[arch-commits] Commit in qt4/trunk (CVE-2013-4549.patch PKGBUILD libmng2.patch)
Andrea Scarpino
andrea at nymeria.archlinux.org
Wed Dec 11 15:30:07 UTC 2013
Date: Wednesday, December 11, 2013 @ 16:30:07
Author: andrea
Revision: 201435
upgpkg: qt4 4.8.5-7
CVE-2013-4549 and link again to system libmng
Added:
qt4/trunk/CVE-2013-4549.patch
qt4/trunk/libmng2.patch
Modified:
qt4/trunk/PKGBUILD
---------------------+
CVE-2013-4549.patch | 233 ++++++++++++++++++++++++++++++++++++++++++++++++++
PKGBUILD | 18 ++-
libmng2.patch | 35 +++++++
3 files changed, 281 insertions(+), 5 deletions(-)
Added: CVE-2013-4549.patch
===================================================================
--- CVE-2013-4549.patch (rev 0)
+++ CVE-2013-4549.patch 2013-12-11 15:30:07 UTC (rev 201435)
@@ -0,0 +1,233 @@
+From 512a1ce0698d370c313bb561bbf078935fa0342e Mon Sep 17 00:00:00 2001
+From: Mitch Curtis <mitch.curtis at digia.com>
+Date: Thu, 7 Nov 2013 09:36:29 +0100
+Subject: [PATCH] Disallow deep or widely nested entity references.
+
+Nested references with a depth of 2 or greater will fail. References
+that partially expand to greater than 1024 characters will also fail.
+
+This is a backport of 46a8885ae486e238a39efa5119c2714f328b08e4.
+
+Change-Id: I0c2e1fa13d6ccb5f88641dae2ed3f28bfdeaf609
+Reviewed-by: Richard J. Moore <rich at kde.org>
+Reviewed-by: Lars Knoll <lars.knoll at digia.com>
+
+From cecceb0cdd87482124a73ecf537f3445d68be13e Mon Sep 17 00:00:00 2001
+From: Mitch Curtis <mitch.curtis at digia.com>
+Date: Tue, 12 Nov 2013 13:44:56 +0100
+Subject: [PATCH] Fully expand entities to ensure deep or widely nested ones fail parsing
+
+With 512a1ce0698d370c313bb561bbf078935fa0342e, we failed when parsing
+entities whose partially expanded size was greater than 1024
+characters. That was not enough, so now we fully expand all entities.
+
+This is a backport of f1053d94f59f053ce4acad9320df14f1fbe4faac.
+
+Change-Id: I41dd6f4525c63e82fd320a22d19248169627f7e0
+Reviewed-by: Richard J. Moore <rich at kde.org>
+
+diff --git a/src/xml/sax/qxml.cpp b/src/xml/sax/qxml.cpp
+index a1777c5..3904632 100644
+--- a/src/xml/sax/qxml.cpp
++++ b/src/xml/sax/qxml.cpp
+@@ -424,6 +424,10 @@ private:
+ int stringValueLen;
+ QString emptyStr;
+
++ // The limit to the amount of times the DTD parsing functions can be called
++ // for the DTD currently being parsed.
++ int dtdRecursionLimit;
++
+ const QString &string();
+ void stringClear();
+ void stringAddC(QChar);
+@@ -492,6 +496,7 @@ private:
+ void unexpectedEof(ParseFunction where, int state);
+ void parseFailed(ParseFunction where, int state);
+ void pushParseState(ParseFunction function, int state);
++ bool isPartiallyExpandedEntityValueTooLarge(QString *errorMessage);
+
+ Q_DECLARE_PUBLIC(QXmlSimpleReader)
+ QXmlSimpleReader *q_ptr;
+@@ -2759,6 +2764,7 @@ QXmlSimpleReaderPrivate::QXmlSimpleReaderPrivate(QXmlSimpleReader *reader)
+ useNamespacePrefixes = false;
+ reportWhitespaceCharData = true;
+ reportEntities = false;
++ dtdRecursionLimit = 2;
+ }
+
+ QXmlSimpleReaderPrivate::~QXmlSimpleReaderPrivate()
+@@ -5018,6 +5024,11 @@ bool QXmlSimpleReaderPrivate::parseDoctype()
+ }
+ break;
+ case Mup:
++ if (dtdRecursionLimit > 0 && parameterEntities.size() > dtdRecursionLimit) {
++ reportParseError(QString::fromLatin1(
++ "DTD parsing exceeded recursion limit of %1.").arg(dtdRecursionLimit));
++ return false;
++ }
+ if (!parseMarkupdecl()) {
+ parseFailed(&QXmlSimpleReaderPrivate::parseDoctype, state);
+ return false;
+@@ -6627,6 +6638,37 @@ bool QXmlSimpleReaderPrivate::parseChoiceSeq()
+ return false;
+ }
+
++bool QXmlSimpleReaderPrivate::isPartiallyExpandedEntityValueTooLarge(QString *errorMessage)
++{
++ const QString value = string();
++ QMap<QString, int> referencedEntityCounts;
++ foreach (QString entityName, entities.keys()) {
++ for (int i = 0; i < value.size() && i != -1; ) {
++ i = value.indexOf(entityName, i);
++ if (i != -1) {
++ // The entityName we're currently trying to find
++ // was matched in this string; increase our count.
++ ++referencedEntityCounts[entityName];
++ i += entityName.size();
++ }
++ }
++ }
++
++ foreach (QString entityName, referencedEntityCounts.keys()) {
++ const int timesReferenced = referencedEntityCounts[entityName];
++ const QString entityValue = entities[entityName];
++ if (entityValue.size() * timesReferenced > 1024) {
++ if (errorMessage) {
++ *errorMessage = QString::fromLatin1("The XML entity \"%1\""
++ "expands too a string that is too large to process when "
++ "referencing \"%2\" %3 times.").arg(entityName).arg(entityName).arg(timesReferenced);
++ }
++ return true;
++ }
++ }
++ return false;
++}
++
+ /*
+ Parse a EntityDecl [70].
+
+@@ -6721,6 +6763,15 @@ bool QXmlSimpleReaderPrivate::parseEntityDecl()
+ switch (state) {
+ case EValue:
+ if ( !entityExist(name())) {
++ QString errorMessage;
++ if (isPartiallyExpandedEntityValueTooLarge(&errorMessage)) {
++ // The entity at entityName is entityValue.size() characters
++ // long in its unexpanded form, and was mentioned timesReferenced times,
++ // resulting in a string that would be greater than 1024 characters.
++ reportParseError(errorMessage);
++ return false;
++ }
++
+ entities.insert(name(), string());
+ if (declHnd) {
+ if (!declHnd->internalEntityDecl(name(), string())) {
+diff --git a/src/xml/sax/qxml.cpp b/src/xml/sax/qxml.cpp
+index 3904632..befa801 100644
+--- a/src/xml/sax/qxml.cpp
++++ b/src/xml/sax/qxml.cpp
+@@ -426,7 +426,9 @@ private:
+
+ // The limit to the amount of times the DTD parsing functions can be called
+ // for the DTD currently being parsed.
+- int dtdRecursionLimit;
++ static const int dtdRecursionLimit = 2;
++ // The maximum amount of characters an entity value may contain, after expansion.
++ static const int entityCharacterLimit = 1024;
+
+ const QString &string();
+ void stringClear();
+@@ -496,7 +498,7 @@ private:
+ void unexpectedEof(ParseFunction where, int state);
+ void parseFailed(ParseFunction where, int state);
+ void pushParseState(ParseFunction function, int state);
+- bool isPartiallyExpandedEntityValueTooLarge(QString *errorMessage);
++ bool isExpandedEntityValueTooLarge(QString *errorMessage);
+
+ Q_DECLARE_PUBLIC(QXmlSimpleReader)
+ QXmlSimpleReader *q_ptr;
+@@ -2764,7 +2766,6 @@ QXmlSimpleReaderPrivate::QXmlSimpleReaderPrivate(QXmlSimpleReader *reader)
+ useNamespacePrefixes = false;
+ reportWhitespaceCharData = true;
+ reportEntities = false;
+- dtdRecursionLimit = 2;
+ }
+
+ QXmlSimpleReaderPrivate::~QXmlSimpleReaderPrivate()
+@@ -6638,30 +6639,43 @@ bool QXmlSimpleReaderPrivate::parseChoiceSeq()
+ return false;
+ }
+
+-bool QXmlSimpleReaderPrivate::isPartiallyExpandedEntityValueTooLarge(QString *errorMessage)
++bool QXmlSimpleReaderPrivate::isExpandedEntityValueTooLarge(QString *errorMessage)
+ {
+- const QString value = string();
+- QMap<QString, int> referencedEntityCounts;
+- foreach (QString entityName, entities.keys()) {
+- for (int i = 0; i < value.size() && i != -1; ) {
+- i = value.indexOf(entityName, i);
+- if (i != -1) {
+- // The entityName we're currently trying to find
+- // was matched in this string; increase our count.
+- ++referencedEntityCounts[entityName];
+- i += entityName.size();
++ QMap<QString, int> literalEntitySizes;
++ // The entity at (QMap<QString,) referenced the entities at (QMap<QString,) (int>) times.
++ QMap<QString, QMap<QString, int> > referencesToOtherEntities;
++ QMap<QString, int> expandedSizes;
++
++ // For every entity, check how many times all entity names were referenced in its value.
++ foreach (QString toSearch, entities.keys()) {
++ // The amount of characters that weren't entity names, but literals, like 'X'.
++ QString leftOvers = entities.value(toSearch);
++ // How many times was entityName referenced by toSearch?
++ foreach (QString entityName, entities.keys()) {
++ for (int i = 0; i < leftOvers.size() && i != -1; ) {
++ i = leftOvers.indexOf(QString::fromLatin1("&%1;").arg(entityName), i);
++ if (i != -1) {
++ leftOvers.remove(i, entityName.size() + 2);
++ // The entityName we're currently trying to find was matched in this string; increase our count.
++ ++referencesToOtherEntities[toSearch][entityName];
++ }
+ }
+ }
++ literalEntitySizes[toSearch] = leftOvers.size();
+ }
+
+- foreach (QString entityName, referencedEntityCounts.keys()) {
+- const int timesReferenced = referencedEntityCounts[entityName];
+- const QString entityValue = entities[entityName];
+- if (entityValue.size() * timesReferenced > 1024) {
++ foreach (QString entity, referencesToOtherEntities.keys()) {
++ expandedSizes[entity] = literalEntitySizes[entity];
++ foreach (QString referenceTo, referencesToOtherEntities.value(entity).keys()) {
++ const int references = referencesToOtherEntities.value(entity).value(referenceTo);
++ // The total size of an entity's value is the expanded size of all of its referenced entities, plus its literal size.
++ expandedSizes[entity] += expandedSizes[referenceTo] * references + literalEntitySizes[referenceTo] * references;
++ }
++
++ if (expandedSizes[entity] > entityCharacterLimit) {
+ if (errorMessage) {
+- *errorMessage = QString::fromLatin1("The XML entity \"%1\""
+- "expands too a string that is too large to process when "
+- "referencing \"%2\" %3 times.").arg(entityName).arg(entityName).arg(timesReferenced);
++ *errorMessage = QString::fromLatin1("The XML entity \"%1\" expands too a string that is too large to process (%2 characters > %3).");
++ *errorMessage = (*errorMessage).arg(entity).arg(expandedSizes[entity]).arg(entityCharacterLimit);
+ }
+ return true;
+ }
+@@ -6764,10 +6778,7 @@ bool QXmlSimpleReaderPrivate::parseEntityDecl()
+ case EValue:
+ if ( !entityExist(name())) {
+ QString errorMessage;
+- if (isPartiallyExpandedEntityValueTooLarge(&errorMessage)) {
+- // The entity at entityName is entityValue.size() characters
+- // long in its unexpanded form, and was mentioned timesReferenced times,
+- // resulting in a string that would be greater than 1024 characters.
++ if (isExpandedEntityValueTooLarge(&errorMessage)) {
+ reportParseError(errorMessage);
+ return false;
+ }
+--
+1.7.1
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2013-12-11 15:08:40 UTC (rev 201434)
+++ PKGBUILD 2013-12-11 15:30:07 UTC (rev 201435)
@@ -4,7 +4,7 @@
pkgname=qt4
pkgver=4.8.5
-pkgrel=6
+pkgrel=7
arch=('i686' 'x86_64')
url='http://qt-project.org/'
license=('GPL3' 'LGPL' 'FDL' 'custom')
@@ -11,7 +11,7 @@
pkgdesc='A cross-platform application and UI framework'
depends=('libtiff' 'libpng' 'sqlite' 'ca-certificates' 'dbus'
'fontconfig' 'libgl' 'libxrandr' 'libxv' 'libxi' 'alsa-lib'
- 'xdg-utils' 'hicolor-icon-theme' 'desktop-file-utils')
+ 'xdg-utils' 'hicolor-icon-theme' 'desktop-file-utils' 'libmng')
makedepends=('postgresql-libs' 'mariadb' 'unixodbc' 'cups' 'gtk2' 'libfbclient'
'mesa')
optdepends=('qtchooser: set the default Qt toolkit'
@@ -32,7 +32,8 @@
'qtconfig-qt4.desktop' 'assistant-qt4.desktop' 'designer-qt4.desktop'
'linguist-qt4.desktop' 'qdbusviewer-qt4.desktop'
'improve-cups-support.patch'
- 'qtbug-31579.patch' 'qtbug-32534.patch' 'qtbug-32908.patch')
+ 'qtbug-31579.patch' 'qtbug-32534.patch' 'qtbug-32908.patch'
+ 'libmng2.patch' 'CVE-2013-4549.patch')
md5sums=('1864987bdbb2f58f8ae8b350dfdbe133'
'a16638f4781e56e7887ff8212a322ecc'
'8a28b3f52dbeb685d4b69440b520a3e1'
@@ -42,7 +43,9 @@
'c439c7731c25387352d8453ca7574971'
'6ed8d26a8e4a9bba1f6c08fb99cc8357'
'bb0e0fa6ba953fa590d81ac612374e11'
- 'db343dcae522bc90d802ad1e83b7f5dd')
+ 'db343dcae522bc90d802ad1e83b7f5dd'
+ '0ba4ffc9ff1acb9bf8a5f592ba956d48'
+ '8701bd7445426c1ad5da3ddbd72df6b4')
prepare() {
cd ${_pkgfqn}
@@ -57,6 +60,11 @@
# (FS#36947) (QTBUG#32908)
patch -p1 -i "${srcdir}"/qtbug-32908.patch
+ # (FS#38081)
+ patch -p1 -i "${srcdir}"/CVE-2013-4549.patch
+ # (QTBUG#34894)
+ patch -p1 -i "${srcdir}"/libmng2.patch
+
sed -i "s|-O2|${CXXFLAGS}|" mkspecs/common/{g++,gcc}-base.conf
sed -i "/^QMAKE_LFLAGS_RPATH/s| -Wl,-rpath,||g" mkspecs/common/gcc-base-unix.conf
sed -i "/^QMAKE_LFLAGS\s/s|+=|+= ${LDFLAGS}|g" mkspecs/common/gcc-base.conf
@@ -69,7 +77,7 @@
build() {
export QT4DIR="${srcdir}"/${_pkgfqn}
export LD_LIBRARY_PATH=${QT4DIR}/lib:${LD_LIBRARY_PATH}
-
+
cd ${_pkgfqn}
./configure -confirm-license -opensource \
Added: libmng2.patch
===================================================================
--- libmng2.patch (rev 0)
+++ libmng2.patch 2013-12-11 15:30:07 UTC (rev 201435)
@@ -0,0 +1,35 @@
+From 515617e55be9a7bfa738a9c32ef8b19065de37d4 Mon Sep 17 00:00:00 2001
+From: aavit <eirik.aavitsland at digia.com>
+Date: Fri, 22 Nov 2013 15:49:44 +0100
+Subject: [PATCH] Recognize newer libmng versions in config test
+
+libmng 2.0.x has been released and is compatible and usable, but since
+it no longer provides a VERSION_MAJOR macro, the config test would fail.
+
+Task-number: QTBUG-34894
+Change-Id: I36f6ed9d69dbae88feb1b88ce099bf36c9283133
+Reviewed-by: Liang Qi <liang.qi at digia.com>
+(cherry picked from qtimageformats/9ae386653c321c8ddc10fad5ea88f32ebb3d3ffe)
+---
+ config.tests/unix/libmng/libmng.cpp | 2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+diff --git a/config.tests/unix/libmng/libmng.cpp b/config.tests/unix/libmng/libmng.cpp
+index 0fbe554..9db10ff 100644
+--- a/config.tests/unix/libmng/libmng.cpp
++++ b/config.tests/unix/libmng/libmng.cpp
+@@ -46,9 +46,11 @@ int main(int, char **)
+ mng_handle hMNG;
+ mng_cleanup(&hMNG);
+
++#if defined(MNG_VERSION_MAJOR)
+ #if MNG_VERSION_MAJOR < 1 || (MNG_VERSION_MAJOR == 1 && MNG_VERSION_MINOR == 0 && MNG_VERSION_RELEASE < 9)
+ #error System libmng version is less than 1.0.9; using built-in version instead.
+ #endif
++#endif
+
+ return 0;
+ }
+--
+1.7.1
+
More information about the arch-commits
mailing list