From 76078aea2e778defe516b39bd4367dedd4a71ca5 Mon Sep 17 00:00:00 2001
From: Jaroslav Reznik
Date: Oct 25 2010 15:28:32 +0000
Subject: CVE-2010-1822 fix
---
diff --git a/qt-everywhere-opensource-src-4.7.0-CVE-2010-1822-crash-svg-image.patch b/qt-everywhere-opensource-src-4.7.0-CVE-2010-1822-crash-svg-image.patch
new file mode 100644
index 0000000..32b9713
--- /dev/null
+++ b/qt-everywhere-opensource-src-4.7.0-CVE-2010-1822-crash-svg-image.patch
@@ -0,0 +1,26 @@
+diff -up qt-everywhere-opensource-src-4.7.0/src/3rdparty/webkit/WebCore/svg/SVGGElement.cpp.CVE-2010-1822-crash-svg-image qt-everywhere-opensource-src-4.7.0/src/3rdparty/webkit/WebCore/svg/SVGGElement.cpp
+--- qt-everywhere-opensource-src-4.7.0/src/3rdparty/webkit/WebCore/svg/SVGGElement.cpp.CVE-2010-1822-crash-svg-image 2010-09-10 11:05:20.000000000 +0200
++++ qt-everywhere-opensource-src-4.7.0/src/3rdparty/webkit/WebCore/svg/SVGGElement.cpp 2010-10-25 14:22:06.542771102 +0200
+@@ -86,6 +86,11 @@ RenderObject* SVGGElement::createRendere
+ return new (arena) RenderSVGTransformableContainer(this);
+ }
+
++bool SVGGElement::rendererIsNeeded(RenderStyle*)
++{
++ return parentNode() && parentNode()->isSVGElement();
++}
++
+ }
+
+ #endif // ENABLE(SVG)
+diff -up qt-everywhere-opensource-src-4.7.0/src/3rdparty/webkit/WebCore/svg/SVGGElement.h.CVE-2010-1822-crash-svg-image qt-everywhere-opensource-src-4.7.0/src/3rdparty/webkit/WebCore/svg/SVGGElement.h
+--- qt-everywhere-opensource-src-4.7.0/src/3rdparty/webkit/WebCore/svg/SVGGElement.h.CVE-2010-1822-crash-svg-image 2010-09-10 11:05:21.000000000 +0200
++++ qt-everywhere-opensource-src-4.7.0/src/3rdparty/webkit/WebCore/svg/SVGGElement.h 2010-10-25 14:28:37.467854695 +0200
+@@ -43,6 +43,7 @@ namespace WebCore {
+ virtual void parseMappedAttribute(MappedAttribute*);
+ virtual void svgAttributeChanged(const QualifiedName&);
+ virtual void synchronizeProperty(const QualifiedName&);
++ virtual bool rendererIsNeeded(RenderStyle*);
+ virtual void childrenChanged(bool changedByParser = false, Node* beforeChange = 0, Node* afterChange = 0, int childCountDelta = 0);
+
+ virtual RenderObject* createRenderer(RenderArena*, RenderStyle*);
diff --git a/qt.spec b/qt.spec
index 5d6c3b5..cceac00 100644
--- a/qt.spec
+++ b/qt.spec
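Review bot: The new `SVGGElement::rendererIsNeeded` override ignores its `RenderStyle*` argument, so it replaces whatever display-based decision the base class made with a pure parent-type test, and nothing in the patch records why that is acceptable for `<g>`; if it is intended, add a comment above the definition such as `// Only create a renderer when the parent is an SVG element: a <g> under a non-SVG parent must not get a RenderSVGTransformableContainer (CVE-2010-1822). The style is deliberately not consulted here.` The check also returns false when `parentNode()` is null (a detached element), which is presumably harmless since no renderer is wanted there, but the comment should say so. The guard is added only to `<g>`; whether other SVG container elements in this tree make the same assumption about their parent renderer is not visible from this hunk and should be confirmed against the upstream WebKit change, which the patch header ought to cite by revision. The `createRenderer` body shown as context starts outside the hunk.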
@@ -18,7 +18,7 @@ Summary: Qt toolkit
 Name: qt
 Epoch: 1
 Version: 4.7.0
-Release: 7%{?dist}
+Release: 8%{?dist}
 # See LGPL_EXCEPTIONS.txt, LICENSE.GPL3, respectively, for exception details
 License: (LGPLv2 with exceptions or GPLv3 with exceptions) and ASL 2.0 and BSD and FTL and MIT
@@ -82,8 +82,6 @@ Patch62: qt-4.6.3-indic-rendering-bz636399.patch
 # fix 24bit color issue
 Patch63: qt-everywhere-opensource-src-4.7.0-bpp24.patch
-# security patches
-
 ## upstream patches
 Patch100: qt-everywhere-opensource-src-4.7.0-QTBUG-13567-QTreeView.patch
 # http://bugreports.qt.nokia.com/browse/QTBUG-6185
@@ -96,6 +94,9 @@ Patch204: 0004-This-patch-adds-support-for-using-isystem-to-allow-p.patch
 Patch205: 0005-When-tabs-are-inserted-or-removed-in-a-QTabBar.patch
 Patch212: 0012-Add-context-to-tr-calls-in-QShortcut.patch
+# security patches
+Patch300: qt-everywhere-opensource-src-4.7.0-CVE-2010-1822-crash-svg-image.patch
+
 # gstreamer logos
 Source10: http://gstreamer.freedesktop.org/data/images/artwork/gstreamer-logo.svg
 Source11: hi16-phonon-gstreamer.png
@@ -440,8 +441,6 @@ Qt libraries used for drawing widgets and OpenGL items.
 %patch62 -p1 -b .indic-rendering-bz636399
 %patch63 -p1 -b .bpp24
-# security fixes
-
 # upstream patches
 %patch100 -p1 -b .QTBUG-13567-QTreeView
 %patch101 -p1 -b .QTBUG-6185
@@ -454,6 +453,9 @@ Qt libraries used for drawing widgets and OpenGL items.
 %patch212 -p1 -b .kde-qt-0012
 %endif
+# security fixes
+%patch300 -p1 -b .CVE-2010-1822-crash-svg-image
+
 # drop -fexceptions from $RPM_OPT_FLAGS
 RPM_OPT_FLAGS=`echo $RPM_OPT_FLAGS | sed 's|-fexceptions||g'`
@@ -1106,6 +1108,9 @@ fi
 %changelog
+* Mon Oct 25 2010 Jaroslav Reznik - 4.7.0-8
+- QtWebKit, CVE-2010-1822: crash by processing certain SVG images (#640290)
+
 * Mon Oct 18 2010 Rex Dieter - 4.7.0-7
 - qt-devel contains residues from patch run (#639463)
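Review bot: `%patch300 -p1 -b .CVE-2010-1822-crash-svg-image` leaves `SVGGElement.cpp.CVE-2010-1822-crash-svg-image` and `SVGGElement.h.CVE-2010-1822-crash-svg-image` behind in the unpacked source tree, and the 4.7.0-7 changelog entry directly below (#639463) records that patch residues have already leaked into qt-devel once; confirm that the `.h` backup under `src/3rdparty/webkit/WebCore/svg` is not picked up by the install step, or drop `-b` for this patch. Whether WebCore's private headers are installed at all is not visible from this hunk. The new changelog line could also say that the fix lives in the bundled WebKit copy, so whoever rebases the 3rdparty sources knows to re-check it rather than silently carrying or dropping the patch.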