rpms/kdelibs/F-10 kdelibs-4.2.3-fixPopupForPlasmaboard.patch, NONE, 1.1 kdelibs-4.2.4-cve-2009-0945.patch, NONE, 1.1 kdelibs-4.2.4-cve-2009-1690.patch, NONE, 1.1 kdelibs-4.2.4-cve-2009-2537-select-length.patch, NONE, 1.1 kdelibs-4.2.98-cve-2009-1687.patch, NONE, 1.1 kdelibs-4.2.98-cve-2009-1698.patch, NONE, 1.1 kdelibs-4.2.98-cve-2009-1725.patch, NONE, 1.1 kdelibs-4.1.96-parallel_devel.patch, 1.1, 1.2 kdelibs.spec, 1.431, 1.432

Kevin Kofler kkofler at fedoraproject.org
Sun Jul 26 05:28:18 UTC 2009


Author: kkofler

Update of /cvs/pkgs/rpms/kdelibs/F-10
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv19647/F-10

Modified Files:
	kdelibs-4.1.96-parallel_devel.patch kdelibs.spec 
Added Files:
	kdelibs-4.2.3-fixPopupForPlasmaboard.patch 
	kdelibs-4.2.4-cve-2009-0945.patch 
	kdelibs-4.2.4-cve-2009-1690.patch 
	kdelibs-4.2.4-cve-2009-2537-select-length.patch 
	kdelibs-4.2.98-cve-2009-1687.patch 
	kdelibs-4.2.98-cve-2009-1698.patch 
	kdelibs-4.2.98-cve-2009-1725.patch 
Log Message:
Sync from F11:

* Sun Jul 26 2009 Kevin Kofler <Kevin at tigcc.ticalc.org> - 4.2.4-6
- fix CVE-2009-1725 - crash, possible ACE in numeric character references
- fix CVE-2009-1690 - crash, possible ACE in KHTML (<head> use-after-free)
- fix CVE-2009-1687 - possible ACE in KJS (FIXME: still crashes?)
- fix CVE-2009-1698 - crash, possible ACE in CSS style attribute handling
- fix CVE-2009-0945 - NULL-pointer dereference in the SVGList interface impl

* Thu Jul 23 2009 Jaroslav Reznik <jreznik at redhat.com> - 4.2.4-5
- CVE-2009-2537 - select length DoS
- correct fixPopupForPlasmaboard.patch

* Wed Jul 08 2009 Kevin Kofler <Kevin at tigcc.ticalc.org> - 4.2.4-4
- fix CMake dependency in parallel_devel patch (#510259, CHIKAMA Masaki)

* Mon Jun 15 2009 Rex Dieter <rdieter at fedoraproject.org> 4.2.4-3
- fixPopupForPlasmaboard.patch

kdelibs-4.2.3-fixPopupForPlasmaboard.patch:
 popupapplet.cpp |   17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

--- NEW FILE kdelibs-4.2.3-fixPopupForPlasmaboard.patch ---
From: =?iso-8859-1?q?Bj=F6rn_Ruberg?= <bjoern at ruberg-wegener.de>
To: kde-packager at kde.org
Subject: kdelibs patch for making virtual keyboard work
Date: Sat, 6 Jun 2009 23:40:47 +0200
Message-Id: <200906062340.47628.bjoern at ruberg-wegener.de>

Hello,

I want you to have a look at the patch attached. It's from current KDE 4.2 and 
4.3 trunk. It didn't make it into KDE 4.2.4, but maybe you want to apply it to 
your KDE packages. 

It is needed for making the plasmoid plasmaboard work. Plasmaboard is a 
virtual keyboard for plasma. Find it here:
http://www.kde-look.org/content/show.php/Plasmaboard?content=101822

Without the patch, opening plasmaboard will steal window focus, which makes the 
plasmoid useless. 

Please notify me if this patch finds its way into your distribution so I can 
maintain a list for the plasmaboard users.

Regards,

Björn Ruberg



Index: kdelibs/plasma/popupapplet.cpp
===================================================================
--- kdelibs/plasma/popupapplet.cpp	(Revision 976120)
+++ kdelibs/plasma/popupapplet.cpp	(Arbeitskopie)
@@ -275,11 +275,7 @@
                 //stuff out of your Dialog (extenders). Monitor WindowDeactivate events so we can
                 //emulate the same kind of behavior as Qt::Popup (close when you click somewhere
                 //else.
-                dialog->setWindowFlags(Qt::FramelessWindowHint | Qt::WindowStaysOnTopHint);
-                updateDialogFlags();
-                KWindowSystem::setState(dialog->winId(), NET::SkipTaskbar | NET::SkipPager);
-                dialog->installEventFilter(q);
-
+		
                 q->setMinimumSize(QSize(0, 0));
                 if (gWidget) {
                     Corona *corona = qobject_cast<Corona *>(gWidget->scene());
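Review bot: the four removed calls are replaced by a line containing nothing but two tab characters (`+\t\t`), which adds trailing whitespace to a file that is otherwise space-indented; the line should simply be deleted. On its own this hunk also leaves the dialog with no window flags, no SkipTaskbar/SkipPager state and no event filter, so it only makes sense together with the re-added calls in the following hunk; worth a sentence in the patch header saying the calls were moved, not dropped.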
@@ -289,14 +285,25 @@
                         corona->addOffscreenWidget(gWidget);
                         dialog->setGraphicsWidget(gWidget);
                     }
+
+		    dialog->setWindowFlags(Qt::FramelessWindowHint | Qt::WindowStaysOnTopHint | (gWidget->windowFlags() & Qt::X11BypassWindowManagerHint));
                 } else if (qWidget) {
                     QVBoxLayout *l_layout = new QVBoxLayout(dialog);
                     l_layout->setSpacing(0);
                     l_layout->setMargin(0);
                     l_layout->addWidget(qWidget);
                     dialog->adjustSize();
+
+		    dialog->setWindowFlags(Qt::FramelessWindowHint | Qt::WindowStaysOnTopHint | (qWidget->windowFlags() & Qt::X11BypassWindowManagerHint));
                 }
+		else {
+                    dialog->setWindowFlags(Qt::FramelessWindowHint | Qt::WindowStaysOnTopHint);
+		}
+                updateDialogFlags();
+                KWindowSystem::setState(dialog->winId(), NET::SkipTaskbar | NET::SkipPager);
+                dialog->installEventFilter(q);
 
+
                 QObject::connect(dialog, SIGNAL(dialogResized()), q, SLOT(dialogSizeChanged()));
                 QObject::connect(dialog, SIGNAL(dialogVisible(bool)), q, SLOT(dialogStatusChanged(bool)));
             }
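Review bot: the added `dialog->setWindowFlags(...)` lines and the `else {` / `}` pair are indented with tabs while the surrounding code uses spaces, and putting `else` on its own line after the closing `}` breaks the `} else if (qWidget) {` brace style used two branches above; reflow as `} else {` with space indentation. The two long `setWindowFlags` lines would also read better with `Qt::FramelessWindowHint | Qt::WindowStaysOnTopHint` factored into a local `Qt::WindowFlags flags` that each branch ORs the widget's `Qt::X11BypassWindowManagerHint` into, which would also make the three branches visibly identical apart from that one bit.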

kdelibs-4.2.4-cve-2009-0945.patch:
 SVGList.h |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- NEW FILE kdelibs-4.2.4-cve-2009-0945.patch ---
Index: khtml/svg/SVGList.h
===================================================================
--- khtml/svg/SVGList.h	(revision 983301)
+++ khtml/svg/SVGList.h	(revision 983302)
@@ -97,7 +97,11 @@
 
         Item insertItemBefore(Item newItem, unsigned int index, ExceptionCode&)
         {
-            m_vector.insert(index, newItem);
+            if (index < m_vector.size()) {
+                m_vector.insert(index, newItem);
+            } else {
+                m_vector.append(newItem);
+            }
             return newItem;
         }
 
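Review bot: the guard turns an out-of-range `index` into an append, which is what the SVG DOM defines for `insertItemBefore` when the index is past the end, so the behaviour change is correct and not just a crash avoidance; `index` is unsigned, so no lower bound is needed. The same unchecked-index pattern is likely present in the sibling methods of this list class that take an index (`getItem`, `replaceItem`, `removeItem`); they are not in this hunk and should be checked for the same bounds treatment before this is considered a complete fix.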

kdelibs-4.2.4-cve-2009-1690.patch:
 htmlparser.cpp |   12 +++++-------
 htmlparser.h   |    2 +-
 2 files changed, 6 insertions(+), 8 deletions(-)

--- NEW FILE kdelibs-4.2.4-cve-2009-1690.patch ---
Index: khtml/html/htmlparser.h
===================================================================
--- khtml/html/htmlparser.h	(revision 983315)
+++ khtml/html/htmlparser.h	(revision 983316)
@@ -157,7 +157,7 @@
     /*
      * the head element. Needed for crappy html which defines <base> after </head>
      */
-    DOM::HTMLHeadElementImpl *head;
+    RefPtr<DOM::HTMLHeadElementImpl> head;
 
     /*
      * a possible <isindex> element in the head. Compatibility hack for
Index: khtml/html/htmlparser.cpp
===================================================================
--- khtml/html/htmlparser.cpp	(revision 983315)
+++ khtml/html/htmlparser.cpp	(revision 983316)
@@ -216,7 +216,6 @@
 
     form = 0;
     map = 0;
-    head = 0;
     end = false;
     isindex = 0;
 
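Review bot: removing `head = 0;` is only right if this block is the constructor (a default-constructed `RefPtr` is already null). If this is the parser's `reset()`, the assignment should stay (assigning 0 to a `RefPtr` releases the reference), otherwise a `<head>` element from the previous parse survives into the next one; the hunk context (`form = 0; map = 0; ... end = false; isindex = 0;`) looks like state initialisation that a `reset()` would also perform, so please confirm which function this is.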
@@ -678,8 +677,7 @@
             case ID_BASE:
                 if(!head) {
                     head = new HTMLHeadElementImpl(document);
-                    e = head;
-                    insertNode(e);
+                    insertNode(head.get());
                     handled = true;
                 }
                 break;
@@ -894,7 +892,7 @@
     case ID_HEAD:
         if(!head && (current->id() == ID_HTML || current->isDocumentNode())) {
             head = new HTMLHeadElementImpl(document);
-            n = head;
+            n = head.get();
         }
         break;
     case ID_BODY:
@@ -1907,19 +1905,19 @@
     head = new HTMLHeadElementImpl(document);
     HTMLElementImpl *body = doc()->body();
     int exceptioncode = 0;
-    doc()->documentElement()->insertBefore(head, body, exceptioncode);
+    doc()->documentElement()->insertBefore(head.get(), body, exceptioncode);
     if ( exceptioncode ) {
 #ifdef PARSER_DEBUG
         kDebug( 6035 ) << "creation of head failed!!!!:" << exceptioncode;
 #endif
-        delete head;
+        delete head.get();
         head = 0;
     }
         
     // If the body does not exist yet, then the <head> should be pushed as the current block.
     if (head && !body) {
         pushBlock(head->id(), tagPriority(head->id()));
-        setCurrent(head);
+        setCurrent(head.get());
     }
 }
 
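Review bot: `delete head.get();` followed by `head = 0;` is a use-after-free in the error path. With `head` now a `RefPtr<HTMLHeadElementImpl>` (previous hunk in htmlparser.h), the smart pointer still holds its reference when the raw pointer is deleted, and the subsequent `head = 0;` then calls `deref()` on the freed object. The `delete` line should be dropped entirely; `head = 0;` alone releases the last reference and destroys the element, since the failed `insertBefore` never attached it to the tree.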

kdelibs-4.2.4-cve-2009-2537-select-length.patch:
 kjs_html.cpp |    9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

--- NEW FILE kdelibs-4.2.4-cve-2009-2537-select-length.patch ---
diff -up kdelibs-4.2.4/khtml/ecma/kjs_html.cpp.cve-2009-2537-select-length kdelibs-4.2.4/khtml/ecma/kjs_html.cpp
--- kdelibs-4.2.4/khtml/ecma/kjs_html.cpp.cve-2009-2537-select-length	2009-03-26 15:44:13.000000000 +0100
+++ kdelibs-4.2.4/khtml/ecma/kjs_html.cpp	2009-07-23 10:35:55.908865609 +0200
@@ -69,6 +69,9 @@
 #include <QtCore/QList>
 #include <QtCore/QHash>
 
+// CVE-2009-2537 (vendors agreed on max 10000 elements)
+#define MAX_SELECT_LENGTH 10000
+
 using namespace DOM;
 
 namespace KJS {
@@ -2428,8 +2431,12 @@ void KJS::HTMLElement::putValueProperty(
       case SelectValue:           { select.setValue(str.implementation()); return; }
       case SelectLength:          { // read-only according to the NS spec, but webpages need it writeable
                                          JSObject *coll = getSelectHTMLCollection(exec, select.options(), &select)->getObject();
+
                                          if ( coll )
-                                           coll->put(exec,"length",value);
+                                           if (value->toInteger(exec) >= MAX_SELECT_LENGTH)
+                                             setDOMException(exec, DOMException::INDEX_SIZE_ERR);
+                                           else
+                                             coll->put(exec, "length", value);
                                          return;
                                        }
       // read-only: form
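Review bot: the nested `if` without braces leaves the `else` binding to `if (value->toInteger(exec) >= MAX_SELECT_LENGTH)` only by the dangling-else rule; wrap the body of `if ( coll )` in braces so the intended structure is explicit. Note also that only the upper bound is checked here: a negative or NaN `toInteger` result skips the `INDEX_SIZE_ERR` branch and reaches `coll->put(exec, "length", value)`, so that put must continue to validate its input.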

kdelibs-4.2.98-cve-2009-1687.patch:
 collector.cpp |    4 ++++
 1 file changed, 4 insertions(+)

--- NEW FILE kdelibs-4.2.98-cve-2009-1687.patch ---
diff -ur kdelibs-4.2.98/kjs/collector.cpp kdelibs-4.2.98-cve-2009-1687/kjs/collector.cpp
--- kdelibs-4.2.98/kjs/collector.cpp	2009-04-30 20:02:44.000000000 +0200
+++ kdelibs-4.2.98-cve-2009-1687/kjs/collector.cpp	2009-07-26 03:52:44.000000000 +0200
@@ -31,6 +31,7 @@
 #include "value.h"
 
 #include <setjmp.h>
+#include <limits.h>
 #include <algorithm>
 
 #if PLATFORM(DARWIN)
@@ -109,6 +110,9 @@
 
     void append(CollectorBlock* block) {
         if (m_used == m_capacity) {
+            static const size_t maxNumBlocks = ULONG_MAX / sizeof(CollectorBlock*) / GROWTH_FACTOR;
+            if (m_capacity > maxNumBlocks)
+                CRASH();
             m_capacity = max(MIN_ARRAY_SIZE, m_capacity * GROWTH_FACTOR);
             m_data = static_cast<CollectorBlock **>(fastRealloc(m_data, m_capacity * sizeof(CollectorBlock *)));
         }
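Review bot: `m_capacity` is compared against a `size_t` bound, so `SIZE_MAX` (from `<stdint.h>`) expresses the intent directly; `ULONG_MAX` only coincides with it on LP64 targets, and on platforms where `unsigned long` is narrower than `size_t` the limit becomes needlessly low. The check itself is correct (`m_capacity > maxNumBlocks` is exactly the condition under which `m_capacity * GROWTH_FACTOR * sizeof(CollectorBlock*)` would wrap), but it converts the overflow into a deliberate `CRASH()`, which is the "still crashes" the changelog FIXME refers to; a graceful out-of-memory failure would be the follow-up.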

kdelibs-4.2.98-cve-2009-1698.patch:
 css_valueimpl.cpp |    4 +++-
 cssparser.cpp     |   11 ++++++++++-
 2 files changed, 13 insertions(+), 2 deletions(-)

--- NEW FILE kdelibs-4.2.98-cve-2009-1698.patch ---
diff -ur kdelibs-4.2.98/khtml/css/cssparser.cpp kdelibs-4.2.98-cve-2009-1698/khtml/css/cssparser.cpp
--- kdelibs-4.2.98/khtml/css/cssparser.cpp	2009-07-21 17:16:12.000000000 +0200
+++ kdelibs-4.2.98-cve-2009-1698/khtml/css/cssparser.cpp	2009-07-26 04:19:38.000000000 +0200
@@ -1513,6 +1513,14 @@
                 if ( args->size() != 1)
                     return false;
                 Value *a = args->current();
+                if (a->unit != CSSPrimitiveValue::CSS_IDENT) {
+                    isValid=false;
+                    break;
+                }
+                if (qString(a->string)[0] == '-') {
+                    isValid=false;
+                    break;
+                }
                 parsedValue = new CSSPrimitiveValueImpl(domString(a->string), CSSPrimitiveValue::CSS_ATTR);
             }
             else
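Review bot: `qString(a->string)[0] == '-'` relies on `QString::operator[]` for index 0 of a possibly empty identifier; `qString(a->string).startsWith('-')` states the intent (reject identifiers with a leading hyphen) and needs no out-of-range behaviour. Minor: `isValid=false;` should be `isValid = false;` to match the file's spacing.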
@@ -1565,7 +1573,8 @@
 
     CounterImpl *counter = new CounterImpl;
     Value *i = args->current();
-//    if (i->unit != CSSPrimitiveValue::CSS_IDENT) goto invalid;
+    if (i->unit != CSSPrimitiveValue::CSS_IDENT) goto invalid;
+    if (qString(i->string)[0] == '-') goto invalid;
     counter->m_identifier = domString(i->string);
     if (counters) {
         i = args->next();
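Review bot: `counter` is allocated with `new CounterImpl` two lines above the re-enabled `goto invalid`, and a second `goto invalid` is added right after it; make sure the `invalid:` label deletes `counter` (or move the two checks above the allocation), otherwise every rejected `counter()`/`counters()` value leaks. As in the cssparser hunk above, `qString(i->string).startsWith('-')` would be the clearer form of the hyphen check.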
diff -ur kdelibs-4.2.98/khtml/css/css_valueimpl.cpp kdelibs-4.2.98-cve-2009-1698/khtml/css/css_valueimpl.cpp
--- kdelibs-4.2.98/khtml/css/css_valueimpl.cpp	2009-05-14 19:27:35.000000000 +0200
+++ kdelibs-4.2.98-cve-2009-1698/khtml/css/css_valueimpl.cpp	2009-07-26 04:17:28.000000000 +0200
@@ -1212,7 +1212,9 @@
 	    text = getValueName(m_value.ident);
 	    break;
 	case CSSPrimitiveValue::CSS_ATTR:
-	    // ###
+            text = "attr(";
+            text += DOMString( m_value.string );
+            text += ")";
 	    break;
 	case CSSPrimitiveValue::CSS_COUNTER:
             text = "counter(";
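Review bot: the three added lines are space-indented while the surrounding `case` lines use tabs; match the file. The serialisation emits `m_value.string` inside `attr(...)` without escaping, which is only safe because the parser change in the same patch now restricts `CSS_ATTR` to a plain identifier that does not start with `-`; that dependency is worth a one-line comment here so the two halves are not separated later.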

kdelibs-4.2.98-cve-2009-1725.patch:
 htmltokenizer.cpp |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- NEW FILE kdelibs-4.2.98-cve-2009-1725.patch ---
Index: khtml/html/htmltokenizer.cpp
===================================================================
--- khtml/html/htmltokenizer.cpp	(revision 1002162)
+++ khtml/html/htmltokenizer.cpp	(revision 1002163)
@@ -1038,7 +1038,7 @@
 #ifdef TOKEN_DEBUG
                 kDebug( 6036 ) << "unknown entity!";
 #endif
-                checkBuffer(10);
+                checkBuffer(11);
                 // ignore the sequence, add it to the buffer as plaintext
                 *dest++ = '&';
                 for(unsigned int i = 0; i < cBufferPos; i++)
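Review bot: the change from `checkBuffer(10)` to `checkBuffer(11)` is a bare magic number with no explanation of why 11 is now sufficient. The lines that follow write one `'&'` plus `cBufferPos` characters, so the reservation should be expressed in those terms (one slot for `'&'` plus the maximum `cBufferPos` the tokenizer allows), or at least carry a comment stating that derivation, so the next person can verify the bound rather than trust it.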

kdelibs-4.1.96-parallel_devel.patch:
 cmake/modules/FindKDE4Internal.cmake        |   36 ++++++++++++++--------------
 doc/api/doxygen-preprocess-kcfg.sh          |    4 +--
 kdecore/kconfig_compiler/CMakeLists.txt     |    6 ++--
 kdecore/kconfig_compiler/checkkcfg.pl       |    4 +--
 kdeui/tests/kconfig_compiler/CMakeLists.txt |    2 -
 kdewidgets/CMakeLists.txt                   |   12 ++++-----
 6 files changed, 33 insertions(+), 31 deletions(-)

Index: kdelibs-4.1.96-parallel_devel.patch
===================================================================
RCS file: /cvs/pkgs/rpms/kdelibs/F-10/kdelibs-4.1.96-parallel_devel.patch,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -p -r1.1 -r1.2
--- kdelibs-4.1.96-parallel_devel.patch	23 Jan 2009 18:59:58 -0000	1.1
+++ kdelibs-4.1.96-parallel_devel.patch	26 Jul 2009 05:28:18 -0000	1.2
@@ -208,3 +208,12 @@ diff -up kdelibs-4.1.96/kdewidgets/CMake
  
  set(kdewidgets_PART_SRCS
     classpreviews.cpp
+@@ -66,7 +66,7 @@
+ 
+    add_custom_command(OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/kde3supportwidgets.cpp
+      COMMAND "${MAKEKDEWIDGETS_EXECUTABLE}" -o ${CMAKE_CURRENT_BINARY_DIR}/kde3supportwidgets.cpp ${CMAKE_CURRENT_SOURCE_DIR}/kde3support.widgets
+-     MAIN_DEPENDENCY kde3support.widgets DEPENDS makekdewidgets)
++     MAIN_DEPENDENCY kde3support.widgets DEPENDS makekdewidgets4)
+ 
+    set(kde3supportwidgets_PART_SRCS
+       classpreviews.cpp


Index: kdelibs.spec
===================================================================
RCS file: /cvs/pkgs/rpms/kdelibs/F-10/kdelibs.spec,v
retrieving revision 1.431
retrieving revision 1.432
diff -u -p -r1.431 -r1.432
--- kdelibs.spec	1 Jun 2009 11:51:50 -0000	1.431
+++ kdelibs.spec	26 Jul 2009 05:28:18 -0000	1.432
@@ -1,6 +1,6 @@
 Summary: K Desktop Environment 4 - Libraries
 Version: 4.2.4
-Release: 2%{?dist}
+Release: 6%{?dist}
 
 %if 0%{?fedora} > 8
 Name: kdelibs
@@ -80,11 +80,26 @@ Patch18: kdelibs-4.1.72-kstandarddirs.pa
 Patch20: kdelibs-4.1.70-cmake.patch
 Patch22: kdelibs-4.1.96-cmake.patch
 
+# upstreamable
+Patch50: kdelibs-4.2.3-fixPopupForPlasmaboard.patch
+
 # upstream
 # 4.2 branch
+# fix CVE-2009-1687 - possible ACE in KJS (FIXME: still crashes?)
+Patch100: kdelibs-4.2.4-cve-2009-1690.patch
+# fix CVE-2009-0945 - NULL-pointer dereference in the SVGList interface impl
+Patch101: kdelibs-4.2.4-cve-2009-0945.patch
 
 # 4.3 branch
 Patch200: kdelibs-4.1.96-AllowExternalPaths.patch
+# fix CVE-2009-2537 - select length DoS
+Patch201: kdelibs-4.2.4-cve-2009-2537-select-length.patch
+# fix CVE-2009-1725 - crash, possible ACE in numeric character references
+Patch202: kdelibs-4.2.98-cve-2009-1725.patch
+# fix CVE-2009-1687 - possible ACE in KJS (FIXME: now aborts, so still crashes)
+Patch203: kdelibs-4.2.98-cve-2009-1687.patch
+# fix CVE-2009-1698 - crash, possible ACE in CSS style attribute handling
+Patch204: kdelibs-4.2.98-cve-2009-1698.patch
 
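Review bot: the comment above `Patch100` is wrong: it says "fix CVE-2009-1687 - possible ACE in KJS" but the patch is `kdelibs-4.2.4-cve-2009-1690.patch` (the KHTML `<head>` use-after-free); CVE-2009-1687 is handled by `Patch203` below. Fix the comment to `# fix CVE-2009-1690 - crash, possible ACE in KHTML (<head> use-after-free)` so the spec file stays a reliable record of which patch addresses which advisory.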
 BuildRequires: qt4-devel >= 4.4.0
 # qt4%{_?_isa} isn't provided yet -- Rex
@@ -216,11 +231,19 @@ sed -i -e "s|@@VERSION_RELEASE@@|%{versi
 %patch20 -p1 -b .xxcmake
 %patch22 -p1 -b .kdepimlibs-cmake
 
+%patch50 -p1 -b .fixPopupForPlasmaboard
+
 # upstream patches
 # 4.2
+%patch100 -p0 -b .cve-2009-1690
+%patch101 -p0 -b .cve-2009-0945
 
 # 4.3
 %patch200 -p1 -b .AllowExternalPaths
+%patch201 -p1 -b .cve-2009-2537-select-length
+%patch202 -p0 -b .cve-2009-1725
+%patch203 -p1 -b .cve-2009-1687
+%patch204 -p1 -b .cve-2009-1698
 
 
 %build
@@ -403,6 +426,23 @@ rm -rf %{buildroot}
 
 
 %changelog
+* Sun Jul 26 2009 Kevin Kofler <Kevin at tigcc.ticalc.org> - 4.2.4-6
+- fix CVE-2009-1725 - crash, possible ACE in numeric character references
+- fix CVE-2009-1690 - crash, possible ACE in KHTML (<head> use-after-free)
+- fix CVE-2009-1687 - possible ACE in KJS (FIXME: still crashes?)
+- fix CVE-2009-1698 - crash, possible ACE in CSS style attribute handling
+- fix CVE-2009-0945 - NULL-pointer dereference in the SVGList interface impl
+
+* Thu Jul 23 2009 Jaroslav Reznik <jreznik at redhat.com> - 4.2.4-5
+- CVE-2009-2537 - select length DoS
+- correct fixPopupForPlasmaboard.patch
+
+* Wed Jul 08 2009 Kevin Kofler <Kevin at tigcc.ticalc.org> - 4.2.4-4
+- fix CMake dependency in parallel_devel patch (#510259, CHIKAMA Masaki)
+
+* Mon Jun 15 2009 Rex Dieter <rdieter at fedoraproject.org> 4.2.4-3
+- fixPopupForPlasmaboard.patch
+
 * Mon Jun  1 2009 Lukáš Tinkl <ltinkl at redhat.com> - 4.2.4-2
 - respun tarball
 




More information about the fedora-extras-commits mailing list