commit kdelibs4 for openSUSE:11.2

24 Mar 2011

Hello community,

here is the log from the commit of package kdelibs4 for openSUSE:11.2
checked in at Thu Mar 24 18:34:42 CET 2011.



--------
--- old-versions/11.2/UPDATES/all/kdelibs4/kdelibs4.changes	2010-01-31 11:55:07.000000000 +0100
+++ 11.2/kdelibs4/kdelibs4.changes	2011-03-23 18:49:19.000000000 +0100
@@ -1,0 +2,6 @@
+Tue Mar 22 20:05:02 UTC 2011 - wstephenson@novell.com
+
+- Harden SSL verification against poisoned DNS attacks (bnc#669222)
+- Fix launching apps with kdeinit when in su session (bnc#622304)
+
+-------------------------------------------------------------------

calling whatdependson for 11.2-i586


New:
----
  551bfa12-ssl-wildcards.diff
  r1132903-kinit-xauth.diff

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ kdelibs4.spec ++++++
--- /var/tmp/diff_new_pack.4EdMer/_old	2011-03-24 18:33:51.000000000 +0100
+++ /var/tmp/diff_new_pack.4EdMer/_new	2011-03-24 18:33:51.000000000 +0100
@@ -1,7 +1,7 @@
 #
-# spec file for package kdelibs4 (Version 4.3.5)
+# spec file for package kdelibs4
 #
-# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -43,7 +43,7 @@
 Summary:        KDE Base Libraries
 Url:            http://www.kde.org
 Version:        4.3.5
-Release:        0.<RELEASE1>
+Release:        0.<RELEASE3>
 Requires:       libstrigi0 >= %( echo `rpm -q --queryformat '%{VERSION}' strigi-devel`)
 Requires:       soprano >= %( echo `rpm -q --queryformat '%{VERSION}' libsoprano-devel`)
 Recommends:     strigi >= %( echo `rpm -q --queryformat '%{VERSION}' strigi-devel`)
@@ -74,6 +74,8 @@
 Patch21:        policykit-workaround.patch
 Patch22:        oom-protect-fix.diff
 Patch26:        kstyle-no-dynamic-cast-bnc529640.diff
+Patch27:        551bfa12-ssl-wildcards.diff
+Patch28:        r1132903-kinit-xauth.diff
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 %if %suse_version > 1010
 %requires_ge    libqt4-x11
@@ -148,6 +150,8 @@
 %patch21 -p1
 %patch22
 %patch26
+%patch27 -p1
+%patch28 -p3
 #
 # define KDE version exactly
 #

++++++ 551bfa12-ssl-wildcards.diff ++++++

diff --git a/kio/kio/tcpslavebase.cpp b/kio/kio/tcpslavebase.cpp
index 84c9b82..8d66863 100644
--- a/kio/kio/tcpslavebase.cpp
+++ b/kio/kio/tcpslavebase.cpp
@@ -4,6 +4,7 @@
  * Copyright (C) 2001 Dawit Alemayehu <adawit@kde.org>
  * Copyright (C) 2007,2008 Andreas Hartmetz <ahartmetz@gmail.com>
  * Copyright (C) 2008 Roland Harnau <tau@gmx.eu>
+ * Copyright (C) 2010 Richard Moore <rich@kde.org>
  *
  * This file is part of the KDE project
  *
@@ -438,6 +439,49 @@ bool TCPSlaveBase::startSsl()
     return startTLSInternal(KTcpSocket::TlsV1) & ResultOk;
 }
 
+// Find out if a hostname matches an SSL certificate's Common Name (including wildcards)
+static bool isMatchingHostname(const QString &cnIn, const QString &hostnameIn)
+{
+    const QString cn = cnIn.toLower();
+    const QString hostname = hostnameIn.toLower();
+
+    const int wildcard = cn.indexOf(QLatin1Char('*'));
+
+    // Check this is a wildcard cert, if not then just compare the strings
+    if (wildcard < 0)
+        return cn == hostname;
+
+    const int firstCnDot = cn.indexOf(QLatin1Char('.'));
+    const int secondCnDot = cn.indexOf(QLatin1Char('.'), firstCnDot+1);
+
+    // Check at least 3 components
+    if ((-1 == secondCnDot) || (secondCnDot+1 >= cn.length()))
+        return false;
+
+    // Check * is last character of 1st component (ie. there's a following .)
+    if (wildcard+1 != firstCnDot)
+        return false;
+
+    // Check only one star
+    if (cn.lastIndexOf(QLatin1Char('*')) != wildcard)
+        return false;
+
+    // Check characters preceding * (if any) match
+    if (wildcard && (hostname.leftRef(wildcard) != cn.leftRef(wildcard)))
+        return false;
+
+    // Check characters following first . match
+    if (hostname.midRef(hostname.indexOf(QLatin1Char('.'))) != cn.midRef(firstCnDot))
+        return false;
+
+    // Check if the hostname is an IP address, if so then wildcards are not allowed
+    QHostAddress addr(hostname);
+    if (!addr.isNull())
+        return false;
+
+    // Ok, I guess this was a wildcard CN and the hostname matches.
+    return true;
+}
 
 TCPSlaveBase::SslResult TCPSlaveBase::startTLSInternal(uint v_)
 {
@@ -492,25 +536,34 @@ TCPSlaveBase::SslResult TCPSlaveBase::startTLSInternal(uint v_)
     // domain<->certificate matching here.
     d->sslErrors = d->socket.sslErrors();
     QSslCertificate peerCert = d->socket.peerCertificateChain().first();
-    QStringList domainPatterns(peerCert.subjectInfo(QSslCertificate::CommonName));
-    domainPatterns += peerCert.alternateSubjectNames().values(QSsl::DnsEntry);
-    QRegExp domainMatcher(QString(), Qt::CaseInsensitive, QRegExp::Wildcard);
     QMutableListIterator<KSslError> it(d->sslErrors);
     while (it.hasNext()) {
         // As of 4.4.0 Qt does not assign a certificate to the QSslError it emits
         // *in the case of HostNameMismatch*. A HostNameMismatch, however, will always
         // be an error of the peer certificate so we just don't check the error's
         // certificate().
-        if (it.next().error() != KSslError::HostNameMismatch) {
-            continue;
+
+        // Remove all HostNameMismatch, we have to redo name checking later.
+        if (it.next().error() == KSslError::HostNameMismatch) {
+			it.remove();
         }
-        foreach (const QString &dp, domainPatterns) {
-            domainMatcher.setPattern(dp);
-            if (domainMatcher.exactMatch(d->host)) {
-                it.remove();
-            }
+    }
+    // Redo name checking here and (re-)insert HostNameMismatch to sslErrors if
+    // host name does not match any of the names in server certificate.
+    // QSslSocket may not report HostNameMismatch error, when server
+    // certificate was issued for the IP we are connecting to.
+    QStringList domainPatterns(peerCert.subjectInfo(QSslCertificate::CommonName));
+    domainPatterns += peerCert.alternateSubjectNames().values(QSsl::DnsEntry);
+    bool names_match = false;
+    foreach (const QString &dp, domainPatterns) {
+        if (isMatchingHostname(dp,d->host)) {
+            names_match = true;
+            break;
         }
     }
+    if (!names_match) {
+        d->sslErrors.insert(0, KSslError(KSslError::HostNameMismatch, peerCert));
+    }
 
     // The app side needs the metadata now for the SSL error dialog (if any) but
     // the same metadata will be needed later, too. When "later" arrives the slave
++++++ r1132903-kinit-xauth.diff ++++++
--- trunk/KDE/kdelibs/kinit/kinit.cpp	2010/05/31 17:23:24	1132902
+++ trunk/KDE/kdelibs/kinit/kinit.cpp	2010/05/31 17:23:36	1132903
@@ -64,6 +64,7 @@
 #include <klocale.h>
 #include <kdebug.h>
 #include <kde_file.h>
+#include <ksavefile.h>
 
 #ifdef Q_OS_LINUX
 #include <sys/prctl.h>
@@ -1574,6 +1575,42 @@
 {
     XSetIOErrorHandler(kdeinit_xio_errhandler);
     XSetErrorHandler(kdeinit_x_errhandler);
+/*
+    Handle the tricky case of running via kdesu/su/sudo/etc. There the usual case
+    is that kdesu (etc.) creates a file with xauth information, sets XAUTHORITY,
+    runs the command and removes the xauth file after the command finishes. However,
+    dbus and kdeinit daemon currently don't clean up properly and keeping running.
+    Which means that running a KDE app via kdesu the second time talks to kdeinit
+    with obsolete xauth information, which makes it unable to connect to X or launch
+    any X11 applications.
+    Even fixing the cleanup probably wouldn't be sufficient, since it'd be possible to
+    launch one kdesu session, another one, exit the first one and the app from the second
+    session would be using kdeinit from the first one.
+    So the trick here is to duplicate the xauth file to another file in KDE's tmp
+    location, make the file have a consistent name so that future sessions will use it
+    as well, point XAUTHORITY there and never remove the file (except for possible
+    tmp cleanup).
+*/
+    if( !qgetenv( "XAUTHORITY" ).isEmpty()) {
+        QByteArray display = qgetenv( DISPLAY );
+        int i;
+        if((i = display.lastIndexOf('.')) > display.lastIndexOf(':') && i >= 0)
+            display.truncate(i);
+        display.replace(':','_');
+#ifdef __APPLE__
+        display.replace('/','_');
+#endif
+        QString xauth = s_instance->dirs()->saveLocation( "tmp" ) + QLatin1String( "xauth-" )
+            + QString::number( getuid()) + QLatin1String( "-" ) + QString::fromLocal8Bit( display );
+        KSaveFile xauthfile( xauth );
+        QFile xauthfrom( QFile::decodeName( qgetenv( "XAUTHORITY" )));
+        if( !xauthfrom.open( QFile::ReadOnly ) || !xauthfile.open( QFile::WriteOnly )
+            || xauthfile.write( xauthfrom.readAll()) != xauthfrom.size() || !xauthfile.finalize()) {
+            xauthfile.abort();
+        } else {
+            setenv( "XAUTHORITY", QFile::encodeName( xauth ), true );
+        }
+    }
 }
 
 // Borrowed from kdebase/kaudio/kaudioserver.cpp


++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++



Remember to have fun...

-- 
To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-commit+help@opensuse.org

    

root＠hilbert.suse.de

tags

participants (1)