From 56b3144529687a11961d7b412d93a8ef6b51de4b Mon Sep 17 00:00:00 2001 From: Rex Dieter Date: Thu, 22 Sep 2011 11:35:19 -0500 Subject: [PATCH 1/6] pkgconfig-style deps --- kdelibs.spec | 64 ++++++++++++++++++++++++++++------------------------ 1 file changed, 34 insertions(+), 30 deletions(-) diff --git a/kdelibs.spec b/kdelibs.spec index a5b2ba2..b89f770 100644 --- a/kdelibs.spec +++ b/kdelibs.spec @@ -20,7 +20,7 @@ Summary: KDE Libraries Version: 4.7.1 -Release: 1%{?dist} +Release: 3%{?dist} Name: kdelibs Epoch: 6 
@@ -144,51 +144,51 @@ Conflicts: kile < 2.1-0.9 Conflicts: rkward < 0.5.4 BuildRequires: qt4-devel >= %{qt4_ver} -BuildRequires: qt4-webkit-devel +BuildRequires: pkgconfig(QtWebKit) %{?_qt4_version:Requires: qt4%{?_isa} >= %{_qt4_version}} Requires: xdg-utils Requires: redhat-menus Requires(post): /sbin/ldconfig Requires(postun): /sbin/ldconfig -BuildRequires: alsa-lib-devel -BuildRequires: attica-devel >= %{attica_ver} BuildRequires: automoc4 >= 0.9.88 -BuildRequires: avahi-devel BuildRequires: bison flex BuildRequires: bzip2-devel BuildRequires: cmake >= 2.6.4 BuildRequires: cups-devel cups -BuildRequires: enchant-devel -BuildRequires: gamin-devel BuildRequires: gettext-devel BuildRequires: giflib-devel BuildRequires: grantlee-devel BuildRequires: herqq-devel -BuildRequires: jasper-devel BuildRequires: krb5-devel BuildRequires: libacl-devel libattr-devel BuildRequires: libjpeg-devel BuildRequires: libpng-devel -BuildRequires: libtiff-devel -BuildRequires: libxslt-devel libxml2-devel -BuildRequires: libudev-devel BuildRequires: libutempter-devel -BuildRequires: OpenEXR-devel -BuildRequires: openssl-devel -BuildRequires: pcre-devel -BuildRequires: phonon-devel >= %{phonon_ver} -BuildRequires: polkit-qt-devel >= 0.98.1 -BuildRequires: qca2-devel -BuildRequires: shared-desktop-ontologies-devel >= %{shared_desktop_ontologies_ver} +BuildRequires: pkgconfig(alsa) +BuildRequires: pkgconfig(avahi-core) +BuildRequires: pkgconfig(dbusmenu-qt) +BuildRequires: pkgconfig(enchant) +BuildRequires: pkgconfig(gamin) +BuildRequires: pkgconfig(jasper) +BuildRequires: pkgconfig(libattica) >= %{attica_ver} +BuildRequires: pkgconfig(liblzma) +BuildRequires: pkgconfig(libpcre) +BuildRequires: pkgconfig(libstreams) >= %{strigi_ver} +BuildRequires: pkgconfig(libudev) +BuildRequires: pkgconfig(libxslt) pkgconfig(libxml-2.0) +BuildRequires: pkgconfig(OpenEXR) +BuildRequires: pkgconfig(openssl) +BuildRequires: pkgconfig(phonon) >= %{phonon_ver} +BuildRequires: pkgconfig(polkit-qt-1) 
+BuildRequires: pkgconfig(qca2) +BuildRequires: pkgconfig(shared-desktop-ontologies) >= %{shared_desktop_ontologies_ver} +BuildRequires: pkgconfig(soprano) >= %{soprano_ver} BuildRequires: shared-mime-info -BuildRequires: soprano-devel >= %{soprano_ver} -BuildRequires: strigi-devel >= %{strigi_ver} -BuildRequires: xz-devel BuildRequires: zlib-devel -BuildRequires: dbusmenu-qt-devel # extra X deps (seemingly needed and/or checked-for by most kde4 buildscripts) -%define x_deps libSM-devel libXcomposite-devel libXdamage-devel libxkbfile-devel libXpm-devel libXScrnSaver-devel libXtst-devel libXv-devel libXxf86misc-devel +#define x_deps libSM-devel libXcomposite-devel libXdamage-devel libxkbfile-devel libXpm-devel libXScrnSaver-devel libXtst-devel libXv-devel libXxf86misc-devel +%define x_deps pkgconfig(sm) pkgconfig(xcomposite) pkgconfig(xdamage) pkgconfig(xkbfile) pkgconfig(xpm) pkgconfig(xscrnsaver) pkgconfig(xtst) pkgconfig(xv) pkgconfig(xxf86misc) %{?x_deps:BuildRequires: %{x_deps}} Requires: udisks upower 
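Review bot: Two build dependencies lose information in this hunk: `BuildRequires: libtiff-devel` is removed with no pkgconfig() counterpart added, and `polkit-qt-devel >= 0.98.1` becomes `pkgconfig(polkit-qt-1)` without the version floor. If TIFF support now arrives only through another package's dependencies, a later change there could build kdelibs without it and nothing in the spec would flag it. Keeping `BuildRequires: libtiff-devel` makes the requirement explicit. For polkit-qt, `BuildRequires: pkgconfig(polkit-qt-1) >= 0.98.1` would keep the minimum, assuming the .pc file's version follows the package version.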
@@ -237,19 +237,20 @@ Requires: %{name} = %{?epoch:%{epoch}:}%{version}-%{release} Obsoletes: kdelibs4-devel < %{version}-%{release} Provides: kdelibs4-devel = %{version}-%{release} %{?_isa:Provides: kdelibs4-devel%{?_isa} = %{version}-%{release}} -Requires: attica-devel >= %{attica_ver} +Requires: pkgconfig(attica) >= %{attica_ver} Requires: automoc4 >= 0.9.88 Requires: cmake >= 2.6.4 -Requires: openssl-devel -Requires: phonon-devel +Requires: pkgconfig(openssl) +Requires: pkgconfig(phonon) Provides: nepomuk-devel = %{version}-%{release} # considered part of nepomuk-devel -Requires: shared-desktop-ontologies-devel soprano-devel +Requires: pkgconfig(shared-desktop-ontologies) pkgconfig(soprano) Requires: qt4-devel -Requires: qt4-webkit-devel +Requires: pkgconfig(QtWebKit) # do we really still need all these below? -- Rex -Requires: strigi-devel -Requires: bzip2-devel gamin-devel libacl-devel +Requires: pkgconfig(libstreams) +Requires: pkgconfig(gamin) +Requires: bzip2-devel libacl-devel %{?x_deps:Requires: %{x_deps}} %description devel @@ -561,6 +562,9 @@ rm -rf %{buildroot} %changelog +* Thu Sep 22 2011 Rex Dieter 4.7.1-3 +- pkgconfig-style deps + * Fri Sep 02 2011 Than Ngo - 4.7.1-1 - 4.7.1 From 20d5931c2d64b2c928ba40b1c67c7a592d78cb08 Mon Sep 17 00:00:00 2001 From: Rex Dieter Date: Thu, 22 Sep 2011 11:56:41 -0500 Subject: [PATCH 2/6] - move kde4_appsdir/kdewidgets to main pkg (pairs with kdewidgets designer plugin) --- kdelibs.spec | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/kdelibs.spec b/kdelibs.spec index b89f770..d8cf154 100644 --- a/kdelibs.spec +++ b/kdelibs.spec @@ -462,6 +462,7 @@ rm -rf %{buildroot} %{_kde4_appsdir}/kcharselect/ %{_kde4_appsdir}/kcm_componentchooser/ %{_kde4_appsdir}/kconf_update/ +%{_kde4_appsdir}/kdewidgets/ %{_kde4_appsdir}/khtml/ %{_kde4_appsdir}/kjava/ %{_kde4_appsdir}/knewstuff/ 
@@ -544,7 +545,6 @@ rm -rf %{buildroot} %endif %{_kde4_bindir}/kde4-doxygen.sh %{_kde4_appsdir}/cmake/ -%{_kde4_appsdir}/kdewidgets/ %{_kde4_includedir}/* %{_kde4_libdir}/kde4/devel/ @@ -564,6 +564,7 @@ rm -rf %{buildroot} %changelog * Thu Sep 22 2011 Rex Dieter 4.7.1-3 - pkgconfig-style deps +- move kde4_appsdir/kdewidgets to main pkg (pairs with kdewidgets designer plugin) * Fri Sep 02 2011 Than Ngo - 4.7.1-1 - 4.7.1 From 66a25543f545e576321ab843418815368e41373d Mon Sep 17 00:00:00 2001 From: Kevin Kofler Date: Wed, 28 Sep 2011 01:51:17 +0200 Subject: [PATCH 3/6] * Tue Sep 27 2011 Kevin Kofler 4.7.1-4 - updated Plasma data engine dependency extraction patch: - added support for declarativeappletscript QML code - plasma-dataengine-depextractor command-line tool: - make sure we pass an absolute path to KDesktopFile - autodetect the API/language used, drop --api command-line argument --- ...tic-scanning-of-source-code-for-requ.patch | 57 ++++++++++++------- kdelibs.spec | 9 ++- 2 files changed, 43 insertions(+), 23 deletions(-) diff --git a/0003-Implement-automatic-scanning-of-source-code-for-requ.patch b/0003-Implement-automatic-scanning-of-source-code-for-requ.patch index 250e5ea..dc155f7 100644 --- a/0003-Implement-automatic-scanning-of-source-code-for-requ.patch +++ b/0003-Implement-automatic-scanning-of-source-code-for-requ.patch @@ -1,5 +1,5 @@ -From 1ce984bda1bb6a06f237240069a9f3a554cbbf37 Mon Sep 17 00:00:00 2001 -Message-Id: <1ce984bda1bb6a06f237240069a9f3a554cbbf37.1313890335.git.kevin.kofler@chello.at> +From 89e4767148110a5566e463a03b3ed594276b7da0 Mon Sep 17 00:00:00 2001 +Message-Id: <89e4767148110a5566e463a03b3ed594276b7da0.1317166378.git.kevin.kofler@chello.at> From: Kevin Kofler Date: Wed, 17 Aug 2011 04:54:37 +0200 Subject: [PATCH] Implement automatic scanning of source code for required 
@@ -20,11 +20,11 @@ fill in X-Plasma-RequiredDataEngines manually. (Please note that the list is expected to be comma-separated.) --- plasma/CMakeLists.txt | 15 ++++ - plasma/depextractor/depextractor.cpp | 115 +++++++++++++++++++++++++++++++++ + plasma/depextractor/depextractor.cpp | 125 +++++++++++++++++++++++++++++++++ plasma/package.cpp | 11 +++ - plasma/private/componentinstaller.cpp | 68 +++++++++++++++++++ - plasma/private/componentinstaller_p.h | 17 +++++- - 5 files changed, 225 insertions(+), 1 deletions(-) + plasma/private/componentinstaller.cpp | 71 +++++++++++++++++++ + plasma/private/componentinstaller_p.h | 17 ++++- + 5 files changed, 238 insertions(+), 1 deletions(-) diff --git a/plasma/CMakeLists.txt b/plasma/CMakeLists.txt index f929967..9a760ef 100644 @@ -58,10 +58,10 @@ index f929967..9a760ef 100644 +endif(NOT PLASMA_NO_PACKAGEKIT) diff --git a/plasma/depextractor/depextractor.cpp b/plasma/depextractor/depextractor.cpp new file mode 100644 -index 0000000..221b88b +index 0000000..c489de7 --- /dev/null +++ b/plasma/depextractor/depextractor.cpp -@@ -0,0 +1,115 @@ +@@ -0,0 +1,125 @@ +/* Plasma Data Engine dependency extractor + Copyright (C) 2011 Kevin Kofler + @@ -92,6 +92,21 @@ index 0000000..221b88b + +#include "private/componentinstaller_p.h" + ++static QString scriptingApi(const QString &desktopFile) ++{ ++ KDesktopFile desktop(desktopFile); ++ KConfigGroup desktopGroup = desktop.desktopGroup(); ++ if (desktopGroup.readEntry("X-KDE-ServiceTypes", QStringList()) ++ .contains("Plasma/ScriptEngine") ++ || desktopGroup.readEntry("ServiceTypes", QStringList()) ++ .contains("Plasma/ScriptEngine")) { ++ /* Script engines are always written in C++. Their X-Plasma-API is the ++ API they export, not the language they're written in. */ ++ return QString(); ++ } ++ return desktopGroup.readEntry("X-Plasma-API", QString()); ++} ++ +static void writeDataEngineDependencies(const QStringList &deps, + const QString &desktopFile) +{ 
@@ -105,16 +120,13 @@ index 0000000..221b88b +{ + KAboutData aboutData("plasma-dataengine-depextractor", QByteArray(), + ki18n("Plasma Data Engine dependency extractor"), -+ "1", ++ "2", + ki18n("Plasma Data Engine dependency extractor")); + aboutData.addAuthor(ki18n("Kevin Kofler"), ki18n("Author"), + "kevin.kofler@chello.at"); + + KCmdLineArgs::init(argc, argv, &aboutData); + KCmdLineOptions options; -+ options.add("a") -+ .add("api ", -+ ki18n("Sets the name of the scripting API/language")); + options.add("+[path]", + ki18n("Source path (default: .)")); + options.add("+[file]", @@ -129,10 +141,7 @@ index 0000000..221b88b + + int exitCode = 0; + -+ QString api, path, desktopFile; -+ if (args->isSet("api")) { -+ api = args->getOption("api"); -+ } ++ QString path, desktopFile; + int argCount = args->count(); + switch (argCount) { + case 0: @@ -159,12 +168,13 @@ index 0000000..221b88b + + if (!exitCode) { + if (QFileInfo(desktopFile).isRelative()) -+ desktopFile = QDir(path).filePath(desktopFile); ++ desktopFile = QDir(path).absoluteFilePath(desktopFile); + + if (QFileInfo(desktopFile).exists()) { + writeDataEngineDependencies(Plasma::ComponentInstaller::self() -+ ->extractDataEngineDependencies(path, -+ api), ++ ->extractDataEngineDependencies( ++ path, ++ scriptingApi(desktopFile)), + desktopFile); + } else { + QTextStream err(stderr, QIODevice::WriteOnly | QIODevice::Text); @@ -200,7 +210,7 @@ index 0a45c87..131f204 100644 QStringList knownDataEngines = DataEngineManager::self()->listAllEngines(meta.application()); foreach (const QString &requiredDataEngine, requiredDataEngines) { diff --git a/plasma/private/componentinstaller.cpp b/plasma/private/componentinstaller.cpp -index 870667f..2c8c2dd 100644 +index 870667f..087d1c6 100644 --- a/plasma/private/componentinstaller.cpp +++ b/plasma/private/componentinstaller.cpp @@ -28,6 +28,10 @@ 
@@ -228,7 +238,7 @@ index 870667f..2c8c2dd 100644 QStringList resources; resources.append(searchString); packageKit.asyncCall(QLatin1String("InstallResources"), (unsigned int) wid, -@@ -100,4 +108,64 @@ void ComponentInstaller::installMissingComponent(const QString &type, +@@ -100,4 +108,67 @@ void ComponentInstaller::installMissingComponent(const QString &type, #endif } @@ -251,6 +261,9 @@ index 870667f..2c8c2dd 100644 + nameFilters.append("*.hxx"); + nameFilters.append("*.hh"); + nameFilters.append("*.H"); ++ } else if (api == "declarativeappletscript") { ++ nameFilters.append("*.qml"); ++ searchRegExp = QRegExp("(?:^\\s*engine:\\s*|dataEngine *\\( *)\"([^\"]+)\""); + } else if (api == "javascript") { + nameFilters.append("*.js"); + } else if (api == "python") { @@ -329,5 +342,5 @@ index f85cbb6..d0d9c75 100644 /** * Default constructor. The singleton method self() is the -- -1.7.4.4 +1.7.6.2 diff --git a/kdelibs.spec b/kdelibs.spec index d8cf154..e20828f 100644 --- a/kdelibs.spec +++ b/kdelibs.spec @@ -20,7 +20,7 @@ Summary: KDE Libraries Version: 4.7.1 -Release: 3%{?dist} +Release: 4%{?dist} Name: kdelibs Epoch: 6 @@ -562,6 +562,13 @@ rm -rf %{buildroot} %changelog +* Tue Sep 27 2011 Kevin Kofler 4.7.1-4 +- updated Plasma data engine dependency extraction patch: + - added support for declarativeappletscript QML code + - plasma-dataengine-depextractor command-line tool: + - make sure we pass an absolute path to KDesktopFile + - autodetect the API/language used, drop --api command-line argument + * Thu Sep 22 2011 Rex Dieter 4.7.1-3 - pkgconfig-style deps - move kde4_appsdir/kdewidgets to main pkg (pairs with kdewidgets designer plugin) From d50b994714fc9d5b9814cbbf6e476903e39413d2 Mon Sep 17 00:00:00 2001 From: Rex Dieter Date: Wed, 28 Sep 2011 14:54:40 -0500 Subject: [PATCH 4/6] devel: s/pkgconfig(attica)/pkgconfig(libattica)/ --- kdelibs.spec | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) 
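Review bot: In the added `declarativeappletscript` branch the two alternatives of `searchRegExp` treat whitespace differently: the `engine:` form uses `\\s*`, while the `dataEngine(` form uses literal spaces (` *\\( *`), so a tab or line break next to the parenthesis is not matched. Writing the second alternative as `dataEngine\\s*\\(\\s*` would make them consistent. The capture `([^\"]+)` also accepts commas and whitespace, and the patch description says the resulting X-Plasma-RequiredDataEngines list is comma-separated, so restricting the capture to the characters an engine name can contain would keep one odd string from splitting into several entries. The `^` anchor deserves a one-line comment stating that matching is done per line, if that is what the scanning loop does; the loop is outside this hunk, so this needs confirming.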
diff --git a/kdelibs.spec b/kdelibs.spec index e20828f..0bcaee6 100644 --- a/kdelibs.spec +++ b/kdelibs.spec @@ -20,7 +20,7 @@ Summary: KDE Libraries Version: 4.7.1 -Release: 4%{?dist} +Release: 5%{?dist} Name: kdelibs Epoch: 6 @@ -233,16 +233,16 @@ Summary: Header files for compiling KDE 4 applications Obsoletes: webkitkde-devel < 0.0.6 %endif Provides: plasma-devel = %{version}-%{release} +Provides: nepomuk-devel = %{version}-%{release} Requires: %{name} = %{?epoch:%{epoch}:}%{version}-%{release} Obsoletes: kdelibs4-devel < %{version}-%{release} Provides: kdelibs4-devel = %{version}-%{release} %{?_isa:Provides: kdelibs4-devel%{?_isa} = %{version}-%{release}} -Requires: pkgconfig(attica) >= %{attica_ver} Requires: automoc4 >= 0.9.88 Requires: cmake >= 2.6.4 +Requires: pkgconfig(libattica) >= %{attica_ver} Requires: pkgconfig(openssl) Requires: pkgconfig(phonon) -Provides: nepomuk-devel = %{version}-%{release} # considered part of nepomuk-devel Requires: pkgconfig(shared-desktop-ontologies) pkgconfig(soprano) Requires: qt4-devel @@ -562,6 +562,9 @@ rm -rf %{buildroot} %changelog +* Wed Sep 28 2011 Rex Dieter 4.7.1-5 +- -devel: s/pkgconfig(attica)/pkgconfig(libattica)/ + * Tue Sep 27 2011 Kevin Kofler 4.7.1-4 - updated Plasma data engine dependency extraction patch: - added support for declarativeappletscript QML code From 1683ac4f78f00210bcdcc69e9c2f409a7bae062b Mon Sep 17 00:00:00 2001 From: Lukas Tinkl Date: Tue, 4 Oct 2011 17:41:35 +0200 Subject: [PATCH 5/6] Resolves #743056 - CVE-2011-3365 kdelibs: input validation failure in KSSL --- kdelibs-4.7.1-CVE-2011-3365.patch | 84 +++++++++++++++++++++++++++++++ kdelibs.spec | 11 +++- 2 files changed, 93 insertions(+), 2 deletions(-) create mode 100644 kdelibs-4.7.1-CVE-2011-3365.patch diff --git a/kdelibs-4.7.1-CVE-2011-3365.patch b/kdelibs-4.7.1-CVE-2011-3365.patch new file mode 100644 index 0000000..f01d6f1 --- /dev/null +++ b/kdelibs-4.7.1-CVE-2011-3365.patch 
@@ -0,0 +1,84 @@ +commit 9ca2b26fc67c3f921e1943c1725fca623e395854 +Author: David Faure +Date: Thu Jun 30 23:43:45 2011 +0200 + + Security fix: don't interpret html tags + + Credits to Tim Brown for the find. + (cherry picked from commit bd70d4e589711fda9ab07738c46e37eee8376214) + +diff --git a/kio/kssl/ksslcertificatebox.cpp b/kio/kssl/ksslcertificatebox.cpp +index 4ffc613..094787a 100644 +--- a/kio/kssl/ksslcertificatebox.cpp ++++ b/kio/kssl/ksslcertificatebox.cpp +@@ -36,6 +36,10 @@ KSslCertificateBox::KSslCertificateBox(QWidget *parent) + d(new KSslCertificateBoxPrivate()) + { + d->ui.setupUi(this); ++ // No fooling us with html tags ++ Q_FOREACH(QLabel* label, qFindChildren(this)) { ++ label->setTextFormat(Qt::PlainText); ++ } + } + + +commit 90607b28d21fefc43657ca08b889bdb174c31fab +Author: David Faure +Date: Wed Sep 28 17:26:47 2011 +0200 + + Use HTML escaping on texts that come from the website + + Interestingly enough, this is yet another use case for moving Qt::escape + to QtCore, which I made a merge request for. + (cherry picked from commit 86622e4db182f4b914169f72ebd1e66d708e9f87) + +diff --git a/kioslave/http/http.cpp b/kioslave/http/http.cpp +index 33f4cb1..6447a02 100644 +--- a/kioslave/http/http.cpp ++++ b/kioslave/http/http.cpp +@@ -99,6 +99,27 @@ + //authentication handlers + #include "httpauthentication.cpp" + ++// KDE5 TODO (QT5) : use QString::htmlEscape or whatever https://qt.gitorious.org/qt/qtbase/merge_requests/56 ++// ends up with. 
++static QString htmlEscape(const QString &plain) ++{ ++ QString rich; ++ rich.reserve(int(plain.length() * 1.1)); ++ for (int i = 0; i < plain.length(); ++i) { ++ if (plain.at(i) == QLatin1Char('<')) ++ rich += QLatin1String("<"); ++ else if (plain.at(i) == QLatin1Char('>')) ++ rich += QLatin1String(">"); ++ else if (plain.at(i) == QLatin1Char('&')) ++ rich += QLatin1String("&"); ++ else if (plain.at(i) == QLatin1Char('"')) ++ rich += QLatin1String("""); ++ else ++ rich += plain.at(i); ++ } ++ rich.squeeze(); ++ return rich; ++} + + // see filenameFromUrl(): a sha1 hash is 160 bits + static const int s_hashedUrlBits = 160; // this number should always be divisible by eight +@@ -3410,7 +3431,7 @@ endParsing: + authinfo.url = reqUrl; + authinfo.keepPassword = true; + authinfo.comment = i18n("%1 at %2", +- authinfo.realmValue, authinfo.url.host()); ++ htmlEscape(authinfo.realmValue), authinfo.url.host()); + + if (!openPasswordDialog(authinfo, errorMsg)) { + if (sendErrorPageNotification()) { +@@ -5122,7 +5143,7 @@ void HTTPProtocol::proxyAuthenticationForSocket(const QNetworkProxy &proxy, QAut + "to access any sites."); + info.keepPassword = true; + info.commentLabel = i18n("Proxy:"); +- info.comment = i18n("%1 at %2", info.realmValue, m_request.proxyUrl.host()); ++ info.comment = i18n("%1 at %2", htmlEscape(info.realmValue), m_request.proxyUrl.host()); + const bool dataEntered = openPasswordDialog(info, i18n("Proxy Authentication Failed.")); + if (!dataEntered) { + kDebug(7103) << "looks like the user canceled proxy authentication."; diff --git a/kdelibs.spec b/kdelibs.spec index 0bcaee6..83e5a2b 100644 --- a/kdelibs.spec +++ b/kdelibs.spec @@ -20,7 +20,7 @@ Summary: KDE Libraries Version: 4.7.1 -Release: 5%{?dist} +Release: 6%{?dist} Name: kdelibs Epoch: 6 
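Review bot: `htmlEscape()` is applied only to `realmValue` at the two `i18n("%1 at %2", …)` call sites in http.cpp, so the escaping protects these two strings and not the dialog that renders them. Any other server-supplied text that reaches the password dialog from this or another ioslave would presumably still be interpreted as rich text. Forcing plain text at the widget, as the first half of this patch does for `KSslCertificateBox` with `label->setTextFormat(Qt::PlainText);`, would cover every caller, and the call-site escaping could stay as defence in depth. That loop only covers labels that exist when the constructor runs, which a short comment there should say. As displayed on this page the replacement literals in `htmlEscape()` are identical to the characters being matched and `qFindChildren(this)` has no template argument, which looks like a rendering artefact, so the shipped patch file should be checked to carry the entity forms (`&lt;`, `&gt;`, `&amp;`, `&quot;`) and `qFindChildren<QLabel*>(this)`.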
@@ -127,6 +127,9 @@ Patch51: kdelibs-4.6.2-uri_mimetypes.patch # Not Upstreamed? why not ? -- Rex Patch200: kdelibs-4.3.1-CVE-2009-2702.patch +# kdelibs KSSL/kio_http vulnerability +Patch201: kdelibs-4.7.1-CVE-2011-3365.patch + ## Fedora specific patches # make forcefully hal-free build Patch300: kdelibs-4.6.80-halectomy.patch @@ -314,8 +317,9 @@ sed -i -e "s|@@VERSION_RELEASE@@|%{version}-%{release}|" kio/kio/kprotocolmanage # upstream patches -# security fix +# security fixes %patch200 -p1 -b .CVE-2009-2702 +%patch201 -p1 -b .CVE-2011-3365 # Fedora patches %patch300 -p1 -b .halectomy @@ -562,6 +566,9 @@ rm -rf %{buildroot} %changelog +* Tue Oct 04 2011 Lukas Tinkl - 4.7.1-6 +- Resolves #743056 - CVE-2011-3365 kdelibs: input validation failure in KSSL + * Wed Sep 28 2011 Rex Dieter 4.7.1-5 - -devel: s/pkgconfig(attica)/pkgconfig(libattica)/ From ca3920c5b09db7e51003b0f89db612654f32f7db Mon Sep 17 00:00:00 2001 From: Lukas Tinkl Date: Tue, 4 Oct 2011 18:07:19 +0200 Subject: [PATCH 6/6] adjust patch to apply cleanly --- kdelibs-4.7.1-CVE-2011-3365.patch | 45 +++++++++---------------------- 1 file changed, 12 insertions(+), 33 deletions(-) diff --git a/kdelibs-4.7.1-CVE-2011-3365.patch b/kdelibs-4.7.1-CVE-2011-3365.patch index f01d6f1..3506dee 100644 --- a/kdelibs-4.7.1-CVE-2011-3365.patch +++ b/kdelibs-4.7.1-CVE-2011-3365.patch 
@@ -1,17 +1,7 @@ -commit 9ca2b26fc67c3f921e1943c1725fca623e395854 -Author: David Faure -Date: Thu Jun 30 23:43:45 2011 +0200 - - Security fix: don't interpret html tags - - Credits to Tim Brown for the find. - (cherry picked from commit bd70d4e589711fda9ab07738c46e37eee8376214) - -diff --git a/kio/kssl/ksslcertificatebox.cpp b/kio/kssl/ksslcertificatebox.cpp -index 4ffc613..094787a 100644 ---- a/kio/kssl/ksslcertificatebox.cpp -+++ b/kio/kssl/ksslcertificatebox.cpp -@@ -36,6 +36,10 @@ KSslCertificateBox::KSslCertificateBox(QWidget *parent) +diff -ur kdelibs-orig/kio/kssl/ksslcertificatebox.cpp kdelibs-4.7.1/kio/kssl/ksslcertificatebox.cpp +--- kdelibs-orig/kio/kssl/ksslcertificatebox.cpp 2011-05-20 22:24:54.000000000 +0200 ++++ kdelibs-4.7.1/kio/kssl/ksslcertificatebox.cpp 2011-10-04 18:05:51.542741747 +0200 +@@ -36,6 +36,10 @@ d(new KSslCertificateBoxPrivate()) { d->ui.setupUi(this); 
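Review bot: Regenerating the patch with `diff -ur` drops the upstream commit header here and again in the `@@ -22,23 +12,12 @@` hunk, so the packaged file no longer records which upstream changes it carries or who reported the issue. For a security patch that provenance is what lets a later reviewer confirm that the backport matches upstream and is complete. Lines before the first `diff` header are ignored when the patch is applied, so a short preamble can be kept, for example `Backport of upstream bd70d4e589711fda9ab07738c46e37eee8376214 and 86622e4db182f4b914169f72ebd1e66d708e9f87 (CVE-2011-3365), rediffed against 4.7.1`. The rediff also moves the `htmlEscape()` insertion from after `httpauthentication.cpp` to after `parsinghelpers.cpp`, which is fine as long as the helper is still defined before its first use.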
@@ -22,23 +12,12 @@ index 4ffc613..094787a 100644 } -commit 90607b28d21fefc43657ca08b889bdb174c31fab -Author: David Faure -Date: Wed Sep 28 17:26:47 2011 +0200 - - Use HTML escaping on texts that come from the website - - Interestingly enough, this is yet another use case for moving Qt::escape - to QtCore, which I made a merge request for. - (cherry picked from commit 86622e4db182f4b914169f72ebd1e66d708e9f87) - -diff --git a/kioslave/http/http.cpp b/kioslave/http/http.cpp -index 33f4cb1..6447a02 100644 ---- a/kioslave/http/http.cpp -+++ b/kioslave/http/http.cpp -@@ -99,6 +99,27 @@ - //authentication handlers - #include "httpauthentication.cpp" +diff -ur kdelibs-orig/kioslave/http/http.cpp kdelibs-4.7.1/kioslave/http/http.cpp +--- kdelibs-orig/kioslave/http/http.cpp 2011-08-22 15:22:03.000000000 +0200 ++++ kdelibs-4.7.1/kioslave/http/http.cpp 2011-10-04 18:05:51.544741717 +0200 +@@ -86,6 +86,27 @@ + //string parsing helpers and HeaderTokenizer implementation + #include "parsinghelpers.cpp" +// KDE5 TODO (QT5) : use QString::htmlEscape or whatever https://qt.gitorious.org/qt/qtbase/merge_requests/56 +// ends up with. @@ -64,7 +43,7 @@ index 33f4cb1..6447a02 100644 // see filenameFromUrl(): a sha1 hash is 160 bits static const int s_hashedUrlBits = 160; // this number should always be divisible by eight -@@ -3410,7 +3431,7 @@ endParsing: +@@ -3431,7 +3452,7 @@ authinfo.url = reqUrl; authinfo.keepPassword = true; authinfo.comment = i18n("%1 at %2", @@ -73,7 +52,7 @@ index 33f4cb1..6447a02 100644 if (!openPasswordDialog(authinfo, errorMsg)) { if (sendErrorPageNotification()) { -@@ -5122,7 +5143,7 @@ void HTTPProtocol::proxyAuthenticationForSocket(const QNetworkProxy &proxy, QAut +@@ -5262,7 +5283,7 @@ "to access any sites."); info.keepPassword = true; info.commentLabel = i18n("Proxy:");