diff --git a/qt-everywhere-opensource-src-4.6.2-cve-2010-0051-lax-css-parsing-cross-domain-theft.patch b/qt-everywhere-opensource-src-4.6.2-cve-2010-0051-lax-css-parsing-cross-domain-theft.patch new file mode 100644 index 0000000..e4e32b3 --- /dev/null +++ b/qt-everywhere-opensource-src-4.6.2-cve-2010-0051-lax-css-parsing-cross-domain-theft.patch @@ -0,0 +1,267 @@ +diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSGrammar.y.cve-2010-0051-lax-css-parsing-cross-domain-theft qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSGrammar.y +--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSGrammar.y.cve-2010-0051-lax-css-parsing-cross-domain-theft 2010-02-11 16:55:20.000000000 +0100 ++++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSGrammar.y 2010-02-25 17:07:29.114742034 +0100 +@@ -416,7 +416,9 @@ valid_rule: + ; + + rule: +- valid_rule ++ valid_rule { ++ static_cast(parser)->m_hadSyntacticallyValidCSSRule = true; ++ } + | invalid_rule + | invalid_at + | invalid_import +@@ -1517,8 +1519,12 @@ invalid_rule: + ; + + invalid_block: +- '{' error invalid_block_list error closing_brace +- | '{' error closing_brace ++ '{' error invalid_block_list error closing_brace { ++ static_cast(parser)->invalidBlockHit(); ++ } ++ | '{' error closing_brace { ++ static_cast(parser)->invalidBlockHit(); ++ } + ; + + invalid_block_list: +diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSImportRule.cpp.cve-2010-0051-lax-css-parsing-cross-domain-theft qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSImportRule.cpp +--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSImportRule.cpp.cve-2010-0051-lax-css-parsing-cross-domain-theft 2010-02-11 16:55:20.000000000 +0100 ++++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSImportRule.cpp 2010-02-25 17:13:34.292803953 +0100 +@@ -25,6 +25,7 @@ + #include "CachedCSSStyleSheet.h" + #include "DocLoader.h" + #include "Document.h" ++#include "SecurityOrigin.h" + #include "MediaList.h" + #include "Settings.h" + #include +@@ -60,11 +61,21 @@ void CSSImportRule::setCSSStyleSheet(con + m_styleSheet->setParent(0); + m_styleSheet = CSSStyleSheet::create(this, url, charset); + ++ bool crossOriginCSS = false; ++ bool validMIMEType = false; + CSSStyleSheet* parent = parentStyleSheet(); + bool strict = !parent || parent->useStrictParsing(); +- String sheetText = sheet->sheetText(strict); ++ bool enforceMIMEType = strict; ++ ++ String sheetText = sheet->sheetText(enforceMIMEType, &validMIMEType); + m_styleSheet->parseString(sheetText, strict); + ++ if (!parent || !parent->doc() || !parent->doc()->securityOrigin()->canRequest(KURL(ParsedURLString, url))) ++ crossOriginCSS = true; ++ ++ if (crossOriginCSS && !validMIMEType && !m_styleSheet->hasSyntacticallyValidCSSHeader()) ++ m_styleSheet = CSSStyleSheet::create(this, url, charset); ++ + if (strict && parent && parent->doc() && parent->doc()->settings() && parent->doc()->settings()->needsSiteSpecificQuirks()) { + // Work around . + DEFINE_STATIC_LOCAL(const String, slashKHTMLFixesDotCss, ("/KHTMLFixes.css")); +diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSParser.cpp.cve-2010-0051-lax-css-parsing-cross-domain-theft qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSParser.cpp +--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSParser.cpp.cve-2010-0051-lax-css-parsing-cross-domain-theft 2010-02-25 17:07:29.101741771 +0100 ++++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSParser.cpp 2010-02-25 17:07:29.117741744 +0100 +@@ -139,6 +139,7 @@ CSSParser::CSSParser(bool strictParsing) + , m_currentShorthand(0) + , m_implicitShorthand(false) + , m_hasFontFaceOnlyValues(false) ++ , m_hadSyntacticallyValidCSSRule(false) + , m_defaultNamespace(starAtom) + , m_data(0) + , yy_start(1) +@@ -5175,6 +5176,12 @@ WebKitCSSKeyframeRule* CSSParser::create + return keyframePtr; + } + ++void CSSParser::invalidBlockHit() ++{ ++ if (m_styleSheet && !m_hadSyntacticallyValidCSSRule) ++ m_styleSheet->setHasSyntacticallyValidCSSHeader(false); ++} ++ + static int cssPropertyID(const UChar* propertyName, unsigned length) + { + if (!length) +diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSParser.h.cve-2010-0051-lax-css-parsing-cross-domain-theft qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSParser.h +--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSParser.h.cve-2010-0051-lax-css-parsing-cross-domain-theft 2010-02-11 16:55:20.000000000 +0100 ++++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSParser.h 2010-02-25 17:07:29.117741744 +0100 +@@ -191,6 +191,7 @@ namespace WebCore { + bool addVariableDeclarationBlock(const CSSParserString&); + bool checkForVariables(CSSParserValueList*); + void addUnresolvedProperty(int propId, bool important); ++ void invalidBlockHit(); + + Vector* reusableSelectorVector() { return &m_reusableSelectorVector; } + +@@ -212,6 +213,7 @@ namespace WebCore { + bool m_implicitShorthand; + + bool m_hasFontFaceOnlyValues; ++ bool m_hadSyntacticallyValidCSSRule; + + Vector m_variableNames; + Vector > m_variableValues; +diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSStyleSheet.cpp.cve-2010-0051-lax-css-parsing-cross-domain-theft qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSStyleSheet.cpp +--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSStyleSheet.cpp.cve-2010-0051-lax-css-parsing-cross-domain-theft 2010-02-11 16:55:19.000000000 +0100 ++++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSStyleSheet.cpp 2010-02-25 17:07:29.118741824 +0100 +@@ -41,6 +41,7 @@ CSSStyleSheet::CSSStyleSheet(CSSStyleShe + , m_loadCompleted(false) + , m_strictParsing(!parentSheet || parentSheet->useStrictParsing()) + , m_isUserStyleSheet(parentSheet ? parentSheet->isUserStyleSheet() : false) ++ , m_hasSyntacticallyValidCSSHeader(true) + { + } + +@@ -52,6 +53,7 @@ CSSStyleSheet::CSSStyleSheet(Node* paren + , m_loadCompleted(false) + , m_strictParsing(false) + , m_isUserStyleSheet(false) ++ , m_hasSyntacticallyValidCSSHeader(true) + { + } + +@@ -61,6 +63,7 @@ CSSStyleSheet::CSSStyleSheet(CSSRule* ow + , m_charset(charset) + , m_loadCompleted(false) + , m_strictParsing(!ownerRule || ownerRule->useStrictParsing()) ++ , m_hasSyntacticallyValidCSSHeader(true) + { + CSSStyleSheet* parentSheet = ownerRule ? ownerRule->parentStyleSheet() : 0; + m_doc = parentSheet ? parentSheet->doc() : 0; +diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSStyleSheet.h.cve-2010-0051-lax-css-parsing-cross-domain-theft qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSStyleSheet.h +--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSStyleSheet.h.cve-2010-0051-lax-css-parsing-cross-domain-theft 2010-02-11 16:55:20.000000000 +0100 ++++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSStyleSheet.h 2010-02-25 17:07:29.118741824 +0100 +@@ -95,6 +95,8 @@ public: + + void setIsUserStyleSheet(bool b) { m_isUserStyleSheet = b; } + bool isUserStyleSheet() const { return m_isUserStyleSheet; } ++ void setHasSyntacticallyValidCSSHeader(bool b) { m_hasSyntacticallyValidCSSHeader = b; } ++ bool hasSyntacticallyValidCSSHeader() const { return m_hasSyntacticallyValidCSSHeader; } + + private: + CSSStyleSheet(Node* ownerNode, const String& href, const String& charset); +@@ -110,6 +112,7 @@ private: + bool m_loadCompleted : 1; + bool m_strictParsing : 1; + bool m_isUserStyleSheet : 1; ++ bool m_hasSyntacticallyValidCSSHeader : 1; + }; + + } // namespace +diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/ProcessingInstruction.cpp.cve-2010-0051-lax-css-parsing-cross-domain-theft qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/ProcessingInstruction.cpp +--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/ProcessingInstruction.cpp.cve-2010-0051-lax-css-parsing-cross-domain-theft 2010-02-11 16:55:19.000000000 +0100 ++++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/ProcessingInstruction.cpp 2010-02-25 17:07:29.118741824 +0100 +@@ -203,7 +203,10 @@ void ProcessingInstruction::setCSSStyleS + #endif + RefPtr newSheet = CSSStyleSheet::create(this, url, charset); + m_sheet = newSheet; +- parseStyleSheet(sheet->sheetText()); ++ // We don't need the cross-origin security check here because we are ++ // getting the sheet text in "strict" mode. This enforces a valid CSS MIME ++ // type. ++ parseStyleSheet(sheet->sheetText(true)); + newSheet->setTitle(m_title); + newSheet->setMedia(MediaList::create(newSheet.get(), m_media)); + newSheet->setDisabled(m_alternate); +diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLLinkElement.cpp.cve-2010-0051-lax-css-parsing-cross-domain-theft qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLLinkElement.cpp +--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLLinkElement.cpp.cve-2010-0051-lax-css-parsing-cross-domain-theft 2010-02-11 16:55:17.000000000 +0100 ++++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLLinkElement.cpp 2010-02-25 17:07:29.119741915 +0100 +@@ -260,14 +260,27 @@ void HTMLLinkElement::setCSSStyleSheet(c + bool strictParsing = !document()->inCompatMode(); + bool enforceMIMEType = strictParsing; + ++ bool crossOriginCSS = false; ++ bool validMIMEType = false; + // Check to see if we should enforce the MIME type of the CSS resource in strict mode. + // Running in iWeb 2 is one example of where we don't want to - + if (enforceMIMEType && document()->page() && !document()->page()->settings()->enforceCSSMIMETypeInStrictMode()) + enforceMIMEType = false; + +- String sheetText = sheet->sheetText(enforceMIMEType); ++ String sheetText = sheet->sheetText(enforceMIMEType, &validMIMEType); + m_sheet->parseString(sheetText, strictParsing); + ++ // If we're loading a stylesheet cross-origin, and the MIME type is not ++ // standard, require the CSS to at least start with a syntactically ++ // valid CSS rule. ++ // This prevents an attacker playing games by injecting CSS strings into ++ // HTML, XML, JSON, etc. etc. ++ if (!document()->securityOrigin()->canRequest(KURL(ParsedURLString, url))) ++ crossOriginCSS = true; ++ ++ if (crossOriginCSS && !validMIMEType && !m_sheet->hasSyntacticallyValidCSSHeader()) ++ m_sheet = CSSStyleSheet::create(this, url, charset); ++ + if (strictParsing && document()->settings() && document()->settings()->needsSiteSpecificQuirks()) { + // Work around . + DEFINE_STATIC_LOCAL(const String, slashKHTMLFixesDotCss, ("/KHTMLFixes.css")); +diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedCSSStyleSheet.cpp.cve-2010-0051-lax-css-parsing-cross-domain-theft qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedCSSStyleSheet.cpp +--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedCSSStyleSheet.cpp.cve-2010-0051-lax-css-parsing-cross-domain-theft 2010-02-11 16:55:19.000000000 +0100 ++++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedCSSStyleSheet.cpp 2010-02-25 17:07:29.119741915 +0100 +@@ -71,11 +71,11 @@ String CachedCSSStyleSheet::encoding() c + return m_decoder->encoding().name(); + } + +-const String CachedCSSStyleSheet::sheetText(bool enforceMIMEType) const ++const String CachedCSSStyleSheet::sheetText(bool enforceMIMEType, bool* hasValidMIMEType) const + { + ASSERT(!isPurgeable()); + +- if (!m_data || m_data->isEmpty() || !canUseSheet(enforceMIMEType)) ++ if (!m_data || m_data->isEmpty() || !canUseSheet(enforceMIMEType, hasValidMIMEType)) + return String(); + + if (!m_decodedSheetText.isNull()) +@@ -122,12 +122,12 @@ void CachedCSSStyleSheet::error() + checkNotify(); + } + +-bool CachedCSSStyleSheet::canUseSheet(bool enforceMIMEType) const ++bool CachedCSSStyleSheet::canUseSheet(bool enforceMIMEType, bool* hasValidMIMEType) const + { + if (errorOccurred()) + return false; + +- if (!enforceMIMEType) ++ if (!enforceMIMEType && !hasValidMIMEType) + return true; + + // This check exactly matches Firefox. Note that we grab the Content-Type +@@ -138,7 +138,12 @@ bool CachedCSSStyleSheet::canUseSheet(bo + // This code defaults to allowing the stylesheet for non-HTTP protocols so + // folks can use standards mode for local HTML documents. + String mimeType = extractMIMETypeFromMediaType(response().httpHeaderField("Content-Type")); +- return mimeType.isEmpty() || equalIgnoringCase(mimeType, "text/css") || equalIgnoringCase(mimeType, "application/x-unknown-content-type"); ++ bool typeOK = mimeType.isEmpty() || equalIgnoringCase(mimeType, "text/css") || equalIgnoringCase(mimeType, "application/x-unknown-content-type"); ++ if (hasValidMIMEType) ++ *hasValidMIMEType = typeOK; ++ if (!enforceMIMEType) ++ return true; ++ return typeOK; + } + + } +diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedCSSStyleSheet.h.cve-2010-0051-lax-css-parsing-cross-domain-theft qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedCSSStyleSheet.h +--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedCSSStyleSheet.h.cve-2010-0051-lax-css-parsing-cross-domain-theft 2010-02-11 16:55:19.000000000 +0100 ++++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedCSSStyleSheet.h 2010-02-25 17:07:29.120741848 +0100 +@@ -40,7 +40,7 @@ namespace WebCore { + CachedCSSStyleSheet(const String& URL, const String& charset); + virtual ~CachedCSSStyleSheet(); + +- const String sheetText(bool enforceMIMEType = true) const; ++ const String sheetText(bool enforceMIMEType = true, bool* hasValidMIMEType = 0) const; + + virtual void didAddClient(CachedResourceClient*); + +@@ -56,7 +56,7 @@ namespace WebCore { + void checkNotify(); + + private: +- bool canUseSheet(bool enforceMIMEType) const; ++ bool canUseSheet(bool enforceMIMEType, bool* hasValidMIMEType) const; + + protected: + RefPtr m_decoder; diff --git a/qt-everywhere-opensource-src-4.6.2-cve-2010-0054-image-element-pointer-name-getter.patch b/qt-everywhere-opensource-src-4.6.2-cve-2010-0054-image-element-pointer-name-getter.patch new file mode 100644 index 0000000..f9ce041 --- /dev/null +++ b/qt-everywhere-opensource-src-4.6.2-cve-2010-0054-image-element-pointer-name-getter.patch @@ -0,0 +1,85 @@ +diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLFormElement.cpp.cve-2010-0054-image-element-pointer-name-getter qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLFormElement.cpp +--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLFormElement.cpp.cve-2010-0054-image-element-pointer-name-getter 2010-02-11 16:55:17.000000000 +0100 ++++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLFormElement.cpp 2010-02-25 15:50:05.987741463 +0100 +@@ -515,11 +515,13 @@ bool HTMLFormElement::isURLAttribute(Att + + void HTMLFormElement::registerImgElement(HTMLImageElement* e) + { ++ ASSERT(imgElements.find(e) == notFound); + imgElements.append(e); + } + + void HTMLFormElement::removeImgElement(HTMLImageElement* e) + { ++ ASSERT(imgElements.find(e) == notFound); + removeFromVector(imgElements, e); + } + +diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLImageElement.cpp.cve-2010-0054-image-element-pointer-name-getter qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLImageElement.cpp +--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLImageElement.cpp.cve-2010-0054-image-element-pointer-name-getter 2010-02-11 16:55:17.000000000 +0100 ++++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLImageElement.cpp 2010-02-25 15:43:45.016742027 +0100 +@@ -209,6 +209,40 @@ void HTMLImageElement::removedFromDocume + HTMLElement::removedFromDocument(); + } + ++void HTMLImageElement::insertedIntoTree(bool deep) ++{ ++ if (m_form) { ++ // m_form was set by constructor. In debug builds, check that it's an ancestor indeed. ++#ifndef NDEBUG ++ for (Node* ancestor = parentNode(); /* no end condition - there must be a form ancestor */; ancestor = ancestor->parentNode()) { ++ ASSERT(ancestor); ++ if (ancestor->hasTagName(formTag)) { ++ ASSERT(m_form == static_cast(ancestor)); ++ break; ++ } ++ } ++#endif ++ } else { ++ for (Node* ancestor = parentNode(); ancestor; ancestor = ancestor->parentNode()) { ++ if (ancestor->hasTagName(formTag)) { ++ m_form = static_cast(ancestor); ++ m_form->registerImgElement(this); ++ break; ++ } ++ } ++ } ++ ++ HTMLElement::insertedIntoTree(deep); ++} ++ ++void HTMLImageElement::removedFromTree(bool deep) ++{ ++ if (m_form) ++ m_form->removeImgElement(this); ++ m_form = 0; ++ HTMLElement::removedFromTree(deep); ++} ++ + int HTMLImageElement::width(bool ignorePendingStylesheets) const + { + if (!renderer()) { +diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLImageElement.h.cve-2010-0054-image-element-pointer-name-getter qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLImageElement.h +--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLImageElement.h.cve-2010-0054-image-element-pointer-name-getter 2010-02-11 16:55:17.000000000 +0100 ++++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLImageElement.h 2010-02-25 15:41:18.340929598 +0100 +@@ -45,8 +45,6 @@ public: + + virtual void attach(); + virtual RenderObject* createRenderer(RenderArena*, RenderStyle*); +- virtual void insertedIntoDocument(); +- virtual void removedFromDocument(); + + virtual bool canStartSelection() const { return false; } + +@@ -105,6 +103,11 @@ public: + virtual void addSubresourceAttributeURLs(ListHashSet&) const; + + private: ++ virtual void insertedIntoDocument(); ++ virtual void removedFromDocument(); ++ virtual void insertedIntoTree(bool deep); ++ virtual void removedFromTree(bool deep); ++ + HTMLImageLoader m_imageLoader; + String usemap; + bool ismap; diff --git a/qt-x11-opensource-src-4.5.3-cve-2010-0046-css-format-mem-corruption.patch b/qt-x11-opensource-src-4.5.3-cve-2010-0046-css-format-mem-corruption.patch new file mode 100644 index 0000000..c5755a4 --- /dev/null +++ b/qt-x11-opensource-src-4.5.3-cve-2010-0046-css-format-mem-corruption.patch @@ -0,0 +1,25 @@ +diff -up qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/css/CSSParser.cpp.cve-2010-0046-css-format-mem-corruption qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/css/CSSParser.cpp +--- qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/css/CSSParser.cpp.cve-2010-0046-css-format-mem-corruption 2009-09-29 13:01:35.000000000 +0200 ++++ qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/css/CSSParser.cpp 2010-02-04 15:00:24.778776273 +0100 +@@ -3085,6 +3085,12 @@ bool CSSParser::parseFontWeight(bool imp + return false; + } + ++static bool isValidFormatFunction(CSSParserValue* val) ++{ ++ CSSParserValueList* args = val->function->args; ++ return equalIgnoringCase(val->function->name, "format(") && (args->current()->unit == CSSPrimitiveValue::CSS_STRING || args->current()->unit == CSSPrimitiveValue::CSS_IDENT); ++} ++ + bool CSSParser::parseFontFaceSrc() + { + RefPtr values(CSSValueList::createCommaSeparated()); +@@ -3111,7 +3117,7 @@ bool CSSParser::parseFontFaceSrc() + CSSParserValue* a = args->current(); + uriValue.clear(); + parsedValue = CSSFontFaceSrcValue::createLocal(a->string); +- } else if (equalIgnoringCase(val->function->name, "format(") && allowFormat && uriValue) { ++ } else if (allowFormat && uriValue && isValidFormatFunction(val)) { + expectComma = true; + allowFormat = false; + uriValue->setFormat(args->current()->string); diff --git a/qt-x11-opensource-src-4.5.3-cve-2010-0049-freed-line-boxes-ltr-rtl.patch b/qt-x11-opensource-src-4.5.3-cve-2010-0049-freed-line-boxes-ltr-rtl.patch new file mode 100644 index 0000000..6739bc4 --- /dev/null +++ b/qt-x11-opensource-src-4.5.3-cve-2010-0049-freed-line-boxes-ltr-rtl.patch @@ -0,0 +1,29 @@ +diff -up qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/rendering/RenderText.cpp.cve-2010-0049-freed-line-boxes-ltr-rtl qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/rendering/RenderText.cpp +--- qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/rendering/RenderText.cpp.cve-2010-0049-freed-line-boxes-ltr-rtl 2009-09-29 13:01:36.000000000 +0200 ++++ qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/rendering/RenderText.cpp 2010-02-04 15:43:15.707711730 +0100 +@@ -1025,8 +1025,15 @@ void RenderText::position(InlineBox* box + if (!s->m_len) { + // We want the box to be destroyed. + s->remove(); ++ if (m_firstTextBox == s) ++ m_firstTextBox = s->nextTextBox(); ++ else ++ s->prevTextBox()->setNextLineBox(s->nextTextBox()); ++ if (m_lastTextBox == s) ++ m_lastTextBox = s->prevTextBox(); ++ else ++ s->nextTextBox()->setPreviousLineBox(s->prevTextBox()); + s->destroy(renderArena()); +- m_firstTextBox = m_lastTextBox = 0; + return; + } + +@@ -1203,7 +1210,7 @@ void RenderText::checkConsistency() cons + #ifdef CHECK_CONSISTENCY + const InlineTextBox* prev = 0; + for (const InlineTextBox* child = m_firstTextBox; child != 0; child = child->nextTextBox()) { +- ASSERT(child->object() == this); ++ ASSERT(child->renderer() == this); + ASSERT(child->prevTextBox() == prev); + prev = child; + } diff --git a/qt-x11-opensource-src-4.5.3-cve-2010-0050-crash-misnested-style-tags.patch b/qt-x11-opensource-src-4.5.3-cve-2010-0050-crash-misnested-style-tags.patch new file mode 100644 index 0000000..12251e2 --- /dev/null +++ b/qt-x11-opensource-src-4.5.3-cve-2010-0050-crash-misnested-style-tags.patch @@ -0,0 +1,13 @@ +diff -up qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/html/HTMLParser.cpp.cve-2010-0050-crash-misnested-style-tags qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/html/HTMLParser.cpp +--- qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/html/HTMLParser.cpp.cve-2010-0050-crash-misnested-style-tags 2009-09-29 13:01:36.000000000 +0200 ++++ qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/html/HTMLParser.cpp 2010-02-04 15:54:25.399651321 +0100 +@@ -1208,7 +1208,8 @@ void HTMLParser::handleResidualStyleClos + prevMaxElem->next = elem; + ASSERT(newNodePtr); + prevMaxElem->node = newNodePtr; +- prevMaxElem->didRefNode = false; ++ newNodePtr->ref(); ++ prevMaxElem->didRefNode = true; + } else + delete elem; + } diff --git a/qt-x11-opensource-src-4.5.3-cve-2010-0052-destroyed-input-cached.patch b/qt-x11-opensource-src-4.5.3-cve-2010-0052-destroyed-input-cached.patch new file mode 100644 index 0000000..0b20a85 --- /dev/null +++ b/qt-x11-opensource-src-4.5.3-cve-2010-0052-destroyed-input-cached.patch @@ -0,0 +1,21 @@ +diff -up qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/html/HTMLInputElement.cpp.cve-2010-0052-destroyed-input-cached qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/html/HTMLInputElement.cpp +--- qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/html/HTMLInputElement.cpp.cve-2010-0052-destroyed-input-cached 2009-09-29 13:01:36.000000000 +0200 ++++ qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/html/HTMLInputElement.cpp 2010-02-04 17:50:07.931656712 +0100 +@@ -616,12 +616,15 @@ void HTMLInputElement::parseMappedAttrib + m_autocomplete = Off; + registerForActivationCallbackIfNeeded(); + } else { +- if (m_autocomplete == Off) +- unregisterForActivationCallbackIfNeeded(); ++ bool needsToUnregister = m_autocomplete == Off; ++ + if (attr->isEmpty()) + m_autocomplete = Uninitialized; + else + m_autocomplete = On; ++ ++ if (needsToUnregister) ++ unregisterForActivationCallbackIfNeeded(); + } + } else if (attr->name() == typeAttr) { + setInputType(attr->value()); diff --git a/qt.spec b/qt.spec index b09a629..5c33627 100644 --- a/qt.spec +++ b/qt.spec @@ -13,7 +13,7 @@ Summary: Qt toolkit Name: qt Epoch: 1 Version: 4.6.2 -Release: 7%{?dist} +Release: 8%{?dist} # See LGPL_EXCEPTIONS.txt, LICENSE.GPL3, respectively, for exception details License: LGPLv2 with exceptions or GPLv3 with exceptions @@ -60,6 +60,12 @@ Patch54: qt-x11-opensource-src-4.5.1-mysql_config.patch Patch55: qt-everywhere-opensource-src-4.6.2-cups.patch # security patches +Patch100: qt-x11-opensource-src-4.5.3-cve-2010-0046-css-format-mem-corruption.patch +Patch101: qt-x11-opensource-src-4.5.3-cve-2010-0049-freed-line-boxes-ltr-rtl.patch +Patch102: qt-x11-opensource-src-4.5.3-cve-2010-0050-crash-misnested-style-tags.patch +Patch103: qt-x11-opensource-src-4.5.3-cve-2010-0052-destroyed-input-cached.patch +Patch104: qt-everywhere-opensource-src-4.6.2-cve-2010-0051-lax-css-parsing-cross-domain-theft.patch +Patch105: qt-everywhere-opensource-src-4.6.2-cve-2010-0054-image-element-pointer-name-getter.patch # kde-qt git patches Patch201: 0001-This-patch-uses-object-name-as-a-fallback-for-window.patch @@ -410,6 +416,12 @@ Qt libraries used for drawing widgets and OpenGL items. %patch55 -p1 -b .cups-1 # security fixes +%patch100 -p1 -b .cve-2010-0046-css-format-mem-corruption +%patch101 -p1 -b .cve-2010-0049-freed-line-boxes-ltr-rtl +%patch102 -p1 -b .cve-2010-0050-crash-misnested-style-tags +%patch103 -p1 -b .cve-2010-0052-destroyed-input-cached +%patch104 -p1 -b .cve-2010-0051-lax-css-parsing-cross-domain-theft +%patch105 -p1 -b .cve-2010-0054-image-element-pointer-name-getter # kde-qt branch %patch201 -p1 -b .kde-qt-0001 @@ -1015,6 +1027,11 @@ fi %changelog +* Wed Mar 17 2010 Jaroslav Reznik - 4.6.2-8 +- WebKit security update: + CVE-2010-0046, CVE-2010-0049, CVE-2010-0050, CVE-2010-0051, + CVE-2010-0052, CVE-2010-0054 + * Sat Mar 13 2010 Kevin Kofler - 4.6.2-7 - BR alsa-lib-devel (for QtMultimedia)