diff options
author | Lisandro Damián Nicanor Pérez Meyer <perezmeyer@gmail.com> | 2012-12-08 14:32:31 -0300 |
---|---|---|
committer | Pino Toscano <pino@debian.org> | 2012-12-30 00:43:36 +0100 |
commit | a2f80c8409d50cdf421284b20d27d65b17fc5fc7 (patch) | |
tree | 77206d4498494b5e3464099551fbe1a06ebf91a3 /debian | |
parent | 348185d68aa0dcbfedbdb738e7e3e079cd30a1a5 (diff) | |
download | qt4-x11-a2f80c8409d50cdf421284b20d27d65b17fc5fc7.tar.gz |
Backport upstream patch to solve MITM attack.
(cherry picked from commit 6c47829956931fe2cdce32ceb1b3215c1f6ba5b4)
Conflicts:
debian/changelog
Diffstat (limited to 'debian')
-rw-r--r-- | debian/changelog | 5 | ||||
-rw-r--r-- | debian/patches/make_rules_for_redirect_stricter.patch | 32 | ||||
-rw-r--r-- | debian/patches/series | 1 |
3 files changed, 38 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog index a584e57..9610fa9 100644 --- a/debian/changelog +++ b/debian/changelog @@ -4,6 +4,11 @@ qt4-x11 (4:4.8.2+dfsg-7) UNRELEASED; urgency=low * Re-enable parallel building for all the architectures, after 4:4.8.2+dfsg-5 accidentally disabled it. (Closes: #696961) + [ Lisandro Damián Nicanor Pérez Meyer ] + * Apply make_rules_for_redirect_stricter.patch taken from upstream to solve + a "man in the middle" attack, CVE-2012-5624. Thanks Thijs Kinkhorst + (Closes: #695156). + -- Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org> Sun, 30 Dec 2012 00:32:00 +0100 qt4-x11 (4:4.8.2+dfsg-6) unstable; urgency=low diff --git a/debian/patches/make_rules_for_redirect_stricter.patch b/debian/patches/make_rules_for_redirect_stricter.patch new file mode 100644 index 0000000..3622927 --- /dev/null +++ b/debian/patches/make_rules_for_redirect_stricter.patch @@ -0,0 +1,32 @@ +From 8ca687050b2c9789724df2cf9955d7ad7dd2c060 Mon Sep 17 00:00:00 2001 +From: Richard Moore <rich@kde.org> +Date: Mon, 19 Nov 2012 20:48:39 +0000 +Subject: [PATCH] Make the rules for redirects a bit stricter. + +Change-Id: I7a3cec664aa028202de3d3bda9f499e4deb2998d +--- + src/declarative/qml/qdeclarativexmlhttprequest.cpp | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/src/declarative/qml/qdeclarativexmlhttprequest.cpp b/src/declarative/qml/qdeclarativexmlhttprequest.cpp +index 5378a15..3de89a5 100644 +--- a/src/declarative/qml/qdeclarativexmlhttprequest.cpp ++++ b/src/declarative/qml/qdeclarativexmlhttprequest.cpp +@@ -1272,9 +1272,11 @@ void QDeclarativeXMLHttpRequest::finished() + QVariant redirect = m_network->attribute(QNetworkRequest::RedirectionTargetAttribute); + if (redirect.isValid()) { + QUrl url = m_network->url().resolved(redirect.toUrl()); +- destroyNetwork(); +- requestFromUrl(url); +- return; ++ if (url.scheme().toLower() != QLatin1String("file")) { ++ destroyNetwork(); ++ requestFromUrl(url); ++ return; ++ } + } + } + +-- +1.7.10.4 + diff --git a/debian/patches/series b/debian/patches/series index d37d71b..f259b96 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -7,6 +7,7 @@ Fix-cursor-truncate-to-include-line-position.patch disable-SSL-compression-by-default.patch fix_jit_crash_on_x86_64.patch add_missing_map_noreserve.patch +make_rules_for_redirect_stricter.patch # qt-copy patches 0195-compositing-properties.diff |