Possible remote code execution, CVE-2007-3388, bug #187465.

(Portage version: 2.1.3.1)

1 files changed, 261 insertions, 0 deletions

diff --git a/x11-libs/qt/files/0185-fix-format-strings.diff b/x11-libs/qt/files/0185-fix-format-strings.diff
new file mode 100644
index 000000000000..eed38b4785fa
--- /dev/null
+++ b/x11-libs/qt/files/0185-fix-format-strings.diff
@@ -0,0 +1,261 @@
+qt-bugs@ issue : N171087
+Trolltech task ID : 
+bugs.kde.org number :
+applied: no
+author: Dirk Mueller <mueller@kde.org>
+
+This patch fixes various code issues with handling format strings
+None of them seem to be exceptionally bad, but its better safe
+than sorry.
+
+
+--- src/corelib/global/qglobal.h
++++ src/corelib/global/qglobal.h
+@@ -1266,8 +1266,16 @@ Q_CORE_EXPORT void qFatal(const char *, 
+ #ifdef QT3_SUPPORT
+ Q_CORE_EXPORT QT3_SUPPORT void qSystemWarning(const char *msg, int code = -1);
+ #endif /* QT3_SUPPORT */
+-Q_CORE_EXPORT void qErrnoWarning(int code, const char *msg, ...);
+-Q_CORE_EXPORT void qErrnoWarning(const char *msg, ...);
++Q_CORE_EXPORT void qErrnoWarning(int code, const char *msg, ...)
++#if defined(Q_CC_GNU) && !defined(__INSURE__)
++    __attribute__ ((format (printf, 2, 3)))
++#endif
++    ;
++Q_CORE_EXPORT void qErrnoWarning(const char *msg, ...)
++#if defined(Q_CC_GNU) && !defined(__INSURE__)
++    __attribute__ ((format (printf, 1, 2)))
++#endif
++    ;
+ 
+ #if (defined(QT_NO_DEBUG_OUTPUT) || defined(QT_NO_TEXTSTREAM)) && !defined(QT_NO_DEBUG_STREAM)
+ #define QT_NO_DEBUG_STREAM
+--- src/corelib/tools/qbytearray.h
++++ src/corelib/tools/qbytearray.h
+@@ -71,8 +71,16 @@ Q_CORE_EXPORT int qstricmp(const char *,
+ Q_CORE_EXPORT int qstrnicmp(const char *, const char *, uint len);
+ 
+ // implemented in qvsnprintf.cpp
+-Q_CORE_EXPORT int qvsnprintf(char *str, size_t n, const char *fmt, va_list ap);
+-Q_CORE_EXPORT int qsnprintf(char *str, size_t n, const char *fmt, ...);
++Q_CORE_EXPORT int qvsnprintf(char *str, size_t n, const char *fmt, va_list ap)
++#if defined(Q_CC_GNU) && !defined(__INSURE__)
++        __attribute__ ((format (printf, 3, 0)))
++#endif
++    ;
++Q_CORE_EXPORT int qsnprintf(char *str, size_t n, const char *fmt, ...)
++#if defined(Q_CC_GNU) && !defined(__INSURE__)
++        __attribute__ ((format (printf, 3, 4)))
++#endif
++    ;
+ 
+ #ifdef QT3_SUPPORT
+ inline QT3_SUPPORT void *qmemmove(void *dst, const void *src, uint len)
+--- src/gui/painting/qprintengine_pdf_p.h
++++ src/gui/painting/qprintengine_pdf_p.h
+@@ -148,7 +148,11 @@ private:
+     void writePage();
+ 
+     int addXrefEntry(int object, bool printostr = true);
+-    void xprintf(const char* fmt, ...);
++    void xprintf(const char* fmt, ...)
++#if defined(Q_CC_GNU) && !defined(__INSURE__)
++        __attribute__ ((format (printf, 2, 3)))
++#endif
++        ;
+     inline void write(const QByteArray &data) {
+         stream->writeRawData(data.constData(), data.size());
+         streampos += data.size();
+--- src/gui/painting/qprintengine_pdf.cpp
++++ src/gui/painting/qprintengine_pdf.cpp
+@@ -386,9 +386,8 @@ int QPdfEnginePrivate::addConstantAlphaO
+         object = addXrefEntry(-1);
+         QByteArray alphaDef;
+         QPdf::ByteStream s(&alphaDef);
+-        s << "<< /ca " << (alpha/qreal(255.)) << ">>\n";
+-        xprintf(alphaDef.constData());
+-        xprintf("endobj\n");
++        s << "<< /ca " << (alpha/qreal(255.)) << ">>";
++        xprintf("%s\nendobj\n", alphaDef.constData());
+     }
+     currentPage->graphicStates.append(object);
+     return object;
+--- src/qt3support/tools/q3gcache.cpp
++++ src/qt3support/tools/q3gcache.cpp
+@@ -622,7 +622,7 @@ void Q3GCache::statistics() const
+ #if defined(QT_DEBUG)
+     QString line;
+     line.fill(QLatin1Char('*'), 80);
+-    qDebug(line.ascii());
++    qDebug("%s", line.ascii());
+     qDebug("CACHE STATISTICS:");
+     qDebug("cache contains %d item%s, with a total cost of %d",
+ 	   count(), count() != 1 ? "s" : "", tCost);
+@@ -643,7 +643,7 @@ void Q3GCache::statistics() const
+ 	   lruList->dumps != 1 ? "have" : "has", lruList->dumpCosts);
+     qDebug("Statistics from internal dictionary class:");
+     dict->statistics();
+-    qDebug(line.ascii());
++    qDebug("%s", line.ascii());
+ #endif
+ }
+ 
+--- src/qt3support/tools/q3gdict.cpp
++++ src/qt3support/tools/q3gdict.cpp
+@@ -828,11 +828,11 @@ void Q3GDict::statistics() const
+     QString line;
+     line.fill(QLatin1Char('-'), 60);
+     double real, ideal;
+-    qDebug(line.ascii());
++    qDebug("%s", line.ascii());
+     qDebug("DICTIONARY STATISTICS:");
+     if (count() == 0) {
+         qDebug("Empty!");
+-        qDebug(line.ascii());
++        qDebug("%s", line.ascii());
+         return;
+     }
+     real = 0.0;
+@@ -853,7 +853,7 @@ void Q3GDict::statistics() const
+         while (b--)
+             *pbuf++ = '*';
+         *pbuf = '\0';
+-        qDebug(buf);
++        qDebug("%s", buf);
+         i++;
+     }
+     qDebug("Array size = %d", size());
+@@ -861,7 +861,7 @@ void Q3GDict::statistics() const
+     qDebug("Real dist  = %g", real);
+     qDebug("Rand dist  = %g", ideal);
+     qDebug("Real/Rand  = %g", real/ideal);
+-    qDebug(line.ascii());
++    qDebug("%s", line.ascii());
+ #endif // QT_DEBUG
+ }
+ 
+--- src/qt3support/tools/q3cstring.h
++++ src/qt3support/tools/q3cstring.h
+@@ -57,7 +57,11 @@ public:
+     }
+ 
+     Q3CString        copy()        const { return *this; }
+-    Q3CString    &sprintf(const char *format, ...);
++    Q3CString    &sprintf(const char *format, ...)
++#if defined(Q_CC_GNU) && !defined(__INSURE__)
++        __attribute__ ((format (printf, 2, 3)))
++#endif
++        ;
+ 
+     Q3CString        left(uint len)  const { return QByteArray::left(len); }
+     Q3CString        right(uint len) const { return QByteArray::right(len); }
+--- tools/designer/src/lib/uilib/formbuilderextra.cpp
++++ tools/designer/src/lib/uilib/formbuilderextra.cpp
+@@ -33,9 +33,7 @@ namespace QFormInternal {
+ #endif
+
+ void uiLibWarning(const QString &message) {
+-    QString prefixedMessage = QLatin1String("Designer: ");
+-    prefixedMessage += message;
+-    qWarning(prefixedMessage.toUtf8().constData());
++    qWarning("Designer: %s", qPrintable(message));
+ }
+
+ QFormBuilderExtra::QFormBuilderExtra() :
+--- tools/designer/src/lib/shared/qdesigner_utils.cpp
++++ tools/designer/src/lib/shared/qdesigner_utils.cpp
+@@ -40,9 +40,7 @@ namespace qdesigner_internal
+ {
+     QDESIGNER_SHARED_EXPORT void designerWarning(const QString &message)
+     {
+-        QString prefixedMessage = QLatin1String("Designer: ");
+-        prefixedMessage += message;
+-        qWarning(prefixedMessage.toUtf8().constData());
++        qWarning("Designer: %s", qPrintable(message));
+     }
+
+     QString EnumType::id() const
+--- tools/qtestlib/src/qtest_global.h
++++ tools/qtestlib/src/qtest_global.h
+@@ -59,7 +59,11 @@ namespace QTest
+     enum SkipMode { SkipSingle = 1, SkipAll = 2 };
+     enum TestFailMode { Abort = 1, Continue = 2 };
+ 
+-    int Q_TESTLIB_EXPORT qt_snprintf(char *str, int size, const char *format, ...);
++    int Q_TESTLIB_EXPORT qt_snprintf(char *str, int size, const char *format, ...)
++#if defined(Q_CC_GNU) && !defined(__INSURE__)
++        __attribute__ ((format (printf, 3, 4)))
++#endif
++        ;
+ }
+ 
+ QT_END_HEADER
+--- tools/assistant/config.cpp
++++ tools/assistant/config.cpp
+@@ -73,12 +73,12 @@ Config *Config::loadConfig(const QString
+ 
+     QFile file(profileFileName);
+     if (!file.exists()) {
+-        qWarning( (QLatin1String("File does not exist: ") + profileFileName).toAscii().constData() );
++        qWarning( "File does not exist: %s", qPrintable(profileFileName) );
+         return 0;
+     }
+     DocuParser *parser = DocuParser::createParser( profileFileName );
+     if (!parser) {
+-        qWarning( (QLatin1String("Failed to create parser for file: ") + profileFileName).toAscii().constData() );
++        qWarning( "Failed to create parser for file: %s", qPrintable(profileFileName) );
+         return 0;
+     }
+     if (parser->parserVersion() < DocuParser::Qt320) {
+@@ -89,7 +89,7 @@ Config *Config::loadConfig(const QString
+     parser->parse(&file);
+     config->profil = profileParser->profile();
+     if (!config->profil) {
+-        qWarning( (QLatin1String("Config::loadConfig(), no profile in: ") + profileFileName).toAscii().constData() );
++        qWarning( "Config::loadConfig(), no profile in: %s", qPrintable(profileFileName) );
+         return 0;
+     }
+     config->profil->setProfileType(Profile::UserProfile);
+--- tools/assistant/index.cpp
++++ tools/assistant/index.cpp
+@@ -180,7 +180,7 @@ void Index::parseDocument( const QString
+ {
+     QFile file( filename );
+     if ( !file.open(QFile::ReadOnly) ) {
+-        qWarning( (QLatin1String("can not open file ") + filename).toAscii().constData() );
++        qWarning( "can not open file %s", qPrintable(filename) );
+         return;
+     }
+ 
+@@ -352,7 +352,7 @@ QString Index::getDocumentTitle( const Q
+ 
+     QFile file( fileName );
+     if ( !file.open( QFile::ReadOnly ) ) {
+-        qWarning( (QLatin1String("cannot open file ") + fileName).toAscii().constData() );
++        qWarning( "cannot open file %s", qPrintable(fileName) );
+         return fileName;
+     }
+     QTextStream s( &file );
+@@ -474,7 +474,7 @@ bool Index::searchForPattern( const QStr
+     QString fName = url.toLocalFile();
+     QFile file( fName );
+     if ( !file.open( QFile::ReadOnly ) ) {
+-        qWarning( (QLatin1String("cannot open file ") + fName).toAscii().constData() );
++        qWarning( "cannot open file %s", qPrintable(fName) );
+         return false;
+     }
+ 
+--- tools/linguist/shared/profileevaluator.h
++++ tools/linguist/shared/profileevaluator.h
+@@ -88,7 +88,11 @@ protected:
+ 
+ private:
+     void logMessage(const QString &msg, MessageType mt = MT_DebugLevel2);
+-    void logMessage(MessageType mt, const char *msg, ...);
++    void logMessage(MessageType mt, const char *msg, ...)
++#if defined(Q_CC_GNU) && !defined(__INSURE__)
++        __attribute__ ((format (printf, 3, 4)))
++#endif
++        ;
+     QString expandVariableReferences(const QString &value);
+     QString evaluateExpandFunction(const QByteArray &func, const QString &arguments);