Fix various format string vulnerabilities in Qt3 and Qt4.

Security: http://trolltech.com/company/newsroom/announcements/press.2007-07-27.750375 Security: CVE-2007-3388
author: Michael Nottebrock <lofi@FreeBSD.org> 2007-07-30 21:53:10 +0000
committer: Michael Nottebrock <lofi@FreeBSD.org> 2007-07-30 21:53:10 +0000
commit: a8f26cf2528829331b50adcf0c3594d662123aae (patch)
tree: e2380040f7ba8f19dbf86e79a2f79cc9ba50273c /x11-toolkits
parent: - share/pixmaps is listed in mtree (diff)
4 files changed, 233 insertions, 5 deletions
diff --git a/x11-toolkits/qt33/Makefile b/x11-toolkits/qt33/Makefile
index 7ccfc0177073..4cc5f5f9d0ea 100644
--- a/x11-toolkits/qt33/Makefile
+++ b/x11-toolkits/qt33/Makefile
@@ -8,7 +8,7 @@
 
 PORTNAME=	qt
 PORTVERSION=	3.3.8
-PORTREVISION=	4
+PORTREVISION=	5
 CATEGORIES?=	x11-toolkits ipv6
 MASTER_SITES=	${MASTER_SITE_QT}
 DISTNAME=	qt-x11-free-${PORTVERSION}
@@ -23,6 +23,7 @@ LIB_DEPENDS+=	mng:${PORTSDIR}/graphics/libmng \
 		png:${PORTSDIR}/graphics/png \
 		jpeg:${PORTSDIR}/graphics/jpeg
 
+EXTRA_PATCHES=	${PATCHDIR}/0081-format-string-fixes.diff
 CONFLICTS=	linguist-0.* qt-2.* qt-3.0.* \
 		qt-3.1.* qt-3.2.* qt-designer-2.* xfmail-1.5.[0-5] \
 		xfmail-1.5.5_[1-2]
@@ -122,7 +123,7 @@ CONFIGURE_ARGS+=-no-nas-sound
 .endif
 
 .if defined(WITH_KDE_PATCHES)
-EXTRA_PATCHES=	${PATCHDIR}/0001-dnd_optimization.patch \
+EXTRA_PATCHES+=	${PATCHDIR}/0001-dnd_optimization.patch \
 		${PATCHDIR}/0002-dnd_active_window_fix.patch \
 		${PATCHDIR}/0007-qpixmap_constants.patch \
 		${PATCHDIR}/0015-qiconview-finditem.patch \
@@ -155,8 +156,8 @@ CONFLICTS+=	qt-copy-[0-9]*
 .endif
 
 .if exists(${X11BASE}/include/qt2/qapp.h)
-BROKEN=	"You have QT2 headers installed!  Installing this port"
-BROKEN+="will result in conflicts between QT3 and QT2!"
+BROKEN=	You have QT2 headers installed!  Installing this port
+BROKEN+=will result in conflicts between QT3 and QT2!
 .endif
 
 post-patch:
diff --git a/x11-toolkits/qt33/files/0081-format-string-fixes.diff b/x11-toolkits/qt33/files/0081-format-string-fixes.diff
new file mode 100644
index 000000000000..d647874f6c4d
--- /dev/null
+++ b/x11-toolkits/qt33/files/0081-format-string-fixes.diff
@@ -0,0 +1,197 @@
+qt-bugs@ issue : none
+bugs.kde.org number : none
+applied: no
+author: Dirk Mueller/TT
+
+Fixes various, partially exploitable format string errors on Qt 3.x code base.
+
+
+--- src/widgets/qtextedit.cpp	Mon Jul 16 10:44:40 CEST 2007
++++ src/widgets/qtextedit.cpp	Mon Jul 16 10:44:40 CEST 2007
+
+@@ -6349,7 +6349,7 @@
+ 		    cur = tag->prev;
+ 		    if ( !cur ) {
+ #ifdef QT_CHECK_RANGE
+-			qWarning( "QTextEdit::optimParseTags: no left-tag for '<" + tag->tag + ">' in line %d.", tag->line + 1 );
++			qWarning( "QTextEdit::optimParseTags: no left-tag for '<%s>' in line %d.", tag->tag.ascii(), tag->line + 1 );
+ #endif
+ 			return; // something is wrong - give up
+ 		    }
+@@ -6372,7 +6372,7 @@
+ 				    break;
+ 				} else if ( !cur->leftTag ) {
+ #ifdef QT_CHECK_RANGE
+-				    qWarning( "QTextEdit::optimParseTags: mismatching %s-tag for '<" + cur->tag + ">' in line %d.", cur->tag[0] == '/' ? "left" : "right", cur->line + 1 );
++				    qWarning( "QTextEdit::optimParseTags: mismatching %s-tag for '<%s>' in line %d.", cur->tag[0] == '/' ? "left" : "right", cur->tag.ascii(), cur->line + 1 );
+ #endif
+ 				    return; // something is amiss - give up
+ 				}
+--- src/sql/qdatatable.cpp	Mon Jul 16 10:45:03 CEST 2007
++++ src/sql/qdatatable.cpp	Mon Jul 16 10:45:03 CEST 2007
+
+@@ -1043,8 +1043,8 @@
+ 	return FALSE;
+     if ( !sqlCursor()->canInsert() ) {
+ #ifdef QT_CHECK_RANGE
+-	qWarning("QDataTable::insertCurrent: insert not allowed for " +
+-		 sqlCursor()->name() );
++	qWarning("QDataTable::insertCurrent: insert not allowed for %s",
++		 sqlCursor()->name().latin1() );
+ #endif
+ 	endInsert();
+ 	return FALSE;
+@@ -1117,16 +1117,16 @@
+ 	return FALSE;
+     if ( sqlCursor()->primaryIndex().count() == 0 ) {
+ #ifdef QT_CHECK_RANGE
+-	qWarning("QDataTable::updateCurrent: no primary index for " +
+-		 sqlCursor()->name() );
++	qWarning("QDataTable::updateCurrent: no primary index for %s",
++		 sqlCursor()->name().latin1() );
+ #endif
+ 	endUpdate();
+ 	return FALSE;
+     }
+     if ( !sqlCursor()->canUpdate() ) {
+ #ifdef QT_CHECK_RANGE
+-	qWarning("QDataTable::updateCurrent: updates not allowed for " +
+-		 sqlCursor()->name() );
++	qWarning("QDataTable::updateCurrent: updates not allowed for %s",
++		 sqlCursor()->name().latin1() );
+ #endif
+ 	endUpdate();
+ 	return FALSE;
+@@ -1191,8 +1191,8 @@
+ 	return FALSE;
+     if ( sqlCursor()->primaryIndex().count() == 0 ) {
+ #ifdef QT_CHECK_RANGE
+-	qWarning("QDataTable::deleteCurrent: no primary index " +
+-		 sqlCursor()->name() );
++	qWarning("QDataTable::deleteCurrent: no primary index %s",
++		 sqlCursor()->name().latin1() );
+ #endif
+ 	return FALSE;
+     }
+
+--- src/sql/qsqldatabase.cpp	Mon Jul 16 10:45:03 CEST 2007
++++ src/sql/qsqldatabase.cpp	Mon Jul 16 10:45:03 CEST 2007
+
+@@ -234,7 +234,8 @@
+ 	db->open();
+ #ifdef QT_CHECK_RANGE
+ 	if ( !db->isOpen() )
+-	    qWarning("QSqlDatabaseManager::database: unable to open database: " + db->lastError().databaseText() + ": " + db->lastError().driverText() );
++	    qWarning("QSqlDatabaseManager::database: unable to open database: %s: %s",
++                    db->lastError().databaseText().latin1(), db->lastError().driverText().latin1() );
+ #endif
+     }
+     return db;
+@@ -686,7 +687,7 @@
+     if ( !d->driver ) {
+ #ifdef QT_CHECK_RANGE
+ 	qWarning( "QSqlDatabase: %s driver not loaded", type.latin1() );
+-	qWarning( "QSqlDatabase: available drivers: " + drivers().join(" ") );
++	qWarning( "QSqlDatabase: available drivers: %s", drivers().join(" ").latin1() );
+ #endif
+ 	d->driver = new QNullDriver();
+ 	d->driver->setLastError( QSqlError( "Driver not loaded", "Driver not loaded" ) );
+
+--- src/sql/qsqlindex.cpp	Mon Jul 16 10:45:03 CEST 2007
++++ src/sql/qsqlindex.cpp	Mon Jul 16 10:45:03 CEST 2007
+
+@@ -273,7 +273,7 @@
+ 	if ( field )
+ 	    newSort.append( *field, desc );
+ 	else
+-	    qWarning( "QSqlIndex::fromStringList: unknown field: '" + f + "'" );
++	    qWarning( "QSqlIndex::fromStringList: unknown field: '%s'", f.latin1());
+     }
+     return newSort;
+ }
+
+--- src/sql/qsqlrecord.cpp	Mon Jul 16 10:45:03 CEST 2007
++++ src/sql/qsqlrecord.cpp	Mon Jul 16 10:45:03 CEST 2007
+
+@@ -298,7 +298,7 @@
+ 	    return i;
+     }
+ #ifdef QT_CHECK_RANGE
+-    qWarning( "QSqlRecord::position: unable to find field " + name );
++    qWarning( "QSqlRecord::position: unable to find field %s", name.latin1() );
+ #endif
+     return -1;
+ }
+@@ -313,7 +313,7 @@
+     checkDetach();
+     if ( !sh->d->contains( i ) ) {
+ #ifdef QT_CHECK_RANGE
+-	qWarning( "QSqlRecord::field: index out of range: " + QString::number( i ) );
++	qWarning( "QSqlRecord::field: index out of range: %d", i );
+ #endif
+ 	return 0;
+     }
+@@ -344,7 +344,7 @@
+ {
+     if ( !sh->d->contains( i ) ) {
+ #ifdef QT_CHECK_RANGE
+-	qWarning( "QSqlRecord::field: index out of range: " + QString::number( i ) );
++	qWarning( "QSqlRecord::field: index out of range: %d", i  );
+ #endif // QT_CHECK_RANGE
+ 	return 0;
+     }
+
+--- src/tools/qglobal.cpp	Mon Jul 16 10:45:03 CEST 2007
++++ src/tools/qglobal.cpp	Mon Jul 16 10:45:03 CEST 2007
+
+@@ -680,7 +680,7 @@
+     if ( code != -1 )
+ 	qWarning( "%s\n\tError code %d - %s", msg, code, strerror( code ) );
+     else
+-	qWarning( msg );
++	qWarning( "%s", msg );
+ #endif
+ #else
+     Q_UNUSED( msg );
+
+--- src/xml/qsvgdevice.cpp	Mon Jul 16 10:45:03 CEST 2007
++++ src/xml/qsvgdevice.cpp	Mon Jul 16 10:45:03 CEST 2007
+
+@@ -978,7 +978,7 @@
+ 		// ### catch references to embedded .svg files
+ 		QPixmap pix;
+ 		if ( !pix.load( href ) ) {
+-		    qWarning( "QSvgDevice::play: Couldn't load image "+href );
++		    qWarning( "QSvgDevice::play: Couldn't load image %s", href.latin1() );
+ 		    break;
+ 		}
+ 		pt->drawPixmap( QRect( x1, y1, w, h ), pix );
+@@ -1024,8 +1024,8 @@
+                 break;
+ 	    }
+ 	case InvalidElement:
+-	    qWarning( "QSvgDevice::play: unknown element type " +
+-		      node.nodeName() );
++	    qWarning( "QSvgDevice::play: unknown element type %s",
++		      node.nodeName().latin1() );
+ 	    break;
+ 	};
+ 
+@@ -1111,7 +1111,7 @@
+ {
+     QRegExp reg( QString::fromLatin1("([+-]?\\d*\\.*\\d*[Ee]?[+-]?\\d*)(em|ex|px|%|pt|pc|cm|mm|in|)$") );
+     if ( reg.search( str ) == -1 ) {
+-	qWarning( "QSvgDevice::parseLen: couldn't parse " + str );
++	qWarning( "QSvgDevice::parseLen: couldn't parse %s ", str.latin1() );
+ 	if ( ok )
+ 	    *ok = FALSE;
+ 	return 0.0;
+@@ -1140,7 +1140,7 @@
+ 	else if ( u == "pc" )
+ 	    dbl *= m.logicalDpiX() / 6.0;
+ 	else
+-	    qWarning( "QSvgDevice::parseLen: Unknown unit " + u );
++	    qWarning( "QSvgDevice::parseLen: Unknown unit %s",  u.latin1() );
+     }
+     if ( ok )
+ 	*ok = TRUE;
diff --git a/x11-toolkits/qt4-gui/Makefile b/x11-toolkits/qt4-gui/Makefile
index b00393eff1af..9433e4b16a3e 100644
--- a/x11-toolkits/qt4-gui/Makefile
+++ b/x11-toolkits/qt4-gui/Makefile
@@ -8,7 +8,7 @@
 
 PORTNAME=	gui
 PORTVERSION=	${QT4_VERSION}
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES?=	x11-toolkits
 MASTER_SITES=	${MASTER_SITE_QT}
 PKGNAMEPREFIX=	qt4-
@@ -46,6 +46,7 @@ EXTRACT_AFTER_ARGS=| ${TAR} -xf - \
 	--exclude '${DISTNAME}/tools/qtconfig' --exclude '${DISTNAME}/tools/qvfb'
 WRKSRC=		${WRKDIR}/${DISTNAME}/src/${PORTNAME}
 CONFIGURE_WRKSRC=${WRKSRC}/../../
+PATCH_WRKSRC=${CONFIGURE_WRKSRC}
 
 OPTIONS=	CUPS "Enable printing support (requires CUPS)" off \
 		NAS "Enable sound support (requires NAS)" off
diff --git a/x11-toolkits/qt4-gui/files/patch-0185-fix-format-strings.diff b/x11-toolkits/qt4-gui/files/patch-0185-fix-format-strings.diff
new file mode 100644
index 000000000000..ce23edfdf7b9
--- /dev/null
+++ b/x11-toolkits/qt4-gui/files/patch-0185-fix-format-strings.diff
@@ -0,0 +1,29 @@
+--- src/gui/painting/qprintengine_pdf_p.h
++++ src/gui/painting/qprintengine_pdf_p.h
+@@ -148,7 +148,11 @@ private:
+     void writePage();
+ 
+     int addXrefEntry(int object, bool printostr = true);
+-    void xprintf(const char* fmt, ...);
++    void xprintf(const char* fmt, ...)
++#if defined(Q_CC_GNU) && !defined(__INSURE__)
++        __attribute__ ((format (printf, 2, 3)))
++#endif
++        ;
+     inline void write(const QByteArray &data) {
+         stream->writeRawData(data.constData(), data.size());
+         streampos += data.size();
+--- src/gui/painting/qprintengine_pdf.cpp
++++ src/gui/painting/qprintengine_pdf.cpp
+@@ -386,9 +386,8 @@ int QPdfEnginePrivate::addConstantAlphaO
+         object = addXrefEntry(-1);
+         QByteArray alphaDef;
+         QPdf::ByteStream s(&alphaDef);
+-        s << "<< /ca " << (alpha/qreal(255.)) << ">>\n";
+-        xprintf(alphaDef.constData());
+-        xprintf("endobj\n");
++        s << "<< /ca " << (alpha/qreal(255.)) << ">>";
++        xprintf("%s\nendobj\n", alphaDef.constData());
+     }
+     currentPage->graphicStates.append(object);
+     return object;
+\ No newline at end of file
author	Michael Nottebrock <lofi@FreeBSD.org>	2007-07-30 21:53:10 +0000
committer	Michael Nottebrock <lofi@FreeBSD.org>	2007-07-30 21:53:10 +0000
commit	a8f26cf2528829331b50adcf0c3594d662123aae (patch)
tree	e2380040f7ba8f19dbf86e79a2f79cc9ba50273c /x11-toolkits
parent	- share/pixmaps is listed in mtree (diff)