authormarkd <markd@pkgsrc.org>2011-05-07 22:25:08 +0000
committermarkd <markd@pkgsrc.org>2011-05-07 22:25:08 +0000
commit0ff2aa038f530b39e7731af6b5f930675edb5a7c (patch)
tree16bb16fa31f8071eb0bfbd258f3bb170b508b205 /net/kdenetwork4
parentab1188b2591cf7bd54cabf10ac301aeb5f3aa955 (diff)
downloadpkgsrc-0ff2aa038f530b39e7731af6b5f930675edb5a7c.tar.gz
KGet does not properly sanitise the "name" attribute of the "file" element
of metalink files before using it to download files. http://secunia.com/advisories/44124/
Diffstat (limited to 'net/kdenetwork4')
-rw-r--r--net/kdenetwork4/Makefile4
-rw-r--r--net/kdenetwork4/distinfo3
-rw-r--r--net/kdenetwork4/patches/patch-kget_ui_metalinkcreator_metalinker.cpp21
3 files changed, 25 insertions, 3 deletions
diff --git a/net/kdenetwork4/Makefile b/net/kdenetwork4/Makefile
index b60f1cb5cdf..0cbaa8c3cd6 100644
--- a/net/kdenetwork4/Makefile
+++ b/net/kdenetwork4/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.22 2011/04/22 13:44:23 obache Exp $
+# $NetBSD: Makefile,v 1.23 2011/05/07 22:25:08 markd Exp $
DISTNAME= kdenetwork-${_KDE_VERSION}
-PKGREVISION= 2
+PKGREVISION= 3
CATEGORIES= net
COMMENT= Network modules for the KDE integrated X11 desktop
diff --git a/net/kdenetwork4/distinfo b/net/kdenetwork4/distinfo
index befe9e14d51..f13bdfe12c3 100644
--- a/net/kdenetwork4/distinfo
+++ b/net/kdenetwork4/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.16 2011/01/23 07:55:15 markd Exp $
+$NetBSD: distinfo,v 1.17 2011/05/07 22:25:08 markd Exp $
SHA1 (kdenetwork-4.5.5.tar.bz2) = 2c7dd0bc1809ac477f46ddb966f232ca3f60bc0a
RMD160 (kdenetwork-4.5.5.tar.bz2) = 769829e255830bf360d9796c0ea9dcb12faeac0b
@@ -7,3 +7,4 @@ SHA1 (patch-aa) = 0359cd86501c57197242c398d63c1fc77c60a4d0
SHA1 (patch-ab) = 0743b3b6c994623c507b8bcd52ee01dad31cf56f
SHA1 (patch-ae) = 765d48550d2d8b7a59a1593a669b0909fef3bd96
SHA1 (patch-af) = 5afe11d2691c0f3e9510d2cd1df5b4f736abafbe
+SHA1 (patch-kget_ui_metalinkcreator_metalinker.cpp) = 1c3aaf24097c25120ff95b329e0995bc91843214
diff --git a/net/kdenetwork4/patches/patch-kget_ui_metalinkcreator_metalinker.cpp b/net/kdenetwork4/patches/patch-kget_ui_metalinkcreator_metalinker.cpp
new file mode 100644
index 00000000000..621a5d277d8
--- /dev/null
+++ b/net/kdenetwork4/patches/patch-kget_ui_metalinkcreator_metalinker.cpp
@@ -0,0 +1,21 @@
+$NetBSD: patch-kget_ui_metalinkcreator_metalinker.cpp,v 1.1 2011/05/07 22:25:09 markd Exp $
+
+http://secunia.com/advisories/44124/
+
+--- kget/ui/metalinkcreator/metalinker.cpp 2011/04/09 09:24:33 1227468
++++ kget/ui/metalinkcreator/metalinker.cpp 2011/04/09 09:25:23 1227469
+@@ -583,7 +583,13 @@
+ return false;
+ }
+
+- if (name.contains(QRegExp("$(\\.\\.?)?/")) || name.contains("/../") || name.endsWith("/..")) {
++ if (name.endsWith('/')) {
++ kError(5001) << "Name attribute of Metalink::File does not contain a file name:" << name;
++ return false;
++ }
++
++ const QStringList components = name.split('/');
++ if (name.startsWith('/') || components.contains("..") || components.contains(".")) {
+ kError(5001) << "Name attribute of Metalink::File contains directory traversal directives:" << name;
+ return false;
+ }
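Review bot: The component check at the `name.split('/')` line treats only `/` as a separator, so a name whose `..` components are delimited by backslashes would not be caught by `components.contains("..")`. If this code can be built for a platform where `\` is a native separator, normalise first, e.g. `const QStringList components = QDir::fromNativeSeparators(name).split('/');`. The test is also purely lexical, so it would be worth confirming at the point where `name` is joined to the download directory that the cleaned result still lies under that directory. The enclosing function starts and ends outside the hunk, so the earlier `return false` branch and the later use of `name` are not visible here.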