From 55b1a8f87df1e8c50993952ef0df090e3b2b7529 Mon Sep 17 00:00:00 2001
From: jackie_wu
Date: Mon, 21 Sep 2020 15:19:37 +0800
Subject: [PATCH] fix CVE-2015-9541

---
 CVE-2015-9541.patch | 94 +++++++++++++++++++++++++++++++++++++++++++++
 qt.spec | 6 ++-
 2 files changed, 99 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2015-9541.patch

diff --git a/CVE-2015-9541.patch b/CVE-2015-9541.patch
new file mode 100644
index 0000000..ef96c92
--- /dev/null
+++ b/CVE-2015-9541.patch
@@ -0,0 +1,94 @@ +From f432c08882ffebe5074ea28de871559a98a4d094 Mon Sep 17 00:00:00 2001 +From: Lars Knoll +Date: Wed, 26 Feb 2020 10:42:10 +0100 +Subject: Add an expansion limit for entities + +Recursively defined entities can easily exhaust all available +memory. Limit entity expansion to a default of 4096 characters to +avoid DoS attacks when a user loads untrusted content. + +[ChangeLog][QtCore][QXmlStream] QXmlStreamReader does now +limit the expansion of entities to 4096 characters. Documents where +a single entity expands to more characters than the limit are not +considered well formed. The limit is there to avoid DoS attacks through +recursively expanding entities when loading untrusted content. Qt 5.15 +will add methods that allow changing that limit. + +Fixes: QTBUG-47417 +Change-Id: I94387815d74fcf34783e136387ee57fac5ded0c9 +Reviewed-by: Oswald Buddenhagen +Reviewed-by: Volker Hilsheimer +(cherry picked from commit fd4be84d23a0db4186cb42e736a9de3af722c7f7) +Reviewed-by: Eirik Aavitsland +--- + src/corelib/serialization/qxmlstream.g | 14 ++++++++++++- + src/corelib/serialization/qxmlstream_p.h | 14 ++++++++++++- + +diff --git a/src/corelib/serialization/qxmlstream.g b/src/corelib/serialization/qxmlstream.g +index 10bfcd491c..5726bafb26 100644 +--- a/src/corelib/xml/qxmlstream.g ++++ b/src/corelib/xml/qxmlstream.g +@@ -279,9 +279,19 @@ public: + QHash entityHash; + QHash parameterEntityHash; + QXmlStreamSimpleStackentityReferenceStack; ++ int entityExpansionLimit = 4096; ++ int entityLength = 0; + inline bool referenceEntity(Entity &entity) { + if (entity.isCurrentlyReferenced) { +- raiseWellFormedError(QXmlStream::tr("Recursive entity detected.")); ++ raiseWellFormedError(QXmlStream::tr("Self-referencing entity detected.")); ++ return false; ++ } ++ // entityLength represents the amount of additional characters the ++ // entity expands into (can be negative for e.g. &). 
It's used to ++ // avoid DoS attacks through recursive entity expansions ++ entityLength += entity.value.size() - entity.name.size() - 2; ++ if (entityLength > entityExpansionLimit) { ++ raiseWellFormedError(QXmlStream::tr("Entity expands to more characters than the entity expansion limit.")); + return false; + } + entity.isCurrentlyReferenced = true; +@@ -844,6 +854,8 @@ entity_done ::= ENTITY_DONE; + /. + case $rule_number: + entityReferenceStack.pop()->isCurrentlyReferenced = false; ++ if (entityReferenceStack.isEmpty()) ++ entityLength = 0; + clearSym(); + break; + ./ +diff --git a/src/corelib/xml/qxmlstream_p.h b/src/corelib/xml/qxmlstream_p.h +index 61f501f81b..31053f8e0b 100644 +--- a/src/corelib/xml/qxmlstream_p.h ++++ b/src/corelib/xml/qxmlstream_p.h +@@ -774,9 +774,19 @@ public: + QHash entityHash; + QHash parameterEntityHash; + QXmlStreamSimpleStackentityReferenceStack; ++ int entityExpansionLimit = 4096; ++ int entityLength = 0; + inline bool referenceEntity(Entity &entity) { + if (entity.isCurrentlyReferenced) { +- raiseWellFormedError(QXmlStream::tr("Recursive entity detected.")); ++ raiseWellFormedError(QXmlStream::tr("Self-referencing entity detected.")); ++ return false; ++ } ++ // entityLength represents the amount of additional characters the ++ // entity expands into (can be negative for e.g. &). It's used to ++ // avoid DoS attacks through recursive entity expansions ++ entityLength += entity.value.size() - entity.name.size() - 2; ++ if (entityLength > entityExpansionLimit) { ++ raiseWellFormedError(QXmlStream::tr("Entity expands to more characters than the entity expansion limit.")); + return false; + } + entity.isCurrentlyReferenced = true; +@@ -1308,6 +1318,8 @@ bool QXmlStreamReaderPrivate::parse() + + case 10: + entityReferenceStack.pop()->isCurrentlyReferenced = false; ++ if (entityReferenceStack.isEmpty()) ++ entityLength = 0; + clearSym(); + break; + diff --git a/qt.spec b/qt.spec index 5582f17..0ed2a89 100644 --- a/qt.spec 
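Review bot: The embedded patch is inconsistent about which tree it targets: its diffstat names `src/corelib/serialization/qxmlstream.g` and `src/corelib/serialization/qxmlstream_p.h`, while the `---`/`+++` headers were rewritten to `src/corelib/xml/`, and the `index 61f501f81b..31053f8e0b` blob ids plus the `@@ -774,9 +774,19 @@` and `@@ -1308,6 +1318,8 @@ bool QXmlStreamReaderPrivate::parse()` offsets still come from the Qt 5 commit it was cherry-picked from, not from the Qt 4.8.7 source this spec builds. The hunks will therefore apply only with offset or fuzz, if at all, so a build log showing that both the `qxmlstream.g` hunk and the `qxmlstream_p.h` hunk (the generated header is the copy that is actually compiled, as far as I can tell) applied cleanly should accompany this change; a silently rejected `qxmlstream_p.h` hunk would leave the CVE unfixed while the changelog claims otherwise. The added members `int entityExpansionLimit = 4096;` and `int entityLength = 0;` rely on C++11 in-class initializers, which Qt 4.8.7 does not otherwise require, so confirm the package's language-standard flags or initialize them in the QXmlStreamReaderPrivate constructor instead. The comment line `(can be negative for e.g. &).` appears to have lost an entity name in this copy of the patch (upstream reads `&amp;`), which is harmless inside a comment but worth restoring so the patch file matches the cherry-picked commit byte for byte.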
+++ b/qt.spec @@ -13,7 +13,7 @@ Name: qt Epoch: 1 Version: 4.8.7 -Release: 50 +Release: 51 Summary: A software toolkit for developing applications License: (LGPLv2 with exceptions or GPLv3 with exceptions) and ASL 2.0 and BSD and FTL and MIT URL: http://qt-project.org/ @@ -79,6 +79,7 @@ Patch6002: CVE-2018-19871.patch Patch6003: CVE-2018-19870.patch Patch6004: CVE-2018-19873.patch Patch45: CVE-2020-17507.patch +Patch46: CVE-2015-9541.patch BuildRequires: cups-devel desktop-file-utils gcc-c++ libjpeg-devel findutils libmng-devel libtiff-devel pkgconfig pkgconfig(alsa) BuildRequires: pkgconfig(dbus-1) pkgconfig(fontconfig) pkgconfig(glib-2.0) pkgconfig(icu-i18n) openssl-devel pkgconfig(libpng) @@ -445,6 +446,9 @@ fi %{_qt4_prefix}/examples/ %changelog +* Mon Sep 21 2020 wutao - 1:4.8.7-51 +- fix CVE-2015-9541 + * Sun Sep 20 2020 shaoqiang kang - 1:4.8.7-50 - fix CVE-2020-17507 -- Gitee
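Review bot: Nothing in the visible hunks applies the newly declared `Patch46: CVE-2015-9541.patch`; unless `%prep` uses `%autosetup` or `%autopatch`, a matching `%patch46 -p1` line is required there, otherwise the release is bumped and the changelog entry claims the fix while the built sources are unchanged. The `%prep` section is outside this diff, so please confirm how the existing `Patch45: CVE-2020-17507.patch` is applied and mirror it. The changelog author `wutao` also differs from the commit author `jackie_wu`, which is worth reconciling so the fix can be traced back to its submitter.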