> > Attached is the diff from the version -7 and -8 (fixing a security bug). As > you can see, we have not changed anything that can lead to this problem. >
Attached now O)
diff -u kdelibs-3.5.5a.dfsg.1/debian/changelog kdelibs-3.5.5a.dfsg.1/debian/changelog
--- kdelibs-3.5.5a.dfsg.1/debian/changelog
+++ kdelibs-3.5.5a.dfsg.1/debian/changelog
@@ -1,3 +1,10 @@
+kdelibs (4:3.5.5a.dfsg.1-8) unstable; urgency=high
+
+ * Add patch to fix utf8-parsing vulnerability.
+ * Urgency high due to security fix.
+
+ -- Sune Vuorela <[EMAIL PROTECTED]> Thu, 29 Mar 2007 21:19:35 +0200
+
 kdelibs (4:3.5.5a.dfsg.1-7) unstable; urgency=high
 
 * Add patch 46_CVE-2007-1564-kdelibs-3.5.6.diff: untrusted sites that allow
only in patch2:
unchanged:
--- kdelibs-3.5.5a.dfsg.1.orig/debian/patches/47_kdelibs-kjs-utf8-parsing.diff
+++ kdelibs-3.5.5a.dfsg.1/debian/patches/47_kdelibs-kjs-utf8-parsing.diff
@@ -0,0 +1,38 @@
+------------------------------------------------------------------------
+r645387 | porten | 2007-03-22 15:01:13 +0100 (Thu, 22 Mar 2007) | 4 lines
+
+substitute some of the invalid sequences with the standard replacement
+char. this matches Mozilla but not IE which leaves them unchanged (or
+throws an exception)
+
+------------------------------------------------------------------------
+--- kjs/function.cpp
++++ kjs/function.cpp
+@@ -244,11 +244,15 @@ UString decodeURI(ExecState *exec, UStri
+ }
+
+ // UTF-8 transform
++ const unsigned long replacementChar = 0xFFFD;
+ unsigned long V;
+ if (n == 2) {
+ unsigned long yyyyy = octets[0] & 0x1F;
+ unsigned long zzzzzz = octets[1] & 0x3F;
+ V = (yyyyy << 6) | zzzzzz;
++ // 2-byte sequence overlong for this value?
++ if (V < 0xFF)
++ V = replacementChar;
+ C = UChar((unsigned short)V);
+ }
+ else if (n == 3) {
+@@ -256,6 +260,11 @@ UString decodeURI(ExecState *exec, UStri
+ unsigned long yyyyyy = octets[1] & 0x3F;
+ unsigned long zzzzzz = octets[2] & 0x3F;
+ V = (xxxx << 12) | (yyyyyy << 6) | zzzzzz;
++ // 3-byte sequence overlong for this value,
++ // an invalid value or UTF-16 surrogate?
++ if (V < 0x800 || V == 0xFFFE || V == 0xFFFF ||
++ (V >= 0xD800 && V <= 0xDFFF))
++ V = replacementChar;
+ C = UChar((unsigned short)V);
+ }
+ else {
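Review bot: The 2-byte overlong guard in the first inner hunk of kjs/function.cpp, `if (V < 0xFF)`, uses the wrong bound: a two-byte UTF-8 sequence is overlong only when it encodes a value below 0x80, so this test also replaces validly encoded code points U+0080 to U+00FE (for example `%C3%A9`, U+00E9) with U+FFFD. The check should read `if (V < 0x80)`, which still rejects the overlong forms the fix is aimed at. The 3-byte bound `V < 0x800` in the second inner hunk is the correct minimum for that length. The trailing `else {` branch, presumably the 4-byte case, lies outside the patch, so it is worth confirming there that values below 0x10000 or above 0x10FFFF are rejected as well. decodeURI itself begins and ends outside both inner hunks.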