From af8955d2d810a7ff660116494c01f095a2b1ba4a Mon Sep 17 00:00:00 2001
From: bsiegert
Date: Sun, 6 Dec 2015 20:10:39 +0000
Subject: Pullup ticket #4868 - requested by wiz
security/keepassx: security fix
Revisions pulled up:
- security/keepassx/Makefile 1.31
- security/keepassx/distinfo 1.8
- security/keepassx/patches/patch-src_lib_AutoTypeX11.cpp 1.2
- security/keepassx/patches/patch-src_lib_FileDialogs.cpp 1.1
- security/keepassx/patches/patch-src_lib_random.cpp 1.4
---
Module Name: pkgsrc
Committed By: wiz
Date: Sun Dec 6 14:20:34 UTC 2015
Modified Files:
pkgsrc/security/keepassx: Makefile distinfo
pkgsrc/security/keepassx/patches: patch-src_lib_AutoTypeX11.cpp patch-src_lib_random.cpp
Added Files:
pkgsrc/security/keepassx/patches: patch-src_lib_FileDialogs.cpp
Log Message:
Fix CVE-2015-8378 using the patch from Debian. Bump PKGREVISION. While here, clean up pkglint.
---
security/keepassx/Makefile | 7 +++---
security/keepassx/distinfo | 7 +++---
.../keepassx/patches/patch-src_lib_AutoTypeX11.cpp | 4 ++-
.../keepassx/patches/patch-src_lib_FileDialogs.cpp | 29 ++++++++++++++++++++++
security/keepassx/patches/patch-src_lib_random.cpp | 4 ++-
5 files changed, 42 insertions(+), 9 deletions(-)
create mode 100644 security/keepassx/patches/patch-src_lib_FileDialogs.cpp
diff --git a/security/keepassx/Makefile b/security/keepassx/Makefile
index a2d91b90527..c21ede592b7 100644
--- a/security/keepassx/Makefile
+++ b/security/keepassx/Makefile
@@ -1,8 +1,7 @@
-# $NetBSD: Makefile,v 1.30 2015/04/25 14:24:48 tnn Exp $
-#
+# $NetBSD: Makefile,v 1.30.4.1 2015/12/06 20:10:39 bsiegert Exp $
 
 DISTNAME= keepassx-0.4.3
-PKGREVISION= 8
+PKGREVISION= 9
 CATEGORIES= security
 MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=keepassx/}
 
@@ -24,7 +23,7 @@ do-configure:
 ${QMAKE} -unix -o Makefile ${CONFIGURE_ARGS} keepassx.pro
 
 pre-install:
- ${CP} ${WRKSRC}/bin/keepassx ${WRKSRC}/src
+ ${INSTALL_PROGRAM} ${WRKSRC}/bin/keepassx ${WRKSRC}/src
 
 .include "../../sysutils/desktop-file-utils/desktopdb.mk"
 .include "../../x11/qt4-libs/buildlink3.mk"
diff --git a/security/keepassx/distinfo b/security/keepassx/distinfo
index 8b837466b7e..451fb4d0f03 100644
--- a/security/keepassx/distinfo
+++ b/security/keepassx/distinfo
@@ -1,8 +1,9 @@
-$NetBSD: distinfo,v 1.6 2014/01/05 01:01:47 rumko Exp $
+$NetBSD: distinfo,v 1.6.14.1 2015/12/06 20:10:39 bsiegert Exp $
 
 SHA1 (keepassx-0.4.3.tar.gz) = d25ecc9d3caaa5a6d0f39a42c730a95997f37e2e
 RMD160 (keepassx-0.4.3.tar.gz) = 3e963d82dd6b8bc32e32dbb46efa9168bac1088b
 Size (keepassx-0.4.3.tar.gz) = 1368766 bytes
 SHA1 (patch-src_crypto_aes__endian.h) = 3a88c3ebf2ccaa2229aa7e0600b4f0e976b21772
-SHA1 (patch-src_lib_AutoTypeX11.cpp) = 00c112837d50cf01fc4fc7f76865e5407c90e901
-SHA1 (patch-src_lib_random.cpp) = 01cc7569a75bc3af8326f0903881c16d96d51551
+SHA1 (patch-src_lib_AutoTypeX11.cpp) = 3bd8421804ec549ba4a7a42907516534d7bbf6f3
+SHA1 (patch-src_lib_FileDialogs.cpp) = ab5d6caf0eea7d66b3b614fba3e92e6c48227cc3
+SHA1 (patch-src_lib_random.cpp) = dd50e9cb5a95f5db780aab727dfd4b0dcceac9ef
diff --git a/security/keepassx/patches/patch-src_lib_AutoTypeX11.cpp b/security/keepassx/patches/patch-src_lib_AutoTypeX11.cpp
index dcff27712a6..7cb2e0d05a7 100644
--- a/security/keepassx/patches/patch-src_lib_AutoTypeX11.cpp
+++ b/security/keepassx/patches/patch-src_lib_AutoTypeX11.cpp
@@ -1,4 +1,6 @@
-$NetBSD: patch-src_lib_AutoTypeX11.cpp,v 1.1 2013/05/04 12:59:48 joerg Exp $
+$NetBSD: patch-src_lib_AutoTypeX11.cpp,v 1.1.20.1 2015/12/06 20:10:39 bsiegert Exp $
+
+Add a bunch of missing includes hidden by libstdc++ namespace pollution.
 
 --- src/lib/AutoTypeX11.cpp.orig 2013-05-04 00:34:27.000000000 +0000
 +++ src/lib/AutoTypeX11.cpp
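Review bot: Swapping `${CP}` for `${INSTALL_PROGRAM}` in the pre-install target is more than the pkglint cleanup the log message describes: as far as I recall pkgsrc's definition, INSTALL_PROGRAM is an install(1) invocation that sets owner/mode and, by default, strips the binary, so the copy left in ${WRKSRC}/src is no longer byte-identical to the one in ${WRKSRC}/bin. If a stripped binary is the intent that is fine, but it deserves a line in the Makefile so the next maintainer does not "fix" it back, e.g. `# install(1)-style copy: strips and sets mode like any other installed program`. The do-configure target named in the hunk header starts outside the hunk.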
diff --git a/security/keepassx/patches/patch-src_lib_FileDialogs.cpp b/security/keepassx/patches/patch-src_lib_FileDialogs.cpp
new file mode 100644
index 00000000000..0c22d2240cc
--- /dev/null
+++ b/security/keepassx/patches/patch-src_lib_FileDialogs.cpp
@@ -0,0 +1,29 @@
+$NetBSD: patch-src_lib_FileDialogs.cpp,v 1.1.2.2 2015/12/06 20:10:39 bsiegert Exp $
+
+Description: Abort file save dialog gracefully on 'cancel'
+Author: Reinhard Tartler
+Bug-Debian: 791858
+
+The Qt documentation says that pressing the "Cancel" button "returns a
+null string" (cf http://doc.qt.io/qt-4.8/qfiledialog.html#details). The
+default (and only) implementation of the File dialog ignores this case
+and wrongly constructs a bogus filename. This patch bails out gracefully
+and avoids cleartext passwords on the hard disk.
+
+Fixes CVE-2015-8378
+
+https://anonscm.debian.org/cgit/collab-maint/keepassx.git/commit/?id=b3c9028db8ec3b8752ff47717ffc792d755c1294
+
+--- src/lib/FileDialogs.cpp.orig 2009-10-08 19:27:39.000000000 +0000
++++ src/lib/FileDialogs.cpp
+@@ -118,6 +118,10 @@ QString QtStandardFileDialogs::saveFileD
+ SelectedFilter=Filters[SelectedFilterIndex];
+ QString filepath = QFileDialog::getSaveFileName(parent,title,dir,toSingleStringFilter(Filters),&SelectedFilter,
+ ShowOverwriteWarning ? (QFileDialog::Option)0 : QFileDialog::DontConfirmOverwrite);
++ // Fixes CVE-2015-8378
++ if (filepath.isEmpty())
++ return filepath;
++
+ LastFilter=Filters.indexOf(SelectedFilter);
+ 
+ //Check whether the file has an extension which fits to the selected filter
diff --git a/security/keepassx/patches/patch-src_lib_random.cpp b/security/keepassx/patches/patch-src_lib_random.cpp
index ae07b0beb68..51f59ad3ada 100644
--- a/security/keepassx/patches/patch-src_lib_random.cpp
+++ b/security/keepassx/patches/patch-src_lib_random.cpp
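Review bot: The early `return filepath;` on `filepath.isEmpty()` stops saveFileDialog() from turning a cancelled dialog into a bogus filename, but it only closes the hole if every caller treats an empty return as "cancelled" and skips the save; that side of the contract is outside this hunk, and the function body continues past it. Checking `isEmpty()` rather than `isNull()` is the right choice here, since it also covers a non-null empty string, so the guard itself looks correct. A visible side effect worth noting is that the return sits before `LastFilter=Filters.indexOf(SelectedFilter);`, so a cancelled dialog no longer updates the remembered filter, which is presumably intended. I would make the contract explicit in the added comment: `// Fixes CVE-2015-8378: an empty path means the dialog was cancelled; callers must not save to it`.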
@@ -1,4 +1,6 @@
-$NetBSD: patch-src_lib_random.cpp,v 1.3 2013/05/04 12:59:48 joerg Exp $
+$NetBSD: patch-src_lib_random.cpp,v 1.3.20.1 2015/12/06 20:10:39 bsiegert Exp $
+
+Add a bunch of missing includes hidden by libstdc++ namespace pollution.
 
 --- src/lib/random.cpp.orig 2013-05-04 00:33:31.000000000 +0000
 +++ src/lib/random.cpp
-- 
cgit v1.2.3