Mailinglist Archive: opensuse-commit (1929 mails)

< Previous Next >
commit kdelibs4 for openSUSE:11.4

Hello community,

here is the log from the commit of package kdelibs4 for openSUSE:11.4
checked in at Mon Oct 10 12:38:48 CEST 2011.



--------
--- old-versions/11.4/UPDATES/all/kdelibs4/kdelibs4-apidocs.changes
2011-04-11 17:52:46.000000000 +0200
+++ 11.4/kdelibs4/kdelibs4-apidocs.changes 2011-10-05 22:42:12.000000000
+0200
@@ -1,0 +2,6 @@
+Wed Oct 5 20:40:15 UTC 2011 - wstephenson@xxxxxxxx
+
+- Add patches vs SSL CN display input validation flaw
+ (CVE-2011-3365)
+
+-------------------------------------------------------------------
--- old-versions/11.4/UPDATES/all/kdelibs4/kdelibs4.changes 2011-04-11
17:52:46.000000000 +0200
+++ 11.4/kdelibs4/kdelibs4.changes 2011-10-05 22:42:12.000000000 +0200
@@ -1,0 +2,6 @@
+Wed Oct 5 20:40:15 UTC 2011 - wstephenson@xxxxxxxx
+
+- Add patches vs SSL CN display input validation flaw
+ (CVE-2011-3365) (bnc#721974)
+
+-------------------------------------------------------------------

calling whatdependson for 11.4-i586


New:
----
90607b28-kio_http-cn-input-validation.diff
9ca2b26f-kssl-cn-input-validation.diff

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ kdelibs4-apidocs.spec ++++++
--- /var/tmp/diff_new_pack.1MW8t4/_old 2011-10-10 12:38:17.000000000 +0200
+++ /var/tmp/diff_new_pack.1MW8t4/_new 2011-10-10 12:38:17.000000000 +0200
@@ -26,7 +26,7 @@
Summary: KDE 4 API documentation
Url: http://www.kde.org
Version: 4.6.0
-Release: 3.<RELEASE4>
+Release: 3.<RELEASE5>
Requires: kde4-filesystem
Source0: kdelibs-%version.tar.bz2
Source1: baselibs.conf

++++++ kdelibs4.spec ++++++
--- /var/tmp/diff_new_pack.1MW8t4/_old 2011-10-10 12:38:17.000000000 +0200
+++ /var/tmp/diff_new_pack.1MW8t4/_new 2011-10-10 12:38:17.000000000 +0200
@@ -44,7 +44,7 @@
Summary: KDE Base Libraries
Url: http://www.kde.org
Version: 4.6.0
-Release: 6.<RELEASE15>
+Release: 6.<RELEASE17>
Requires: soprano >= %( echo `rpm -q --queryformat '%{VERSION}'
libsoprano-devel`)
Recommends: strigi >= %( echo `rpm -q --queryformat '%{VERSION}'
strigi-devel`)
Requires: kdelibs4-core = %version
@@ -78,6 +78,8 @@
Patch28: no_kbookmark_write_error.diff
Patch29: 23621737-ssl-wildcards.diff
Patch30: d4098c3e-khtml-xss.diff
+Patch31: 9ca2b26f-kssl-cn-input-validation.diff
+Patch32: 90607b28-kio_http-cn-input-validation.diff
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%requires_ge libqt4-x11
%if 0%{?opensuse_bs}
@@ -169,6 +171,8 @@
%patch28 -p1
%patch29 -p1
%patch30 -p1
+%patch31 -p1
+%patch32 -p1
#
# define KDE version exactly
#

++++++ 90607b28-kio_http-cn-input-validation.diff ++++++
commit 90607b28d21fefc43657ca08b889bdb174c31fab
Author: David Faure <faure@xxxxxxx>
Date: Wed Sep 28 17:26:47 2011 +0200

Use HTML escaping on texts that come from the website

Interestingly enough, this is yet another use case for moving Qt::escape
to QtCore, which I made a merge request for.
(cherry picked from commit 86622e4db182f4b914169f72ebd1e66d708e9f87)

diff --git a/kioslave/http/http.cpp b/kioslave/http/http.cpp
index 33f4cb1..6447a02 100644
--- a/kioslave/http/http.cpp
+++ b/kioslave/http/http.cpp
@@ -99,6 +99,27 @@
//authentication handlers
#include "httpauthentication.cpp"

+// KDE5 TODO (QT5) : use QString::htmlEscape or whatever
https://qt.gitorious.org/qt/qtbase/merge_requests/56
+// ends up with.
+static QString htmlEscape(const QString &plain)
+{
+ QString rich;
+ rich.reserve(int(plain.length() * 1.1));
+ for (int i = 0; i < plain.length(); ++i) {
+ if (plain.at(i) == QLatin1Char('<'))
+ rich += QLatin1String("&lt;");
+ else if (plain.at(i) == QLatin1Char('>'))
+ rich += QLatin1String("&gt;");
+ else if (plain.at(i) == QLatin1Char('&'))
+ rich += QLatin1String("&amp;");
+ else if (plain.at(i) == QLatin1Char('"'))
+ rich += QLatin1String("&quot;");
+ else
+ rich += plain.at(i);
+ }
+ rich.squeeze();
+ return rich;
+}

// see filenameFromUrl(): a sha1 hash is 160 bits
static const int s_hashedUrlBits = 160; // this number should always be
divisible by eight
@@ -3410,7 +3431,7 @@ endParsing:
authinfo.url = reqUrl;
authinfo.keepPassword = true;
authinfo.comment = i18n("<b>%1</b> at
<b>%2</b>",
- authinfo.realmValue,
authinfo.url.host());
+
htmlEscape(authinfo.realmValue), authinfo.url.host());

if (!openPasswordDialog(authinfo, errorMsg)) {
if (sendErrorPageNotification()) {
@@ -5122,7 +5143,7 @@ void HTTPProtocol::proxyAuthenticationForSocket(const
QNetworkProxy &proxy, QAut
"to access any sites.");
info.keepPassword = true;
info.commentLabel = i18n("Proxy:");
- info.comment = i18n("<b>%1</b> at <b>%2</b>", info.realmValue,
m_request.proxyUrl.host());
+ info.comment = i18n("<b>%1</b> at <b>%2</b>",
htmlEscape(info.realmValue), m_request.proxyUrl.host());
const bool dataEntered = openPasswordDialog(info, i18n("Proxy
Authentication Failed."));
if (!dataEntered) {
kDebug(7103) << "looks like the user canceled proxy
authentication.";
++++++ 9ca2b26f-kssl-cn-input-validation.diff ++++++
commit 9ca2b26fc67c3f921e1943c1725fca623e395854
Author: David Faure <faure@xxxxxxx>
Date: Thu Jun 30 23:43:45 2011 +0200

Security fix: don't interpret html tags

Credits to Tim Brown for the find.
(cherry picked from commit bd70d4e589711fda9ab07738c46e37eee8376214)

diff --git a/kio/kssl/ksslcertificatebox.cpp b/kio/kssl/ksslcertificatebox.cpp
index 4ffc613..094787a 100644
--- a/kio/kssl/ksslcertificatebox.cpp
+++ b/kio/kssl/ksslcertificatebox.cpp
@@ -36,6 +36,10 @@ KSslCertificateBox::KSslCertificateBox(QWidget *parent)
d(new KSslCertificateBoxPrivate())
{
d->ui.setupUi(this);
+ // No fooling us with html tags
+ Q_FOREACH(QLabel* label, qFindChildren<QLabel *>(this)) {
+ label->setTextFormat(Qt::PlainText);
+ }
}



continue with "q"...



Remember to have fun...

--
To unsubscribe, e-mail: opensuse-commit+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse-commit+help@xxxxxxxxxxxx

< Previous Next >
This Thread
  • No further messages