fix CVE-2015-9541

2020-09-21 20:38:29 +08:00 · 2020-09-21 20:38:29 +08:00 · 9c17f843d8
commit 9c17f843d8
parent c183621eef
2 changed files with 164 additions and 1 deletions
--- a/CVE-2015-9541.patch
+++ b/CVE-2015-9541.patch
@ -0,0 +1,159 @@
+From fd4be84d23a0db4186cb42e736a9de3af722c7f7 Mon Sep 17 00:00:00 2001
+From: Lars Knoll <lars.knoll@qt.io>
+Date: Wed, 26 Feb 2020 10:42:10 +0100
+Subject: Add an expansion limit for entities
+
+Recursively defined entities can easily exhaust all available
+memory. Limit entity expansion to a default of 4096 characters to
+avoid DoS attacks when a user loads untrusted content.
+
+Added a setter and getter to allow modifying the expansion limit.
+
+[ChangeLog][QtCore][QXmlStream] QXmlStreamReader does now by default
+limit the expansion of entities to 4096 characters. Documents where
+a single entity expands to more characters than the limit are not
+considered well formed. The limit is there to avoid DoS attacks through
+recursively expanding entities when loading untrusted content. The
+limit can be changed through the QXmlStreamReader::setEntityExpansionLimit()
+method.
+
+Fixes: QTBUG-47417
+Change-Id: I94387815d74fcf34783e136387ee57fac5ded0c9
+Reviewed-by: Oswald Buddenhagen <oswald.buddenhagen@gmx.de>
+Reviewed-by: Volker Hilsheimer <volker.hilsheimer@qt.io>
+---
+ src/corelib/serialization/qxmlstream.cpp           | 36 ++++++++++++++++++
+ src/corelib/serialization/qxmlstream.g             | 14 ++++++-
+ src/corelib/serialization/qxmlstream.h             |  2 +
+ src/corelib/serialization/qxmlstream_p.h           | 14 ++++++-
+ .../serialization/qxmlstream/tst_qxmlstream.cpp    | 44 +++++++++++++++++++++-
+ 5 files changed, 106 insertions(+), 4 deletions(-)
+
+diff --git a/src/corelib/serialization/qxmlstream.cpp b/src/corelib/serialization/qxmlstream.cpp
+index 7ff87885a5..d7fb0d0d41 100644
+--- a/src/corelib/serialization/qxmlstream.cpp
+++ b/src/corelib/serialization/qxmlstream.cpp
+@@ -2041,6 +2041,42 @@ QStringRef QXmlStreamReader::dtdSystemId() const
+    return QStringRef();
+ }
+ 
+/*!
+  \since 5.15
+
+  Returns the maximum amount of characters a single entity is
+  allowed to expand into. If a single entity expands past the
+  given limit, the document is not considered well formed.
+
+  \sa setEntityExpansionLimit
+*/
+int QXmlStreamReader::entityExpansionLimit() const
+{
+    Q_D(const QXmlStreamReader);
+    return d->entityExpansionLimit;
+}
+
+/*!
+  \since 5.15
+
+  Sets the maximum amount of characters a single entity is
+  allowed to expand into to \a limit. If a single entity expands
+  past the given limit, the document is not considered well formed.
+
+  The limit is there to prevent DoS attacks when loading unknown
+  XML documents where recursive entity expansion could otherwise
+  exhaust all available memory.
+
+  The default value for this property is 4096 characters.
+
+  \sa entityExpansionLimit
+*/
+void QXmlStreamReader::setEntityExpansionLimit(int limit)
+{
+    Q_D(QXmlStreamReader);
+    d->entityExpansionLimit = limit;
+}
+
+ /*!  If the tokenType() is \l StartElement, this function returns the
+   element's namespace declarations. Otherwise an empty vector is
+   returned.
+diff --git a/src/corelib/serialization/qxmlstream.g b/src/corelib/serialization/qxmlstream.g
+index 12ecc9bdb2..b623de9505 100644
+--- a/src/corelib/serialization/qxmlstream.g
+++ b/src/corelib/serialization/qxmlstream.g
+@@ -285,9 +285,19 @@ public:
+     QHash<QStringView, Entity> entityHash;
+     QHash<QStringView, Entity> parameterEntityHash;
+     QXmlStreamSimpleStack<Entity *>entityReferenceStack;
+    int entityExpansionLimit = 4096;
+    int entityLength = 0;
+     inline bool referenceEntity(Entity &entity) {
+         if (entity.isCurrentlyReferenced) {
+-            raiseWellFormedError(QXmlStream::tr("Recursive entity detected."));
+            raiseWellFormedError(QXmlStream::tr("Self-referencing entity detected."));
+            return false;
+        }
+        // entityLength represents the amount of additional characters the
+        // entity expands into (can be negative for e.g. &amp;). It's used to
+        // avoid DoS attacks through recursive entity expansions
+        entityLength += entity.value.size() - entity.name.size() - 2;
+        if (entityLength > entityExpansionLimit) {
+            raiseWellFormedError(QXmlStream::tr("Entity expands to more characters than the entity expansion limit."));
+             return false;
+         }
+         entity.isCurrentlyReferenced = true;
+@@ -838,6 +848,8 @@ entity_done ::= ENTITY_DONE;
+ /.
+         case $rule_number:
+             entityReferenceStack.pop()->isCurrentlyReferenced = false;
+            if (entityReferenceStack.isEmpty())
+                entityLength = 0;
+             clearSym();
+         break;
+ ./
+diff --git a/src/corelib/serialization/qxmlstream.h b/src/corelib/serialization/qxmlstream.h
+index 7d0aa64570..c8647e0465 100644
+--- a/src/corelib/serialization/qxmlstream.h
+++ b/src/corelib/serialization/qxmlstream.h
+@@ -426,6 +426,8 @@ public:
+     QStringRef dtdPublicId() const;
+     QStringRef dtdSystemId() const;
+ 
+    int entityExpansionLimit() const;
+    void setEntityExpansionLimit(int limit);
+ 
+     enum Error {
+         NoError,
+diff --git a/src/corelib/serialization/qxmlstream_p.h b/src/corelib/serialization/qxmlstream_p.h
+index 9c94e6d434..103b123b10 100644
+--- a/src/corelib/serialization/qxmlstream_p.h
+++ b/src/corelib/serialization/qxmlstream_p.h
+@@ -774,9 +774,19 @@ public:
+     QHash<QStringView, Entity> entityHash;
+     QHash<QStringView, Entity> parameterEntityHash;
+     QXmlStreamSimpleStack<Entity *>entityReferenceStack;
+    int entityExpansionLimit = 4096;
+    int entityLength = 0;
+     inline bool referenceEntity(Entity &entity) {
+         if (entity.isCurrentlyReferenced) {
+-            raiseWellFormedError(QXmlStream::tr("Recursive entity detected."));
+            raiseWellFormedError(QXmlStream::tr("Self-referencing entity detected."));
+            return false;
+        }
+        // entityLength represents the amount of additional characters the
+        // entity expands into (can be negative for e.g. &amp;). It's used to
+        // avoid DoS attacks through recursive entity expansions
+        entityLength += entity.value.size() - entity.name.size() - 2;
+        if (entityLength > entityExpansionLimit) {
+            raiseWellFormedError(QXmlStream::tr("Entity expands to more characters than the entity expansion limit."));
+             return false;
+         }
+         entity.isCurrentlyReferenced = true;
+@@ -1308,6 +1318,8 @@ bool QXmlStreamReaderPrivate::parse()
+ 
+         case 10:
+             entityReferenceStack.pop()->isCurrentlyReferenced = false;
+            if (entityReferenceStack.isEmpty())
+                entityLength = 0;
+             clearSym();
+         break;
+ 
--- a/qt5-qtbase.spec
+++ b/qt5-qtbase.spec
@ -13,7 +13,7 @@
 Name:             qt5-qtbase
 Summary:          Core component of Qt toolkit
 Version:          5.11.1
-Release:          11
+Release:          12
 License:          LGPLv2 with exceptions or GPLv3 with exceptions
 Url:              http://qt-project.org/
 Source0:          https://download.qt.io/new_archive/qt/5.11/%{version}/submodules/qtbase-everywhere-src-%{version}.tar.xz
@ -36,6 +36,7 @@ Patch0010:        qtbase-everywhere-src-5.11.1-python3.patch
 Patch0011:        qt5-qtbase-glibc.patch

 Patch6000:        CVE-2018-15518.patch 
+Patch6001:        CVE-2015-9541.patch

 BuildRequires:    pkgconfig(libsystemd) cups-devel desktop-file-utils findutils
 BuildRequires:    libjpeg-devel libmng-devel libtiff-devel pkgconfig(alsa)
@ -402,6 +403,9 @@ fi


 %changelog
+* Mon Sep 21 2020 wutao <wutao61@huawei.com> - 5.11.1-12
+- fix CVE-2015-9541
+
 * Mon Sep 14 2020 liuweibo <liuweibo10@huawei.com> - 5.11.1-11
 - Fix Source0