diff -Nru qt4-x11-4.8.4+dfsg/debian/changelog qt4-x11-4.8.4+dfsg/debian/changelog --- qt4-x11-4.8.4+dfsg/debian/changelog 2013-10-13 13:08:08.000000000 +0100 +++ qt4-x11-4.8.4+dfsg/debian/changelog 2013-12-10 16:55:36.000000000 +0000 @@ -1,3 +1,13 @@ +qt4-x11 (4:4.8.4+dfsg-0ubuntu19) saucy-security; urgency=low + + * SECURITY UPDATE: [XML Entity Expansion Denial of Service] (LP: #1259577). + - Add CVE-2013-4549.diff + - add limit in src/xml/sax/qxml.cpp + - http://lists.qt-project.org/pipermail/announce/2013-December/000036.html + - CVE-2013-4549 + + -- Jonathan Riddell Tue, 10 Dec 2013 16:54:32 +0000 + qt4-x11 (4:4.8.4+dfsg-0ubuntu18) saucy; urgency=low * debian/patches/aarch64_fix_atomic_set.patch: diff -Nru qt4-x11-4.8.4+dfsg/debian/patches/CVE-2013-4549.patch qt4-x11-4.8.4+dfsg/debian/patches/CVE-2013-4549.patch --- qt4-x11-4.8.4+dfsg/debian/patches/CVE-2013-4549.patch 1970-01-01 01:00:00.000000000 +0100 +++ qt4-x11-4.8.4+dfsg/debian/patches/CVE-2013-4549.patch 2013-12-10 16:54:21.000000000 +0000 @@ -0,0 +1,107 @@ +--- a/src/xml/sax/qxml.cpp 2012-11-23 10:09:53.000000000 +0000 ++++ b/src/xml/sax/qxml.cpp 2013-12-10 16:28:28.130647095 +0000 +@@ -1,6 +1,6 @@ + /**************************************************************************** + ** +-** Copyright (C) 2012 Digia Plc and/or its subsidiary(-ies). ++** Copyright (C) 2013 Digia Plc and/or its subsidiary(-ies). + ** Contact: http://www.qt-project.org/legal + ** + ** This file is part of the QtXml module of the Qt Toolkit. +@@ -424,6 +424,12 @@ + int stringValueLen; + QString emptyStr; + ++ // The limit to the amount of times the DTD parsing functions can be called ++ // for the DTD currently being parsed. ++ static const int dtdRecursionLimit = 2; ++ // The maximum amount of characters an entity value may contain, after expansion. ++ static const int entityCharacterLimit = 1024; ++ + const QString &string(); + void stringClear(); + void stringAddC(QChar); +@@ -492,6 +498,7 @@ + void unexpectedEof(ParseFunction where, int state); + void parseFailed(ParseFunction where, int state); + void pushParseState(ParseFunction function, int state); ++ bool isExpandedEntityValueTooLarge(QString *errorMessage); + + Q_DECLARE_PUBLIC(QXmlSimpleReader) + QXmlSimpleReader *q_ptr; +@@ -5018,6 +5025,11 @@ + } + break; + case Mup: ++ if (dtdRecursionLimit > 0 && parameterEntities.size() > dtdRecursionLimit) { ++ reportParseError(QString::fromLatin1( ++ "DTD parsing exceeded recursion limit of %1.").arg(dtdRecursionLimit)); ++ return false; ++ } + if (!parseMarkupdecl()) { + parseFailed(&QXmlSimpleReaderPrivate::parseDoctype, state); + return false; +@@ -6627,6 +6639,50 @@ + return false; + } + ++bool QXmlSimpleReaderPrivate::isExpandedEntityValueTooLarge(QString *errorMessage) ++{ ++ QMap literalEntitySizes; ++ // The entity at (QMap) times. ++ QMap > referencesToOtherEntities; ++ QMap expandedSizes; ++ ++ // For every entity, check how many times all entity names were referenced in its value. ++ foreach (QString toSearch, entities.keys()) { ++ // The amount of characters that weren't entity names, but literals, like 'X'. ++ QString leftOvers = entities.value(toSearch); ++ // How many times was entityName referenced by toSearch? ++ foreach (QString entityName, entities.keys()) { ++ for (int i = 0; i < leftOvers.size() && i != -1; ) { ++ i = leftOvers.indexOf(QString::fromLatin1("&%1;").arg(entityName), i); ++ if (i != -1) { ++ leftOvers.remove(i, entityName.size() + 2); ++ // The entityName we're currently trying to find was matched in this string; increase our count. ++ ++referencesToOtherEntities[toSearch][entityName]; ++ } ++ } ++ } ++ literalEntitySizes[toSearch] = leftOvers.size(); ++ } ++ ++ foreach (QString entity, referencesToOtherEntities.keys()) { ++ expandedSizes[entity] = literalEntitySizes[entity]; ++ foreach (QString referenceTo, referencesToOtherEntities.value(entity).keys()) { ++ const int references = referencesToOtherEntities.value(entity).value(referenceTo); ++ // The total size of an entity's value is the expanded size of all of its referenced entities, plus its literal size. ++ expandedSizes[entity] += expandedSizes[referenceTo] * references + literalEntitySizes[referenceTo] * references; ++ } ++ ++ if (expandedSizes[entity] > entityCharacterLimit) { ++ if (errorMessage) { ++ *errorMessage = QString::fromLatin1("The XML entity \"%1\" expands too a string that is too large to process (%2 characters > %3)."); ++ *errorMessage = (*errorMessage).arg(entity).arg(expandedSizes[entity]).arg(entityCharacterLimit); ++ } ++ return true; ++ } ++ } ++ return false; ++} ++ + /* + Parse a EntityDecl [70]. + +@@ -6721,6 +6777,12 @@ + switch (state) { + case EValue: + if ( !entityExist(name())) { ++ QString errorMessage; ++ if (isExpandedEntityValueTooLarge(&errorMessage)) { ++ reportParseError(errorMessage); ++ return false; ++ } ++ + entities.insert(name(), string()); + if (declHnd) { + if (!declHnd->internalEntityDecl(name(), string())) { diff -Nru qt4-x11-4.8.4+dfsg/debian/patches/series qt4-x11-4.8.4+dfsg/debian/patches/series --- qt4-x11-4.8.4+dfsg/debian/patches/series 2013-10-13 13:08:08.000000000 +0100 +++ qt4-x11-4.8.4+dfsg/debian/patches/series 2013-12-10 16:54:28.000000000 +0000 @@ -69,3 +69,4 @@ aarch64.patch kubuntu_default_numbers.diff aarch64_fix_atomic_set.patch +CVE-2013-4549.patch