-rw-r--r-- | debian/changelog | 7 | ||||
-rw-r--r-- | debian/patches/00list | 1 | ||||
-rwxr-xr-x | debian/patches/04_utf8_bug_fix.dpatch | 141 |
3 files changed, 149 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
index 4d785be..32a095a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+qt4-x11 (4.2.2-2) unstable; urgency=high
+
+ * debian/patches/04_utf8_bug_fix.dpatch: new patch to fix the "UTF-8
+ overlong sequence decoding vulnerability" [CVE-2007-0242]
+
+ -- Brian Nelson <pyro@debian.org> Fri, 30 Mar 2007 11:04:20 -0400
+
 qt4-x11 (4.2.2-1) unstable; urgency=low
 
 * New upstream release (Closes: #410862)
diff --git a/debian/patches/00list b/debian/patches/00list
index 7be0821..792db17 100644
--- a/debian/patches/00list
+++ b/debian/patches/00list
@@ -1,6 +1,7 @@
 01_qmake_for_debian
 02_launch_assistant-qt4
 03_launch_moc-qt4
+04_utf8_bug_fix
 20_mips_atomic_ops
 30_arm_ftbfs_fixes
 31_arm_eabi_fix
diff --git a/debian/patches/04_utf8_bug_fix.dpatch b/debian/patches/04_utf8_bug_fix.dpatch
new file mode 100755
index 0000000..a5453ce
--- /dev/null
+++ b/debian/patches/04_utf8_bug_fix.dpatch
@@ -0,0 +1,141 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 04_utf8_bug_fix.dpatch by Brian Nelson <pyro@debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+@DPATCH@
+diff -urNad qt4-x11-4.2.2~/src/corelib/codecs/qutfcodec.cpp qt4-x11-4.2.2/src/corelib/codecs/qutfcodec.cpp
+--- qt4-x11-4.2.2~/src/corelib/codecs/qutfcodec.cpp 2006-11-27 12:26:05.000000000 -0500
++++ qt4-x11-4.2.2/src/corelib/codecs/qutfcodec.cpp 2007-03-30 10:38:53.000000000 -0400
+@@ -127,15 +127,19 @@
+ bool headerdone = false;
+ QChar replacement = QChar::ReplacementCharacter;
+ int need = 0;
++ int error = -1;
+ uint uc = 0;
++ uint min_uc = 0;
+ if (state) {
+ if (state->flags & IgnoreHeader)
+ headerdone = true;
+ if (state->flags & ConvertInvalidToNull)
+ replacement = QChar::Null;
+ need = state->remainingChars;
+- if (need)
++ if (need) {
+ uc = state->state_data[0];
++ min_uc = state->state_data[1];
++ }
+ }
+ if (!headerdone && len > 3
+ && (uchar)chars[0] == 0xef && (uchar)chars[1] == 0xbb && (uchar)chars[2] == 0xbf) {
+@@ -152,7 +156,7 @@
+ int invalid = 0;
+
+ for (int i=0; i<len; i++) {
+- ch = *chars++;
++ ch = chars[i];
+ if (need) {
+ if ((ch&0xc0) == 0x80) {
+ uc = (uc << 6) | (ch & 0x3f);
+@@ -163,14 +167,27 @@
+ uc -= 0x10000;
+ unsigned short high = uc/0x400 + 0xd800;
+ unsigned short low = uc%0x400 + 0xdc00;
++
++ // resize if necessary
++ long where = qch - result.unicode();
++ if (where + 2 >= result.size()) {
++ result.resize(where + 2);
++ qch = result.data() + where;
++ }
++
+ *qch++ = QChar(high);
+ *qch++ = QChar(low);
++ } else if ((uc < min_uc) || (uc >= 0xd800 && uc <= 0xdfff) || (uc >= 0xfffe)) {
++ // error
++ *qch++ = QChar::ReplacementCharacter;
++ ++invalid;
+ } else {
+ *qch++ = uc;
+ }
+ }
+ } else {
+ // error
++ i = error;
+ *qch++ = QChar::ReplacementCharacter;
+ ++invalid;
+ need = 0;
+@@ -181,12 +198,22 @@
+ } else if ((ch & 0xe0) == 0xc0) {
+ uc = ch & 0x1f;
+ need = 1;
++ error = i;
++ min_uc = 0x80;
+ } else if ((ch & 0xf0) == 0xe0) {
+ uc = ch & 0x0f;
+ need = 2;
++ error = i;
++ min_uc = 0x800;
+ } else if ((ch&0xf8) == 0xf0) {
+ uc = ch & 0x07;
+ need = 3;
++ error = i;
++ min_uc = 0x10000;
++ } else {
++ // error
++ *qch++ = QChar::ReplacementCharacter;
++ ++invalid;
+ }
+ }
+ }
+@@ -197,6 +224,7 @@
+ if (headerdone)
+ state->flags |= IgnoreHeader;
+ state->state_data[0] = need ? uc : 0;
++ state->state_data[1] = need ? min_uc : 0;
+ }
+ return result;
+ }
+diff -urNad qt4-x11-4.2.2~/src/corelib/tools/qstring.cpp qt4-x11-4.2.2/src/corelib/tools/qstring.cpp
+--- qt4-x11-4.2.2~/src/corelib/tools/qstring.cpp 2006-11-27 12:26:07.000000000 -0500
++++ qt4-x11-4.2.2/src/corelib/tools/qstring.cpp 2007-03-30 10:38:53.000000000 -0400
+@@ -3352,6 +3352,7 @@
+ result.resize(size); // worst case
+ ushort *qch = result.d->data;
+ uint uc = 0;
++ uint min_uc = 0;
+ int need = 0;
+ int error = -1;
+ uchar ch;
+@@ -3369,6 +3370,12 @@
+ ushort low = uc%0x400 + 0xdc00;
+ *qch++ = high;
+ *qch++ = low;
++ } else if ((uc < min_uc) || (uc >= 0xd800 && uc <= 0xdfff) || (uc >= 0xfffe)) {
++ // overlong seqence, UTF16 surrogate or BOM
++ i = error;
++ qch = addOne(qch, result);
++ *qch++ = 0xdbff;
++ *qch++ = 0xde00 + ((uchar)str[i]);
+ } else {
+ *qch++ = uc;
+ }
+@@ -3391,14 +3398,17 @@
+ uc = ch & 0x1f;
+ need = 1;
+ error = i;
++ min_uc = 0x80;
+ } else if ((ch & 0xf0) == 0xe0) {
+ uc = ch & 0x0f;
+ need = 2;
+ error = i;
++ min_uc = 0x800;
+ } else if ((ch&0xf8) == 0xf0) {
+ uc = ch & 0x07;
+ need = 3;
+ error = i;
++ min_uc = 0x10000;
+ } else {
+ // Error
+ qch = addOne(qch, result); |
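Review bot: The added validity test `(uc < min_uc) || (uc >= 0xd800 && uc <= 0xdfff) || (uc >= 0xfffe)` has no upper bound in either decoder (qutfcodec.cpp and qstring.cpp), so a four-byte sequence, whose lead byte contributes `ch & 0x07`, can still decode to a value above 0x10FFFF. The test sits in the `else if` after the surrogate-pair branch, whose condition lies outside both hunks; if that branch accepts every `uc > 0xffff`, then `uc/0x400 + 0xd800` runs past 0xdbff and the output carries a malformed pair instead of taking the error path. Bounding the branch, e.g. `if (uc > 0xffff && uc < 0x110000)`, would let the existing `uc >= 0xfffe` term route out-of-range values to the new rejection code. Separately, the header line `## DP: No description.` should say what the patch does, for example `## DP: Reject overlong UTF-8 sequences, UTF-16 surrogates and U+FFFE/U+FFFF [CVE-2007-0242]`.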