool CSSParser::parseFontFaceSrc()
{
RefPtr<CSSValueList> values(CSSValueList::createCommaSeparated());
@@ -3111,7 +3117,7 @@ bool CSSParser::parseFontFaceSrc()
CSSParserValue* a = args->current();
uriValue.clear();
parsedValue = CSSFontFaceSrcValue::createLocal(a->string);
- } else if (equalIgnoringCase(val->function->name, "format(") && allowFormat && uriValue) {
+ } else if (allowFormat && uriValue && isValidFormatFunction(val)) {
expectComma = true;
allowFormat = false;
uriValue->setFormat(args->current()->string);

View File

@ -0,0 +1,29 @@
diff -up qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/rendering/RenderText.cpp.cve-2010-0049-freed-line-boxes-ltr-rtl qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/rendering/RenderText.cpp
--- qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/rendering/RenderText.cpp.cve-2010-0049-freed-line-boxes-ltr-rtl 2009-09-29 13:01:36.000000000 +0200
+++ qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/rendering/RenderText.cpp 2010-02-04 15:43:15.707711730 +0100
@@ -1025,8 +1025,15 @@ void RenderText::position(InlineBox* box
if (!s->m_len) {
// We want the box to be destroyed.
s->remove();
+ if (m_firstTextBox == s)
+ m_firstTextBox = s->nextTextBox();
+ else
+ s->prevTextBox()->setNextLineBox(s->nextTextBox());
+ if (m_lastTextBox == s)
+ m_lastTextBox = s->prevTextBox();
+ else
+ s->nextTextBox()->setPreviousLineBox(s->prevTextBox());
s->destroy(renderArena());
- m_firstTextBox = m_lastTextBox = 0;
return;
}
@@ -1203,7 +1210,7 @@ void RenderText::checkConsistency() cons
#ifdef CHECK_CONSISTENCY
const InlineTextBox* prev = 0;
for (const InlineTextBox* child = m_firstTextBox; child != 0; child = child->nextTextBox()) {
- ASSERT(child->object() == this);
+ ASSERT(child->renderer() == this);
ASSERT(child->prevTextBox() == prev);
prev = child;
}

View File

@ -0,0 +1,13 @@
diff -up qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/html/HTMLParser.cpp.cve-2010-0050-crash-misnested-style-tags qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/html/HTMLParser.cpp
--- qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/html/HTMLParser.cpp.cve-2010-0050-crash-misnested-style-tags 2009-09-29 13:01:36.000000000 +0200
+++ qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/html/HTMLParser.cpp 2010-02-04 15:54:25.399651321 +0100
@@ -1208,7 +1208,8 @@ void HTMLParser::handleResidualStyleClos
prevMaxElem->next = elem;
ASSERT(newNodePtr);
prevMaxElem->node = newNodePtr;
- prevMaxElem->didRefNode = false;
+ newNodePtr->ref();
+ prevMaxElem->didRefNode = true;
} else
delete elem;
}

View File

@ -0,0 +1,21 @@
diff -up qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/html/HTMLInputElement.cpp.cve-2010-0052-destroyed-input-cached qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/html/HTMLInputElement.cpp
--- qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/html/HTMLInputElement.cpp.cve-2010-0052-destroyed-input-cached 2009-09-29 13:01:36.000000000 +0200
+++ qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/html/HTMLInputElement.cpp 2010-02-04 17:50:07.931656712 +0100
@@ -616,12 +616,15 @@ void HTMLInputElement::parseMappedAttrib
m_autocomplete = Off;
registerForActivationCallbackIfNeeded();
} else {
- if (m_autocomplete == Off)
- unregisterForActivationCallbackIfNeeded();
+ bool needsToUnregister = m_autocomplete == Off;
+
if (attr->isEmpty())
m_autocomplete = Uninitialized;
else
m_autocomplete = On;
+
+ if (needsToUnregister)
+ unregisterForActivationCallbackIfNeeded();
}
} else if (attr->name() == typeAttr) {
setInputType(attr->value());

19
qt.spec
View File

@ -13,7 +13,7 @@ Summary: Qt toolkit
Name: qt Name: qt
Epoch: 1 Epoch: 1
Version: 4.6.2 Version: 4.6.2
Release: 7%{?dist} Release: 8%{?dist}
# See LGPL_EXCEPTIONS.txt, LICENSE.GPL3, respectively, for exception details # See LGPL_EXCEPTIONS.txt, LICENSE.GPL3, respectively, for exception details
License: LGPLv2 with exceptions or GPLv3 with exceptions License: LGPLv2 with exceptions or GPLv3 with exceptions
@ -60,6 +60,12 @@ Patch54: qt-x11-opensource-src-4.5.1-mysql_config.patch
Patch55: qt-everywhere-opensource-src-4.6.2-cups.patch Patch55: qt-everywhere-opensource-src-4.6.2-cups.patch
# security patches # security patches
Patch100: qt-x11-opensource-src-4.5.3-cve-2010-0046-css-format-mem-corruption.patch
Patch101: qt-x11-opensource-src-4.5.3-cve-2010-0049-freed-line-boxes-ltr-rtl.patch
Patch102: qt-x11-opensource-src-4.5.3-cve-2010-0050-crash-misnested-style-tags.patch
Patch103: qt-x11-opensource-src-4.5.3-cve-2010-0052-destroyed-input-cached.patch
Patch104: qt-everywhere-opensource-src-4.6.2-cve-2010-0051-lax-css-parsing-cross-domain-theft.patch
Patch105: qt-everywhere-opensource-src-4.6.2-cve-2010-0054-image-element-pointer-name-getter.patch
# kde-qt git patches # kde-qt git patches
Patch201: 0001-This-patch-uses-object-name-as-a-fallback-for-window.patch Patch201: 0001-This-patch-uses-object-name-as-a-fallback-for-window.patch
@ -410,6 +416,12 @@ Qt libraries used for drawing widgets and OpenGL items.
%patch55 -p1 -b .cups-1 %patch55 -p1 -b .cups-1
# security fixes # security fixes
%patch100 -p1 -b .cve-2010-0046-css-format-mem-corruption
%patch101 -p1 -b .cve-2010-0049-freed-line-boxes-ltr-rtl
%patch102 -p1 -b .cve-2010-0050-crash-misnested-style-tags
%patch103 -p1 -b .cve-2010-0052-destroyed-input-cached
%patch104 -p1 -b .cve-2010-0051-lax-css-parsing-cross-domain-theft
%patch105 -p1 -b .cve-2010-0054-image-element-pointer-name-getter
# kde-qt branch # kde-qt branch
%patch201 -p1 -b .kde-qt-0001 %patch201 -p1 -b .kde-qt-0001
@ -1015,6 +1027,11 @@ fi
%changelog %changelog
* Wed Mar 17 2010 Jaroslav Reznik <jreznik@redhat.com> - 4.6.2-8
- WebKit security update:
CVE-2010-0046, CVE-2010-0049, CVE-2010-0050, CVE-2010-0051,
CVE-2010-0052, CVE-2010-0054
* Sat Mar 13 2010 Kevin Kofler <Kevin@tigcc.ticalc.org> - 4.6.2-7 * Sat Mar 13 2010 Kevin Kofler <Kevin@tigcc.ticalc.org> - 4.6.2-7
- BR alsa-lib-devel (for QtMultimedia) - BR alsa-lib-devel (for QtMultimedia)