Author: than
Update of /cvs/dist/rpms/qt/FC-6
In directory cvs.devel.redhat.com:/tmp/cvs-serv10033
Modified Files:
qt.spec
Added Files:
qt3-CVE-2007-3388.patch utf8-bug-qt3-CVE-2007-0242.diff
Log Message:
- CVE-2007-3388 qt format string flaw
- CVE-2007-0242 qt UTF8 improper character expansion
qt3-CVE-2007-3388.patch:
0 files changed
--- NEW FILE qt3-CVE-2007-3388.patch ---
--- qt3/src/widgets/qtextedit.cpp Mon Jul 16 10:44:40 CEST 2007
+++ qt3/src/widgets/qtextedit.cpp Mon Jul 16 10:44:40 CEST 2007
@@ -6349,7 +6349,7 @@
cur = tag->prev;
if ( !cur ) {
#ifdef QT_CHECK_RANGE
- qWarning( "QTextEdit::optimParseTags: no left-tag for
'<" + tag->tag + ">' in line %d.", tag->line + 1 );
+ qWarning( "QTextEdit::optimParseTags: no left-tag for
'<%s>' in line %d.", tag->tag.ascii(), tag->line + 1 );
#endif
return; // something is wrong - give up
}
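Review bot: The argument conversion here is `tag->tag.ascii()`, and the second qtextedit.cpp hunk uses `cur->tag.ascii()`, while every other file in this patch converts with `.latin1()`. If I recall the Qt 3 API correctly, `ascii()` can go through the codec set for C strings and `latin1()` cannot, so the two may produce different bytes for the same tag; worth confirming and picking one. For consistency I would write `tag->tag.latin1()` and `cur->tag.latin1()`. The enclosing function starts and ends outside both hunks.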
@@ -6372,7 +6372,7 @@
break;
} else if ( !cur->leftTag ) {
#ifdef QT_CHECK_RANGE
- qWarning( "QTextEdit::optimParseTags:
mismatching %s-tag for '<" + cur->tag + ">' in line %d.", cur->tag[0] == '/' ?
"left" : "right", cur->line + 1 );
+ qWarning( "QTextEdit::optimParseTags:
mismatching %s-tag for '<%s>' in line %d.", cur->tag[0] == '/' ? "left" :
"right", cur->tag.ascii(), cur->line + 1 );
#endif
return; // something is amiss - give up
}
--- qt3/src/sql/qdatatable.cpp Mon Jul 16 10:45:03 CEST 2007
+++ qt3/src/sql/qdatatable.cpp Mon Jul 16 10:45:03 CEST 2007
@@ -1043,8 +1043,8 @@
return FALSE;
if ( !sqlCursor()->canInsert() ) {
#ifdef QT_CHECK_RANGE
- qWarning("QDataTable::insertCurrent: insert not allowed for " +
- sqlCursor()->name() );
+ qWarning("QDataTable::insertCurrent: insert not allowed for %s",
+ sqlCursor()->name().latin1() );
#endif
endInsert();
return FALSE;
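Review bot: The `%s` argument `sqlCursor()->name().latin1()` can be a null pointer if the cursor name is a null QString, which is how I remember Qt 3's `latin1()` behaving (please confirm). Passing a null pointer to `%s` is undefined behaviour in C, even though glibc happens to print "(null)". The same pattern is in the updateCurrent and deleteCurrent hunks of this file and in the qsqldatabase.cpp, qsqlindex.cpp, qsqlrecord.cpp and qsvgdevice.cpp hunks. Where a null string is plausible, a guard such as `name.isNull() ? "" : name.latin1()` on a named local keeps the diagnostic well defined. The enclosing function continues outside the hunk.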
@@ -1117,16 +1117,16 @@
return FALSE;
if ( sqlCursor()->primaryIndex().count() == 0 ) {
#ifdef QT_CHECK_RANGE
- qWarning("QDataTable::updateCurrent: no primary index for " +
- sqlCursor()->name() );
+ qWarning("QDataTable::updateCurrent: no primary index for %s",
+ sqlCursor()->name().latin1() );
#endif
endUpdate();
return FALSE;
}
if ( !sqlCursor()->canUpdate() ) {
#ifdef QT_CHECK_RANGE
- qWarning("QDataTable::updateCurrent: updates not allowed for " +
- sqlCursor()->name() );
+ qWarning("QDataTable::updateCurrent: updates not allowed for %s",
+ sqlCursor()->name().latin1() );
#endif
endUpdate();
return FALSE;
@@ -1191,8 +1191,8 @@
return FALSE;
if ( sqlCursor()->primaryIndex().count() == 0 ) {
#ifdef QT_CHECK_RANGE
- qWarning("QDataTable::deleteCurrent: no primary index " +
- sqlCursor()->name() );
+ qWarning("QDataTable::deleteCurrent: no primary index %s",
+ sqlCursor()->name().latin1() );
#endif
return FALSE;
}
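Review bot: The deleteCurrent message reads `"no primary index %s"`, whereas the matching updateCurrent warning in the previous hunk reads `"no primary index for %s"`. The missing word comes from the old string, but since the line is being rewritten anyway I would align it: `qWarning("QDataTable::deleteCurrent: no primary index for %s",`. This is wording only and has no effect on the format-string fix.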
--- qt3/src/sql/qsqldatabase.cpp Mon Jul 16 10:45:03 CEST 2007
+++ qt3/src/sql/qsqldatabase.cpp Mon Jul 16 10:45:03 CEST 2007
@@ -234,7 +234,8 @@
db->open();
#ifdef QT_CHECK_RANGE
if ( !db->isOpen() )
- qWarning("QSqlDatabaseManager::database: unable to open database: "
+ db->lastError().databaseText() + ": " + db->lastError().driverText() );
+ qWarning("QSqlDatabaseManager::database: unable to open database:
%s: %s",
+ db->lastError().databaseText().latin1(),
db->lastError().driverText().latin1() );
#endif
}
return db;
@@ -686,7 +687,7 @@
if ( !d->driver ) {
#ifdef QT_CHECK_RANGE
qWarning( "QSqlDatabase: %s driver not loaded", type.latin1() );
- qWarning( "QSqlDatabase: available drivers: " + drivers().join(" ") );
+ qWarning( "QSqlDatabase: available drivers: %s", drivers().join("
").latin1() );
#endif
d->driver = new QNullDriver();
d->driver->setLastError( QSqlError( "Driver not loaded", "Driver not
loaded" ) );
--- qt3/src/sql/qsqlindex.cpp Mon Jul 16 10:45:03 CEST 2007
+++ qt3/src/sql/qsqlindex.cpp Mon Jul 16 10:45:03 CEST 2007
@@ -273,7 +273,7 @@
if ( field )
newSort.append( *field, desc );
else
- qWarning( "QSqlIndex::fromStringList: unknown field: '" + f + "'" );
+ qWarning( "QSqlIndex::fromStringList: unknown field: '%s'",
f.latin1());
}
return newSort;
}
--- qt3/src/sql/qsqlrecord.cpp Mon Jul 16 10:45:03 CEST 2007
+++ qt3/src/sql/qsqlrecord.cpp Mon Jul 16 10:45:03 CEST 2007
@@ -298,7 +298,7 @@
return i;
}
#ifdef QT_CHECK_RANGE
- qWarning( "QSqlRecord::position: unable to find field " + name );
+ qWarning( "QSqlRecord::position: unable to find field %s", name.latin1() );
#endif
return -1;
}
@@ -313,7 +313,7 @@
checkDetach();
if ( !sh->d->contains( i ) ) {
#ifdef QT_CHECK_RANGE
- qWarning( "QSqlRecord::field: index out of range: " + QString::number(
i ) );
+ qWarning( "QSqlRecord::field: index out of range: %d", i );
#endif
return 0;
}
@@ -344,7 +344,7 @@
{
if ( !sh->d->contains( i ) ) {
#ifdef QT_CHECK_RANGE
- qWarning( "QSqlRecord::field: index out of range: " + QString::number(
i ) );
+ qWarning( "QSqlRecord::field: index out of range: %d", i );
#endif // QT_CHECK_RANGE
return 0;
}
--- qt3/src/tools/qglobal.cpp Mon Jul 16 10:45:03 CEST 2007
+++ qt3/src/tools/qglobal.cpp Mon Jul 16 10:45:03 CEST 2007
@@ -680,7 +680,7 @@
if ( code != -1 )
qWarning( "%s\n\tError code %d - %s", msg, code, strerror( code ) );
else
- qWarning( msg );
+ qWarning( "%s", msg );
#endif
#else
Q_UNUSED( msg );
--- qt3/src/xml/qsvgdevice.cpp Mon Jul 16 10:45:03 CEST 2007
+++ qt3/src/xml/qsvgdevice.cpp Mon Jul 16 10:45:03 CEST 2007
@@ -978,7 +978,7 @@
// ### catch references to embedded .svg files
QPixmap pix;
if ( !pix.load( href ) ) {
- qWarning( "QSvgDevice::play: Couldn't load image "+href );
+ qWarning( "QSvgDevice::play: Couldn't load image %s",
href.latin1() );
break;
}
pt->drawPixmap( QRect( x1, y1, w, h ), pix );
@@ -1024,8 +1024,8 @@
break;
}
case InvalidElement:
- qWarning( "QSvgDevice::play: unknown element type " +
- node.nodeName() );
+ qWarning( "QSvgDevice::play: unknown element type %s",
+ node.nodeName().latin1() );
break;
};
@@ -1111,7 +1111,7 @@
{
QRegExp reg(
QString::fromLatin1("([+-]?\\d*\\.*\\d*[Ee]?[+-]?\\d*)(em|ex|px|%|pt|pc|cm|mm|in|)$")
);
if ( reg.search( str ) == -1 ) {
- qWarning( "QSvgDevice::parseLen: couldn't parse " + str );
+ qWarning( "QSvgDevice::parseLen: couldn't parse %s ", str.latin1() );
if ( ok )
*ok = FALSE;
return 0.0;
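Review bot: The new format string `"QSvgDevice::parseLen: couldn't parse %s "` has a stray space after `%s` that the old message did not have. I would drop it so the log line matches the other warnings: `qWarning( "QSvgDevice::parseLen: couldn't parse %s", str.latin1() );`. The surrounding function starts and ends outside the hunk.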
@@ -1140,7 +1140,7 @@
else if ( u == "pc" )
dbl *= m.logicalDpiX() / 6.0;
else
- qWarning( "QSvgDevice::parseLen: Unknown unit " + u );
+ qWarning( "QSvgDevice::parseLen: Unknown unit %s", u.latin1() );
}
if ( ok )
*ok = TRUE;
utf8-bug-qt3-CVE-2007-0242.diff:
codecs/qutfcodec.cpp | 16 +++++++++++++++-
tools/qstring.cpp | 10 ++++++++++
2 files changed, 25 insertions(+), 1 deletion(-)
--- NEW FILE utf8-bug-qt3-CVE-2007-0242.diff ---
--- src/codecs/qutfcodec.cpp
+++ src/codecs/qutfcodec.cpp
@@ -154,6 +154,7 @@
class QUtf8Decoder : public QTextDecoder {
uint uc;
+ uint min_uc;
int need;
bool headerDone;
public:
@@ -167,8 +168,9 @@
result.setLength( len ); // worst case
QChar *qch = (QChar *)result.unicode();
uchar ch;
+ int error = -1;
for (int i=0; i<len; i++) {
- ch = *chars++;
+ ch = chars[i];
if (need) {
if ( (ch&0xc0) == 0x80 ) {
uc = (uc << 6) | (ch & 0x3f);
@@ -182,6 +184,8 @@
*qch++ = QChar(high);
*qch++ = QChar(low);
headerDone = TRUE;
+ } else if ((uc < min_uc) || (uc >= 0xd800 && uc <=
0xdfff) || (uc >= 0xfffe)) {
+ *qch++ = QChar::replacement;
} else {
if (headerDone || QChar(uc) != QChar::byteOrderMark)
*qch++ = uc;
@@ -190,6 +194,7 @@
}
} else {
// error
+ i = error;
*qch++ = QChar::replacement;
need = 0;
}
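Review bot: The rewind `i = error;` uses a local that an earlier hunk resets with `int error = -1;` on every call, while `need`, `uc` and `min_uc` are members that survive between calls. If a multi-byte sequence begins in one call and its invalid continuation byte arrives in the next, `error` is still -1, so the loop restarts at `chars[0]` after a replacement character has already been written. From the visible lines that can yield `len + 1` QChars while the buffer was sized with `result.setLength( len ); // worst case`, so the last write may land past the reserved length. I would either reserve the extra slot, `result.setLength( len + 1 ); // worst case: one carried-over error plus len chars`, or keep the lead-byte position as decoder state; please check against the full function, which is only partly shown here.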
@@ -200,12 +205,21 @@
} else if ((ch & 0xe0) == 0xc0) {
uc = ch & 0x1f;
need = 1;
+ error = i;
+ min_uc = 0x80;
} else if ((ch & 0xf0) == 0xe0) {
uc = ch & 0x0f;
need = 2;
+ error = i;
+ min_uc = 0x800;
} else if ((ch&0xf8) == 0xf0) {
uc = ch & 0x07;
need = 3;
+ error = i;
+ min_uc = 0x10000;
+ } else {
+ // error
+ *qch++ = QChar::replacement;
}
}
}
--- src/tools/qstring.cpp
+++ src/tools/qstring.cpp
@@ -5805,6 +5805,7 @@
result.setLength( len ); // worst case
QChar *qch = (QChar *)result.unicode();
uint uc = 0;
+ uint min_uc = 0;
int need = 0;
int error = -1;
uchar ch;
@@ -5822,6 +5823,12 @@
unsigned short low = uc%0x400 + 0xdc00;
*qch++ = QChar(high);
*qch++ = QChar(low);
+ } else if (uc < min_uc || (uc >= 0xd800 && uc <= 0xdfff) ||
(uc >= 0xfffe)) {
+ // overlong seqence, UTF16 surrogate or BOM
+ i = error;
+ qch = addOne(qch, result);
+ *qch++ = QChar(0xdbff);
+ *qch++ = QChar(0xde00+((uchar)utf8[i]));
} else {
*qch++ = uc;
}
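Review bot: The comment on the new rejection branch says "overlong seqence, UTF16 surrogate or BOM", but the test `uc >= 0xfffe` matches U+FFFE and U+FFFF, not the byte order mark U+FEFF. I would reword it to `// overlong sequence, UTF-16 surrogate, or noncharacter U+FFFE/U+FFFF`, which also fixes the typo. A second comment line saying that `i = error;` rewinds to the lead byte so the raw byte is emitted as the 0xdbff/0xde00+byte pair would help the next reader, because the branch otherwise looks like it indexes `utf8` with a stale position. The condition of the preceding surrogate-pair branch lies outside the hunk, so whether values above 0x10FFFF are rejected cannot be judged from here.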
@@ -5844,14 +5851,17 @@
uc = ch & 0x1f;
need = 1;
error = i;
+ min_uc = 0x80;
} else if ((ch & 0xf0) == 0xe0) {
uc = ch & 0x0f;
need = 2;
error = i;
+ min_uc = 0x800;
} else if ((ch&0xf8) == 0xf0) {
uc = ch & 0x07;
need = 3;
error = i;
+ min_uc = 0x10000;
} else {
// Error
qch = addOne(qch, result);
Index: qt.spec
===================================================================
RCS file: /cvs/dist/rpms/qt/FC-6/qt.spec,v
retrieving revision 1.127
retrieving revision 1.128
diff -u -r1.127 -r1.128
--- qt.spec 14 Jun 2007 11:58:45 -0000 1.127
+++ qt.spec 29 Aug 2007 17:11:12 -0000 1.128
@@ -1,7 +1,7 @@
Summary: The shared library for the Qt GUI toolkit.
Name: qt
Version: 3.3.8
-Release: 1%{?dist}
+Release: 1%{?dist}.1
Epoch: 1
License: GPL/QPL
Group: System Environment/Libraries
@@ -63,6 +63,10 @@
Patch200: qt-x11-free-3.3.4-fullscreen.patch
Patch201: qt-x11-free-3.3.8-bz#243722-mysql.patch
+# security patces
+Patch300: qt3-CVE-2007-3388.patch
+Patch301: utf8-bug-qt3-CVE-2007-0242.diff
+
%define qt_dirname qt-3.3
%define qtdir %{_libdir}/%{qt_dirname}
%define qt_docdir %{_docdir}/qt-devel-%{version}
@@ -286,6 +290,10 @@
%patch200 -p1 -b .fullscreen
%patch201 -p1 -b .bz#243722-mysql
+# security patches
+%patch300 -p1 -b .CVE-2007-3388
+%patch301 -p0 -b .CVE-2007-0242
+
# convert to UTF-8
iconv -f iso-8859-1 -t utf-8 < doc/man/man3/qdial.3qt > doc/man/man3/qdial.3qt_
mv doc/man/man3/qdial.3qt_ doc/man/man3/qdial.3qt
@@ -546,6 +554,10 @@
%changelog
+* Wed Aug 29 2007 Than Ngo <than@xxxxxxxxxx> - 1:3.3.8-1.fc6.1
+- CVE-2007-3388 qt format string flaw
+- CVE-2007-0242 qt UTF8 improper character expansion
+
* Thu Jun 14 2007 Than Ngo <than@xxxxxxxxxx> - 1:3.3.8-1.fc6
- backport to fix #bz243722, Applications using qt-mysql crash if database is
removed before QApplication is destroyed