Date: Wednesday, December 11, 2013 @ 19:52:58 Author: andrea Revision: 201441
upgpkg: qt5 5.1.1-6 CVE-2013-4549 and link again to system libmng Added: qt5/trunk/CVE-2013-4549.patch qt5/trunk/bison3.patch qt5/trunk/libmng2.patch Modified: qt5/trunk/PKGBUILD ---------------------+ CVE-2013-4549.patch | 235 ++++++++++++++++++++++++++++++++++++++++++++++++++ PKGBUILD | 93 +++++++++---------- bison3.patch | 38 ++++++++ libmng2.patch | 34 +++++++ 4 files changed, 352 insertions(+), 48 deletions(-) Added: CVE-2013-4549.patch =================================================================== --- CVE-2013-4549.patch (rev 0) +++ CVE-2013-4549.patch 2013-12-11 18:52:58 UTC (rev 201441) 
@@ -0,0 +1,235 @@
+From 46a8885ae486e238a39efa5119c2714f328b08e4 Mon Sep 17 00:00:00 2001
+From: Mitch Curtis <[email protected]>
+Date: Fri, 27 Sep 2013 12:32:28 +0200
+Subject: [PATCH] Disallow deep or widely nested entity references.
+
+Nested references with a depth of 2 or greater will fail. References
+that partially expand to greater than 1024 characters will also fail.
+
+Change-Id: Id4e49d6f7cf51e3a247efdb4c6c7c9bd9b223f6e
+Reviewed-by: Richard J. Moore <[email protected]>
+Reviewed-by: Lars Knoll <[email protected]>
+
+From f1053d94f59f053ce4acad9320df14f1fbe4faac Mon Sep 17 00:00:00 2001
+From: Mitch Curtis <[email protected]>
+Date: Mon, 11 Nov 2013 14:27:40 +0100
+Subject: [PATCH] Fully expand entities to ensure deep or widely nested ones fail parsing
+
+With 46a8885ae486e238a39efa5119c2714f328b08e4, we failed when parsing
+entities whose partially expanded size was greater than 1024
+characters. That was not enough, so now we fully expand all entities.
+
+Amends 46a8885ae486e238a39efa5119c2714f328b08e4.
+
+Change-Id: Ie80720d7e04d825eb4eebf528140eb94806c02b1
+Reviewed-by: Richard J. Moore <[email protected]>
+Reviewed-by: Lars Knoll <[email protected]>
+
+diff --git a/src/xml/sax/qxml.cpp b/src/xml/sax/qxml.cpp
+index 45c0f3e..e6d78d3 100644
+--- a/src/xml/sax/qxml.cpp
++++ b/src/xml/sax/qxml.cpp
+@@ -424,6 +424,10 @@ private:
+ int stringValueLen;
+ QString emptyStr;
+
++ // The limit to the amount of times the DTD parsing functions can be called
++ // for the DTD currently being parsed.
++ int dtdRecursionLimit;
++
+ const QString &string();
+ void stringClear();
+ void stringAddC(QChar);
+@@ -493,6 +497,8 @@ private:
+ void parseFailed(ParseFunction where, int state);
+ void pushParseState(ParseFunction function, int state);
+
++ bool isPartiallyExpandedEntityValueTooLarge(QString *errorMessage);
++
+ Q_DECLARE_PUBLIC(QXmlSimpleReader)
+ QXmlSimpleReader *q_ptr;
+
+@@ -2757,6 +2763,8 @@ QXmlSimpleReaderPrivate::QXmlSimpleReaderPrivate(QXmlSimpleReader *reader)
+ useNamespacePrefixes = false;
+ reportWhitespaceCharData = true;
+ reportEntities = false;
++
++ dtdRecursionLimit = 2;
+ }
+
+ QXmlSimpleReaderPrivate::~QXmlSimpleReaderPrivate()
+@@ -5035,6 +5043,11 @@ bool QXmlSimpleReaderPrivate::parseDoctype()
+ }
+ break;
+ case Mup:
++ if (dtdRecursionLimit > 0 && parameterEntities.size() > dtdRecursionLimit) {
++ reportParseError(QString::fromLatin1(
++ "DTD parsing exceeded recursion limit of %1.").arg(dtdRecursionLimit));
++ return false;
++ }
+ if (!parseMarkupdecl()) {
+ parseFailed(&QXmlSimpleReaderPrivate::parseDoctype, state);
+ return false;
+@@ -6644,6 +6657,37 @@ bool QXmlSimpleReaderPrivate::parseChoiceSeq()
+ return false;
+ }
+
++bool QXmlSimpleReaderPrivate::isPartiallyExpandedEntityValueTooLarge(QString *errorMessage)
++{
++ const QString value = string();
++ QMap<QString, int> referencedEntityCounts;
++ foreach (QString entityName, entities.keys()) {
++ for (int i = 0; i < value.size() && i != -1; ) {
++ i = value.indexOf(entityName, i);
++ if (i != -1) {
++ // The entityName we're currently trying to find
++ // was matched in this string; increase our count.
++ ++referencedEntityCounts[entityName];
++ i += entityName.size();
++ }
++ }
++ }
++
++ foreach (QString entityName, referencedEntityCounts.keys()) {
++ const int timesReferenced = referencedEntityCounts[entityName];
++ const QString entityValue = entities[entityName];
++ if (entityValue.size() * timesReferenced > 1024) {
++ if (errorMessage) {
++ *errorMessage = QString::fromLatin1("The XML entity \"%1\""
++ "expands too a string that is too large to process when "
++ "referencing \"%2\" %3 times.").arg(entityName).arg(entityName).arg(timesReferenced);
++ }
++ return true;
++ }
++ }
++ return false;
++}
++
+ /*
+ Parse a EntityDecl [70].
+
+@@ -6738,6 +6782,15 @@ bool QXmlSimpleReaderPrivate::parseEntityDecl()
+ switch (state) {
+ case EValue:
+ if ( !entityExist(name())) {
++ QString errorMessage;
++ if (isPartiallyExpandedEntityValueTooLarge(&errorMessage)) {
++ // The entity at entityName is entityValue.size() characters
++ // long in its unexpanded form, and was mentioned timesReferenced times,
++ // resulting in a string that would be greater than 1024 characters.
++ reportParseError(errorMessage);
++ return false;
++ }
++
+ entities.insert(name(), string());
+ if (declHnd) {
+ if (!declHnd->internalEntityDecl(name(), string())) {
+diff --git a/src/xml/sax/qxml.cpp b/src/xml/sax/qxml.cpp
+index e6d78d3..f3a1e47 100644
+--- a/src/xml/sax/qxml.cpp
++++ b/src/xml/sax/qxml.cpp
+@@ -426,7 +426,9 @@ private:
+
+ // The limit to the amount of times the DTD parsing functions can be called
+ // for the DTD currently being parsed.
+- int dtdRecursionLimit;
++ static const int dtdRecursionLimit = 2;
++ // The maximum amount of characters an entity value may contain, after expansion.
++ static const int entityCharacterLimit = 1024;
+
+ const QString &string();
+ void stringClear();
+@@ -497,7 +499,7 @@ private:
+ void parseFailed(ParseFunction where, int state);
+ void pushParseState(ParseFunction function, int state);
+
+- bool isPartiallyExpandedEntityValueTooLarge(QString *errorMessage);
++ bool isExpandedEntityValueTooLarge(QString *errorMessage);
+
+ Q_DECLARE_PUBLIC(QXmlSimpleReader)
+ QXmlSimpleReader *q_ptr;
+@@ -2763,8 +2765,6 @@ QXmlSimpleReaderPrivate::QXmlSimpleReaderPrivate(QXmlSimpleReader *reader)
+ useNamespacePrefixes = false;
+ reportWhitespaceCharData = true;
+ reportEntities = false;
+-
+- dtdRecursionLimit = 2;
+ }
+
+ QXmlSimpleReaderPrivate::~QXmlSimpleReaderPrivate()
+@@ -6657,30 +6657,43 @@ bool QXmlSimpleReaderPrivate::parseChoiceSeq()
+ return false;
+ }
+
+-bool QXmlSimpleReaderPrivate::isPartiallyExpandedEntityValueTooLarge(QString *errorMessage)
++bool QXmlSimpleReaderPrivate::isExpandedEntityValueTooLarge(QString *errorMessage)
+ {
+- const QString value = string();
+- QMap<QString, int> referencedEntityCounts;
+- foreach (QString entityName, entities.keys()) {
+- for (int i = 0; i < value.size() && i != -1; ) {
+- i = value.indexOf(entityName, i);
+- if (i != -1) {
+- // The entityName we're currently trying to find
+- // was matched in this string; increase our count.
+- ++referencedEntityCounts[entityName];
+- i += entityName.size();
++ QMap<QString, int> literalEntitySizes;
++ // The entity at (QMap<QString,) referenced the entities at (QMap<QString,) (int>) times.
++ QMap<QString, QMap<QString, int> > referencesToOtherEntities;
++ QMap<QString, int> expandedSizes;
++
++ // For every entity, check how many times all entity names were referenced in its value.
++ foreach (QString toSearch, entities.keys()) {
++ // The amount of characters that weren't entity names, but literals, like 'X'.
++ QString leftOvers = entities.value(toSearch);
++ // How many times was entityName referenced by toSearch?
++ foreach (QString entityName, entities.keys()) {
++ for (int i = 0; i < leftOvers.size() && i != -1; ) {
++ i = leftOvers.indexOf(QString::fromLatin1("&%1;").arg(entityName), i);
++ if (i != -1) {
++ leftOvers.remove(i, entityName.size() + 2);
++ // The entityName we're currently trying to find was matched in this string; increase our count.
++ ++referencesToOtherEntities[toSearch][entityName];
++ }
+ }
+ }
++ literalEntitySizes[toSearch] = leftOvers.size();
+ }
+
+- foreach (QString entityName, referencedEntityCounts.keys()) {
+- const int timesReferenced = referencedEntityCounts[entityName];
+- const QString entityValue = entities[entityName];
+- if (entityValue.size() * timesReferenced > 1024) {
++ foreach (QString entity, referencesToOtherEntities.keys()) {
++ expandedSizes[entity] = literalEntitySizes[entity];
++ foreach (QString referenceTo, referencesToOtherEntities.value(entity).keys()) {
++ const int references = referencesToOtherEntities.value(entity).value(referenceTo);
++ // The total size of an entity's value is the expanded size of all of its referenced entities, plus its literal size.
++ expandedSizes[entity] += expandedSizes[referenceTo] * references + literalEntitySizes[referenceTo] * references;
++ }
++
++ if (expandedSizes[entity] > entityCharacterLimit) {
+ if (errorMessage) {
+- *errorMessage = QString::fromLatin1("The XML entity \"%1\""
+- "expands too a string that is too large to process when "
+- "referencing \"%2\" %3 times.").arg(entityName).arg(entityName).arg(timesReferenced);
++ *errorMessage = QString::fromLatin1("The XML entity \"%1\" expands too a string that is too large to process (%2 characters > %3).");
++ *errorMessage = (*errorMessage).arg(entity).arg(expandedSizes[entity]).arg(entityCharacterLimit);
+ }
+ return true;
+ }
+@@ -6783,10 +6796,7 @@ bool QXmlSimpleReaderPrivate::parseEntityDecl()
+ case EValue:
+ if ( !entityExist(name())) {
+ QString errorMessage;
+- if (isPartiallyExpandedEntityValueTooLarge(&errorMessage)) {
+- // The entity at entityName is entityValue.size() characters
+- // long in its unexpanded form, and was mentioned timesReferenced times,
+- // resulting in a string that would be greater than 1024 characters.
++ if (isExpandedEntityValueTooLarge(&errorMessage)) {
+ reportParseError(errorMessage);
+ return false;
+ }
+--
+1.7
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2013-12-11 17:08:28 UTC (rev 201440)
+++ PKGBUILD 2013-12-11 18:52:58 UTC (rev 201441)
@@ -3,12 +3,11 @@ pkgbase=qt5 pkgname=('qt5-base' - 'qt5-connectivity' 'qt5-declarative' 'qt5-doc' 'qt5-graphicaleffects' 'qt5-imageformats' - 'qt5-location' + 'qt5-jsbackend' 'qt5-multimedia' 'qt5-quick1' 'qt5-quickcontrols'
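Review bot: In `CVE-2013-4549.patch`, the second commit's `isExpandedEntityValueTooLarge` reads `expandedSizes[referenceTo]` while walking `referencesToOtherEntities.keys()` in QMap key order, so a referenced entity that has not been visited yet contributes 0 (`operator[]` default-inserts) and the total compared against `entityCharacterLimit` can be undercounted. The function also looks only at `entities`, and `parseEntityDecl` calls it before `entities.insert(name(), string())`, so as far as these hunks show the value being declared is measured only when a later declaration triggers the check; it is worth confirming that another path bounds the last declaration. Resolving sizes in dependency order (or iterating until they stop changing) and including the pending `string()` in the computation would close both gaps. Separately, the message text `expands too a string` should read `expands to a string`.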
@@ -21,29 +20,32 @@ 'qt5-webkit' 'qt5-x11extras' 'qt5-xmlpatterns') -pkgver=5.2.0rc1 -_pkgver=5.2.0-rc1 -pkgrel=1 +pkgver=5.1.1 +pkgrel=6 arch=('i686' 'x86_64') url='http://qt-project.org/' license=('GPL3' 'LGPL' 'FDL' 'custom') makedepends=('libxcb' 'xcb-proto' 'xcb-util' 'xcb-util-image' 'xcb-util-wm' 'xcb-util-keysyms' - 'mesa' 'at-spi2-core' 'alsa-lib' 'gstreamer0.10-base-plugins' + 'mesa' 'at-spi2-core' 'alsa-lib' 'gstreamer0.10-base-plugins' 'libmng' 'libjpeg-turbo' 'cups' 'libpulse' 'hicolor-icon-theme' 'desktop-file-utils' 'postgresql-libs' 'libmariadbclient' 'sqlite' 'unixodbc' 'libfbclient' 'python2' 'ruby' 'gperf' 'libxslt' 'libxcomposite' 'fontconfig' - 'openal' 'gtk2' 'libxkbcommon' 'python') + 'openal' 'gtk2' 'libxkbcommon') groups=('qt' 'qt5') -_pkgfqn="qt-everywhere-opensource-src-${_pkgver}" -source=("http://download.qt-project.org/development_releases/qt/5.2/${_pkgver}/single/${_pkgfqn}.tar.xz" +_pkgfqn="qt-everywhere-opensource-src-${pkgver}" +source=("http://download.qt-project.org/official_releases/qt/5.1/${pkgver}/single/${_pkgfqn}.tar.xz" 'assistant.desktop' 'designer.desktop' 'linguist.desktop' 'qdbusviewer.desktop' - 'use-python2.patch') -md5sums=('7bc67db0ed54bd3646f1c6e3e871e938' + 'use-python2.patch' + 'bison3.patch' 'CVE-2013-4549.patch' 'libmng2.patch') +md5sums=('697b7b8768ef8895e168366ab6b44760' 'b2897dd6a2967bccf8f10e397aafee55' '9638a78e502719ef8fe5f8d10d0361a9' '188da8f4c87316e730ebf1c6217bf5a0' '322b419b16c75d4de0ee7ad0a246caa1' - 'a378deccf363bd6079da459c89aff7b9') + '92831f79144d5cb8121915423ba47575' + '6b162cd2bc104f0ae83ca039401be7bf' + 'e59ba552e12408dcc9486cdbb1f233e3' + '478647fa057d190a7d789cf78995167b') prepare() { cd ${_pkgfqn} 
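Review bot: The `source` URL in this hunk is plain `http://`, and every input, including the newly added `CVE-2013-4549.patch`, is pinned only by `md5sums`, a digest that is no longer collision-resistant, so the integrity of both the tarball and the security fix rests on a weak check. Adding a `sha256sums=(...)` array for the same nine entries (values regenerated with `makepkg -g`, not reproduced here) would strengthen the pin. Switching the tarball URL to `https://`, if the download host serves it, would also protect the fetch itself.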
@@ -57,6 +59,16 @@ sed -i -e "s|#![ ]*/usr/bin/python$|#!/usr/bin/python2|" \ -e "s|#![ ]*/usr/bin/env python$|#!/usr/bin/env python2|" \ $(find . -name '*.py') + + # Fix build with bison 3.x + cd qtwebkit + patch -p1 -i "${srcdir}"/bison3.patch + + cd ../qtbase + patch -p1 -i "${srcdir}"/CVE-2013-4549.patch + + cd ../qtimageformats + patch -p1 -i "${srcdir}"/libmng2.patch } build() {
@@ -99,8 +111,8 @@ package_qt5-base() { pkgdesc='A cross-platform application and UI framework' depends=('libjpeg-turbo' 'xcb-util-keysyms' 'libgl' 'dbus' 'fontconfig' 'systemd' - 'xcb-util-wm' 'libxrender' 'libxi' 'sqlite' 'xcb-util-image' 'icu' - 'qtchooser' 'libxkbcommon') + 'xcb-util-wm' 'libxrender' 'libxi' 'sqlite' 'libpng' 'xcb-util-image' + 'icu' 'qtchooser' 'libxkbcommon') optdepends=('postgresql-libs: PostgreSQL driver' 'libmariadbclient: MariaDB driver' 'unixodbc: ODBC driver'
@@ -120,7 +132,7 @@ # Fix wrong qmake path in pri file sed -i "s|${srcdir}/${_pkgfqn}/qtbase|/usr|" \ - "${pkgdir}"/usr/lib/qt/mkspecs/modules/qt_lib_bootstrap_private.pri + "${pkgdir}"/usr/lib/qt/mkspecs/modules/qt_lib_bootstrap.pri # Useful symlinks install -d "${pkgdir}"/usr/bin
@@ -129,24 +141,9 @@ done } -package_qt5-connectivity() { - pkgdesc='A cross-platform application and UI framework (QtBluetooth, QtNfc)' - depends=('qt5-declarative') - - cd ${_pkgfqn}/qtconnectivity - make INSTALL_ROOT="${pkgdir}" install - - # Fix wrong path in prl files - find "${pkgdir}/usr/lib" -type f -name '*.prl' \ - -exec sed -i -e '/^QMAKE_PRL_BUILD_DIR/d;s/\(QMAKE_PRL_LIBS =\).*/\1/' {} \; - - install -D -m644 LGPL_EXCEPTION.txt \ - "${pkgdir}"/usr/share/licenses/${pkgname}/LGPL_EXCEPTION.txt -} - package_qt5-declarative() { pkgdesc='A cross-platform application and UI framework (QtQml, QtQuick)' - depends=('qt5-xmlpatterns') + depends=('qt5-jsbackend' 'qt5-xmlpatterns') conflicts=('qt') cd ${_pkgfqn}/qtdeclarative
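Review bot: In the `prepare()` hunk (`@@ -57,6 +59,16 @@`) only the bison patch carries a comment, so the security fix applied in `qtbase` is indistinguishable from a build fix when the PKGBUILD is read later. Adding `# Fix CVE-2013-4549 (entity expansion limits in QXmlSimpleReader)` above the `cd ../qtbase` line and `# Recognize libmng 2.x in the config test` above `cd ../qtimageformats` would record why each patch is there and make it obvious which one must not be dropped on a rebase. The body of `prepare()` starts outside the hunk.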
@@ -183,6 +180,21 @@ "${pkgdir}"/usr/share/licenses/${pkgname}/LGPL_EXCEPTION.txt } +package_qt5-jsbackend() { + pkgdesc='A cross-platform application and UI framework (QtV8)' + depends=('qt5-base') + + cd ${_pkgfqn}/qtjsbackend + make INSTALL_ROOT="${pkgdir}" install + + # Fix wrong path in prl files + find "${pkgdir}/usr/lib" -type f -name '*.prl' \ + -exec sed -i -e '/^QMAKE_PRL_BUILD_DIR/d;s/\(QMAKE_PRL_LIBS =\).*/\1/' {} \; + + install -D -m644 LGPL_EXCEPTION.txt \ + "${pkgdir}"/usr/share/licenses/${pkgname}/LGPL_EXCEPTION.txt +} + package_qt5-xmlpatterns() { pkgdesc='A cross-platform application and UI framework (QtXmlPatterns)' depends=('qt5-base')
@@ -246,7 +258,7 @@ package_qt5-imageformats() { pkgdesc='A cross-platform application and UI framework (Images plugins)' - depends=('qt5-base' 'libtiff') + depends=('qt5-base' 'libtiff' 'libmng') conflicts=('qt') cd ${_pkgfqn}/qtimageformats
@@ -256,21 +268,6 @@ "${pkgdir}"/usr/share/licenses/${pkgname}/LGPL_EXCEPTION.txt } -package_qt5-location() { - pkgdesc='A cross-platform application and UI framework (QtLocation, QtPositioning)' - depends=('qt5-declarative') - - cd ${_pkgfqn}/qtlocation - make INSTALL_ROOT="${pkgdir}" install - - # Fix wrong path in prl files - find "${pkgdir}/usr/lib" -type f -name '*.prl' \ - -exec sed -i -e '/^QMAKE_PRL_BUILD_DIR/d;s/\(QMAKE_PRL_LIBS =\).*/\1/' {} \; - - install -D -m644 LGPL_EXCEPTION.txt \ - "${pkgdir}"/usr/share/licenses/${pkgname}/LGPL_EXCEPTION.txt -} - package_qt5-quick1() { pkgdesc='A cross-platform application and UI framework (QtDeclarative)' depends=('qt5-webkit' 'qt5-script')
@@ -415,7 +412,7 @@ package_qt5-webkit() { pkgdesc='A cross-platform application and UI framework (QtWebKit)' - depends=('qt5-sensors' 'qt5-location' 'gstreamer0.10-base' 'libxslt' 'libxcomposite') + depends=('qt5-declarative' 'gstreamer0.10-base' 'libxslt' 'libxcomposite' 'qt5-sensors') license=('GPL3' 'LGPL' 'FDL') cd ${_pkgfqn}/qtwebkit
Added: bison3.patch
===================================================================
--- bison3.patch (rev 0)
+++ bison3.patch 2013-12-11 18:52:58 UTC (rev 201441)
@@ -0,0 +1,38 @@
+From 60ba8bd5b3575d0c7740571fbb4e681b21a49a82 Mon Sep 17 00:00:00 2001
+From: Allan Sandfeld Jensen <[email protected]>
+Date: Fri, 16 Aug 2013 18:27:07 +0200
+Subject: [PATCH] ANGLE doesn't build with bison 3.0
+
+https://bugs.webkit.org/show_bug.cgi?id=119798
+
+Reviewed by Antti Koivisto.
+
+Make glslang.y compatible with bison 3.0
+by using %lex-param to set YYLEX_PARAM.
+
+* src/compiler/glslang.y:
+
+git-svn-id: http://svn.webkit.org/repository/webkit/trunk@154109 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+Task-number: QTBUG-32913
+Change-Id: I15505d31f0588c4d558b73befdb9d2358e29c1a3
+Reviewed-by: Jocelyn Turcotte <[email protected]>
+---
+ Source/ThirdParty/ANGLE/src/compiler/glslang.y | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+diff --git a/Source/ThirdParty/ANGLE/src/compiler/glslang.y b/Source/ThirdParty/ANGLE/src/compiler/glslang.y
+index 3cad335..b41e95a 100644
+--- a/Source/ThirdParty/ANGLE/src/compiler/glslang.y
++++ b/Source/ThirdParty/ANGLE/src/compiler/glslang.y
+@@ -47,6 +47,7 @@ WHICH GENERATES THE GLSL ES PARSER (glslang_tab.cpp AND glslang_tab.h).
+ %expect 1 /* One shift reduce conflict because of if | else */
+ %pure-parser
+ %parse-param {TParseContext* context}
++%lex-param {YYLEX_PARAM}
+
+ %union {
+ struct {
+--
+1.7.1
+
Added: libmng2.patch
===================================================================
--- libmng2.patch (rev 0)
+++ libmng2.patch 2013-12-11 18:52:58 UTC (rev 201441)
@@ -0,0 +1,34 @@
+From 9ae386653c321c8ddc10fad5ea88f32ebb3d3ffe Mon Sep 17 00:00:00 2001
+From: aavit <[email protected]>
+Date: Fri, 22 Nov 2013 15:04:23 +0100
+Subject: [PATCH] Recognize newer libmng versions in config test
+
+libmng 2.0.x has been released and is compatible and usable, but since
+it no longer provides a VERSION_MAJOR macro, the config test would fail.
+
+Task-number: QTBUG-34894
+Change-Id: I106aa258de0851af01d1bb016c2971dd8e30fd24
+Reviewed-by: Liang Qi <[email protected]>
+---
+ config.tests/libmng/libmng.cpp | 2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+diff --git a/config.tests/libmng/libmng.cpp b/config.tests/libmng/libmng.cpp
+index 9def33e..fc3e693 100644
+--- a/config.tests/libmng/libmng.cpp
++++ b/config.tests/libmng/libmng.cpp
+@@ -46,9 +46,11 @@ int main(int, char **)
+ mng_handle hMNG;
+ mng_cleanup(&hMNG);
+
++#if defined(MNG_VERSION_MAJOR)
+ #if MNG_VERSION_MAJOR < 1 || (MNG_VERSION_MAJOR == 1 && MNG_VERSION_MINOR == 0 && MNG_VERSION_RELEASE < 9)
+ #error System libmng version is less than 1.0.9; using built-in version instead.
+ #endif
++#endif
+
+ return 0;
+ }
+--
+1.7.1
+
