diff --git a/qt-x11-opensource-src-4.5.3-cve-2009-2816-cors.patch b/qt-x11-opensource-src-4.5.3-cve-2009-2816-cors.patch new file mode 100644 index 0000000..fa80e1f --- /dev/null +++ b/qt-x11-opensource-src-4.5.3-cve-2009-2816-cors.patch @@ -0,0 +1,11 @@ +diff -up qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/xml/XMLHttpRequest.cpp.cve-2009-2816-cors qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/xml/XMLHttpRequest.cpp +--- qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/xml/XMLHttpRequest.cpp.cve-2009-2816-cors 2009-09-29 13:01:37.000000000 +0200 ++++ qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/xml/XMLHttpRequest.cpp 2009-11-03 13:47:52.974837432 +0100 +@@ -735,7 +735,6 @@ void XMLHttpRequest::makeCrossSiteAccess + } + + preflightRequest.setHTTPHeaderField("Access-Control-Request-Headers", String::adopt(headerBuffer)); +- preflightRequest.addHTTPHeaderFields(m_requestHeaders); + } + + if (m_async) { diff --git a/qt-x11-opensource-src-4.5.3-cve-2009-3384-ftp-ls-handling.patch b/qt-x11-opensource-src-4.5.3-cve-2009-3384-ftp-ls-handling.patch new file mode 100644 index 0000000..14e0cc0 --- /dev/null +++ b/qt-x11-opensource-src-4.5.3-cve-2009-3384-ftp-ls-handling.patch @@ -0,0 +1,284 @@ +diff -U0 qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/ChangeLog.cve-2009-3384-ftp-ls-handling qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/ChangeLog +--- qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/ChangeLog.cve-2009-3384-ftp-ls-handling 2009-09-29 13:01:35.000000000 +0200 ++++ qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/ChangeLog 2009-11-03 14:53:34.008898552 +0100 +@@ -0,0 +1,14 @@ ++2009-09-24 Brady Eidson ++ ++ Reviewed by Sam Weinig. ++ ++ Merge changes from Mozilla's FTP directory parser. ++ and https://bugs.webkit.org/show_bug.cgi?id=29294 ++ ++ FTP layout tests not possible at this time. ++ https://bugs.webkit.org/show_bug.cgi?id=29719 tracks making them possible. ++ ++ * loader/FTPDirectoryParser.cpp: ++ (WebCore::ParsingFailed): ++ (WebCore::parseOneFTPLine): ++ +diff -up qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/loader/FTPDirectoryParser.cpp.cve-2009-3384-ftp-ls-handling qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/loader/FTPDirectoryParser.cpp +--- qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/loader/FTPDirectoryParser.cpp.cve-2009-3384-ftp-ls-handling 2009-09-29 13:01:36.000000000 +0200 ++++ qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/loader/FTPDirectoryParser.cpp 2009-11-03 14:53:34.044898565 +0100 +@@ -53,6 +53,13 @@ static struct tm *gmtimeQt(const time_t + #define gmtime_r(x, y) gmtime_s((y), (x)) + #endif + ++static inline FTPEntryType ParsingFailed(ListState& state) ++{ ++ if (state.parsedOne || state.listStyle) /* junk if we fail to parse */ ++ return FTPJunkEntry; /* this time but had previously parsed sucessfully */ ++ return FTPMiscEntry; /* its part of a comment or error message */ ++} ++ + FTPEntryType parseOneFTPLine(const char* line, ListState& state, ListResult& result) + { + result.clear(); +@@ -122,6 +129,9 @@ FTPEntryType parseOneFTPLine(const char* + } + } + ++ if (!numtoks) ++ return ParsingFailed(state); ++ + linelen_sans_wsp = &(tokens[numtoks-1][toklen[numtoks-1]]) - tokens[0]; + if (numtoks == (sizeof(tokens)/sizeof(tokens[0])) ) + { +@@ -352,11 +362,16 @@ FTPEntryType parseOneFTPLine(const char* + pos++; + p++; + } +- if (lstyle && pos < (toklen[0]-1) && *p == ']') ++ if (lstyle && pos < (toklen[0]-1)) + { ++ /* ']' was found and there is at least one character after it */ ++ ASSERT(*p == ']'); + pos++; + p++; + tokmarker = pos; /* length of leading "[DIR1.DIR2.etc]" */ ++ } else { ++ /* not a CMU style listing */ ++ lstyle = 0; + } + } + while (lstyle && pos < toklen[0] && *p != ';') +@@ -383,7 +398,7 @@ FTPEntryType parseOneFTPLine(const char* + pos -= tokmarker; /* => fnlength sans "[DIR1.DIR2.etc]" */ + p = &(tokens[0][tokmarker]); /* offset of basename */ + +- if (!lstyle || pos > 80) /* VMS filenames can't be longer than that */ ++ if (!lstyle || pos == 0 || pos > 80) /* VMS filenames can't be longer than that */ + { + lstyle = 0; + } +@@ -776,7 +791,7 @@ FTPEntryType parseOneFTPLine(const char* + state.parsedOne = true; + state.listStyle = lstyle; + +- p = &(line[linelen_sans_wsp]); /* line end sans wsp */ ++ p = &(line[linelen]); /* line end */ + result.caseSensitive = true; + result.filename = tokens[3]; + result.filenameLength = p - tokens[3]; +@@ -784,29 +799,46 @@ FTPEntryType parseOneFTPLine(const char* + + if (*tokens[2] != '<') /* not or */ + { ++ // try to handle correctly spaces at the beginning of the filename ++ // filesize (token[2]) must end at offset 38 ++ if (tokens[2] + toklen[2] - line == 38) { ++ result.filename = &(line[39]); ++ result.filenameLength = p - result.filename; ++ } + result.type = FTPFileEntry; + pos = toklen[2]; + result.fileSize = String(tokens[2], pos); + } +- else if ((tokens[2][1]) != 'D') /* not */ +- { +- result.type = FTPJunkEntry; /* unknown until junc for sure */ +- if (result.filenameLength > 4) ++ else { ++ // try to handle correctly spaces at the beginning of the filename ++ // token[2] must begin at offset 24, the length is 5 or 10 ++ // token[3] must begin at offset 39 or higher ++ if (tokens[2] - line == 24 && (toklen[2] == 5 || toklen[2] == 10) && ++ tokens[3] - line >= 39) { ++ result.filename = &(line[39]); ++ result.filenameLength = p - result.filename; ++ } ++ ++ if ((tokens[2][1]) != 'D') /* not */ + { +- p = result.filename; +- for (pos = result.filenameLength - 4; pos > 0; pos--) ++ result.type = FTPJunkEntry; /* unknown until junc for sure */ ++ if (result.filenameLength > 4) + { +- if (p[0] == ' ' && p[3] == ' ' && p[2] == '>' && +- (p[1] == '=' || p[1] == '-')) ++ p = result.filename; ++ for (pos = result.filenameLength - 4; pos > 0; pos--) + { +- result.type = FTPLinkEntry; +- result.filenameLength = p - result.filename; +- result.linkname = p + 4; +- result.linknameLength = &(line[linelen_sans_wsp]) +- - result.linkname; +- break; ++ if (p[0] == ' ' && p[3] == ' ' && p[2] == '>' && ++ (p[1] == '=' || p[1] == '-')) ++ { ++ result.type = FTPLinkEntry; ++ result.filenameLength = p - result.filename; ++ result.linkname = p + 4; ++ result.linknameLength = &(line[linelen]) ++ - result.linkname; ++ break; ++ } ++ p++; + } +- p++; + } + } + } +@@ -817,8 +849,13 @@ FTPEntryType parseOneFTPLine(const char* + result.modifiedTime.tm_mon--; + result.modifiedTime.tm_mday = atoi(tokens[0]+3); + result.modifiedTime.tm_year = atoi(tokens[0]+6); ++ /* if year has only two digits then assume that ++ 00-79 is 2000-2079 ++ 80-99 is 1980-1999 */ + if (result.modifiedTime.tm_year < 80) +- result.modifiedTime.tm_year += 100; ++ result.modifiedTime.tm_year += 2000; ++ else if (result.modifiedTime.tm_year < 100) ++ result.modifiedTime.tm_year += 1900; + } + + result.modifiedTime.tm_hour = atoi(tokens[1]+0); +@@ -970,6 +1007,8 @@ FTPEntryType parseOneFTPLine(const char* + * "drwxr-xr-x 2 0 0 512 May 28 22:17 etc" + */ + ++ bool isOldHellsoft = false; ++ + if (numtoks >= 6) + { + /* there are two perm formats (Hellsoft/NetWare and *IX strmode(3)). +@@ -995,6 +1034,8 @@ FTPEntryType parseOneFTPLine(const char* + { + /* rest is FMA[S] or AFM[S] */ + lstyle = 'U'; /* very likely one of the NetWare servers */ ++ if (toklen[0] == 10) ++ isOldHellsoft = true; + } + } + } +@@ -1059,7 +1100,7 @@ FTPEntryType parseOneFTPLine(const char* + + /* check that size is numeric */ + p = tokens[tokmarker]; +- for (pos = 0; lstyle && pos < toklen[tokmarker]; pos++) ++ for (unsigned int i = 0; lstyle && i < toklen[tokmarker]; ++i) + { + if (!isASCIIDigit(*p++)) + lstyle = 0; +@@ -1068,11 +1109,11 @@ FTPEntryType parseOneFTPLine(const char* + { + month_num = 0; + p = tokens[tokmarker+1]; +- for (pos = 0;pos < (12*3); pos+=3) ++ for (unsigned int i = 0; i < (12*3); i+=3) + { +- if (p[0] == month_names[pos+0] && +- p[1] == month_names[pos+1] && +- p[2] == month_names[pos+2]) ++ if (p[0] == month_names[i+0] && ++ p[1] == month_names[i+1] && ++ p[2] == month_names[i+2]) + break; + month_num++; + } +@@ -1080,8 +1121,8 @@ FTPEntryType parseOneFTPLine(const char* + lstyle = 0; + } + } /* relative position test */ +- } /* while (pos+5) < numtoks */ +- } /* if (numtoks >= 4) */ ++ } /* for (pos = (numtoks-5); !lstyle && pos > 1; pos--) */ ++ } /* if (lstyle == 'U') */ + + if (lstyle == 'U') + { +@@ -1140,24 +1181,49 @@ FTPEntryType parseOneFTPLine(const char* + + } /* time/year */ + +- result.filename = tokens[tokmarker+4]; +- result.filenameLength = (&(line[linelen_sans_wsp])) ++ // there is exacly 1 space between filename and previous token in all ++ // outputs except old Hellsoft ++ if (!isOldHellsoft) ++ result.filename = tokens[tokmarker+3] + toklen[tokmarker+3] + 1; ++ else ++ result.filename = tokens[tokmarker+4]; ++ ++ result.filenameLength = (&(line[linelen])) + - (result.filename); + + if (result.type == FTPLinkEntry && result.filenameLength > 4) + { +- p = result.filename + 1; +- for (pos = 1; pos < (result.filenameLength - 4); pos++) ++ /* First try to use result.fe_size to find " -> " sequence. ++ This can give proper result for cases like "aaa -> bbb -> ccc". */ ++ unsigned int fileSize = result.fileSize.toUInt(); ++ ++ if (result.filenameLength > (fileSize + 4) && ++ strncmp(result.filename + result.filenameLength - fileSize - 4, " -> ", 4) == 0) ++ { ++ result.linkname = result.filename + (result.filenameLength - fileSize); ++ result.linknameLength = (&(line[linelen])) - (result.linkname); ++ result.filenameLength -= fileSize + 4; ++ } ++ else + { +- if (*p == ' ' && p[1] == '-' && p[2] == '>' && p[3] == ' ') ++ /* Search for sequence " -> " from the end for case when there are ++ more occurrences. F.e. if ftpd returns "a -> b -> c" assume ++ "a -> b" as a name. Powerusers can remove unnecessary parts ++ manually but there is no way to follow the link when some ++ essential part is missing. */ ++ p = result.filename + (result.filenameLength - 5); ++ for (pos = (result.filenameLength - 5); pos > 0; pos--) + { +- result.linkname = p + 4; +- result.linknameLength = (&(line[linelen_sans_wsp])) +- - (result.linkname); +- result.filenameLength = pos; +- break; ++ if (strncmp(p, " -> ", 4) == 0) ++ { ++ result.linkname = p + 4; ++ result.linknameLength = (&(line[linelen])) ++ - (result.linkname); ++ result.filenameLength = pos; ++ break; ++ } ++ p--; + } +- p++; + } + } + +@@ -1614,9 +1680,7 @@ FTPEntryType parseOneFTPLine(const char* + + } /* if (linelen > 0) */ + +- if (state.parsedOne || state.listStyle) /* junk if we fail to parse */ +- return FTPJunkEntry; /* this time but had previously parsed sucessfully */ +- return FTPMiscEntry; /* its part of a comment or error message */ ++ return ParsingFailed(state); + } + + } // namespace WebCore diff --git a/qt.spec b/qt.spec index 5e0d39f..646e727 100644 --- a/qt.spec +++ b/qt.spec @@ -10,7 +10,7 @@ Summary: Qt toolkit Name: qt Epoch: 1 Version: 4.5.3 -Release: 8%{?dist} +Release: 9%{?dist} # See LGPL_EXCEPTIONS.txt, LICENSE.GPL3, respectively, for exception details License: LGPLv2 with exceptions or GPLv3 with exceptions @@ -64,6 +64,8 @@ Patch55: qt-x11-opensource-src-4.5.3-glib-event-loop.patch Patch155: http://www.davidfaure.fr/2009/qeventdispatcher_glib_fix.diff # security patches +Patch180: qt-x11-opensource-src-4.5.3-cve-2009-2816-cors.patch +Patch181: qt-x11-opensource-src-4.5.3-cve-2009-3384-ftp-ls-handling.patch # kde-qt git patches Patch201: 0001-This-patch-uses-object-name-as-a-fallback-for-window.patch @@ -400,6 +402,8 @@ Qt libraries used for drawing widgets and OpenGL items. #patch155 -p1 -b .qeventdispatcher_glib_fix # security fixes +%patch180 -p1 -b .cve-2009-2816-cors +%patch181 -p1 -b .cve-2009-3384-ftp-ls-handling # kde-qt branch %patch201 -p1 -b .kde-qt-0001 @@ -994,6 +998,10 @@ fi %changelog +* Thu Nov 12 2009 Jaroslav Reznik - 4.5.3-9 +- CVE-2009-3384 - WebKit, ftp listing handling (#525788) +- CVE-2009-2816 - WebKit, MITM Cross-Origin Resource Sharing (#525789) + * Sun Nov 08 2009 Rex Dieter - 4.5.3-8 - -x11: Requires: %%{name}-sqlite%{?_isa}