From adf970ce5b29615d1677caae23e00cac2032cad3 Mon Sep 17 00:00:00 2001
From: Than Ngo
Date: Wed, 29 Aug 2007 17:30:40 +0000
Subject: [PATCH] CVE-2007-0242 QT UTF8 improper character expansion
---
 qt.spec | 7 ++-
 utf8-bug-qt3-CVE-2007-0242.diff | 101 ++++++++++++++++++++++++++++++++
 2 files changed, 107 insertions(+), 1 deletion(-)
 create mode 100644 utf8-bug-qt3-CVE-2007-0242.diff
diff --git a/qt.spec b/qt.spec
index 163981b..08f1a8f 100644
--- a/qt.spec
+++ b/qt.spec
@@ -1,7 +1,7 @@
 Summary: The shared library for the Qt GUI toolkit.
 Name: qt
 Version: 3.3.8
-Release: 6%{?dist}
+Release: 6%{?dist}.1
 Epoch: 1
 License: GPL/QPL
 Group: System Environment/Libraries
@@ -65,6 +65,7 @@ Patch201: qt-x11-free-3.3.8-bz#243722-mysql.patch
 # security patces
 Patch300: qt3-CVE-2007-3388.patch
+Patch301: utf8-bug-qt3-CVE-2007-0242.diff
 %define qt_dirname qt-3.3
 %define qtdir %{_libdir}/%{qt_dirname}
@@ -305,6 +306,7 @@ for the Qt toolkit.
 # security patches
 %patch300 -p1 -b .CVE-2007-3388
+%patch301 -p0 -b .CVE-2007-0242
 # convert to UTF-8
 iconv -f iso-8859-1 -t utf-8 < doc/man/man3/qdial.3qt > doc/man/man3/qdial.3qt_
@@ -576,6 +578,9 @@ rm -rf %{buildroot}
 %changelog
+* Wed Aug 29 2007 Than Ngo - 1:3.3.8-6.fc7.1
+- CVE-2007-0242, UTF8 improper character expansion
+
 * Tue Aug 28 2007 Than Ngo - 1:3.3.8-6.fc7
 - CVE-2007-3388 qt3 format string flaw
diff --git a/utf8-bug-qt3-CVE-2007-0242.diff b/utf8-bug-qt3-CVE-2007-0242.diff
new file mode 100644
index 0000000..43e84a9
--- /dev/null
+++ b/utf8-bug-qt3-CVE-2007-0242.diff
@@ -0,0 +1,101 @@
+--- src/codecs/qutfcodec.cpp
++++ src/codecs/qutfcodec.cpp
+@@ -154,6 +154,7 @@
+ 
+ class QUtf8Decoder : public QTextDecoder {
+ uint uc;
++ uint min_uc;
+ int need;
+ bool headerDone;
+ public:
+@@ -167,8 +168,9 @@
+ result.setLength( len ); // worst case
+ QChar *qch = (QChar *)result.unicode();
+ uchar ch;
++ int error = -1;
+ for (int i=0; i= 0xd800 && uc <= 0xdfff) || (uc >= 0xfffe)) {
++ *qch++ = QChar::replacement;
+ } else {
+ if (headerDone || QChar(uc) != QChar::byteOrderMark)
+ *qch++ = uc;
+@@ -190,6 +194,7 @@
+ }
+ } else {
+ // error
++ i = error;
+ *qch++ = QChar::replacement;
+ need = 0;
+ }
+@@ -200,12 +205,21 @@
+ } else if ((ch & 0xe0) == 0xc0) {
+ uc = ch & 0x1f;
+ need = 1;
++ error = i;
++ min_uc = 0x80;
+ } else if ((ch & 0xf0) == 0xe0) {
+ uc = ch & 0x0f;
+ need = 2;
++ error = i;
++ min_uc = 0x800;
+ } else if ((ch&0xf8) == 0xf0) {
+ uc = ch & 0x07;
+ need = 3;
++ error = i;
++ min_uc = 0x10000;
++ } else {
++ // error
++ *qch++ = QChar::replacement;
+ }
+ }
+ }
+--- src/tools/qstring.cpp
++++ src/tools/qstring.cpp
+@@ -5805,6 +5805,7 @@
+ result.setLength( len ); // worst case
+ QChar *qch = (QChar *)result.unicode();
+ uint uc = 0;
++ uint min_uc = 0;
+ int need = 0;
+ int error = -1;
+ uchar ch;
+@@ -5822,6 +5823,12 @@
+ unsigned short low = uc%0x400 + 0xdc00;
+ *qch++ = QChar(high);
+ *qch++ = QChar(low);
++ } else if (uc < min_uc || (uc >= 0xd800 && uc <= 0xdfff) || (uc >= 0xfffe)) {
++ // overlong seqence, UTF16 surrogate or BOM
++ i = error;
++ qch = addOne(qch, result);
++ *qch++ = QChar(0xdbff);
++ *qch++ = QChar(0xde00+((uchar)utf8[i]));
+ } else {
+ *qch++ = uc;
+ }
+@@ -5844,14 +5851,17 @@
+ uc = ch & 0x1f;
+ need = 1;
+ error = i;
++ min_uc = 0x80;
+ } else if ((ch & 0xf0) == 0xe0) {
+ uc = ch & 0x0f;
+ need = 2;
+ error = i;
++ min_uc = 0x800;
+ } else if ((ch&0xf8) == 0xf0) {
+ uc = ch & 0x07;
+ need = 3;
+ error = i;
++ min_uc = 0x10000;
+ } else {
+ // Error
+ qch = addOne(qch, result);
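Review bot: The new rejection branch in qstring.cpp, `} else if (uc < min_uc || (uc >= 0xd800 && uc <= 0xdfff) || (uc >= 0xfffe)) {`, sits in the else of the surrogate-pair path (its `if` is outside the hunk, only the `QChar(high)`/`QChar(low)` stores are visible), so it is never reached for a code point above 0xffff and nothing rejects a 4-byte sequence that decodes above 0x10ffff — the lead-byte test `(ch&0xf8) == 0xf0` accepts 0xf4–0xf7 and the `uc = ch & 0x07; need = 3;` path can yield values up to 0x1fffff, which the surrogate split then turns into an out-of-range pair. Test the upper bound before the pair is formed, e.g. `if (uc > 0x10ffff || uc < min_uc || (uc >= 0xd800 && uc <= 0xdfff) || uc == 0xfffe || uc == 0xffff)` as the first check on a completed sequence, and the same lead-byte classification in QUtf8Decoder presumably needs the same bound. The two files also treat a rejected sequence differently: qstring.cpp rewinds with `i = error` and stores the 0xdbff/0xde00+byte pair, while qutfcodec.cpp stores a single `QChar::replacement` without rewinding, so the continuation bytes are consumed as one replacement there — if that asymmetry is intended a comment saying so would help, and `// overlong seqence` should read `sequence`. On this page the qutfcodec.cpp part of the hunk is garbled (text is missing between `for (int i=0; i` and `= 0xd800`), and the enclosing functions start and end outside the hunk.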