Diffstat (limited to 'debian')
-rw-r--r-- | debian/changelog | 5 | ||||
-rw-r--r-- | debian/patches/make_rules_for_redirect_stricter.patch | 32 | ||||
-rw-r--r-- | debian/patches/series | 1 |
3 files changed, 38 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog index a584e57..9610fa9 100644 --- a/debian/changelog +++ b/debian/changelog @@ -4,6 +4,11 @@ qt4-x11 (4:4.8.2+dfsg-7) UNRELEASED; urgency=low * Re-enable parallel building for all the architectures, after 4:4.8.2+dfsg-5 accidentally disabled it. (Closes: #696961) + [ Lisandro Damián Nicanor Pérez Meyer ] + * Apply make_rules_for_redirect_stricter.patch taken from upstream to solve + a "man in the middle" attack, CVE-2012-5624. Thanks Thijs Kinkhorst + (Closes: #695156). + -- Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org> Sun, 30 Dec 2012 00:32:00 +0100 qt4-x11 (4:4.8.2+dfsg-6) unstable; urgency=low diff --git a/debian/patches/make_rules_for_redirect_stricter.patch b/debian/patches/make_rules_for_redirect_stricter.patch new file mode 100644 index 0000000..3622927 --- /dev/null +++ b/debian/patches/make_rules_for_redirect_stricter.patch 
@@ -0,0 +1,32 @@
+From 8ca687050b2c9789724df2cf9955d7ad7dd2c060 Mon Sep 17 00:00:00 2001
+From: Richard Moore <rich@kde.org>
+Date: Mon, 19 Nov 2012 20:48:39 +0000
+Subject: [PATCH] Make the rules for redirects a bit stricter.
+
+Change-Id: I7a3cec664aa028202de3d3bda9f499e4deb2998d
+---
+ src/declarative/qml/qdeclarativexmlhttprequest.cpp | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/src/declarative/qml/qdeclarativexmlhttprequest.cpp b/src/declarative/qml/qdeclarativexmlhttprequest.cpp
+index 5378a15..3de89a5 100644
+--- a/src/declarative/qml/qdeclarativexmlhttprequest.cpp
++++ b/src/declarative/qml/qdeclarativexmlhttprequest.cpp
+@@ -1272,9 +1272,11 @@ void QDeclarativeXMLHttpRequest::finished()
+ QVariant redirect = m_network->attribute(QNetworkRequest::RedirectionTargetAttribute);
+ if (redirect.isValid()) {
+ QUrl url = m_network->url().resolved(redirect.toUrl());
+- destroyNetwork();
+- requestFromUrl(url);
+- return;
++ if (url.scheme().toLower() != QLatin1String("file")) {
++ destroyNetwork();
++ requestFromUrl(url);
++ return;
++ }
+ }
+ }
+
+--
+1.7.10.4
+
diff --git a/debian/patches/series b/debian/patches/series
index d37d71b..f259b96 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -7,6 +7,7 @@ Fix-cursor-truncate-to-include-line-position.patch
 disable-SSL-compression-by-default.patch
 fix_jit_crash_on_x86_64.patch
 add_missing_map_noreserve.patch
+make_rules_for_redirect_stricter.patch
 # qt-copy patches
 0195-compositing-properties.diff |
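Review bot: The new guard in `QDeclarativeXMLHttpRequest::finished()` refuses only redirects whose scheme is `file`, so every other scheme is still followed, including ones the network layer may serve from local or embedded content (such as `qrc` or `data`) and a downgrade from `https` to `http`; whether `requestFromUrl()` filters those is not visible in this hunk. An allowlist would be stricter and easier to audit, provided no caller relies on redirects to other schemes: `const QString scheme = url.scheme().toLower();` followed by `if (scheme == QLatin1String("http") || scheme == QLatin1String("https")) {`. A refused redirect falls through silently to the rest of `finished()`, which continues outside the hunk, so it is worth confirming that the caller sees a sensible status in that case. A short comment above the check, for example `// CVE-2012-5624: do not follow redirects to local files`, would record why the condition exists.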