Hello community, here is the log from the commit of package qt3 for openSUSE:Factory checked in at 2015-06-06 09:53:20 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/qt3 (Old) and /work/SRC/openSUSE:Factory/.qt3.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "qt3" Changes: -------- qt3-extensions.changes: same change --- /work/SRC/openSUSE:Factory/qt3/qt3.changes 2014-04-06 07:16:09.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.qt3.new/qt3.changes 2015-06-06 09:53:21.000000000 +0200 @@ -1,0 +2,8 @@ +Fri Jun 5 03:53:07 UTC 2015 - [email protected] + +- A set of security patches from Fedora: + qt-x11-free-3.3.8b-CVE-2013-4549.patch + qt-x11-free-3.3.8b-CVE-2015-0295.patch + qt-x11-free-3.3.8b-CVE-2015-1860.patch + +------------------------------------------------------------------- New: ---- qt-x11-free-3.3.8b-CVE-2013-4549.patch qt-x11-free-3.3.8b-CVE-2015-0295.patch qt-x11-free-3.3.8b-CVE-2015-1860.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ qt3-extensions.spec: same change ++++++ qt3.spec ++++++ --- /var/tmp/diff_new_pack.fWrdd3/_old 2015-06-06 09:53:23.000000000 +0200 +++ /var/tmp/diff_new_pack.fWrdd3/_new 2015-06-06 09:53:23.000000000 +0200 @@ -126,6 +126,9 @@ Patch142: extend-freetype-includes-search.patch Patch143: qt3-trident-add-glib-mainloop-support.patch Patch188: qt3-mysql-force-latin1.diff +Patch189: qt-x11-free-3.3.8b-CVE-2013-4549.patch +Patch190: qt-x11-free-3.3.8b-CVE-2015-0295.patch +Patch191: qt-x11-free-3.3.8b-CVE-2015-1860.patch # TQt integration Patch200: qt-3.3.8c.diff @@ -224,6 +227,11 @@ %patch200 %patch142 -p1 %patch188 -p1 +%patch189 -p1 +%patch190 -p1 +%patch191 -p1 + + # copy qt kde integration files cp %SOURCE100 %SOURCE101 src/kernel/ cp %SOURCE101 include/private/ ++++++ qt-x11-free-3.3.8b-CVE-2013-4549.patch ++++++ diff -ur qt-x11-free-3.3.8b/src/xml/qxml.cpp qt-x11-free-3.3.8b-CVE-2013-4549/src/xml/qxml.cpp --- qt-x11-free-3.3.8b/src/xml/qxml.cpp 2008-01-15 20:09:13.000000000 +0100 +++ qt-x11-free-3.3.8b-CVE-2013-4549/src/xml/qxml.cpp 2014-01-13 21:03:14.000000000 +0100 @@ -4529,6 +4529,11 @@ } break; case Mup: + if (dtdRecursionLimit > 0U && d->parameterEntities.size() > dtdRecursionLimit) { + reportParseError(QString::fromLatin1( + "DTD parsing exceeded recursion limit of %1.").arg(dtdRecursionLimit)); + return FALSE; + } if ( !parseMarkupdecl() ) { parseFailed( &QXmlSimpleReader::parseDoctype, state ); return FALSE; @@ -6128,6 +6133,58 @@ } } +bool QXmlSimpleReader::isExpandedEntityValueTooLarge(QString *errorMessage) +{ + QMap<QString, uint> literalEntitySizes; + // The entity at (QMap<QString,) referenced the entities at (QMap<QString,) (uint>) times. + QMap<QString, QMap<QString, uint> > referencesToOtherEntities; + QMap<QString, uint> expandedSizes; + + // For every entity, check how many times all entity names were referenced in its value. + QMap<QString,QString>::ConstIterator toSearchIterator; + for (toSearchIterator = d->entities.begin(); toSearchIterator != d->entities.end(); ++toSearchIterator) { + QString toSearch = toSearchIterator.key(); + // The amount of characters that weren't entity names, but literals, like 'X'. + QString leftOvers = toSearchIterator.data(); + QMap<QString,QString>::ConstIterator entityNameIterator; + // How many times was entityName referenced by toSearch? + for (entityNameIterator = d->entities.begin(); entityNameIterator != d->entities.end(); ++entityNameIterator) { + QString entityName = entityNameIterator.key(); + for (int i = 0; i >= 0 && (uint) i < leftOvers.length(); ) { + i = leftOvers.find(QString::fromLatin1("&%1;").arg(entityName), i); + if (i != -1) { + leftOvers.remove(i, entityName.length() + 2U); + // The entityName we're currently trying to find was matched in this string; increase our count. + ++referencesToOtherEntities[toSearch][entityName]; + } + } + } + literalEntitySizes[toSearch] = leftOvers.length(); + } + + QMap<QString, QMap<QString, uint> >::ConstIterator entityIterator; + for (entityIterator = referencesToOtherEntities.begin(); entityIterator != referencesToOtherEntities.end(); ++entityIterator) { + QString entity = entityIterator.key(); + expandedSizes[entity] = literalEntitySizes[entity]; + QMap<QString, uint>::ConstIterator referenceToIterator; + for (referenceToIterator = entityIterator.data().begin(); referenceToIterator != entityIterator.data().end(); ++referenceToIterator) { + QString referenceTo = referenceToIterator.key(); + const uint references = referenceToIterator.data(); + // The total size of an entity's value is the expanded size of all of its referenced entities, plus its literal size. + expandedSizes[entity] += expandedSizes[referenceTo] * references + literalEntitySizes[referenceTo] * references; + } + + if (expandedSizes[entity] > entityCharacterLimit) { + if (errorMessage) { + *errorMessage = QString::fromLatin1("The XML entity \"%1\" expands to a string that is too large to process (%2 characters > %3)."); + *errorMessage = (*errorMessage).arg(entity).arg(expandedSizes[entity]).arg(entityCharacterLimit); + } + return TRUE; + } + } + return FALSE; +} + /* Parse a EntityDecl [70]. @@ -6222,6 +6279,12 @@ switch ( state ) { case EValue: if ( !entityExist( name() ) ) { + QString errorMessage; + if (isExpandedEntityValueTooLarge(&errorMessage)) { + reportParseError(errorMessage); + return FALSE; + } + d->entities.insert( name(), string() ); if ( declHnd ) { if ( !declHnd->internalEntityDecl( name(), string() ) ) { diff -ur qt-x11-free-3.3.8b/src/xml/qxml.h qt-x11-free-3.3.8b-CVE-2013-4549/src/xml/qxml.h --- qt-x11-free-3.3.8b/src/xml/qxml.h 2008-01-15 20:09:13.000000000 +0100 +++ qt-x11-free-3.3.8b-CVE-2013-4549/src/xml/qxml.h 2014-01-13 21:03:02.000000000 +0100 @@ -307,6 +307,12 @@ QXmlSimpleReaderPrivate* d; + // The limit to the amount of times the DTD parsing functions can be called + // for the DTD currently being parsed. + static const uint dtdRecursionLimit = 2U; + // The maximum amount of characters an entity value may contain, after expansion. + static const uint entityCharacterLimit = 65536U; + const QString &string(); void stringClear(); inline void stringAddC() { stringAddC(c); } @@ -378,6 +384,7 @@ void unexpectedEof( ParseFunction where, int state ); void parseFailed( ParseFunction where, int state ); void pushParseState( ParseFunction function, int state ); + bool isExpandedEntityValueTooLarge(QString *errorMessage); void setUndefEntityInAttrHack(bool b); ++++++ qt-x11-free-3.3.8b-CVE-2015-0295.patch ++++++ diff -ur qt-x11-free-3.3.8b/src/kernel/qimage.cpp qt-x11-free-3.3.8b-CVE-2015-0295/src/kernel/qimage.cpp --- qt-x11-free-3.3.8b/src/kernel/qimage.cpp 2008-01-15 20:09:13.000000000 +0100 +++ qt-x11-free-3.3.8b-CVE-2015-0295/src/kernel/qimage.cpp 2015-02-28 04:59:11.000000000 +0100 @@ -4716,10 +4716,16 @@ if ( (Q_ULONG)d->readBlock( (char *)&blue_mask, sizeof(blue_mask) ) != sizeof(blue_mask) ) return FALSE; red_shift = calc_shift(red_mask); + if (((red_mask >> red_shift) + 1) == 0) + return FALSE; red_scale = 256 / ((red_mask >> red_shift) + 1); green_shift = calc_shift(green_mask); + if (((green_mask >> green_shift) + 1) == 0) + return FALSE; green_scale = 256 / ((green_mask >> green_shift) + 1); blue_shift = calc_shift(blue_mask); + if (((blue_mask >> blue_shift) + 1) == 0) + return FALSE; blue_scale = 256 / ((blue_mask >> blue_shift) + 1); } else if (comp == BMP_RGB && (nbits == 24 || nbits == 32)) { blue_mask = 0x000000ff; ++++++ qt-x11-free-3.3.8b-CVE-2015-1860.patch ++++++ diff -ur qt-x11-free-3.3.8b/src/kernel/qasyncimageio.cpp qt-x11-free-3.3.8b-CVE-2015-1860/src/kernel/qasyncimageio.cpp --- qt-x11-free-3.3.8b/src/kernel/qasyncimageio.cpp 2008-01-15 20:09:13.000000000 +0100 +++ qt-x11-free-3.3.8b-CVE-2015-1860/src/kernel/qasyncimageio.cpp 2015-04-22 01:30:03.000000000 +0200 @@ -1221,6 +1221,8 @@ void QGIFFormat::nextY(QImage& img, QImageConsumer* consumer) { + if (out_of_bounds) + return; int my; switch (interlace) { case 0:
