From 8028615ebcbe0b2b3dbb9e16cf171a7420b6198a Mon Sep 17 00:00:00 2001
From: Kevin Mihelich
Date: Wed, 11 Dec 2013 20:41:53 +0000
Subject: [PATCH] extra/qt5 to 5.1.1-6
---
extra/qt5/CVE-2013-4549.patch | 235 ++++++++++++++++++++++++++++++++++
extra/qt5/PKGBUILD | 77 +++++++++--
extra/qt5/libmng2.patch | 34 +++++
3 files changed, 336 insertions(+), 10 deletions(-)
create mode 100644 extra/qt5/CVE-2013-4549.patch
create mode 100644 extra/qt5/libmng2.patch
diff --git a/extra/qt5/CVE-2013-4549.patch b/extra/qt5/CVE-2013-4549.patch
new file mode 100644
index 000000000..6111aa8fe
--- /dev/null
+++ b/extra/qt5/CVE-2013-4549.patch
@@ -0,0 +1,235 @@
+From 46a8885ae486e238a39efa5119c2714f328b08e4 Mon Sep 17 00:00:00 2001
+From: Mitch Curtis
+Date: Fri, 27 Sep 2013 12:32:28 +0200
+Subject: [PATCH] Disallow deep or widely nested entity references.
+
+Nested references with a depth of 2 or greater will fail. References
+that partially expand to greater than 1024 characters will also fail.
+
+Change-Id: Id4e49d6f7cf51e3a247efdb4c6c7c9bd9b223f6e
+Reviewed-by: Richard J. Moore
+Reviewed-by: Lars Knoll
+
+From f1053d94f59f053ce4acad9320df14f1fbe4faac Mon Sep 17 00:00:00 2001
+From: Mitch Curtis
+Date: Mon, 11 Nov 2013 14:27:40 +0100
+Subject: [PATCH] Fully expand entities to ensure deep or widely nested ones fail parsing
+
+With 46a8885ae486e238a39efa5119c2714f328b08e4, we failed when parsing
+entities whose partially expanded size was greater than 1024
+characters. That was not enough, so now we fully expand all entities.
+
+Amends 46a8885ae486e238a39efa5119c2714f328b08e4.
+
+Change-Id: Ie80720d7e04d825eb4eebf528140eb94806c02b1
+Reviewed-by: Richard J. Moore
+Reviewed-by: Lars Knoll
+
+diff --git a/src/xml/sax/qxml.cpp b/src/xml/sax/qxml.cpp
+index 45c0f3e..e6d78d3 100644
+--- a/src/xml/sax/qxml.cpp
++++ b/src/xml/sax/qxml.cpp
+@@ -424,6 +424,10 @@ private:
+ int stringValueLen;
+ QString emptyStr;
+
++ // The limit to the amount of times the DTD parsing functions can be called
++ // for the DTD currently being parsed.
++ int dtdRecursionLimit;
++
+ const QString &string();
+ void stringClear();
+ void stringAddC(QChar);
+@@ -493,6 +497,8 @@ private:
+ void parseFailed(ParseFunction where, int state);
+ void pushParseState(ParseFunction function, int state);
+
++ bool isPartiallyExpandedEntityValueTooLarge(QString *errorMessage);
++
+ Q_DECLARE_PUBLIC(QXmlSimpleReader)
+ QXmlSimpleReader *q_ptr;
+
+@@ -2757,6 +2763,8 @@ QXmlSimpleReaderPrivate::QXmlSimpleReaderPrivate(QXmlSimpleReader *reader)
+ useNamespacePrefixes = false;
+ reportWhitespaceCharData = true;
+ reportEntities = false;
++
++ dtdRecursionLimit = 2;
+ }
+
+ QXmlSimpleReaderPrivate::~QXmlSimpleReaderPrivate()
+@@ -5035,6 +5043,11 @@ bool QXmlSimpleReaderPrivate::parseDoctype()
+ }
+ break;
+ case Mup:
++ if (dtdRecursionLimit > 0 && parameterEntities.size() > dtdRecursionLimit) {
++ reportParseError(QString::fromLatin1(
++ "DTD parsing exceeded recursion limit of %1.").arg(dtdRecursionLimit));
++ return false;
++ }
+ if (!parseMarkupdecl()) {
+ parseFailed(&QXmlSimpleReaderPrivate::parseDoctype, state);
+ return false;
+@@ -6644,6 +6657,37 @@ bool QXmlSimpleReaderPrivate::parseChoiceSeq()
+ return false;
+ }
+
++bool QXmlSimpleReaderPrivate::isPartiallyExpandedEntityValueTooLarge(QString *errorMessage)
++{
++ const QString value = string();
++ QMap referencedEntityCounts;
++ foreach (QString entityName, entities.keys()) {
++ for (int i = 0; i < value.size() && i != -1; ) {
++ i = value.indexOf(entityName, i);
++ if (i != -1) {
++ // The entityName we're currently trying to find
++ // was matched in this string; increase our count.
++ ++referencedEntityCounts[entityName];
++ i += entityName.size();
++ }
++ }
++ }
++
++ foreach (QString entityName, referencedEntityCounts.keys()) {
++ const int timesReferenced = referencedEntityCounts[entityName];
++ const QString entityValue = entities[entityName];
++ if (entityValue.size() * timesReferenced > 1024) {
++ if (errorMessage) {
++ *errorMessage = QString::fromLatin1("The XML entity \"%1\""
++ "expands too a string that is too large to process when "
++ "referencing \"%2\" %3 times.").arg(entityName).arg(entityName).arg(timesReferenced);
++ }
++ return true;
++ }
++ }
++ return false;
++}
++
+ /*
+ Parse a EntityDecl [70].
+
+@@ -6738,6 +6782,15 @@ bool QXmlSimpleReaderPrivate::parseEntityDecl()
+ switch (state) {
+ case EValue:
+ if ( !entityExist(name())) {
++ QString errorMessage;
++ if (isPartiallyExpandedEntityValueTooLarge(&errorMessage)) {
++ // The entity at entityName is entityValue.size() characters
++ // long in its unexpanded form, and was mentioned timesReferenced times,
++ // resulting in a string that would be greater than 1024 characters.
++ reportParseError(errorMessage);
++ return false;
++ }
++
+ entities.insert(name(), string());
+ if (declHnd) {
+ if (!declHnd->internalEntityDecl(name(), string())) {
+diff --git a/src/xml/sax/qxml.cpp b/src/xml/sax/qxml.cpp
+index e6d78d3..f3a1e47 100644
+--- a/src/xml/sax/qxml.cpp
++++ b/src/xml/sax/qxml.cpp
+@@ -426,7 +426,9 @@ private:
+
+ // The limit to the amount of times the DTD parsing functions can be called
+ // for the DTD currently being parsed.
+- int dtdRecursionLimit;
++ static const int dtdRecursionLimit = 2;
++ // The maximum amount of characters an entity value may contain, after expansion.
++ static const int entityCharacterLimit = 1024;
+
+ const QString &string();
+ void stringClear();
+@@ -497,7 +499,7 @@ private:
+ void parseFailed(ParseFunction where, int state);
+ void pushParseState(ParseFunction function, int state);
+
+- bool isPartiallyExpandedEntityValueTooLarge(QString *errorMessage);
++ bool isExpandedEntityValueTooLarge(QString *errorMessage);
+
+ Q_DECLARE_PUBLIC(QXmlSimpleReader)
+ QXmlSimpleReader *q_ptr;
+@@ -2763,8 +2765,6 @@ QXmlSimpleReaderPrivate::QXmlSimpleReaderPrivate(QXmlSimpleReader *reader)
+ useNamespacePrefixes = false;
+ reportWhitespaceCharData = true;
+ reportEntities = false;
+-
+- dtdRecursionLimit = 2;
+ }
+
+ QXmlSimpleReaderPrivate::~QXmlSimpleReaderPrivate()
+@@ -6657,30 +6657,43 @@ bool QXmlSimpleReaderPrivate::parseChoiceSeq()
+ return false;
+ }
+
+-bool QXmlSimpleReaderPrivate::isPartiallyExpandedEntityValueTooLarge(QString *errorMessage)
++bool QXmlSimpleReaderPrivate::isExpandedEntityValueTooLarge(QString *errorMessage)
+ {
+- const QString value = string();
+- QMap referencedEntityCounts;
+- foreach (QString entityName, entities.keys()) {
+- for (int i = 0; i < value.size() && i != -1; ) {
+- i = value.indexOf(entityName, i);
+- if (i != -1) {
+- // The entityName we're currently trying to find
+- // was matched in this string; increase our count.
+- ++referencedEntityCounts[entityName];
+- i += entityName.size();
++ QMap literalEntitySizes;
++ // The entity at (QMap) times.
++ QMap > referencesToOtherEntities;
++ QMap expandedSizes;
++
++ // For every entity, check how many times all entity names were referenced in its value.
++ foreach (QString toSearch, entities.keys()) {
++ // The amount of characters that weren't entity names, but literals, like 'X'.
++ QString leftOvers = entities.value(toSearch);
++ // How many times was entityName referenced by toSearch?
++ foreach (QString entityName, entities.keys()) {
++ for (int i = 0; i < leftOvers.size() && i != -1; ) {
++ i = leftOvers.indexOf(QString::fromLatin1("&%1;").arg(entityName), i);
++ if (i != -1) {
++ leftOvers.remove(i, entityName.size() + 2);
++ // The entityName we're currently trying to find was matched in this string; increase our count.
++ ++referencesToOtherEntities[toSearch][entityName];
++ }
+ }
+ }
++ literalEntitySizes[toSearch] = leftOvers.size();
+ }
+
+- foreach (QString entityName, referencedEntityCounts.keys()) {
+- const int timesReferenced = referencedEntityCounts[entityName];
+- const QString entityValue = entities[entityName];
+- if (entityValue.size() * timesReferenced > 1024) {
++ foreach (QString entity, referencesToOtherEntities.keys()) {
++ expandedSizes[entity] = literalEntitySizes[entity];
++ foreach (QString referenceTo, referencesToOtherEntities.value(entity).keys()) {
++ const int references = referencesToOtherEntities.value(entity).value(referenceTo);
++ // The total size of an entity's value is the expanded size of all of its referenced entities, plus its literal size.
++ expandedSizes[entity] += expandedSizes[referenceTo] * references + literalEntitySizes[referenceTo] * references; ++ } ++ ++ if (expandedSizes[entity] > entityCharacterLimit) { + if (errorMessage) { +- *errorMessage = QString::fromLatin1("The XML entity \"%1\"" +- "expands too a string that is too large to process when " +- "referencing \"%2\" %3 times.").arg(entityName).arg(entityName).arg(timesReferenced); ++ *errorMessage = QString::fromLatin1("The XML entity \"%1\" expands too a string that is too large to process (%2 characters > %3)."); ++ *errorMessage = (*errorMessage).arg(entity).arg(expandedSizes[entity]).arg(entityCharacterLimit); + } + return true; + } +@@ -6783,10 +6796,7 @@ bool QXmlSimpleReaderPrivate::parseEntityDecl() + case EValue: + if ( !entityExist(name())) { + QString errorMessage; +- if (isPartiallyExpandedEntityValueTooLarge(&errorMessage)) { +- // The entity at entityName is entityValue.size() characters +- // long in its unexpanded form, and was mentioned timesReferenced times, +- // resulting in a string that would be greater than 1024 characters. ++ if (isExpandedEntityValueTooLarge(&errorMessage)) { + reportParseError(errorMessage); + return false; + } +-- +1.7 diff --git a/extra/qt5/PKGBUILD b/extra/qt5/PKGBUILD index c072d177b..f59f0909c 100644 --- a/extra/qt5/PKGBUILD +++ b/extra/qt5/PKGBUILD @@ -31,12 +31,12 @@ pkgname=('qt5-base' 'qt5-x11extras' 'qt5-xmlpatterns') pkgver=5.1.1 -pkgrel=5 +pkgrel=6 arch=('i686' 'x86_64') url='http://qt-project.org/' license=('GPL3' 'LGPL' 'FDL' 'custom') makedepends=('libxcb' 'xcb-proto' 'xcb-util' 'xcb-util-image' 'xcb-util-wm' 'xcb-util-keysyms' - 'mesa' 'at-spi2-core' 'alsa-lib' 'gstreamer0.10-base-plugins' + 'mesa' 'at-spi2-core' 'alsa-lib' 'gstreamer0.10-base-plugins' 'libmng' 'libjpeg-turbo' 'cups' 'libpulse' 'hicolor-icon-theme' 'desktop-file-utils' 'postgresql-libs' 'libmariadbclient' 'sqlite' 'unixodbc' 'python2' 'ruby' 'gperf' 'libxslt' 'libxcomposite' 'fontconfig' 
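Review bot: In the last `parseEntityDecl` hunk the size check still runs before `entities.insert(name(), string())`, while `isExpandedEntityValueTooLarge` now walks only `entities.keys()`. The value being declared is therefore not measured until a later declaration triggers the check again, and as far as these hunks show the final declaration of a DTD is never measured by this function. Moving `entities.insert(name(), string());` above the `if (isExpandedEntityValueTooLarge(&errorMessage))` block would cover the current declaration, since a failed check returns false and stops parsing anyway. Separately, `expandedSizes[referenceTo]` is read inside the loop over `referencesToOtherEntities.keys()`, so an entity whose total has not been computed yet presumably contributes only its literal size; a comment stating that ordering assumption, or computing totals in dependency order, would make the limit easier to trust. `parseEntityDecl` and the class declaration begin and end outside the hunks.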
@@ -47,7 +47,7 @@ source=("http://download.qt-project.org/official_releases/qt/5.1/${pkgver}/singl 'assistant.desktop' 'designer.desktop' 'linguist.desktop' 'qdbusviewer.desktop' 'use-python2.patch' 'deppath_gnu.patch' 'rpi.patch' 'undef_B0.patch' - 'bison3.patch') + 'bison3.patch' 'CVE-2013-4549.patch' 'libmng2.patch') md5sums=('44a507beebef73eb364b5a2ec7bbe090' 'b2897dd6a2967bccf8f10e397aafee55' '9638a78e502719ef8fe5f8d10d0361a9' @@ -57,7 +57,9 @@ md5sums=('44a507beebef73eb364b5a2ec7bbe090' '21e4389ed0dd9c37e7cb48712d3bff91' '3f8d2f8fb4e5715f7ce79950fac3c31f' '8a9ba2d990d8840a2114fcffb9f9d2a4' - '6b162cd2bc104f0ae83ca039401be7bf') + '6b162cd2bc104f0ae83ca039401be7bf' + 'e59ba552e12408dcc9486cdbb1f233e3' + '478647fa057d190a7d789cf78995167b') prepare() { cd ${_pkgfqn} @@ -86,6 +88,12 @@ prepare() { # Fix build with bison 3.x cd qtwebkit patch -p1 -i "${srcdir}"/bison3.patch + + cd ../qtbase + patch -p1 -i "${srcdir}"/CVE-2013-4549.patch + + cd ../qtimageformats + patch -p1 -i "${srcdir}"/libmng2.patch } build() { @@ -145,13 +153,13 @@ package_qt5-base() { 'libmariadbclient: MariaDB driver' 'unixodbc: ODBC driver') conflicts=('qt') + options=('staticlibs') #libQt5PlatformSupport builds static only cd ${_pkgfqn}/qtbase make INSTALL_ROOT="${pkgdir}" install - cd "${srcdir}" - install -D -m644 ${_pkgfqn}/qtbase/LGPL_EXCEPTION.txt \ - ${pkgdir}/usr/share/licenses/${pkgbase}/LGPL_EXCEPTION.txt + install -D -m644 LGPL_EXCEPTION.txt \ + "${pkgdir}"/usr/share/licenses/${pkgname}/LGPL_EXCEPTION.txt # Fix wrong path in prl files find "${pkgdir}/usr/lib" -type f -name '*.prl' \ @@ -185,6 +193,9 @@ package_qt5-declarative() { for b in "${pkgdir}"/usr/lib/qt/bin/*; do ln -s /usr/lib/qt/bin/$(basename $b) "${pkgdir}"/usr/bin/$(basename $b)-qt5 done + + install -D -m644 LGPL_EXCEPTION.txt \ + "${pkgdir}"/usr/share/licenses/${pkgname}/LGPL_EXCEPTION.txt } package_qt5-doc() { 
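Review bot: The checksums for `CVE-2013-4549.patch` and `libmng2.patch` are appended to `md5sums`, which is also the only integrity check on the tarball that `source` fetches over plain `http://`. MD5 is not collision-resistant, so a `sha256sums=(...)` array with one entry per `source` item would be a stronger place for these values; they need to be regenerated with the packaging tools rather than converted by hand. Both the `source` and `md5sums` arrays begin outside their hunks.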
@@ -194,11 +205,14 @@ package_qt5-doc() { conflicts=('qt-doc') replaces=('qt-doc') provides=('qt-doc') - options=('docs') + options=('docs' '!emptydirs') groups=() cd ${_pkgfqn} make INSTALL_ROOT="${pkgdir}" install_docs + + install -D -m644 LGPL_EXCEPTION.txt \ + "${pkgdir}"/usr/share/licenses/${pkgname}/LGPL_EXCEPTION.txt } package_qt5-jsbackend() { @@ -211,6 +225,9 @@ package_qt5-jsbackend() { # Fix wrong path in prl files find "${pkgdir}/usr/lib" -type f -name '*.prl' \ -exec sed -i -e '/^QMAKE_PRL_BUILD_DIR/d;s/\(QMAKE_PRL_LIBS =\).*/\1/' {} \; + + install -D -m644 LGPL_EXCEPTION.txt \ + "${pkgdir}"/usr/share/licenses/${pkgname}/LGPL_EXCEPTION.txt } package_qt5-xmlpatterns() { @@ -230,6 +247,9 @@ package_qt5-xmlpatterns() { for b in "${pkgdir}"/usr/lib/qt/bin/*; do ln -s /usr/lib/qt/bin/$(basename $b) "${pkgdir}"/usr/bin/$(basename $b)-qt5 done + + install -D -m644 LGPL_EXCEPTION.txt \ + "${pkgdir}"/usr/share/licenses/${pkgname}/LGPL_EXCEPTION.txt } package_qt5-translations() { @@ -239,6 +259,9 @@ package_qt5-translations() { cd ${_pkgfqn}/qttranslations make INSTALL_ROOT="${pkgdir}" install + + install -D -m644 LGPL_EXCEPTION.txt \ + "${pkgdir}"/usr/share/licenses/${pkgname}/LGPL_EXCEPTION.txt } package_qt5-multimedia() { @@ -252,6 +275,9 @@ package_qt5-multimedia() { # Fix wrong path in prl files find "${pkgdir}/usr/lib" -type f -name '*.prl' \ -exec sed -i -e '/^QMAKE_PRL_BUILD_DIR/d;s/\(QMAKE_PRL_LIBS =\).*/\1/' {} \; + + install -D -m644 LGPL_EXCEPTION.txt \ + "${pkgdir}"/usr/share/licenses/${pkgname}/LGPL_EXCEPTION.txt } package_qt5-graphicaleffects() { 
@@ -260,15 +286,21 @@ package_qt5-graphicaleffects() { cd ${_pkgfqn}/qtgraphicaleffects make INSTALL_ROOT="${pkgdir}" install + + install -D -m644 LGPL_EXCEPTION.txt \ + "${pkgdir}"/usr/share/licenses/${pkgname}/LGPL_EXCEPTION.txt } package_qt5-imageformats() { pkgdesc='A cross-platform application and UI framework (Images plugins)' - depends=('qt5-base' 'libtiff') + depends=('qt5-base' 'libtiff' 'libmng') conflicts=('qt') cd ${_pkgfqn}/qtimageformats make INSTALL_ROOT="${pkgdir}" install + + install -D -m644 LGPL_EXCEPTION.txt \ + "${pkgdir}"/usr/share/licenses/${pkgname}/LGPL_EXCEPTION.txt } package_qt5-quick1() { @@ -288,6 +320,9 @@ package_qt5-quick1() { for b in "${pkgdir}"/usr/lib/qt/bin/*; do ln -s /usr/lib/qt/bin/$(basename $b) "${pkgdir}"/usr/bin/$(basename $b)-qt5 done + + install -D -m644 LGPL_EXCEPTION.txt \ + "${pkgdir}"/usr/share/licenses/${pkgname}/LGPL_EXCEPTION.txt } package_qt5-quickcontrols() { @@ -296,6 +331,9 @@ package_qt5-quickcontrols() { cd ${_pkgfqn}/qtquickcontrols make INSTALL_ROOT="${pkgdir}" install + + install -D -m644 LGPL_EXCEPTION.txt \ + "${pkgdir}"/usr/share/licenses/${pkgname}/LGPL_EXCEPTION.txt } package_qt5-script() { @@ -309,6 +347,9 @@ package_qt5-script() { # Fix wrong path in prl files find "${pkgdir}/usr/lib" -type f -name '*.prl' \ -exec sed -i -e '/^QMAKE_PRL_BUILD_DIR/d;s/\(QMAKE_PRL_LIBS =\).*/\1/' {} \; + + install -D -m644 LGPL_EXCEPTION.txt \ + "${pkgdir}"/usr/share/licenses/${pkgname}/LGPL_EXCEPTION.txt } package_qt5-sensors() { @@ -321,6 +362,9 @@ package_qt5-sensors() { # Fix wrong path in prl files find "${pkgdir}/usr/lib" -type f -name '*.prl' \ -exec sed -i -e '/^QMAKE_PRL_BUILD_DIR/d;s/\(QMAKE_PRL_LIBS =\).*/\1/' {} \; + + install -D -m644 LGPL_EXCEPTION.txt \ + "${pkgdir}"/usr/share/licenses/${pkgname}/LGPL_EXCEPTION.txt } package_qt5-serialport() { 
@@ -333,6 +377,9 @@ package_qt5-serialport() { # Fix wrong path in prl files find "${pkgdir}/usr/lib" -type f -name '*.prl' \ -exec sed -i -e '/^QMAKE_PRL_BUILD_DIR/d;s/\(QMAKE_PRL_LIBS =\).*/\1/' {} \; + + install -D -m644 LGPL_EXCEPTION.txt \ + "${pkgdir}"/usr/share/licenses/${pkgname}/LGPL_EXCEPTION.txt } package_qt5-svg() { @@ -346,6 +393,9 @@ package_qt5-svg() { # Fix wrong path in prl files find "${pkgdir}/usr/lib" -type f -name '*.prl' \ -exec sed -i -e '/^QMAKE_PRL_BUILD_DIR/d;s/\(QMAKE_PRL_LIBS =\).*/\1/' {} \; + + install -D -m644 LGPL_EXCEPTION.txt \ + "${pkgdir}"/usr/share/licenses/${pkgname}/LGPL_EXCEPTION.txt } package_qt5-tools() { @@ -355,7 +405,7 @@ package_qt5-tools() { optdepends=('qt5-doc: documentation') install='qt5-tools.install' conflicts=('qt') - options=('staticlibs') # libQtUiTools builds as static only + options=('staticlibs') # libQt5UiTools builds as static only cd ${_pkgfqn}/qttools make INSTALL_ROOT="${pkgdir}" install @@ -390,11 +440,15 @@ package_qt5-tools() { for b in "${pkgdir}"/usr/lib/qt/bin/*; do ln -s /usr/lib/qt/bin/$(basename $b) "${pkgdir}"/usr/bin/$(basename $b)-qt5 done + + install -D -m644 LGPL_EXCEPTION.txt \ + "${pkgdir}"/usr/share/licenses/${pkgname}/LGPL_EXCEPTION.txt } package_qt5-webkit() { pkgdesc='A cross-platform application and UI framework (QtWebKit)' depends=('qt5-declarative' 'gstreamer0.10-base' 'libxslt' 'libxcomposite' 'qt5-sensors') + license=('GPL3' 'LGPL' 'FDL') cd ${_pkgfqn}/qtwebkit make INSTALL_ROOT="${pkgdir}" install @@ -417,4 +471,7 @@ package_qt5-x11extras() { # Fix wrong path in prl files find "${pkgdir}/usr/lib" -type f -name '*.prl' \ -exec sed -i -e '/^QMAKE_PRL_BUILD_DIR/d;s/\(QMAKE_PRL_LIBS =\).*/\1/' {} \; + + install -D -m644 LGPL_EXCEPTION.txt \ + "${pkgdir}"/usr/share/licenses/${pkgname}/LGPL_EXCEPTION.txt } diff --git a/extra/qt5/libmng2.patch b/extra/qt5/libmng2.patch new file mode 100644 index 000000000..0e23f60f7 --- /dev/null +++ b/extra/qt5/libmng2.patch 
@@ -0,0 +1,34 @@
+From 9ae386653c321c8ddc10fad5ea88f32ebb3d3ffe Mon Sep 17 00:00:00 2001
+From: aavit
+Date: Fri, 22 Nov 2013 15:04:23 +0100
+Subject: [PATCH] Recognize newer libmng versions in config test
+
+libmng 2.0.x has been released and is compatible and usable, but since
+it no longer provides a VERSION_MAJOR macro, the config test would fail.
+
+Task-number: QTBUG-34894
+Change-Id: I106aa258de0851af01d1bb016c2971dd8e30fd24
+Reviewed-by: Liang Qi
+---
+ config.tests/libmng/libmng.cpp | 2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+diff --git a/config.tests/libmng/libmng.cpp b/config.tests/libmng/libmng.cpp
+index 9def33e..fc3e693 100644
+--- a/config.tests/libmng/libmng.cpp
++++ b/config.tests/libmng/libmng.cpp
+@@ -46,9 +46,11 @@ int main(int, char **)
+ mng_handle hMNG;
+ mng_cleanup(&hMNG);
+
++#if defined(MNG_VERSION_MAJOR)
+ #if MNG_VERSION_MAJOR < 1 || (MNG_VERSION_MAJOR == 1 && MNG_VERSION_MINOR == 0 && MNG_VERSION_RELEASE < 9)
+ #error System libmng version is less than 1.0.9; using built-in version instead.
+ #endif
++#endif
+
+ return 0;
+ }
+--
+1.7.1
+
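Review bot: With the new outer `#if defined(MNG_VERSION_MAJOR)` the minimum-version test is skipped entirely whenever the header does not define that macro, and nothing in the file records why that is acceptable. A comment above the guard would carry the assumption from the commit message into the source, for example `// libmng 2.x no longer defines MNG_VERSION_MAJOR; only older headers need the 1.0.9 check.` `main` begins outside the hunk.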