rpms/qt
3
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

- CVE-2009-3384 - WebKit, ftp listing handling (#525788)

Browse Source 
- CVE-2009-2816 - WebKit, MITM Cross-Origin Resource Sharing (#525789)
This commit is contained in:
Jaroslav Reznik 2009-11-12 15:40:04 +00:00
parent 04adb889dd
commit b4fb0d7f9b
3 changed files with 304 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
qt-x11-opensource-src-4.5.3-cve-2009-2816-cors.patch Normal file
View File

@ -0,0 +1,11 @@
diff -up qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/xml/XMLHttpRequest.cpp.cve-2009-2816-cors qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/xml/XMLHttpRequest.cpp
--- qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/xml/XMLHttpRequest.cpp.cve-2009-2816-cors 2009-09-29 13:01:37.000000000 +0200
+++ qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/xml/XMLHttpRequest.cpp 2009-11-03 13:47:52.974837432 +0100
@@ -735,7 +735,6 @@ void XMLHttpRequest::makeCrossSiteAccess
}
preflightRequest.setHTTPHeaderField("Access-Control-Request-Headers", String::adopt(headerBuffer));
- preflightRequest.addHTTPHeaderFields(m_requestHeaders);
}
if (m_async) {

284
qt-x11-opensource-src-4.5.3-cve-2009-3384-ftp-ls-handling.patch Normal file
View File

@ -0,0 +1,284 @@
diff -U0 qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/ChangeLog.cve-2009-3384-ftp-ls-handling qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/ChangeLog
--- qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/ChangeLog.cve-2009-3384-ftp-ls-handling 2009-09-29 13:01:35.000000000 +0200
+++ qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/ChangeLog 2009-11-03 14:53:34.008898552 +0100
@@ -0,0 +1,14 @@
+2009-09-24 Brady Eidson <beidson@apple.com>
+
+ Reviewed by Sam Weinig.
+
+ Merge changes from Mozilla's FTP directory parser.
+ <rdar://problem/7227620> and https://bugs.webkit.org/show_bug.cgi?id=29294
+
+ FTP layout tests not possible at this time.
+ https://bugs.webkit.org/show_bug.cgi?id=29719 tracks making them possible.
+
+ * loader/FTPDirectoryParser.cpp:
+ (WebCore::ParsingFailed):
+ (WebCore::parseOneFTPLine):
+
diff -up qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/loader/FTPDirectoryParser.cpp.cve-2009-3384-ftp-ls-handling qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/loader/FTPDirectoryParser.cpp
--- qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/loader/FTPDirectoryParser.cpp.cve-2009-3384-ftp-ls-handling 2009-09-29 13:01:36.000000000 +0200
+++ qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/loader/FTPDirectoryParser.cpp 2009-11-03 14:53:34.044898565 +0100
@@ -53,6 +53,13 @@ static struct tm *gmtimeQt(const time_t
#define gmtime_r(x, y) gmtime_s((y), (x))
#endif
+static inline FTPEntryType ParsingFailed(ListState& state)
+{
+ if (state.parsedOne || state.listStyle) /* junk if we fail to parse */
+ return FTPJunkEntry; /* this time but had previously parsed sucessfully */
+ return FTPMiscEntry; /* its part of a comment or error message */
+}
+
FTPEntryType parseOneFTPLine(const char* line, ListState& state, ListResult& result)
{
result.clear();
@@ -122,6 +129,9 @@ FTPEntryType parseOneFTPLine(const char*
}
}
+ if (!numtoks)
+ return ParsingFailed(state);
+
linelen_sans_wsp = &(tokens[numtoks-1][toklen[numtoks-1]]) - tokens[0];
if (numtoks == (sizeof(tokens)/sizeof(tokens[0])) )
{
@@ -352,11 +362,16 @@ FTPEntryType parseOneFTPLine(const char*
pos++;
p++;
}
- if (lstyle && pos < (toklen[0]-1) && *p == ']')
+ if (lstyle && pos < (toklen[0]-1))
{
+ /* ']' was found and there is at least one character after it */
+ ASSERT(*p == ']');
pos++;
p++;
tokmarker = pos; /* length of leading "[DIR1.DIR2.etc]" */
+ } else {
+ /* not a CMU style listing */
+ lstyle = 0;
}
}
while (lstyle && pos < toklen[0] && *p != ';')
@@ -383,7 +398,7 @@ FTPEntryType parseOneFTPLine(const char*
pos -= tokmarker; /* => fnlength sans "[DIR1.DIR2.etc]" */
p = &(tokens[0][tokmarker]); /* offset of basename */
- if (!lstyle || pos > 80) /* VMS filenames can't be longer than that */
+ if (!lstyle || pos == 0 || pos > 80) /* VMS filenames can't be longer than that */
{
lstyle = 0;
}
@@ -776,7 +791,7 @@ FTPEntryType parseOneFTPLine(const char*
state.parsedOne = true;
state.listStyle = lstyle;
- p = &(line[linelen_sans_wsp]); /* line end sans wsp */
+ p = &(line[linelen]); /* line end */
result.caseSensitive = true;
result.filename = tokens[3];
result.filenameLength = p - tokens[3];
@@ -784,29 +799,46 @@ FTPEntryType parseOneFTPLine(const char*
if (*tokens[2] != '<') /* not <DIR> or <JUNCTION> */
{
+ // try to handle correctly spaces at the beginning of the filename
+ // filesize (token[2]) must end at offset 38
+ if (tokens[2] + toklen[2] - line == 38) {
+ result.filename = &(line[39]);
+ result.filenameLength = p - result.filename;
+ }
result.type = FTPFileEntry;
pos = toklen[2];
result.fileSize = String(tokens[2], pos);
}
- else if ((tokens[2][1]) != 'D') /* not <DIR> */
- {
- result.type = FTPJunkEntry; /* unknown until junc for sure */
- if (result.filenameLength > 4)
+ else {
+ // try to handle correctly spaces at the beginning of the filename
+ // token[2] must begin at offset 24, the length is 5 or 10
+ // token[3] must begin at offset 39 or higher
+ if (tokens[2] - line == 24 && (toklen[2] == 5 || toklen[2] == 10) &&
+ tokens[3] - line >= 39) {
+ result.filename = &(line[39]);
+ result.filenameLength = p - result.filename;
+ }
+
+ if ((tokens[2][1]) != 'D') /* not <DIR> */
{
- p = result.filename;
- for (pos = result.filenameLength - 4; pos > 0; pos--)
+ result.type = FTPJunkEntry; /* unknown until junc for sure */
+ if (result.filenameLength > 4)
{
- if (p[0] == ' ' && p[3] == ' ' && p[2] == '>' &&
- (p[1] == '=' || p[1] == '-'))
+ p = result.filename;
+ for (pos = result.filenameLength - 4; pos > 0; pos--)
{
- result.type = FTPLinkEntry;
- result.filenameLength = p - result.filename;
- result.linkname = p + 4;
- result.linknameLength = &(line[linelen_sans_wsp])
- - result.linkname;
- break;
+ if (p[0] == ' ' && p[3] == ' ' && p[2] == '>' &&
+ (p[1] == '=' || p[1] == '-'))
+ {
+ result.type = FTPLinkEntry;
+ result.filenameLength = p - result.filename;
+ result.linkname = p + 4;
+ result.linknameLength = &(line[linelen])
+ - result.linkname;
+ break;
+ }
+ p++;
}
- p++;
}
}
}
@@ -817,8 +849,13 @@ FTPEntryType parseOneFTPLine(const char*
result.modifiedTime.tm_mon--;
result.modifiedTime.tm_mday = atoi(tokens[0]+3);
result.modifiedTime.tm_year = atoi(tokens[0]+6);
+ /* if year has only two digits then assume that
+ 00-79 is 2000-2079
+ 80-99 is 1980-1999 */
if (result.modifiedTime.tm_year < 80)
- result.modifiedTime.tm_year += 100;
+ result.modifiedTime.tm_year += 2000;
+ else if (result.modifiedTime.tm_year < 100)
+ result.modifiedTime.tm_year += 1900;
}
result.modifiedTime.tm_hour = atoi(tokens[1]+0);
@@ -970,6 +1007,8 @@ FTPEntryType parseOneFTPLine(const char*
* "drwxr-xr-x 2 0 0 512 May 28 22:17 etc"
*/
+ bool isOldHellsoft = false;
+
if (numtoks >= 6)
{
/* there are two perm formats (Hellsoft/NetWare and *IX strmode(3)).
@@ -995,6 +1034,8 @@ FTPEntryType parseOneFTPLine(const char*
{
/* rest is FMA[S] or AFM[S] */
lstyle = 'U'; /* very likely one of the NetWare servers */
+ if (toklen[0] == 10)
+ isOldHellsoft = true;
}
}
}
@@ -1059,7 +1100,7 @@ FTPEntryType parseOneFTPLine(const char*
/* check that size is numeric */
p = tokens[tokmarker];
- for (pos = 0; lstyle && pos < toklen[tokmarker]; pos++)
+ for (unsigned int i = 0; lstyle && i < toklen[tokmarker]; ++i)
{
if (!isASCIIDigit(*p++))
lstyle = 0;
@@ -1068,11 +1109,11 @@ FTPEntryType parseOneFTPLine(const char*
{
month_num = 0;
p = tokens[tokmarker+1];
- for (pos = 0;pos < (12*3); pos+=3)
+ for (unsigned int i = 0; i < (12*3); i+=3)
{
- if (p[0] == month_names[pos+0] &&
- p[1] == month_names[pos+1] &&
- p[2] == month_names[pos+2])
+ if (p[0] == month_names[i+0] &&
+ p[1] == month_names[i+1] &&
+ p[2] == month_names[i+2])
break;
month_num++;
}
@@ -1080,8 +1121,8 @@ FTPEntryType parseOneFTPLine(const char*
lstyle = 0;
}
} /* relative position test */
- } /* while (pos+5) < numtoks */
- } /* if (numtoks >= 4) */
+ } /* for (pos = (numtoks-5); !lstyle && pos > 1; pos--) */
+ } /* if (lstyle == 'U') */
if (lstyle == 'U')
{
@@ -1140,24 +1181,49 @@ FTPEntryType parseOneFTPLine(const char*
} /* time/year */
- result.filename = tokens[tokmarker+4];
- result.filenameLength = (&(line[linelen_sans_wsp]))
+ // there is exacly 1 space between filename and previous token in all
+ // outputs except old Hellsoft
+ if (!isOldHellsoft)
+ result.filename = tokens[tokmarker+3] + toklen[tokmarker+3] + 1;
+ else
+ result.filename = tokens[tokmarker+4];
+
+ result.filenameLength = (&(line[linelen]))
- (result.filename);
if (result.type == FTPLinkEntry && result.filenameLength > 4)
{
- p = result.filename + 1;
- for (pos = 1; pos < (result.filenameLength - 4); pos++)
+ /* First try to use result.fe_size to find " -> " sequence.
+ This can give proper result for cases like "aaa -> bbb -> ccc". */
+ unsigned int fileSize = result.fileSize.toUInt();
+
+ if (result.filenameLength > (fileSize + 4) &&
+ strncmp(result.filename + result.filenameLength - fileSize - 4, " -> ", 4) == 0)
+ {
+ result.linkname = result.filename + (result.filenameLength - fileSize);
+ result.linknameLength = (&(line[linelen])) - (result.linkname);
+ result.filenameLength -= fileSize + 4;
+ }
+ else
{
- if (*p == ' ' && p[1] == '-' && p[2] == '>' && p[3] == ' ')
+ /* Search for sequence " -> " from the end for case when there are
+ more occurrences. F.e. if ftpd returns "a -> b -> c" assume
+ "a -> b" as a name. Powerusers can remove unnecessary parts
+ manually but there is no way to follow the link when some
+ essential part is missing. */
+ p = result.filename + (result.filenameLength - 5);
+ for (pos = (result.filenameLength - 5); pos > 0; pos--)
{
- result.linkname = p + 4;
- result.linknameLength = (&(line[linelen_sans_wsp]))
- - (result.linkname);
- result.filenameLength = pos;
- break;
+ if (strncmp(p, " -> ", 4) == 0)
+ {
+ result.linkname = p + 4;
+ result.linknameLength = (&(line[linelen]))
+ - (result.linkname);
+ result.filenameLength = pos;
+ break;
+ }
+ p--;
}
- p++;
}
}
@@ -1614,9 +1680,7 @@ FTPEntryType parseOneFTPLine(const char*
} /* if (linelen > 0) */
- if (state.parsedOne || state.listStyle) /* junk if we fail to parse */
- return FTPJunkEntry; /* this time but had previously parsed sucessfully */
- return FTPMiscEntry; /* its part of a comment or error message */
+ return ParsingFailed(state);
}
} // namespace WebCore

10
qt.spec
View File

@ -10,7 +10,7 @@ Summary: Qt toolkit
Name: qt
Epoch: 1
Version: 4.5.3
Release: 8%{?dist}
Release: 9%{?dist}
# See LGPL_EXCEPTIONS.txt, LICENSE.GPL3, respectively, for exception details
License: LGPLv2 with exceptions or GPLv3 with exceptions
@ -64,6 +64,8 @@ Patch55: qt-x11-opensource-src-4.5.3-glib-event-loop.patch
Patch155: http://www.davidfaure.fr/2009/qeventdispatcher_glib_fix.diff
# security patches
Patch180: qt-x11-opensource-src-4.5.3-cve-2009-2816-cors.patch
Patch181: qt-x11-opensource-src-4.5.3-cve-2009-3384-ftp-ls-handling.patch
# kde-qt git patches
Patch201: 0001-This-patch-uses-object-name-as-a-fallback-for-window.patch
@ -400,6 +402,8 @@ Qt libraries used for drawing widgets and OpenGL items.
#patch155 -p1 -b .qeventdispatcher_glib_fix
# security fixes
%patch180 -p1 -b .cve-2009-2816-cors
%patch181 -p1 -b .cve-2009-3384-ftp-ls-handling
# kde-qt branch
%patch201 -p1 -b .kde-qt-0001
@ -994,6 +998,10 @@ fi
%changelog
* Thu Nov 12 2009 Jaroslav Reznik <jreznik@redhat.com> - 4.5.3-9
- CVE-2009-3384 - WebKit, ftp listing handling (#525788)
- CVE-2009-2816 - WebKit, MITM Cross-Origin Resource Sharing (#525789)
* Sun Nov 08 2009 Rex Dieter <rdieter@fedoraproject.org> - 4.5.3-8
- -x11: Requires: %%{name}-sqlite%{?_isa}