authortron <tron>2010-05-17 06:35:06 +0000
committertron <tron>2010-05-17 06:35:06 +0000
commit59f357927020e1d67191653448d1fc17189f5602 (patch)
tree19d8b1b9a579746ec591bcbdcce3983e6048068e /net
parent9a94d25b697b69c295077c39864fd60374324da9 (diff)
Pullup ticket #3118 - requested by markd
net/kdenetwork4: security patch Revisions pulled up: - net/kdenetwork4/Makefile 1.10 via patch - net/kdenetwork4/distinfo 1.9 via patch - net/kdenetwork4/patches/patch-ba 1.1 via patch - net/kdenetwork4/patches/patch-bb 1.1 via patch --- Subject: CVS commit: pkgsrc/net/kdenetwork4 Date: Monday 17 May 2010, 09:21:39 From: Mark Davies <markd@netbsd.org> To: pkgsrc-changes@netbsd.org Module Name: pkgsrc Committed By: markd Date: Sun May 16 21:21:39 UTC 2010 Modified Files: pkgsrc/net/kdenetwork4: Makefile distinfo Added Files: pkgsrc/net/kdenetwork4/patches: patch-ba patch-bb patch-bc patch-bd Log Message: Fix from KDE security advisory 20100513-1.
Diffstat (limited to 'net')
-rw-r--r--net/kdenetwork4/Makefile4
-rw-r--r--net/kdenetwork4/distinfo4
-rw-r--r--net/kdenetwork4/patches/patch-ba60
-rw-r--r--net/kdenetwork4/patches/patch-bb27
4 files changed, 92 insertions, 3 deletions
diff --git a/net/kdenetwork4/Makefile b/net/kdenetwork4/Makefile
index 06640b93b0a..667de12844a 100644
--- a/net/kdenetwork4/Makefile
+++ b/net/kdenetwork4/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.7 2010/03/24 19:43:28 asau Exp $
+# $NetBSD: Makefile,v 1.7.2.1 2010/05/17 06:35:06 tron Exp $
DISTNAME= kdenetwork-${_KDE_VERSION}
-PKGREVISION= 1
+PKGREVISION= 2
CATEGORIES= net
COMMENT= Network modules for the KDE integrated X11 desktop
diff --git a/net/kdenetwork4/distinfo b/net/kdenetwork4/distinfo
index 62986a05fd6..2ae33ef898d 100644
--- a/net/kdenetwork4/distinfo
+++ b/net/kdenetwork4/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.6 2010/01/27 10:38:40 markd Exp $
+$NetBSD: distinfo,v 1.6.2.1 2010/05/17 06:35:06 tron Exp $
SHA1 (kdenetwork-4.3.5.tar.bz2) = b94ad996624e170c3a3c3d3a82dd54ca7f2d7910
RMD160 (kdenetwork-4.3.5.tar.bz2) = fc631b631957ba49084c2b006d8cef35f2ea3435
@@ -6,3 +6,5 @@ Size (kdenetwork-4.3.5.tar.bz2) = 7384719 bytes
SHA1 (patch-aa) = 0359cd86501c57197242c398d63c1fc77c60a4d0
SHA1 (patch-ab) = 0743b3b6c994623c507b8bcd52ee01dad31cf56f
SHA1 (patch-ae) = 765d48550d2d8b7a59a1593a669b0909fef3bd96
+SHA1 (patch-ba) = 21887be024e426414aad0e055caa3dfe69926dee
+SHA1 (patch-bb) = 5cc925ec0988476ab883312b6a9046540a2d70a3
diff --git a/net/kdenetwork4/patches/patch-ba b/net/kdenetwork4/patches/patch-ba
new file mode 100644
index 00000000000..85eb938fb4b
--- /dev/null
+++ b/net/kdenetwork4/patches/patch-ba
@@ -0,0 +1,60 @@
+$NetBSD: patch-ba,v 1.1.2.2 2010/05/17 06:35:07 tron Exp $
+
+--- kget/transfer-plugins/metalink/metalinker.cpp.orig 2008-01-04 23:59:18.000000000 +0000
++++ kget/transfer-plugins/metalink/metalinker.cpp
+@@ -1,6 +1,7 @@
+ /* This file is part of the KDE project
+
+ Copyright (C) 2007 Manolo Valdes <nolis71cu@gmail.com>
++ Copyright (C) 2010 Matthias Fuchs <mat69@gmx.net>
+
+ This program is free software; you can redistribute it and/or
+ modify it under the terms of the GNU General Public
+@@ -16,6 +17,21 @@
+
+ #include <QDomElement>
+
++bool MlinkFileData::isValidNameAttribute() const
++{
++ if (fileName.isEmpty()) {
++ kError(5001) << "Name attribute of Metalink::File is empty.";
++ return false;
++ }
++
++ if (fileName.contains(QRegExp("$(\\.\\.?)?/")) || fileName.contains("/../") || fileName.endsWith("/..")) {
++ kError(5001) << "Name attribute of Metalink::File contains directory traversal directives:" << fileName;
++ return false;
++ }
++
++ return true;
++}
++
+ Metalinker::Metalinker()
+ {
+ }
+@@ -36,12 +52,24 @@ QList<MlinkFileData> Metalinker::parseMe
+
+ kDebug(5001) << files.length() << " <file> tags found";
+
++ QStringList fileNames;
+ for( uint i=0 ; i < files.length() ; ++i )
+ {
+ QDomNode file = files.item(i);
+ MlinkFileData data;
+- data.fileName = file.toElement().attribute("name");
++ data.fileName = QUrl::fromPercentEncoding(file.toElement().attribute("name").toAscii());
+ kDebug(5001) << "filename: "<< data.fileName;
++ if (!data.isValidNameAttribute()) {
++ fileData.clear();
++ return fileData;
++ }
++
++ if (fileNames.contains(data.fileName)) {
++ kError(5001) << "Metalink::File name" << data.fileName << "exists multiple times.";
++ fileData.clear();
++ return fileData;
++ }
++ fileNames << data.fileName;
+
+ QDomNodeList hashes = file.toElement().
+ elementsByTagName("verification").
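Review bot: The first test in the new `isValidNameAttribute` (the `QRegExp("$(\\.\\.?)?/")` line) can never match, because `$` is QRegExp's end-of-string anchor and the pattern then requires a `/` after it; as written, a name that begins with `/`, `./` or `../` is not caught by the remaining `contains("/../")` and `endsWith("/..")` tests, so the check only covers traversal components in the middle or at the end of the name. If a start-of-string anchor was intended, the line should read `if (fileName.contains(QRegExp("^(\\.\\.?)?/")) || fileName.contains("/../") || fileName.endsWith("/..")) {`. A short comment would also help here, e.g. `// Runs on the percent-decoded name (see parseMetalink), so encoded traversal sequences are covered as well.`, since the second hunk now applies `QUrl::fromPercentEncoding` before calling it. The `Metalinker::parseMe…` function named in the second hunk header starts before and continues after that hunk.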
diff --git a/net/kdenetwork4/patches/patch-bb b/net/kdenetwork4/patches/patch-bb
new file mode 100644
index 00000000000..c7e41eaa136
--- /dev/null
+++ b/net/kdenetwork4/patches/patch-bb
@@ -0,0 +1,27 @@
+$NetBSD: patch-bb,v 1.1.2.2 2010/05/17 06:35:07 tron Exp $
+
+--- kget/transfer-plugins/metalink/metalinker.h.orig 2008-01-04 23:59:18.000000000 +0000
++++ kget/transfer-plugins/metalink/metalinker.h
+@@ -1,6 +1,7 @@
+ /* This file is part of the KDE project
+
+ Copyright (C) 2007 Manolo Valdes <nolis71cu@gmail.com>
++ Copyright (C) 2010 Matthias Fuchs <mat69@gmx.net>
+
+ This program is free software; you can redistribute it and/or
+ modify it under the terms of the GNU General Public
+@@ -18,6 +19,14 @@ class MlinkFileData
+ {
+ public:
+ MlinkFileData() {}
++
++ /**
++ * Controlls if the name attribute is valid, i.e. it is not empty and
++ * does not contain any directory traversal directives or information
++ * In case of faulty fileNames the MlinkFile gets discarded
++ */
++ bool isValidNameAttribute() const;
++
+ QString fileName;
+ QString md5;
+ QString sha256;
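Review bot: The new doc comment on `isValidNameAttribute` says that on a faulty name "the MlinkFile gets discarded", but as far as the visible hunk of patch-ba shows the caller clears the whole result list and returns it empty, so the entire Metalink is rejected rather than the single entry; the comment should say so, and "Controlls" is a typo. Suggested wording: `Checks that the name attribute is valid, i.e. non-empty and free of directory traversal components. If it is not, the caller discards the whole Metalink.` The enclosing `class MlinkFileData` starts before and continues after this hunk.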