[arch-commits] Commit in qt5/trunk (5 files)
Date: Thursday, May 14, 2015 @ 09:32:11 Author: fyan Revision: 239330 upgpkg: qt5 5.4.1-8 - add patches for CVE-2015-0295, CVE-2015-1858, CVE-2015-1859, CVE-2015-1860 - add patch to fix keypad shortcuts (FS#44676) Added: qt5/trunk/CVE-2015-0295.patch qt5/trunk/CVE-2015-1858_1859.patch qt5/trunk/CVE-2015-1860.patch qt5/trunk/keypad-shortcuts.patch Modified: qt5/trunk/PKGBUILD --+ CVE-2015-0295.patch | 44 + CVE-2015-1858_1859.patch | 62 + CVE-2015-1860.patch | 30 ++ PKGBUILD | 21 -- keypad-shortcuts.patch | 94 + 5 files changed, 248 insertions(+), 3 deletions(-) Added: CVE-2015-0295.patch === --- CVE-2015-0295.patch (rev 0) +++ CVE-2015-0295.patch 2015-05-14 07:32:11 UTC (rev 239330) 
@@ -0,0 +1,44 @@ +From 661f6bfd032dacc62841037732816a583640e187 Mon Sep 17 00:00:00 2001 +From: Richard J. Moore r...@kde.org +Date: Sat, 21 Feb 2015 17:43:21 + +Subject: Fix a division by zero when processing malformed BMP files. + +This fixes a division by 0 when processing a maliciously crafted BMP +file. No impact beyond DoS. + +Task-number: QTBUG-44547 +Change-Id: Ifcded2c0aa712e90d23e6b3969af0ec3add53973 +Reviewed-by: Thiago Macieira thiago.macie...@intel.com +Reviewed-by: Oswald Buddenhagen oswald.buddenha...@theqtcompany.com +--- + src/gui/image/qbmphandler.cpp | 8 + 1 file changed, 8 insertions(+) + +diff --git a/src/gui/image/qbmphandler.cpp b/src/gui/image/qbmphandler.cpp +index 21c1a2f..df66499 100644 +--- a/src/gui/image/qbmphandler.cpp b/src/gui/image/qbmphandler.cpp +@@ -314,12 +314,20 @@ static bool read_dib_body(QDataStream s, const BMP_INFOHDR bi, int offset, int + } + } else if (comp == BMP_BITFIELDS (nbits == 16 || nbits == 32)) { + red_shift = calc_shift(red_mask); ++if (((red_mask red_shift) + 1) == 0) ++return false; + red_scale = 256 / ((red_mask red_shift) + 1); + green_shift = calc_shift(green_mask); ++if (((green_mask green_shift) + 1) == 0) ++return false; + green_scale = 256 / ((green_mask green_shift) + 1); + blue_shift = calc_shift(blue_mask); ++if (((blue_mask blue_shift) + 1) == 0) ++return false; + blue_scale = 256 / ((blue_mask blue_shift) + 1); + alpha_shift = calc_shift(alpha_mask); ++if (((alpha_mask alpha_shift) + 1) == 0) ++return false; + alpha_scale = 256 / ((alpha_mask alpha_shift) + 1); + } else if (comp == BMP_RGB (nbits == 24 || nbits == 32)) { + blue_mask = 0x00ff; +-- +cgit v0.11.0 + Added: CVE-2015-1858_1859.patch === --- CVE-2015-1858_1859.patch(rev 0) +++ CVE-2015-1858_1859.patch2015-05-14 07:32:11 UTC (rev 239330) 
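Review bot: The four guards added in the `BMP_BITFIELDS` branch reject only a divisor of exactly zero, which (assuming the masks are 32-bit unsigned, not visible here) happens only when a mask is all ones and the `+ 1` wraps; a mask wider than 8 bits still gives a divisor above 256, so the integer division `256 / (...)` yields a scale of 0 and that channel would presumably decode as zero with no error reported. A comment above the first check would record that scope, for example `// all-ones mask: (mask >> shift) + 1 wraps to 0; masks wider than 8 bits still give scale 0`. The same expression is now written eight times, so a small static helper returning the scale (or failure) would keep each check and its division in sync. The `>>` and `&&` operators appear to have been lost in this rendering of the patch, and `read_dib_body` starts and ends outside the hunk.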
@@ -0,0 +1,62 @@ +From 51ec7ebfe5f45d1c0a03d992e97053cac66e25fe Mon Sep 17 00:00:00 2001 +From: Eirik Aavitsland eirik.aavitsl...@theqtcompany.com +Date: Wed, 11 Mar 2015 13:34:01 +0100 +Subject: Fixes crash in bmp and ico image decoding + +Fuzzing test revealed that for certain malformed bmp and ico files, +the handler would segfault. + +Change-Id: I19d45145f31e7f808f7f6a1a1610270ea4159cbe +Reviewed-by: Lars Knoll lars.kn...@digia.com +--- + src/gui/image/qbmphandler.cpp| 13 +++-- + src/plugins/imageformats/ico/qicohandler.cpp | 2 +- + 2 files changed, 8 insertions(+), 7 deletions(-) + +diff --git a/src/gui/image/qbmphandler.cpp b/src/gui/image/qbmphandler.cpp +index df66499..8acc593 100644 +--- a/src/gui/image/qbmphandler.cpp b/src/gui/image/qbmphandler.cpp +@@ -484,12 +484,6 @@ static bool read_dib_body(QDataStream s, const BMP_INFOHDR bi, int offset, int + p = data + (h-y-1)*bpl; + break; + case 2:// delta (jump) +-// Protection +-if ((uint)x = (uint)w) +-x = w-1; +-if ((uint)y = (uint)h) +-y = h-1; +- + { + quint8 tmp; + d-getChar((char *)tmp); +@@ -497,6 +491,13 @@ static bool read_dib_body(QDataStream s, const BMP_INFOHDR bi, int offset, int + d-getChar((char *)tmp); + y += tmp; + } ++ ++// Protection ++if ((uint)x = (uint)w) ++x = w-1; ++if ((uint)y = (uint)h) ++y = h-1; ++ +
[arch-commits] Commit in qt5/trunk (5 files)
Date: Thursday, December 12, 2013 @ 14:44:52 Author: andrea Revision: 201457 Qt 5.2.0 Modified: qt5/trunk/PKGBUILD qt5/trunk/use-python2.patch Deleted: qt5/trunk/CVE-2013-4549.patch qt5/trunk/bison3.patch qt5/trunk/libmng2.patch -+ CVE-2013-4549.patch | 235 -- PKGBUILD| 88 +- bison3.patch| 38 libmng2.patch | 34 --- use-python2.patch | 140 +++-- 5 files changed, 100 insertions(+), 435 deletions(-) Deleted: CVE-2013-4549.patch === --- CVE-2013-4549.patch 2013-12-12 13:13:42 UTC (rev 201456) +++ CVE-2013-4549.patch 2013-12-12 13:44:52 UTC (rev 201457) 
@@ -1,235 +0,0 @@ -From 46a8885ae486e238a39efa5119c2714f328b08e4 Mon Sep 17 00:00:00 2001 -From: Mitch Curtis mitch.cur...@digia.com -Date: Fri, 27 Sep 2013 12:32:28 +0200 -Subject: [PATCH] Disallow deep or widely nested entity references. - -Nested references with a depth of 2 or greater will fail. References -that partially expand to greater than 1024 characters will also fail. - -Change-Id: Id4e49d6f7cf51e3a247efdb4c6c7c9bd9b223f6e -Reviewed-by: Richard J. Moore r...@kde.org -Reviewed-by: Lars Knoll lars.kn...@digia.com - -From f1053d94f59f053ce4acad9320df14f1fbe4faac Mon Sep 17 00:00:00 2001 -From: Mitch Curtis mitch.cur...@digia.com -Date: Mon, 11 Nov 2013 14:27:40 +0100 -Subject: [PATCH] Fully expand entities to ensure deep or widely nested ones fail parsing - -With 46a8885ae486e238a39efa5119c2714f328b08e4, we failed when parsing -entities whose partially expanded size was greater than 1024 -characters. That was not enough, so now we fully expand all entities. - -Amends 46a8885ae486e238a39efa5119c2714f328b08e4. - -Change-Id: Ie80720d7e04d825eb4eebf528140eb94806c02b1 -Reviewed-by: Richard J. Moore r...@kde.org -Reviewed-by: Lars Knoll lars.kn...@digia.com - -diff --git a/src/xml/sax/qxml.cpp b/src/xml/sax/qxml.cpp -index 45c0f3e..e6d78d3 100644 a/src/xml/sax/qxml.cpp -+++ b/src/xml/sax/qxml.cpp -@@ -424,6 +424,10 @@ private: - int stringValueLen; - QString emptyStr; - -+// The limit to the amount of times the DTD parsing functions can be called -+// for the DTD currently being parsed. 
-+int dtdRecursionLimit; -+ - const QString string(); - void stringClear(); - void stringAddC(QChar); -@@ -493,6 +497,8 @@ private: - void parseFailed(ParseFunction where, int state); - void pushParseState(ParseFunction function, int state); - -+bool isPartiallyExpandedEntityValueTooLarge(QString *errorMessage); -+ - Q_DECLARE_PUBLIC(QXmlSimpleReader) - QXmlSimpleReader *q_ptr; - -@@ -2757,6 +2763,8 @@ QXmlSimpleReaderPrivate::QXmlSimpleReaderPrivate(QXmlSimpleReader *reader) - useNamespacePrefixes = false; - reportWhitespaceCharData = true; - reportEntities = false; -+ -+dtdRecursionLimit = 2; - } - - QXmlSimpleReaderPrivate::~QXmlSimpleReaderPrivate() -@@ -5035,6 +5043,11 @@ bool QXmlSimpleReaderPrivate::parseDoctype() - } - break; - case Mup: -+if (dtdRecursionLimit 0 parameterEntities.size() dtdRecursionLimit) { -+reportParseError(QString::fromLatin1( -+DTD parsing exceeded recursion limit of %1.).arg(dtdRecursionLimit)); -+return false; -+} - if (!parseMarkupdecl()) { - parseFailed(QXmlSimpleReaderPrivate::parseDoctype, state); - return false; -@@ -6644,6 +6657,37 @@ bool QXmlSimpleReaderPrivate::parseChoiceSeq() - return false; - } - -+bool QXmlSimpleReaderPrivate::isPartiallyExpandedEntityValueTooLarge(QString *errorMessage) -+{ -+const QString value = string(); -+QMapQString, int referencedEntityCounts; -+foreach (QString entityName, entities.keys()) { -+for (int i = 0; i value.size() i != -1; ) { -+i = value.indexOf(entityName, i); -+if (i != -1) { -+// The entityName we're currently trying to find -+// was matched in this string; increase our count. 
-+++referencedEntityCounts[entityName]; -+i += entityName.size(); -+} -+} -+} -+ -+foreach (QString entityName, referencedEntityCounts.keys()) { -+const int timesReferenced = referencedEntityCounts[entityName]; -+const QString entityValue = entities[entityName]; -+if (entityValue.size() * timesReferenced 1024) { -+if (errorMessage) { -+*errorMessage = QString::fromLatin1(The XML entity \%1\ -+expands too a string that is too large to process when -+referencing \%2\ %3 times.).arg(entityName).arg(entityName).arg(timesReferenced); -+} -+
[arch-commits] Commit in qt5/trunk (5 files)
Date: Wednesday, May 8, 2013 @ 09:31:32 Author: andrea Revision: 184765 Add qdbusviewer desktop file Added: qt5/trunk/qdbusviewer.desktop Modified: qt5/trunk/PKGBUILD qt5/trunk/assistant.desktop qt5/trunk/designer.desktop qt5/trunk/linguist.desktop -+ PKGBUILD| 21 + assistant.desktop |2 +- designer.desktop|2 +- linguist.desktop|2 +- qdbusviewer.desktop |9 + 5 files changed, 25 insertions(+), 11 deletions(-) Modified: PKGBUILD === --- PKGBUILD2013-05-08 07:26:06 UTC (rev 184764) +++ PKGBUILD2013-05-08 07:31:32 UTC (rev 184765) @@ -31,12 +31,13 @@ options=('!libtool') _pkgfqn=qt-everywhere-opensource-src-${pkgver} source=(http://releases.qt-project.org/${pkgbase}/${pkgver}/single/${_pkgfqn}.tar.xz; -'assistant.desktop' 'designer.desktop' 'linguist.desktop' +'assistant.desktop' 'designer.desktop' 'linguist.desktop' 'qdbusviewer.desktop' 'use-python2.patch' 'gcc48.patch') md5sums=('2cab3518d86fe8f0638c7faea8b46397' - 'f1837a03fd0ebbd2da58975845f278e3' - '480fea1ed076992b688373c8db274be0' - '5595c24d5bb942c21e3a4d299e6d0bf1' + 'b2897dd6a2967bccf8f10e397aafee55' + '9638a78e502719ef8fe5f8d10d0361a9' + '188da8f4c87316e730ebf1c6217bf5a0' + '322b419b16c75d4de0ee7ad0a246caa1' 'd6ab43fb371be494e3bfd9b210c40bf1' '7927028e2374321c78a76df858e723d6') 
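Review bot: The `md5sums=(` array extended in this hunk is the only integrity check on the sources, and the Qt tarball in `source=(` is fetched over plain `http://`, so the build has little protection against a tampered download, because MD5 is not collision-resistant. Consider switching the array to `sha256sums=(` and regenerating it with `makepkg -g`, and using an `https://` URL if the release server offers one. The three replaced desktop-file checksums are consistent with those files being modified in the same commit, and the fourth new entry matches the added `'qdbusviewer.desktop'` source.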
@@ -295,14 +296,18 @@ ${pkgdir}/usr/share/icons/hicolor/${size}x${size}/apps/linguist.png done - install -p -D -m644 src/assistant/assistant/images/assistant.png \ + install -D -m644 src/assistant/assistant/images/assistant.png \ ${pkgdir}/usr/share/icons/hicolor/32x32/apps/assistant.png - install -p -D -m644 src/assistant/assistant/images/assistant-128.png \ + install -D -m644 src/assistant/assistant/images/assistant-128.png \ ${pkgdir}/usr/share/icons/hicolor/128x128/apps/assistant.png - install -p -D -m644 src/designer/src/designer/images/designer.png \ + install -D -m644 src/designer/src/designer/images/designer.png \ ${pkgdir}/usr/share/icons/hicolor/128x128/apps/designer.png + install -D -m644 src/qdbus/qdbusviewer/images/qdbusviwer.png \ +${pkgdir}/usr/share/icons/hicolor/32x32/apps/qdbusviewer.png + install -D -m644 src/qdbus/qdbusviewer/images/qdbusviwer-128.png \ +${pkgdir}/usr/share/icons/hicolor/128x128/apps/qdbusviewer.png install -d ${pkgdir}/usr/share/applications - install -m644 ${srcdir}/{linguist,designer,assistant}.desktop \ + install -m644 ${srcdir}/{linguist,designer,assistant,qdbusviewer}.desktop \ ${pkgdir}/usr/share/applications/ # Fix wrong path in prl files Modified: assistant.desktop === --- assistant.desktop 2013-05-08 07:26:06 UTC (rev 184764) +++ assistant.desktop 2013-05-08 07:31:32 UTC (rev 184765) @@ -1,7 +1,7 @@ [Desktop Entry] Name=Qt Assistant Comment=Shows Qt documentation and examples -Exec=/usr/bin/assistant +Exec=/usr/lib/qt/bin/assistant Icon=assistant Terminal=false Type=Application Modified: designer.desktop === --- designer.desktop2013-05-08 07:26:06 UTC (rev 184764) +++ designer.desktop2013-05-08 07:31:32 UTC (rev 184765) 
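Review bot: The two added `install` lines read from `src/qdbus/qdbusviewer/images/qdbusviwer.png` and `qdbusviwer-128.png`, spelled without the second `e`, while the directory, the destination file names and the new desktop entry all use `qdbusviewer`. Unless the upstream tree really ships the icons under that spelling, `install` will stop on a missing file during packaging; if it is a typo the sources should be `src/qdbus/qdbusviewer/images/qdbusviewer.png` and `src/qdbus/qdbusviewer/images/qdbusviewer-128.png`. The `${pkgdir}` arguments appear unquoted in this rendering; if the quotes are also absent in the file, they should be restored so a build directory containing spaces does not split the path. The packaging function continues outside the hunk.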
@@ -2,7 +2,7 @@
 Name=Qt Designer
 GenericName=Interface Designer
 Comment=Design GUIs for Qt applications
-Exec=/usr/bin/designer
+Exec=/usr/lib/qt/bin/designer
 Icon=designer
 MimeType=application/x-designer;
 Terminal=false
Modified: linguist.desktop
===
--- linguist.desktop2013-05-08 07:26:06 UTC (rev 184764)
+++ linguist.desktop2013-05-08 07:31:32 UTC (rev 184765)
@@ -1,7 +1,7 @@
 [Desktop Entry]
 Name=Qt Linguist
 Comment=Add translations to Qt applications
-Exec=/usr/bin/linguist
+Exec=/usr/lib/qt/bin/linguist
 Icon=linguist
 MimeType=text/vnd.trolltech.linguist;application/x-linguist;
 Terminal=false
Added: qdbusviewer.desktop
===
--- qdbusviewer.desktop (rev 0)
+++ qdbusviewer.desktop 2013-05-08 07:31:32 UTC (rev 184765)
@@ -0,0 +1,9 @@
+[Desktop Entry]
+Name=Qt QDbusViewer
+GenericName=D-Bus Debugger
+Comment=Debug D-Bus applications
+Exec=/usr/lib/qt/bin/qdbusviewer
+Icon=qdbusviewer
+Terminal=false
+Type=Application
+Categories=Qt;Development;Debugger;