author | tron <tron> | 2010-05-17 06:35:06 +0000 |
---|---|---|
committer | tron <tron> | 2010-05-17 06:35:06 +0000 |
commit | 59f357927020e1d67191653448d1fc17189f5602 (patch) | |
tree | 19d8b1b9a579746ec591bcbdcce3983e6048068e /net | |
parent | 9a94d25b697b69c295077c39864fd60374324da9 (diff) | |
download | pkgsrc-59f357927020e1d67191653448d1fc17189f5602.tar.gz |
Pullup ticket #3118 - requested by markd
net/kdenetwork4: security patch
Revisions pulled up:
- net/kdenetwork4/Makefile 1.10 via patch
- net/kdenetwork4/distinfo 1.9 via patch
- net/kdenetwork4/patches/patch-ba 1.1 via patch
- net/kdenetwork4/patches/patch-bb 1.1 via patch
---
Subject: CVS commit: pkgsrc/net/kdenetwork4
Date: Monday 17 May 2010, 09:21:39
From: Mark Davies <markd@netbsd.org>
To: pkgsrc-changes@netbsd.org
Module Name: pkgsrc
Committed By: markd
Date: Sun May 16 21:21:39 UTC 2010
Modified Files:
pkgsrc/net/kdenetwork4: Makefile distinfo
Added Files:
pkgsrc/net/kdenetwork4/patches: patch-ba patch-bb patch-bc patch-bd
Log Message:
Fix from KDE security advisory 20100513-1.
Diffstat (limited to 'net')
-rw-r--r-- | net/kdenetwork4/Makefile | 4 | ||||
-rw-r--r-- | net/kdenetwork4/distinfo | 4 | ||||
-rw-r--r-- | net/kdenetwork4/patches/patch-ba | 60 | ||||
-rw-r--r-- | net/kdenetwork4/patches/patch-bb | 27 |
4 files changed, 92 insertions, 3 deletions
diff --git a/net/kdenetwork4/Makefile b/net/kdenetwork4/Makefile
index 06640b93b0a..667de12844a 100644
--- a/net/kdenetwork4/Makefile
+++ b/net/kdenetwork4/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.7 2010/03/24 19:43:28 asau Exp $
+# $NetBSD: Makefile,v 1.7.2.1 2010/05/17 06:35:06 tron Exp $
 
 DISTNAME= kdenetwork-${_KDE_VERSION}
-PKGREVISION= 1
+PKGREVISION= 2
 CATEGORIES= net
 
 COMMENT= Network modules for the KDE integrated X11 desktop
diff --git a/net/kdenetwork4/distinfo b/net/kdenetwork4/distinfo
index 62986a05fd6..2ae33ef898d 100644
--- a/net/kdenetwork4/distinfo
+++ b/net/kdenetwork4/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.6 2010/01/27 10:38:40 markd Exp $
+$NetBSD: distinfo,v 1.6.2.1 2010/05/17 06:35:06 tron Exp $
 
 SHA1 (kdenetwork-4.3.5.tar.bz2) = b94ad996624e170c3a3c3d3a82dd54ca7f2d7910
 RMD160 (kdenetwork-4.3.5.tar.bz2) = fc631b631957ba49084c2b006d8cef35f2ea3435
@@ -6,3 +6,5 @@ Size (kdenetwork-4.3.5.tar.bz2) = 7384719 bytes
 SHA1 (patch-aa) = 0359cd86501c57197242c398d63c1fc77c60a4d0
 SHA1 (patch-ab) = 0743b3b6c994623c507b8bcd52ee01dad31cf56f
 SHA1 (patch-ae) = 765d48550d2d8b7a59a1593a669b0909fef3bd96
+SHA1 (patch-ba) = 21887be024e426414aad0e055caa3dfe69926dee
+SHA1 (patch-bb) = 5cc925ec0988476ab883312b6a9046540a2d70a3
diff --git a/net/kdenetwork4/patches/patch-ba b/net/kdenetwork4/patches/patch-ba
new file mode 100644
index 00000000000..85eb938fb4b
--- /dev/null
+++ b/net/kdenetwork4/patches/patch-ba
@@ -0,0 +1,60 @@
+$NetBSD: patch-ba,v 1.1.2.2 2010/05/17 06:35:07 tron Exp $
+
+--- kget/transfer-plugins/metalink/metalinker.cpp.orig 2008-01-04 23:59:18.000000000 +0000
++++ kget/transfer-plugins/metalink/metalinker.cpp
+@@ -1,6 +1,7 @@
+ /* This file is part of the KDE project
+ 
+ Copyright (C) 2007 Manolo Valdes <nolis71cu@gmail.com>
++ Copyright (C) 2010 Matthias Fuchs <mat69@gmx.net>
+ 
+ This program is free software; you can redistribute it and/or
+ modify it under the terms of the GNU General Public
+@@ -16,6 +17,21 @@
+ 
+ #include <QDomElement>
+ 
++bool MlinkFileData::isValidNameAttribute() const
++{
++ if (fileName.isEmpty()) {
++ kError(5001) << "Name attribute of Metalink::File is empty.";
++ return false;
++ }
++
++ if (fileName.contains(QRegExp("$(\\.\\.?)?/")) || fileName.contains("/../") || fileName.endsWith("/..")) {
++ kError(5001) << "Name attribute of Metalink::File contains directory traversal directives:" << fileName;
++ return false;
++ }
++
++ return true;
++}
++
+ Metalinker::Metalinker()
+ {
+ }
+@@ -36,12 +52,24 @@ QList<MlinkFileData> Metalinker::parseMe
+ 
+ kDebug(5001) << files.length() << " <file> tags found";
+ 
++ QStringList fileNames;
+ for( uint i=0 ; i < files.length() ; ++i )
+ {
+ QDomNode file = files.item(i);
+ MlinkFileData data;
+- data.fileName = file.toElement().attribute("name");
++ data.fileName = QUrl::fromPercentEncoding(file.toElement().attribute("name").toAscii());
+ kDebug(5001) << "filename: "<< data.fileName;
++ if (!data.isValidNameAttribute()) {
++ fileData.clear();
++ return fileData;
++ }
++
++ if (fileNames.contains(data.fileName)) {
++ kError(5001) << "Metalink::File name" << data.fileName << "exists multiple times.";
++ fileData.clear();
++ return fileData;
++ }
++ fileNames << data.fileName;
+ 
+ QDomNodeList hashes = file.toElement().
+ elementsByTagName("verification").
diff --git a/net/kdenetwork4/patches/patch-bb b/net/kdenetwork4/patches/patch-bb
new file mode 100644
index 00000000000..c7e41eaa136
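Review bot: In the new `isValidNameAttribute()` the first test, `fileName.contains(QRegExp("$(\\.\\.?)?/"))`, can never match: in QRegExp `$` anchors at the end of the string, so no character can follow it, and the alternative that was presumably meant to reject names starting with `/`, `./` or `../` is dead — a name with a single leading `../` segment or an absolute path is caught by neither of the two remaining `contains("/../")`/`endsWith("/..")` tests. The start anchor was presumably intended: `if (fileName.contains(QRegExp("^(\\.\\.?)?/")) || fileName.contains("/../") || fileName.endsWith("/..")) {`. Decoding with `QUrl::fromPercentEncoding` before validating is the right order in `parseMetalink`; a comment such as `// decode first so the check sees the name in its final form` would make that intent explicit, and normalising with `QDir::cleanPath` before the test would make the remaining string matches less fragile. The enclosing `parseMetalink` function starts and ends outside the inner hunk, so the handling of the returned empty list is not visible here.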
--- /dev/null
+++ b/net/kdenetwork4/patches/patch-bb
@@ -0,0 +1,27 @@
+$NetBSD: patch-bb,v 1.1.2.2 2010/05/17 06:35:07 tron Exp $
+
+--- kget/transfer-plugins/metalink/metalinker.h.orig 2008-01-04 23:59:18.000000000 +0000
++++ kget/transfer-plugins/metalink/metalinker.h
+@@ -1,6 +1,7 @@
+ /* This file is part of the KDE project
+ 
+ Copyright (C) 2007 Manolo Valdes <nolis71cu@gmail.com>
++ Copyright (C) 2010 Matthias Fuchs <mat69@gmx.net>
+ 
+ This program is free software; you can redistribute it and/or
+ modify it under the terms of the GNU General Public
+@@ -18,6 +19,14 @@ class MlinkFileData
+ {
+ public:
+ MlinkFileData() {}
++
++ /**
++ * Controlls if the name attribute is valid, i.e. it is not empty and
++ * does not contain any directory traversal directives or information
++ * In case of faulty fileNames the MlinkFile gets discarded
++ */
++ bool isValidNameAttribute() const;
++
+ QString fileName;
+ QString md5;
+ QString sha256;
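Review bot: The Doxygen comment added above `isValidNameAttribute()` has a spelling error and an unfinished clause (`Controlls … traversal directives or information`), and it says the single MlinkFile gets discarded, whereas the caller added in patch-ba clears the whole result list and returns on the first invalid name. Suggest rewording it to: `Checks that the name attribute is valid, i.e. non-empty and free of directory traversal components such as "/../" or a trailing "/.."; the parser discards the entire Metalink when any file fails this check.` The declaration itself matches the definition in patch-ba (a `const` member with no side effects).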