From bf4e60e8bfb5be3d1939f2f2b41973b3faf5f67b Mon Sep 17 00:00:00 2001
From: Michael Nottebrock
Date: Fri, 30 Mar 2007 18:15:08 +0000
Subject: Fix handling of overlong UTF8 sequences in Qt and kdelibs, which, unpatched, introduces XSS vulnerabilities in Konqueror and potentially affect any Qt/KDE applications which deal with URLs or paths from untrusted locations. Security: CVE-2007-0242
---
 x11/kdelibs3/Makefile | 2 +-
 x11/kdelibs3/files/patch-kdelibs-kjs | 38 ++++++++++++++++++++++++++++++++++++
 x11/kdelibs4/Makefile | 2 +-
 x11/kdelibs4/files/patch-kdelibs-kjs | 38 ++++++++++++++++++++++++++++++++++++
 4 files changed, 78 insertions(+), 2 deletions(-)
 create mode 100644 x11/kdelibs3/files/patch-kdelibs-kjs
 create mode 100644 x11/kdelibs4/files/patch-kdelibs-kjs
(limited to 'x11')
diff --git a/x11/kdelibs3/Makefile b/x11/kdelibs3/Makefile
index 29e6ba4a6d11..ae053ee1e061 100644
--- a/x11/kdelibs3/Makefile
+++ b/x11/kdelibs3/Makefile
@@ -8,7 +8,7 @@ PORTNAME= kdelibs
 PORTVERSION= ${KDE_VERSION}
-PORTREVISION= 1
+PORTREVISION= 2
 CATEGORIES= x11 kde ipv6
 MASTER_SITES= ${MASTER_SITE_KDE}
 MASTER_SITE_SUBDIR= stable/${PORTVERSION:S/.0//}/src
diff --git a/x11/kdelibs3/files/patch-kdelibs-kjs b/x11/kdelibs3/files/patch-kdelibs-kjs
new file mode 100644
index 000000000000..ca4456320ee9
--- /dev/null
+++ b/x11/kdelibs3/files/patch-kdelibs-kjs
@@ -0,0 +1,38 @@
+------------------------------------------------------------------------
+r645387 | porten | 2007-03-22 15:01:13 +0100 (Thu, 22 Mar 2007) | 4 lines
+
+substitute some of the invalid sequences with the standard replacement
+char. this matches Mozilla but not IE which leaves them unchanged (or
+throws an exception)
+
+------------------------------------------------------------------------
+--- kjs/function.cpp
++++ kjs/function.cpp
+@@ -244,11 +244,15 @@ UString decodeURI(ExecState *exec, UStri
+ }
+
+ // UTF-8 transform
++ const unsigned long replacementChar = 0xFFFD;
+ unsigned long V;
+ if (n == 2) {
+ unsigned long yyyyy = octets[0] & 0x1F;
+ unsigned long zzzzzz = octets[1] & 0x3F;
+ V = (yyyyy << 6) | zzzzzz;
++ // 2-byte sequence overlong for this value?
++ if (V < 0xFF)
++ V = replacementChar;
+ C = UChar((unsigned short)V);
+ }
+ else if (n == 3) {
+@@ -256,6 +260,11 @@ UString decodeURI(ExecState *exec, UStri
+ unsigned long yyyyyy = octets[1] & 0x3F;
+ unsigned long zzzzzz = octets[2] & 0x3F;
+ V = (xxxx << 12) | (yyyyyy << 6) | zzzzzz;
++ // 3-byte sequence overlong for this value,
++ // an invalid value or UTF-16 surrogate?
++ if (V < 0x800 || V == 0xFFFE || V == 0xFFFF ||
++ (V >= 0xD800 && V <= 0xDFFF))
++ V = replacementChar;
+ C = UChar((unsigned short)V);
+ }
+ else {
diff --git a/x11/kdelibs4/Makefile b/x11/kdelibs4/Makefile
index 29e6ba4a6d11..ae053ee1e061 100644
--- a/x11/kdelibs4/Makefile
+++ b/x11/kdelibs4/Makefile
@@ -8,7 +8,7 @@ PORTNAME= kdelibs
 PORTVERSION= ${KDE_VERSION}
-PORTREVISION= 1
+PORTREVISION= 2
 CATEGORIES= x11 kde ipv6
 MASTER_SITES= ${MASTER_SITE_KDE}
 MASTER_SITE_SUBDIR= stable/${PORTVERSION:S/.0//}/src
diff --git a/x11/kdelibs4/files/patch-kdelibs-kjs b/x11/kdelibs4/files/patch-kdelibs-kjs
new file mode 100644
index 000000000000..ca4456320ee9
--- /dev/null
+++ b/x11/kdelibs4/files/patch-kdelibs-kjs
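Review bot: The 2-byte overlong check added to kjs/function.cpp by this patch, `if (V < 0xFF)`, uses the wrong threshold: a two-byte UTF-8 sequence is overlong only when its value would fit in a single byte, i.e. V < 0x80, so as written the check also replaces every valid two-byte encoding of U+0080..U+00FE with U+FFFD (for `%C2%A9`, yyyyy = 0x02 and zzzzzz = 0x29 give V = 0xA9, a legitimate ©, which this code now discards). The intended fix is `if (V < 0x80)`, which still rejects the dangerous C0/C1 lead bytes (yyyyy = 0 or 1 yields V <= 0x7F) while leaving the Latin-1 supplement decodable; the 3-byte bound `V < 0x800` is correct by the same reasoning. decodeURI begins and ends outside these hunks, so the 4-byte branch opened by `else {` is not visible and could not be checked for the same class of overlong and out-of-range values.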
@@ -0,0 +1,38 @@
+------------------------------------------------------------------------
+r645387 | porten | 2007-03-22 15:01:13 +0100 (Thu, 22 Mar 2007) | 4 lines
+
+substitute some of the invalid sequences with the standard replacement
+char. this matches Mozilla but not IE which leaves them unchanged (or
+throws an exception)
+
+------------------------------------------------------------------------
+--- kjs/function.cpp
++++ kjs/function.cpp
+@@ -244,11 +244,15 @@ UString decodeURI(ExecState *exec, UStri
+ }
+
+ // UTF-8 transform
++ const unsigned long replacementChar = 0xFFFD;
+ unsigned long V;
+ if (n == 2) {
+ unsigned long yyyyy = octets[0] & 0x1F;
+ unsigned long zzzzzz = octets[1] & 0x3F;
+ V = (yyyyy << 6) | zzzzzz;
++ // 2-byte sequence overlong for this value?
++ if (V < 0xFF)
++ V = replacementChar;
+ C = UChar((unsigned short)V);
+ }
+ else if (n == 3) {
+@@ -256,6 +260,11 @@ UString decodeURI(ExecState *exec, UStri
+ unsigned long yyyyyy = octets[1] & 0x3F;
+ unsigned long zzzzzz = octets[2] & 0x3F;
+ V = (xxxx << 12) | (yyyyyy << 6) | zzzzzz;
++ // 3-byte sequence overlong for this value,
++ // an invalid value or UTF-16 surrogate?
++ if (V < 0x800 || V == 0xFFFE || V == 0xFFFF ||
++ (V >= 0xD800 && V <= 0xDFFF))
++ V = replacementChar;
+ C = UChar((unsigned short)V);
+ }
+ else {
-- cgit v1.2.3
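Review bot: The kdelibs4 copy of this patch carries the same wrong bound in the 2-byte branch, `if (V < 0xFF)`: for n == 2 the value V can only be overlong when V < 0x80, so the test as written also turns valid two-byte encodings of U+0080..U+00FE into U+FFFD, which is a functional regression for any Latin-1 supplement character in a percent-encoded URI. Change it to `if (V < 0x80)`; since both files have the same blob id (ca4456320ee9), the correction must be applied to the kdelibs3 copy as well so the two ports do not diverge. decodeURI continues outside the hunk, so the 4-byte branch after `else {` is not reviewable here.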