-rw-r--r--debian/changelog7
-rw-r--r--debian/patches/00list1
-rwxr-xr-xdebian/patches/04_utf8_bug_fix.dpatch141
3 files changed, 149 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
index 4d785be..32a095a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+qt4-x11 (4.2.2-2) unstable; urgency=high
+
+ * debian/patches/04_utf8_bug_fix.dpatch: new patch to fix the "UTF-8
+ overlong sequence decoding vulnerability" [CVE-2007-0242]
+
+ -- Brian Nelson <pyro@debian.org> Fri, 30 Mar 2007 11:04:20 -0400
+
qt4-x11 (4.2.2-1) unstable; urgency=low
* New upstream release (Closes: #410862)
diff --git a/debian/patches/00list b/debian/patches/00list
index 7be0821..792db17 100644
--- a/debian/patches/00list
+++ b/debian/patches/00list
@@ -1,6 +1,7 @@
01_qmake_for_debian
02_launch_assistant-qt4
03_launch_moc-qt4
+04_utf8_bug_fix
20_mips_atomic_ops
30_arm_ftbfs_fixes
31_arm_eabi_fix
diff --git a/debian/patches/04_utf8_bug_fix.dpatch b/debian/patches/04_utf8_bug_fix.dpatch
new file mode 100755
index 0000000..a5453ce
--- /dev/null
+++ b/debian/patches/04_utf8_bug_fix.dpatch
@@ -0,0 +1,141 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 04_utf8_bug_fix.dpatch by Brian Nelson <pyro@debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+@DPATCH@
+diff -urNad qt4-x11-4.2.2~/src/corelib/codecs/qutfcodec.cpp qt4-x11-4.2.2/src/corelib/codecs/qutfcodec.cpp
+--- qt4-x11-4.2.2~/src/corelib/codecs/qutfcodec.cpp 2006-11-27 12:26:05.000000000 -0500
++++ qt4-x11-4.2.2/src/corelib/codecs/qutfcodec.cpp 2007-03-30 10:38:53.000000000 -0400
+@@ -127,15 +127,19 @@
+ bool headerdone = false;
+ QChar replacement = QChar::ReplacementCharacter;
+ int need = 0;
++ int error = -1;
+ uint uc = 0;
++ uint min_uc = 0;
+ if (state) {
+ if (state->flags & IgnoreHeader)
+ headerdone = true;
+ if (state->flags & ConvertInvalidToNull)
+ replacement = QChar::Null;
+ need = state->remainingChars;
+- if (need)
++ if (need) {
+ uc = state->state_data[0];
++ min_uc = state->state_data[1];
++ }
+ }
+ if (!headerdone && len > 3
+ && (uchar)chars[0] == 0xef && (uchar)chars[1] == 0xbb && (uchar)chars[2] == 0xbf) {
+@@ -152,7 +156,7 @@
+ int invalid = 0;
+
+ for (int i=0; i<len; i++) {
+- ch = *chars++;
++ ch = chars[i];
+ if (need) {
+ if ((ch&0xc0) == 0x80) {
+ uc = (uc << 6) | (ch & 0x3f);
+@@ -163,14 +167,27 @@
+ uc -= 0x10000;
+ unsigned short high = uc/0x400 + 0xd800;
+ unsigned short low = uc%0x400 + 0xdc00;
++
++ // resize if necessary
++ long where = qch - result.unicode();
++ if (where + 2 >= result.size()) {
++ result.resize(where + 2);
++ qch = result.data() + where;
++ }
++
+ *qch++ = QChar(high);
+ *qch++ = QChar(low);
++ } else if ((uc < min_uc) || (uc >= 0xd800 && uc <= 0xdfff) || (uc >= 0xfffe)) {
++ // error
++ *qch++ = QChar::ReplacementCharacter;
++ ++invalid;
+ } else {
+ *qch++ = uc;
+ }
+ }
+ } else {
+ // error
++ i = error;
+ *qch++ = QChar::ReplacementCharacter;
+ ++invalid;
+ need = 0;
+@@ -181,12 +198,22 @@
+ } else if ((ch & 0xe0) == 0xc0) {
+ uc = ch & 0x1f;
+ need = 1;
++ error = i;
++ min_uc = 0x80;
+ } else if ((ch & 0xf0) == 0xe0) {
+ uc = ch & 0x0f;
+ need = 2;
++ error = i;
++ min_uc = 0x800;
+ } else if ((ch&0xf8) == 0xf0) {
+ uc = ch & 0x07;
+ need = 3;
++ error = i;
++ min_uc = 0x10000;
++ } else {
++ // error
++ *qch++ = QChar::ReplacementCharacter;
++ ++invalid;
+ }
+ }
+ }
+@@ -197,6 +224,7 @@
+ if (headerdone)
+ state->flags |= IgnoreHeader;
+ state->state_data[0] = need ? uc : 0;
++ state->state_data[1] = need ? min_uc : 0;
+ }
+ return result;
+ }
+diff -urNad qt4-x11-4.2.2~/src/corelib/tools/qstring.cpp qt4-x11-4.2.2/src/corelib/tools/qstring.cpp
+--- qt4-x11-4.2.2~/src/corelib/tools/qstring.cpp 2006-11-27 12:26:07.000000000 -0500
++++ qt4-x11-4.2.2/src/corelib/tools/qstring.cpp 2007-03-30 10:38:53.000000000 -0400
+@@ -3352,6 +3352,7 @@
+ result.resize(size); // worst case
+ ushort *qch = result.d->data;
+ uint uc = 0;
++ uint min_uc = 0;
+ int need = 0;
+ int error = -1;
+ uchar ch;
+@@ -3369,6 +3370,12 @@
+ ushort low = uc%0x400 + 0xdc00;
+ *qch++ = high;
+ *qch++ = low;
++ } else if ((uc < min_uc) || (uc >= 0xd800 && uc <= 0xdfff) || (uc >= 0xfffe)) {
++ // overlong seqence, UTF16 surrogate or BOM
++ i = error;
++ qch = addOne(qch, result);
++ *qch++ = 0xdbff;
++ *qch++ = 0xde00 + ((uchar)str[i]);
+ } else {
+ *qch++ = uc;
+ }
+@@ -3391,14 +3398,17 @@
+ uc = ch & 0x1f;
+ need = 1;
+ error = i;
++ min_uc = 0x80;
+ } else if ((ch & 0xf0) == 0xe0) {
+ uc = ch & 0x0f;
+ need = 2;
+ error = i;
++ min_uc = 0x800;
+ } else if ((ch&0xf8) == 0xf0) {
+ uc = ch & 0x07;
+ need = 3;
+ error = i;
++ min_uc = 0x10000;
+ } else {
+ // Error
+ qch = addOne(qch, result);
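Review bot: In the qutfcodec.cpp part of this patch, the new rewind `i = error;` in the invalid-continuation branch emits a replacement character and then decodes the same bytes again, but only the surrogate-pair path got a capacity check (`if (where + 2 >= result.size())`); the `*qch++ = QChar::ReplacementCharacter;` writes in the error branches stay unchecked. When a sequence is resumed from `state->remainingChars`, `error` is still -1, so the rewind restarts at `chars[0]` and the call can write one more QChar than it was given bytes; if `result` is sized to `len` (the allocation is outside the hunk, so this needs confirming), that write lands past the end of the buffer. The qstring.cpp counterpart grows the buffer with `qch = addOne(qch, result);` before its error writes, and the codec should do the equivalent or reserve room for the carried-over sequence when `result` is allocated. The dpatch header also still reads `## DP: No description.`; a line such as `## DP: Reject overlong UTF-8 sequences, surrogates and U+FFFE/U+FFFF (CVE-2007-0242)` would record why the patch exists. Both decoder loops start and end outside the quoted hunks.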