Hello community,
here is the log from the commit of package qt3 for openSUSE:Factory checked in
at 2015-06-06 09:53:20
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/qt3 (Old)
and /work/SRC/openSUSE:Factory/.qt3.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "qt3"
Changes:
--------
qt3-extensions.changes: same change
--- /work/SRC/openSUSE:Factory/qt3/qt3.changes 2014-04-06 07:16:09.000000000
+0200
+++ /work/SRC/openSUSE:Factory/.qt3.new/qt3.changes 2015-06-06
09:53:21.000000000 +0200
@@ -1,0 +2,8 @@
+Fri Jun 5 03:53:07 UTC 2015 - an...@opensuse.org
+
+- A set of security patches from Fedora:
+ qt-x11-free-3.3.8b-CVE-2013-4549.patch
+ qt-x11-free-3.3.8b-CVE-2015-0295.patch
+ qt-x11-free-3.3.8b-CVE-2015-1860.patch
+
+-------------------------------------------------------------------
New:
----
qt-x11-free-3.3.8b-CVE-2013-4549.patch
qt-x11-free-3.3.8b-CVE-2015-0295.patch
qt-x11-free-3.3.8b-CVE-2015-1860.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
qt3-extensions.spec: same change
++++++ qt3.spec ++++++
--- /var/tmp/diff_new_pack.fWrdd3/_old 2015-06-06 09:53:23.000000000 +0200
+++ /var/tmp/diff_new_pack.fWrdd3/_new 2015-06-06 09:53:23.000000000 +0200
@@ -126,6 +126,9 @@
Patch142: extend-freetype-includes-search.patch
Patch143: qt3-trident-add-glib-mainloop-support.patch
Patch188: qt3-mysql-force-latin1.diff
+Patch189: qt-x11-free-3.3.8b-CVE-2013-4549.patch
+Patch190: qt-x11-free-3.3.8b-CVE-2015-0295.patch
+Patch191: qt-x11-free-3.3.8b-CVE-2015-1860.patch
# TQt integration
Patch200: qt-3.3.8c.diff
@@ -224,6 +227,11 @@
%patch200
%patch142 -p1
%patch188 -p1
+%patch189 -p1
+%patch190 -p1
+%patch191 -p1
+
+
# copy qt kde integration files
cp %SOURCE100 %SOURCE101 src/kernel/
cp %SOURCE101 include/private/
++++++ qt-x11-free-3.3.8b-CVE-2013-4549.patch ++++++
diff -ur qt-x11-free-3.3.8b/src/xml/qxml.cpp
qt-x11-free-3.3.8b-CVE-2013-4549/src/xml/qxml.cpp
--- qt-x11-free-3.3.8b/src/xml/qxml.cpp 2008-01-15 20:09:13.000000000 +0100
+++ qt-x11-free-3.3.8b-CVE-2013-4549/src/xml/qxml.cpp 2014-01-13
21:03:14.000000000 +0100
@@ -4529,6 +4529,11 @@
}
break;
case Mup:
+ if (dtdRecursionLimit > 0U && d->parameterEntities.size() >
dtdRecursionLimit) {
+ reportParseError(QString::fromLatin1(
+ "DTD parsing exceeded recursion limit of
%1.").arg(dtdRecursionLimit));
+ return FALSE;
+ }
if ( !parseMarkupdecl() ) {
parseFailed( &QXmlSimpleReader::parseDoctype, state );
return FALSE;
@@ -6128,6 +6133,58 @@
}
}
+bool QXmlSimpleReader::isExpandedEntityValueTooLarge(QString *errorMessage)
+{
+ QMap<QString, uint> literalEntitySizes;
+ // The entity at (QMap<QString,) referenced the entities at
(QMap<QString,) (uint>) times.
+ QMap<QString, QMap<QString, uint> > referencesToOtherEntities;
+ QMap<QString, uint> expandedSizes;
+
+ // For every entity, check how many times all entity names were referenced
in its value.
+ QMap<QString,QString>::ConstIterator toSearchIterator;
+ for (toSearchIterator = d->entities.begin(); toSearchIterator !=
d->entities.end(); ++toSearchIterator) {
+ QString toSearch = toSearchIterator.key();
+ // The amount of characters that weren't entity names, but literals,
like 'X'.
+ QString leftOvers = toSearchIterator.data();
+ QMap<QString,QString>::ConstIterator entityNameIterator;
+ // How many times was entityName referenced by toSearch?
+ for (entityNameIterator = d->entities.begin(); entityNameIterator !=
d->entities.end(); ++entityNameIterator) {
+ QString entityName = entityNameIterator.key();
+ for (int i = 0; i >= 0 && (uint) i < leftOvers.length(); ) {
+ i =
leftOvers.find(QString::fromLatin1("&%1;").arg(entityName), i);
+ if (i != -1) {
+ leftOvers.remove(i, entityName.length() + 2U);
+ // The entityName we're currently trying to find was
matched in this string; increase our count.
+ ++referencesToOtherEntities[toSearch][entityName];
+ }
+ }
+ }
+ literalEntitySizes[toSearch] = leftOvers.length();
+ }
+
+ QMap<QString, QMap<QString, uint> >::ConstIterator entityIterator;
+ for (entityIterator = referencesToOtherEntities.begin(); entityIterator !=
referencesToOtherEntities.end(); ++entityIterator) {
+ QString entity = entityIterator.key();
+ expandedSizes[entity] = literalEntitySizes[entity];
+ QMap<QString, uint>::ConstIterator referenceToIterator;
+ for (referenceToIterator = entityIterator.data().begin();
referenceToIterator != entityIterator.data().end(); ++referenceToIterator) {
+ QString referenceTo = referenceToIterator.key();
+ const uint references = referenceToIterator.data();
+ // The total size of an entity's value is the expanded size of all
of its referenced entities, plus its literal size.
+ expandedSizes[entity] += expandedSizes[referenceTo] * references +
literalEntitySizes[referenceTo] * references;
+ }
+
+ if (expandedSizes[entity] > entityCharacterLimit) {
+ if (errorMessage) {
+ *errorMessage = QString::fromLatin1("The XML entity \"%1\"
expands to a string that is too large to process (%2 characters > %3).");
+ *errorMessage =
(*errorMessage).arg(entity).arg(expandedSizes[entity]).arg(entityCharacterLimit);
+ }
+ return TRUE;
+ }
+ }
+ return FALSE;
+}
+
/*
Parse a EntityDecl [70].
@@ -6222,6 +6279,12 @@
switch ( state ) {
case EValue:
if ( !entityExist( name() ) ) {
+ QString errorMessage;
+ if (isExpandedEntityValueTooLarge(&errorMessage)) {
+ reportParseError(errorMessage);
+ return FALSE;
+ }
+
d->entities.insert( name(), string() );
if ( declHnd ) {
if ( !declHnd->internalEntityDecl( name(), string() ) )
{
diff -ur qt-x11-free-3.3.8b/src/xml/qxml.h
qt-x11-free-3.3.8b-CVE-2013-4549/src/xml/qxml.h
--- qt-x11-free-3.3.8b/src/xml/qxml.h 2008-01-15 20:09:13.000000000 +0100
+++ qt-x11-free-3.3.8b-CVE-2013-4549/src/xml/qxml.h 2014-01-13
21:03:02.000000000 +0100
@@ -307,6 +307,12 @@
QXmlSimpleReaderPrivate* d;
+ // The limit to the amount of times the DTD parsing functions can be called
+ // for the DTD currently being parsed.
+ static const uint dtdRecursionLimit = 2U;
+ // The maximum amount of characters an entity value may contain, after
expansion.
+ static const uint entityCharacterLimit = 65536U;
+
const QString &string();
void stringClear();
inline void stringAddC() { stringAddC(c); }
@@ -378,6 +384,7 @@
void unexpectedEof( ParseFunction where, int state );
void parseFailed( ParseFunction where, int state );
void pushParseState( ParseFunction function, int state );
+ bool isExpandedEntityValueTooLarge(QString *errorMessage);
void setUndefEntityInAttrHack(bool b);
++++++ qt-x11-free-3.3.8b-CVE-2015-0295.patch ++++++
diff -ur qt-x11-free-3.3.8b/src/kernel/qimage.cpp
qt-x11-free-3.3.8b-CVE-2015-0295/src/kernel/qimage.cpp
--- qt-x11-free-3.3.8b/src/kernel/qimage.cpp 2008-01-15 20:09:13.000000000
+0100
+++ qt-x11-free-3.3.8b-CVE-2015-0295/src/kernel/qimage.cpp 2015-02-28
04:59:11.000000000 +0100
@@ -4716,10 +4716,16 @@
if ( (Q_ULONG)d->readBlock( (char *)&blue_mask, sizeof(blue_mask) ) !=
sizeof(blue_mask) )
return FALSE;
red_shift = calc_shift(red_mask);
+ if (((red_mask >> red_shift) + 1) == 0)
+ return FALSE;
red_scale = 256 / ((red_mask >> red_shift) + 1);
green_shift = calc_shift(green_mask);
+ if (((green_mask >> green_shift) + 1) == 0)
+ return FALSE;
green_scale = 256 / ((green_mask >> green_shift) + 1);
blue_shift = calc_shift(blue_mask);
+ if (((blue_mask >> blue_shift) + 1) == 0)
+ return FALSE;
blue_scale = 256 / ((blue_mask >> blue_shift) + 1);
} else if (comp == BMP_RGB && (nbits == 24 || nbits == 32)) {
blue_mask = 0x000000ff;
++++++ qt-x11-free-3.3.8b-CVE-2015-1860.patch ++++++
diff -ur qt-x11-free-3.3.8b/src/kernel/qasyncimageio.cpp
qt-x11-free-3.3.8b-CVE-2015-1860/src/kernel/qasyncimageio.cpp
--- qt-x11-free-3.3.8b/src/kernel/qasyncimageio.cpp 2008-01-15
20:09:13.000000000 +0100
+++ qt-x11-free-3.3.8b-CVE-2015-1860/src/kernel/qasyncimageio.cpp
2015-04-22 01:30:03.000000000 +0200
@@ -1221,6 +1221,8 @@
void QGIFFormat::nextY(QImage& img, QImageConsumer* consumer)
{
+ if (out_of_bounds)
+ return;
int my;
switch (interlace) {
case 0:
