scarabeus 09/07/30 13:34:27 |
|
Added: 4.2.4-CVE-2009-1725.patch 4.2.4-CVE-2009-1687.patch |
4.2.4-CVE-2009-1698.patch |
Log: |
Revision bump. Apply security fixes per bugs #279027 and #279187. Force due to unsynced tree. |
(Portage version: 2.2_rc33/cvs/Linux i686, RepoMan options: --force) |
|
Revision Changes Path |
1.1 kde-base/kdelibs/files/4.2.4-CVE-2009-1725.patch |
|
file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/kde-base/kdelibs/files/4.2.4-CVE-2009-1725.patch?rev=1.1&view=markup |
plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/kde-base/kdelibs/files/4.2.4-CVE-2009-1725.patch?rev=1.1&content-type=text/plain |
|
Index: 4.2.4-CVE-2009-1725.patch |
=================================================================== |
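--- a/branches/KDE/4.3/kdelibs/khtml/html/htmltokenizer.cpp	2009/07/25 09:02:54 1002162
+++ b/branches/KDE/4.3/kdelibs/khtml/html/htmltokenizer.cpp	2009/07/25 09:05:44 1002163
@@ -1038,7 +1038,7 @@
 #ifdef TOKEN_DEBUG
 kDebug( 6036 ) << "unknown entity!";
 #endif
- checkBuffer(10);
+ checkBuffer(11);
 // ignore the sequence, add it to the buffer as plaintext
 *dest++ = '&';
 for(unsigned int i = 0; i < cBufferPos; i++)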
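Review bot: The new bound in `checkBuffer(11)` is still a bare literal tied to how many characters the loop below it can copy, and nothing in the hunk says where 11 comes from. From the visible lines the write is one '&' followed by cBufferPos characters, so the reservation could be derived from the data, e.g. `checkBuffer(cBufferPos + 1);`, or at least carry a comment such as `// '&' plus the buffered entity characters`. The loop body and everything after it are outside the hunk, so confirm that nothing else is written through dest before the next checkBuffer call.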
|
|
|
1.1 kde-base/kdelibs/files/4.2.4-CVE-2009-1687.patch |
|
file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/kde-base/kdelibs/files/4.2.4-CVE-2009-1687.patch?rev=1.1&view=markup |
plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/kde-base/kdelibs/files/4.2.4-CVE-2009-1687.patch?rev=1.1&content-type=text/plain |
|
Index: 4.2.4-CVE-2009-1687.patch |
=================================================================== |
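--- a/branches/KDE/4.3/kdelibs/kjs/collector.cpp	2009/07/26 03:35:55 1002472
+++ b/branches/KDE/4.3/kdelibs/kjs/collector.cpp	2009/07/26 03:35:57 1002473
@@ -31,6 +31,7 @@
 #include "value.h"
 
 #include <setjmp.h>
+#include <limits.h>
 #include <algorithm>
 
 #if PLATFORM(DARWIN)
@@ -109,6 +110,9 @@
 
 void append(CollectorBlock* block) {
 if (m_used == m_capacity) {
+ static const size_t maxNumBlocks = ULONG_MAX / sizeof(CollectorBlock*) / GROWTH_FACTOR;
+ if (m_capacity > maxNumBlocks)
+ CRASH();
 m_capacity = max(MIN_ARRAY_SIZE, m_capacity * GROWTH_FACTOR);
 m_data = static_cast<CollectorBlock **>(fastRealloc(m_data, m_capacity * sizeof(CollectorBlock *)));
 }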
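Review bot: The overflow guard in append() derives `maxNumBlocks` from `ULONG_MAX`, while the product it protects, `m_capacity * sizeof(CollectorBlock *)`, is handed to fastRealloc, presumably as a size_t; the two limits differ on platforms where unsigned long and size_t have different widths. Basing the bound on the type actually used keeps the check exact: `static const size_t maxNumBlocks = std::numeric_limits<size_t>::max() / sizeof(CollectorBlock*) / GROWTH_FACTOR;`, with `#include <limits>` instead of `<limits.h>`. The declaration of m_capacity and the remainder of append() are outside the hunk, so the member's type should be confirmed first. A one-line comment above `CRASH();` saying that aborting is preferred to a wrapped allocation size would also make the intent clear to the next reader.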
|
|
|
1.1 kde-base/kdelibs/files/4.2.4-CVE-2009-1698.patch |
|
file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/kde-base/kdelibs/files/4.2.4-CVE-2009-1698.patch?rev=1.1&view=markup |
plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/kde-base/kdelibs/files/4.2.4-CVE-2009-1698.patch?rev=1.1&content-type=text/plain |
|
Index: 4.2.4-CVE-2009-1698.patch |
=================================================================== |
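--- a/branches/KDE/4.3/kdelibs/khtml/css/css_valueimpl.cpp	2009/07/26 03:39:55 1002474
+++ b/branches/KDE/4.3/kdelibs/khtml/css/css_valueimpl.cpp	2009/07/26 03:40:47 1002475
@@ -1212,7 +1212,9 @@
 text = getValueName(m_value.ident);
 break;
 case CSSPrimitiveValue::CSS_ATTR:
- // ###
+ text = "attr(";
+ text += DOMString( m_value.string );
+ text += ")";
 break;
 case CSSPrimitiveValue::CSS_COUNTER:
 text = "counter(";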
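Review bot: The new CSS_ATTR branch reads `m_value.string` without saying why that union member is the active one for this primitive type. A comment on the case, for example `// attr() values are only created from a CSS_IDENT argument, so m_value.string is set`, would record the invariant this serialization depends on. The switch and its enclosing function begin and end outside the hunk, so whether CSS_ATTR values can be constructed by any path other than the parser cannot be confirmed from here and is worth checking.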
|
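--- a/branches/KDE/4.3/kdelibs/khtml/css/cssparser.cpp	2009/07/26 03:39:55 1002474
+++ b/branches/KDE/4.3/kdelibs/khtml/css/cssparser.cpp	2009/07/26 03:40:47 1002475
@@ -1513,6 +1513,14 @@
 if ( args->size() != 1)
 return false;
 Value *a = args->current();
+ if (a->unit != CSSPrimitiveValue::CSS_IDENT) {
+ isValid=false;
+ break;
+ }
+ if (qString(a->string)[0] == '-') {
+ isValid=false;
+ break;
+ }
 parsedValue = new CSSPrimitiveValueImpl(domString(a->string), CSSPrimitiveValue::CSS_ATTR);
 }
 else
@@ -1565,7 +1573,8 @@
 
 CounterImpl *counter = new CounterImpl;
 Value *i = args->current();
-// if (i->unit != CSSPrimitiveValue::CSS_IDENT) goto invalid;
+ if (i->unit != CSSPrimitiveValue::CSS_IDENT) goto invalid;
+ if (qString(i->string)[0] == '-') goto invalid;
 counter->m_identifier = domString(i->string);
 if (counters) {
 i = args->next();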
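Review bot: Both added first-character tests, `qString(a->string)[0] == '-'` in the attr() branch and `qString(i->string)[0] == '-'` in the counter branch, index the string without showing that it is non-empty, and each builds a temporary QString to inspect one character. `if (qString(a->string).startsWith('-'))`, and the same for `i`, states the intent and is well defined for an empty string. In the counter hunk the two `goto invalid` checks run after `new CounterImpl`, so the `invalid` label, which is outside the hunk, has to release `counter`; if it does not, moving the checks above the allocation avoids a leak on rejected input. Both enclosing functions continue outside the hunks.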