- CVE-2009-3384 - WebKit, ftp listing handling (#525788)
- CVE-2009-2816 - WebKit, MITM Cross-Origin Resource Sharing (#525789)
This commit is contained in:
parent
04adb889dd
commit
b4fb0d7f9b
11
qt-x11-opensource-src-4.5.3-cve-2009-2816-cors.patch
Normal file
11
qt-x11-opensource-src-4.5.3-cve-2009-2816-cors.patch
Normal file
@ -0,0 +1,11 @@
|
||||
diff -up qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/xml/XMLHttpRequest.cpp.cve-2009-2816-cors qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/xml/XMLHttpRequest.cpp
|
||||
--- qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/xml/XMLHttpRequest.cpp.cve-2009-2816-cors 2009-09-29 13:01:37.000000000 +0200
|
||||
+++ qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/xml/XMLHttpRequest.cpp 2009-11-03 13:47:52.974837432 +0100
|
||||
@@ -735,7 +735,6 @@ void XMLHttpRequest::makeCrossSiteAccess
|
||||
}
|
||||
|
||||
preflightRequest.setHTTPHeaderField("Access-Control-Request-Headers", String::adopt(headerBuffer));
|
||||
- preflightRequest.addHTTPHeaderFields(m_requestHeaders);
|
||||
}
|
||||
|
||||
if (m_async) {
|
284
qt-x11-opensource-src-4.5.3-cve-2009-3384-ftp-ls-handling.patch
Normal file
284
qt-x11-opensource-src-4.5.3-cve-2009-3384-ftp-ls-handling.patch
Normal file
@ -0,0 +1,284 @@
|
||||
diff -U0 qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/ChangeLog.cve-2009-3384-ftp-ls-handling qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/ChangeLog
|
||||
--- qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/ChangeLog.cve-2009-3384-ftp-ls-handling 2009-09-29 13:01:35.000000000 +0200
|
||||
+++ qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/ChangeLog 2009-11-03 14:53:34.008898552 +0100
|
||||
@@ -0,0 +1,14 @@
|
||||
+2009-09-24 Brady Eidson <beidson@apple.com>
|
||||
+
|
||||
+ Reviewed by Sam Weinig.
|
||||
+
|
||||
+ Merge changes from Mozilla's FTP directory parser.
|
||||
+ <rdar://problem/7227620> and https://bugs.webkit.org/show_bug.cgi?id=29294
|
||||
+
|
||||
+ FTP layout tests not possible at this time.
|
||||
+ https://bugs.webkit.org/show_bug.cgi?id=29719 tracks making them possible.
|
||||
+
|
||||
+ * loader/FTPDirectoryParser.cpp:
|
||||
+ (WebCore::ParsingFailed):
|
||||
+ (WebCore::parseOneFTPLine):
|
||||
+
|
||||
diff -up qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/loader/FTPDirectoryParser.cpp.cve-2009-3384-ftp-ls-handling qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/loader/FTPDirectoryParser.cpp
|
||||
--- qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/loader/FTPDirectoryParser.cpp.cve-2009-3384-ftp-ls-handling 2009-09-29 13:01:36.000000000 +0200
|
||||
+++ qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/loader/FTPDirectoryParser.cpp 2009-11-03 14:53:34.044898565 +0100
|
||||
@@ -53,6 +53,13 @@ static struct tm *gmtimeQt(const time_t
|
||||
#define gmtime_r(x, y) gmtime_s((y), (x))
|
||||
#endif
|
||||
|
||||
+static inline FTPEntryType ParsingFailed(ListState& state)
|
||||
+{
|
||||
+ if (state.parsedOne || state.listStyle) /* junk if we fail to parse */
|
||||
+ return FTPJunkEntry; /* this time but had previously parsed sucessfully */
|
||||
+ return FTPMiscEntry; /* its part of a comment or error message */
|
||||
+}
|
||||
+
|
||||
FTPEntryType parseOneFTPLine(const char* line, ListState& state, ListResult& result)
|
||||
{
|
||||
result.clear();
|
||||
@@ -122,6 +129,9 @@ FTPEntryType parseOneFTPLine(const char*
|
||||
}
|
||||
}
|
||||
|
||||
+ if (!numtoks)
|
||||
+ return ParsingFailed(state);
|
||||
+
|
||||
linelen_sans_wsp = &(tokens[numtoks-1][toklen[numtoks-1]]) - tokens[0];
|
||||
if (numtoks == (sizeof(tokens)/sizeof(tokens[0])) )
|
||||
{
|
||||
@@ -352,11 +362,16 @@ FTPEntryType parseOneFTPLine(const char*
|
||||
pos++;
|
||||
p++;
|
||||
}
|
||||
- if (lstyle && pos < (toklen[0]-1) && *p == ']')
|
||||
+ if (lstyle && pos < (toklen[0]-1))
|
||||
{
|
||||
+ /* ']' was found and there is at least one character after it */
|
||||
+ ASSERT(*p == ']');
|
||||
pos++;
|
||||
p++;
|
||||
tokmarker = pos; /* length of leading "[DIR1.DIR2.etc]" */
|
||||
+ } else {
|
||||
+ /* not a CMU style listing */
|
||||
+ lstyle = 0;
|
||||
}
|
||||
}
|
||||
while (lstyle && pos < toklen[0] && *p != ';')
|
||||
@@ -383,7 +398,7 @@ FTPEntryType parseOneFTPLine(const char*
|
||||
pos -= tokmarker; /* => fnlength sans "[DIR1.DIR2.etc]" */
|
||||
p = &(tokens[0][tokmarker]); /* offset of basename */
|
||||
|
||||
- if (!lstyle || pos > 80) /* VMS filenames can't be longer than that */
|
||||
+ if (!lstyle || pos == 0 || pos > 80) /* VMS filenames can't be longer than that */
|
||||
{
|
||||
lstyle = 0;
|
||||
}
|
||||
@@ -776,7 +791,7 @@ FTPEntryType parseOneFTPLine(const char*
|
||||
state.parsedOne = true;
|
||||
state.listStyle = lstyle;
|
||||
|
||||
- p = &(line[linelen_sans_wsp]); /* line end sans wsp */
|
||||
+ p = &(line[linelen]); /* line end */
|
||||
result.caseSensitive = true;
|
||||
result.filename = tokens[3];
|
||||
result.filenameLength = p - tokens[3];
|
||||
@@ -784,29 +799,46 @@ FTPEntryType parseOneFTPLine(const char*
|
||||
|
||||
if (*tokens[2] != '<') /* not <DIR> or <JUNCTION> */
|
||||
{
|
||||
+ // try to handle correctly spaces at the beginning of the filename
|
||||
+ // filesize (token[2]) must end at offset 38
|
||||
+ if (tokens[2] + toklen[2] - line == 38) {
|
||||
+ result.filename = &(line[39]);
|
||||
+ result.filenameLength = p - result.filename;
|
||||
+ }
|
||||
result.type = FTPFileEntry;
|
||||
pos = toklen[2];
|
||||
result.fileSize = String(tokens[2], pos);
|
||||
}
|
||||
- else if ((tokens[2][1]) != 'D') /* not <DIR> */
|
||||
- {
|
||||
- result.type = FTPJunkEntry; /* unknown until junc for sure */
|
||||
- if (result.filenameLength > 4)
|
||||
+ else {
|
||||
+ // try to handle correctly spaces at the beginning of the filename
|
||||
+ // token[2] must begin at offset 24, the length is 5 or 10
|
||||
+ // token[3] must begin at offset 39 or higher
|
||||
+ if (tokens[2] - line == 24 && (toklen[2] == 5 || toklen[2] == 10) &&
|
||||
+ tokens[3] - line >= 39) {
|
||||
+ result.filename = &(line[39]);
|
||||
+ result.filenameLength = p - result.filename;
|
||||
+ }
|
||||
+
|
||||
+ if ((tokens[2][1]) != 'D') /* not <DIR> */
|
||||
{
|
||||
- p = result.filename;
|
||||
- for (pos = result.filenameLength - 4; pos > 0; pos--)
|
||||
+ result.type = FTPJunkEntry; /* unknown until junc for sure */
|
||||
+ if (result.filenameLength > 4)
|
||||
{
|
||||
- if (p[0] == ' ' && p[3] == ' ' && p[2] == '>' &&
|
||||
- (p[1] == '=' || p[1] == '-'))
|
||||
+ p = result.filename;
|
||||
+ for (pos = result.filenameLength - 4; pos > 0; pos--)
|
||||
{
|
||||
- result.type = FTPLinkEntry;
|
||||
- result.filenameLength = p - result.filename;
|
||||
- result.linkname = p + 4;
|
||||
- result.linknameLength = &(line[linelen_sans_wsp])
|
||||
- - result.linkname;
|
||||
- break;
|
||||
+ if (p[0] == ' ' && p[3] == ' ' && p[2] == '>' &&
|
||||
+ (p[1] == '=' || p[1] == '-'))
|
||||
+ {
|
||||
+ result.type = FTPLinkEntry;
|
||||
+ result.filenameLength = p - result.filename;
|
||||
+ result.linkname = p + 4;
|
||||
+ result.linknameLength = &(line[linelen])
|
||||
+ - result.linkname;
|
||||
+ break;
|
||||
+ }
|
||||
+ p++;
|
||||
}
|
||||
- p++;
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -817,8 +849,13 @@ FTPEntryType parseOneFTPLine(const char*
|
||||
result.modifiedTime.tm_mon--;
|
||||
result.modifiedTime.tm_mday = atoi(tokens[0]+3);
|
||||
result.modifiedTime.tm_year = atoi(tokens[0]+6);
|
||||
+ /* if year has only two digits then assume that
|
||||
+ 00-79 is 2000-2079
|
||||
+ 80-99 is 1980-1999 */
|
||||
if (result.modifiedTime.tm_year < 80)
|
||||
- result.modifiedTime.tm_year += 100;
|
||||
+ result.modifiedTime.tm_year += 2000;
|
||||
+ else if (result.modifiedTime.tm_year < 100)
|
||||
+ result.modifiedTime.tm_year += 1900;
|
||||
}
|
||||
|
||||
result.modifiedTime.tm_hour = atoi(tokens[1]+0);
|
||||
@@ -970,6 +1007,8 @@ FTPEntryType parseOneFTPLine(const char*
|
||||
* "drwxr-xr-x 2 0 0 512 May 28 22:17 etc"
|
||||
*/
|
||||
|
||||
+ bool isOldHellsoft = false;
|
||||
+
|
||||
if (numtoks >= 6)
|
||||
{
|
||||
/* there are two perm formats (Hellsoft/NetWare and *IX strmode(3)).
|
||||
@@ -995,6 +1034,8 @@ FTPEntryType parseOneFTPLine(const char*
|
||||
{
|
||||
/* rest is FMA[S] or AFM[S] */
|
||||
lstyle = 'U'; /* very likely one of the NetWare servers */
|
||||
+ if (toklen[0] == 10)
|
||||
+ isOldHellsoft = true;
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -1059,7 +1100,7 @@ FTPEntryType parseOneFTPLine(const char*
|
||||
|
||||
/* check that size is numeric */
|
||||
p = tokens[tokmarker];
|
||||
- for (pos = 0; lstyle && pos < toklen[tokmarker]; pos++)
|
||||
+ for (unsigned int i = 0; lstyle && i < toklen[tokmarker]; ++i)
|
||||
{
|
||||
if (!isASCIIDigit(*p++))
|
||||
lstyle = 0;
|
||||
@@ -1068,11 +1109,11 @@ FTPEntryType parseOneFTPLine(const char*
|
||||
{
|
||||
month_num = 0;
|
||||
p = tokens[tokmarker+1];
|
||||
- for (pos = 0;pos < (12*3); pos+=3)
|
||||
+ for (unsigned int i = 0; i < (12*3); i+=3)
|
||||
{
|
||||
- if (p[0] == month_names[pos+0] &&
|
||||
- p[1] == month_names[pos+1] &&
|
||||
- p[2] == month_names[pos+2])
|
||||
+ if (p[0] == month_names[i+0] &&
|
||||
+ p[1] == month_names[i+1] &&
|
||||
+ p[2] == month_names[i+2])
|
||||
break;
|
||||
month_num++;
|
||||
}
|
||||
@@ -1080,8 +1121,8 @@ FTPEntryType parseOneFTPLine(const char*
|
||||
lstyle = 0;
|
||||
}
|
||||
} /* relative position test */
|
||||
- } /* while (pos+5) < numtoks */
|
||||
- } /* if (numtoks >= 4) */
|
||||
+ } /* for (pos = (numtoks-5); !lstyle && pos > 1; pos--) */
|
||||
+ } /* if (lstyle == 'U') */
|
||||
|
||||
if (lstyle == 'U')
|
||||
{
|
||||
@@ -1140,24 +1181,49 @@ FTPEntryType parseOneFTPLine(const char*
|
||||
|
||||
} /* time/year */
|
||||
|
||||
- result.filename = tokens[tokmarker+4];
|
||||
- result.filenameLength = (&(line[linelen_sans_wsp]))
|
||||
+ // there is exacly 1 space between filename and previous token in all
|
||||
+ // outputs except old Hellsoft
|
||||
+ if (!isOldHellsoft)
|
||||
+ result.filename = tokens[tokmarker+3] + toklen[tokmarker+3] + 1;
|
||||
+ else
|
||||
+ result.filename = tokens[tokmarker+4];
|
||||
+
|
||||
+ result.filenameLength = (&(line[linelen]))
|
||||
- (result.filename);
|
||||
|
||||
if (result.type == FTPLinkEntry && result.filenameLength > 4)
|
||||
{
|
||||
- p = result.filename + 1;
|
||||
- for (pos = 1; pos < (result.filenameLength - 4); pos++)
|
||||
+ /* First try to use result.fe_size to find " -> " sequence.
|
||||
+ This can give proper result for cases like "aaa -> bbb -> ccc". */
|
||||
+ unsigned int fileSize = result.fileSize.toUInt();
|
||||
+
|
||||
+ if (result.filenameLength > (fileSize + 4) &&
|
||||
+ strncmp(result.filename + result.filenameLength - fileSize - 4, " -> ", 4) == 0)
|
||||
+ {
|
||||
+ result.linkname = result.filename + (result.filenameLength - fileSize);
|
||||
+ result.linknameLength = (&(line[linelen])) - (result.linkname);
|
||||
+ result.filenameLength -= fileSize + 4;
|
||||
+ }
|
||||
+ else
|
||||
{
|
||||
- if (*p == ' ' && p[1] == '-' && p[2] == '>' && p[3] == ' ')
|
||||
+ /* Search for sequence " -> " from the end for case when there are
|
||||
+ more occurrences. F.e. if ftpd returns "a -> b -> c" assume
|
||||
+ "a -> b" as a name. Powerusers can remove unnecessary parts
|
||||
+ manually but there is no way to follow the link when some
|
||||
+ essential part is missing. */
|
||||
+ p = result.filename + (result.filenameLength - 5);
|
||||
+ for (pos = (result.filenameLength - 5); pos > 0; pos--)
|
||||
{
|
||||
- result.linkname = p + 4;
|
||||
- result.linknameLength = (&(line[linelen_sans_wsp]))
|
||||
- - (result.linkname);
|
||||
- result.filenameLength = pos;
|
||||
- break;
|
||||
+ if (strncmp(p, " -> ", 4) == 0)
|
||||
+ {
|
||||
+ result.linkname = p + 4;
|
||||
+ result.linknameLength = (&(line[linelen]))
|
||||
+ - (result.linkname);
|
||||
+ result.filenameLength = pos;
|
||||
+ break;
|
||||
+ }
|
||||
+ p--;
|
||||
}
|
||||
- p++;
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1614,9 +1680,7 @@ FTPEntryType parseOneFTPLine(const char*
|
||||
|
||||
} /* if (linelen > 0) */
|
||||
|
||||
- if (state.parsedOne || state.listStyle) /* junk if we fail to parse */
|
||||
- return FTPJunkEntry; /* this time but had previously parsed sucessfully */
|
||||
- return FTPMiscEntry; /* its part of a comment or error message */
|
||||
+ return ParsingFailed(state);
|
||||
}
|
||||
|
||||
} // namespace WebCore
|
10
qt.spec
10
qt.spec
@ -10,7 +10,7 @@ Summary: Qt toolkit
|
||||
Name: qt
|
||||
Epoch: 1
|
||||
Version: 4.5.3
|
||||
Release: 8%{?dist}
|
||||
Release: 9%{?dist}
|
||||
|
||||
# See LGPL_EXCEPTIONS.txt, LICENSE.GPL3, respectively, for exception details
|
||||
License: LGPLv2 with exceptions or GPLv3 with exceptions
|
||||
@ -64,6 +64,8 @@ Patch55: qt-x11-opensource-src-4.5.3-glib-event-loop.patch
|
||||
Patch155: http://www.davidfaure.fr/2009/qeventdispatcher_glib_fix.diff
|
||||
|
||||
# security patches
|
||||
Patch180: qt-x11-opensource-src-4.5.3-cve-2009-2816-cors.patch
|
||||
Patch181: qt-x11-opensource-src-4.5.3-cve-2009-3384-ftp-ls-handling.patch
|
||||
|
||||
# kde-qt git patches
|
||||
Patch201: 0001-This-patch-uses-object-name-as-a-fallback-for-window.patch
|
||||
@ -400,6 +402,8 @@ Qt libraries used for drawing widgets and OpenGL items.
|
||||
#patch155 -p1 -b .qeventdispatcher_glib_fix
|
||||
|
||||
# security fixes
|
||||
%patch180 -p1 -b .cve-2009-2816-cors
|
||||
%patch181 -p1 -b .cve-2009-3384-ftp-ls-handling
|
||||
|
||||
# kde-qt branch
|
||||
%patch201 -p1 -b .kde-qt-0001
|
||||
@ -994,6 +998,10 @@ fi
|
||||
|
||||
|
||||
%changelog
|
||||
* Thu Nov 12 2009 Jaroslav Reznik <jreznik@redhat.com> - 4.5.3-9
|
||||
- CVE-2009-3384 - WebKit, ftp listing handling (#525788)
|
||||
- CVE-2009-2816 - WebKit, MITM Cross-Origin Resource Sharing (#525789)
|
||||
|
||||
* Sun Nov 08 2009 Rex Dieter <rdieter@fedoraproject.org> - 4.5.3-8
|
||||
- -x11: Requires: %%{name}-sqlite%{?_isa}
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user