ioslave PASV port scanning vulnerability (CVE-2007-1564) fix.

plus fix against KJS for similar issue to the Qt UTF-8 overlong sequence
decoding vulnerability.  Bump PKGREVISION.

3 files changed, 48 insertions, 4 deletions

diff --git a/x11/kdelibs3/Makefile b/x11/kdelibs3/Makefile
index 1295e2c485b..36b14076864 100644
--- a/x11/kdelibs3/Makefile
+++ b/x11/kdelibs3/Makefile
@@ -1,13 +1,13 @@
-# $NetBSD: Makefile,v 1.123 2007/02/22 19:27:27 wiz Exp $
+# $NetBSD: Makefile,v 1.124 2007/04/06 12:59:17 markd Exp $
 
 DISTNAME=	kdelibs-${_KDE_VERSION}
-PKGREVISION=	2
+PKGREVISION=	3
 CATEGORIES=	x11
 COMMENT=	Support libraries for the KDE integrated X11 desktop
 
 PATCH_SITES=	ftp://ftp.kde.org/pub/kde/security_patches/ \
 		http://mirrors.isc.org/pub/kde/security_patches/
-PATCHFILES=	post-3.5.6-kdelibs.diff
+PATCHFILES=	post-3.5.6-kdelibs.diff CVE-2007-1564-kdelibs-3.5.6.diff
 
 .include "../../meta-pkgs/kde3/Makefile.kde3"
 
diff --git a/x11/kdelibs3/distinfo b/x11/kdelibs3/distinfo
index 2333e242937..e64228184f3 100644
--- a/x11/kdelibs3/distinfo
+++ b/x11/kdelibs3/distinfo
@@ -1,5 +1,8 @@
-$NetBSD: distinfo,v 1.84 2007/02/07 12:17:18 markd Exp $
+$NetBSD: distinfo,v 1.85 2007/04/06 12:59:17 markd Exp $
 
+SHA1 (CVE-2007-1564-kdelibs-3.5.6.diff) = a296f0dff11007f835bdbca23b259ad8483aa4c9
+RMD160 (CVE-2007-1564-kdelibs-3.5.6.diff) = 894a9c5f51da21022b9448da957893a57384c065
+Size (CVE-2007-1564-kdelibs-3.5.6.diff) = 2835 bytes
 SHA1 (kdelibs-3.5.6.tar.bz2) = 2cc15499bd2191bd9333cfd1892b5ecf1199fbfd
 RMD160 (kdelibs-3.5.6.tar.bz2) = ce8c088e13f0e59238719600da9c768eac58b57d
 Size (kdelibs-3.5.6.tar.bz2) = 15509460 bytes
@@ -12,6 +15,7 @@ SHA1 (patch-ac) = f4a8fc2bfcf8a414e690eafd51607250b9f51890
 SHA1 (patch-ad) = d8ddcea1a281474b7694979b14744c5e06b56b65
 SHA1 (patch-ae) = b259a376dca4a335fbc5167868330c25c7691912
 SHA1 (patch-af) = 3f9075e84e56da7dac6ba0d893d215cc4cd11bfa
+SHA1 (patch-ag) = 525ba127f5de78d02a14f9c3c9f306fc4e14d1fa
 SHA1 (patch-aj) = 2ec8d33ce6684da7c60759cf395b78fa4ac2eaec
 SHA1 (patch-an) = d34a3cc0ac0b92921bcaeb9b05c5b7a99ee3566c
 SHA1 (patch-ao) = 7ae360b2ee2332ec3017dfd468457f2c1b139308
diff --git a/x11/kdelibs3/patches/patch-ag b/x11/kdelibs3/patches/patch-ag
new file mode 100644
index 00000000000..5fa68b6a1a7
--- /dev/null
+++ b/x11/kdelibs3/patches/patch-ag
@@ -0,0 +1,40 @@
+$NetBSD: patch-ag,v 1.10 2007/04/06 12:59:18 markd Exp $
+
+------------------------------------------------------------------------
+r645387 | porten | 2007-03-22 15:01:13 +0100 (Thu, 22 Mar 2007) | 4 lines
+
+substitute some of the invalid sequences with the standard replacement
+char. this matches Mozilla but not IE which leaves them unchanged (or
+throws an exception)
+
+------------------------------------------------------------------------
+--- kjs/function.cpp
++++ kjs/function.cpp
+@@ -244,11 +244,15 @@ UString decodeURI(ExecState *exec, UStri
+       }
+ 
+       // UTF-8 transform
++      const unsigned long replacementChar = 0xFFFD;
+       unsigned long V;
+       if (n == 2) {
+ 	unsigned long yyyyy = octets[0] & 0x1F;
+ 	unsigned long zzzzzz = octets[1] & 0x3F;
+ 	V = (yyyyy << 6) | zzzzzz;
++	// 2-byte sequence overlong for this value?
++	if (V < 0xFF)
++	  V = replacementChar;
+ 	C = UChar((unsigned short)V);
+       }
+       else if (n == 3) {
+@@ -256,6 +260,11 @@ UString decodeURI(ExecState *exec, UStri
+ 	unsigned long yyyyyy = octets[1] & 0x3F;
+ 	unsigned long zzzzzz = octets[2] & 0x3F;
+ 	V = (xxxx << 12) | (yyyyyy << 6) | zzzzzz;
++	// 3-byte sequence overlong for this value,
++	// an invalid value or UTF-16 surrogate?
++	if (V < 0x800 || V == 0xFFFE || V == 0xFFFF ||
++	    (V >= 0xD800 && V <= 0xDFFF))
++	  V = replacementChar;
+ 	C = UChar((unsigned short)V);
+       }
+       else {