From 340421a01052d013a14979d8bd4b485b68c1c0b2 Mon Sep 17 00:00:00 2001 From: Than Ngo Date: Fri, 26 Aug 2011 21:43:42 +0200 Subject: [PATCH 1/5] drop kdelibs-4.3.1-drkonq.patch which is merged in upstream --- kdelibs-4.3.1-drkonq.patch | 12 ------------ kdelibs.spec | 33 ++++++++++++++++++++++----------- 2 files changed, 22 insertions(+), 23 deletions(-) delete mode 100644 kdelibs-4.3.1-drkonq.patch diff --git a/kdelibs-4.3.1-drkonq.patch b/kdelibs-4.3.1-drkonq.patch deleted file mode 100644 index 060a4da..0000000 --- a/kdelibs-4.3.1-drkonq.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff -up kdelibs-4.3.1/kdeui/util/kcrash.cpp.orig kdelibs-4.3.1/kdeui/util/kcrash.cpp ---- kdelibs-4.3.1/kdeui/util/kcrash.cpp.orig 2009-09-21 17:42:19.000000000 +0200 -+++ kdelibs-4.3.1/kdeui/util/kcrash.cpp 2009-09-21 17:43:44.000000000 +0200 -@@ -67,7 +67,7 @@ static char *s_autoRestartCommand = 0; - static char *s_appPath = 0; - static char *s_drkonqiPath = 0; - static KCrash::CrashFlags s_flags = 0; --static bool s_launchDrKonqi = true; -+static bool s_launchDrKonqi = false; - - namespace KCrash - { diff --git a/kdelibs.spec b/kdelibs.spec index 8049520..0583298 100644 --- a/kdelibs.spec +++ b/kdelibs.spec @@ -14,9 +14,14 @@ %define halectomy 1 +%global dbusmenu_qt_version %(pkg-config --modversion dbusmenu-qt 2>/dev/null || echo %{dbusmenu_qt_ver}) +%global phonon_version %(pkg-config --modversion phonon 2>/dev/null || echo %{phonon_ver} +%global soprano_version %(pkg-config --modversion soprano 2>/dev/null || echo %{soprano_ver}) +%global strigi_version %(pkg-config --modversion libstreams 2>/dev/null || echo %{strigi_ver}) + Summary: KDE Libraries Version: 4.6.5 -Release: 2%{?dist} +Release: 3%{?dist} Name: kdelibs Epoch: 6 @@ -36,7 +41,6 @@ BuildRequires: kde-filesystem >= 4-23 BuildRequires: docbook-dtds BuildRequires: docbook-style-xsl >= %{docbook_style_xsl_ver} Requires: ca-certificates -%global dbusmenu_qt_version %(pkg-config --modversion dbusmenu-qt 2>/dev/null || echo %{dbusmenu_qt_ver}) Requires: dbusmenu-qt%{?_isa} >= %{dbusmenu_qt_version} Requires: docbook-dtds Requires: docbook-style-xsl >= %{docbook_style_xsl_ver} @@ -50,38 +54,42 @@ Requires: hunspell # beware of possible bootstrapping problems -- Rex # reverted %%{version} => 4.6.2 due to some (hopefully temporary) regressions seen in 4.6.3 -- Rex Requires: oxygen-icon-theme >= 4.6.2 -%global phonon_version %(pkg-config --modversion phonon 2>/dev/null || echo %{phonon_ver}) Requires: phonon%{?_isa} >= %{phonon_version} Requires: shared-desktop-ontologies >= 0.4 Requires: shared-mime-info -%global soprano_version %(pkg-config --modversion soprano 2>/dev/null || echo %{soprano_ver}) Requires: soprano%{?_isa} >= %{soprano_version} -%global strigi_version %(pkg-config --modversion libstreams 2>/dev/null || echo %{strigi_ver}) Requires: strigi-libs%{?_isa} >= %{strigi_version} # make kdelibs-devel parallel-installable with kdelibs3-devel Patch0: kdelibs-4.5.80-parallel_devel.patch + # fix kde#149705 Patch2: kdelibs-4.2.85-kde149705.patch + # install all .css files and Doxyfile.global in kdelibs-common to build # kdepimlibs-apidocs against Patch8: kdelibs-4.3.90-install_all_css.patch + # add Fedora/V-R to KHTML UA string Patch9: kdelibs-4.5.80-branding.patch + # don't cache kdeglobals paths because they change after profile directories # are loaded from kde4rc Patch10: kdelibs-4.1.72-no-cache-kdeglobals-paths.patch + # adds the Administration menu from redhat-menus which equals System + Settings # This prevents the stuff getting listed twice, under both System and Settings. Patch12: kdelibs-4.1.0-xdg-menu.patch + # patch KStandardDirs to use %{_libexecdir}/kde4 instead of %{_libdir}/kde4/libexec Patch14: kdelibs-4.5.80-libexecdir.patch + # kstandarddirs changes: search /etc/kde, find %{_kde4_libexecdir} Patch18: kdelibs-4.5.80-kstandarddirs.patch -# COMMENT ME PLEASE + +# set build type Patch20: kdelibs-4.1.70-cmake.patch -# disable drkonqi by default, RHEL prefers/wants abrt -Patch24: kdelibs-4.3.1-drkonq.patch + # die rpath die, since we're using standard paths, we can avoid # this extra hassle (even though cmake is *supposed* to not add standard # paths (like /usr/lib64) already! With this, we can drop @@ -93,9 +101,11 @@ Patch27: kdelibs-4.5.80-no_rpath.patch # reverting to our past gnupg2-only setup. # TODO: try to use either gpg or gpg2, whichever is available Patch50: kdelibs-4.5.1-knewstuff_gpg2.patch + # https://bugs.kde.org/show_bug.cgi?id=269045 # https://git.reviewboard.kde.org/r/101231/ Patch51: kdelibs-4.6.2-uri_mimetypes.patch + # Fix for KHTML form completion regression (kde#277457) from bugs.kde.org # attachment (patch by Andrea Iacovitti) # https://bugs.kde.org/show_bug.cgi?id=277457#c2 @@ -104,6 +114,7 @@ Patch52: kdelibs-4.6.5-khtml-kde#277457.patch ## 4.6 upstream # fix docbook-style-xsl borkage Patch101: kdelibs-4.6.4-kdoctools_docbook.patch + # http://bugzilla.redhat.com/667787 # http://bugs.kde.org/261180 Patch102: kdelibs-4.6.4-kstatusnotifieritemdbus_leak.patch @@ -278,9 +289,6 @@ sed -i -e "s|@@VERSION_RELEASE@@|%{version}-%{release}|" kio/kio/kprotocolmanage %patch14 -p1 -b .libexecdir %patch18 -p1 -b .kstandarddirs %patch20 -p1 -b .xxcmake -%if 0%{?rhel} > 5 -%patch24 -p1 -b .drkonq -%endif %patch27 -p1 -b .no_rpath # upstreamable patches @@ -546,6 +554,9 @@ rm -rf %{buildroot} %changelog +* Fri Aug 26 2011 Than Ngo - 4.6.5-3 +- drop kdelibs-4.3.1-drkonq.patch which is merged in upstream + * Mon Jul 25 2011 Kevin Kofler 4.6.5-2 - fix KHTML form completion regression (kde#277457, patch by Andrea Iacovitti) From b4b6073c3d12959ab6124779259b09472ca66ac3 Mon Sep 17 00:00:00 2001 From: Than Ngo Date: Fri, 26 Aug 2011 22:19:38 +0200 Subject: [PATCH 2/5] fix typo --- kdelibs.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kdelibs.spec b/kdelibs.spec index 0583298..148007c 100644 --- a/kdelibs.spec +++ b/kdelibs.spec @@ -15,7 +15,7 @@ %define halectomy 1 %global dbusmenu_qt_version %(pkg-config --modversion dbusmenu-qt 2>/dev/null || echo %{dbusmenu_qt_ver}) -%global phonon_version %(pkg-config --modversion phonon 2>/dev/null || echo %{phonon_ver} +%global phonon_version %(pkg-config --modversion phonon 2>/dev/null || echo %{phonon_ver}) %global soprano_version %(pkg-config --modversion soprano 2>/dev/null || echo %{soprano_ver}) %global strigi_version %(pkg-config --modversion libstreams 2>/dev/null || echo %{strigi_ver}) From 1979fdc467cd652bbe69b854953b69201bd2c62f Mon Sep 17 00:00:00 2001 From: Than Ngo Date: Tue, 30 Aug 2011 11:05:18 +0200 Subject: [PATCH 3/5] clean fedora conditional --- kdelibs.spec | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/kdelibs.spec b/kdelibs.spec index 148007c..80f0cb5 100644 --- a/kdelibs.spec +++ b/kdelibs.spec @@ -7,7 +7,6 @@ %define qt4_ver 4.7.0 %define soprano_ver 2.6.0 %define strigi_ver 0.7.2 -# to build/include apidocs or not %define apidocs 1 # to build/include QCH apidocs or not (currently broken) #define apidocs_qch 1 @@ -21,7 +20,7 @@ Summary: KDE Libraries Version: 4.6.5 -Release: 3%{?dist} +Release: 4%{?dist} Name: kdelibs Epoch: 6 @@ -343,7 +342,7 @@ mv %{buildroot}%{_kde4_sysconfdir}/xdg/menus/applications.menu \ # create/own stuff # see http://bugzilla.redhat.com/483318 mkdir -p %{buildroot}%{_kde4_libdir}/kconf_update_bin -%if 0%{?fedora} < 15 +%if 0%{?fedora} && 0%{?fedora} < 15 # moved to kde-filesystem f15+ mkdir -p %{buildroot}%{_kde4_libdir}/kde4/plugins/{gui_platform,styles} %endif @@ -554,6 +553,9 @@ rm -rf %{buildroot} %changelog +* Tue Aug 30 2011 Than Ngo - 4.6.5-4 +- clean fedora conditional + * Fri Aug 26 2011 Than Ngo - 4.6.5-3 - drop kdelibs-4.3.1-drkonq.patch which is merged in upstream From b847bb7dcc630bb9307e7d4a73e0eb6ec7f23944 Mon Sep 17 00:00:00 2001 From: Rex Dieter Date: Sat, 8 Oct 2011 19:49:26 -0500 Subject: [PATCH 4/5] Provides: kate-part --- kdelibs.spec | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/kdelibs.spec b/kdelibs.spec index 80f0cb5..9645bd5 100644 --- a/kdelibs.spec +++ b/kdelibs.spec @@ -20,7 +20,7 @@ Summary: KDE Libraries Version: 4.6.5 -Release: 4%{?dist} +Release: 5%{?dist} Name: kdelibs Epoch: 6 @@ -196,6 +196,8 @@ BuildRequires: graphviz BuildRequires: qt4-doc %endif +Provides: kate-part = %{version}-%{release} +%{?_isa:Provides: kate-part%{?_isa} = %{version}-%{release}} Provides: kross(javascript) = %{version}-%{release} Provides: kross(qtscript) = %{version}-%{release} @@ -553,6 +555,9 @@ rm -rf %{buildroot} %changelog +* Sat Oct 08 2011 Rex Dieter 4.6.5-5 +- Provides: kate-part + * Tue Aug 30 2011 Than Ngo - 4.6.5-4 - clean fedora conditional From 6ab5508030a77dfee2417a563cb9fbd8a13599cf Mon Sep 17 00:00:00 2001 From: Rex Dieter Date: Tue, 11 Oct 2011 10:50:46 -0500 Subject: [PATCH 5/5] CVE-2011-3365 kdelibs: input validation failure in KSSL (#743056) --- kdelibs-4.6.5-CVE-2011-3365-kio.patch | 61 ++++++++++++++++++++++++++ kdelibs-4.6.5-CVE-2011-3365-kssl.patch | 25 +++++++++++ kdelibs.spec | 10 ++++- 3 files changed, 95 insertions(+), 1 deletion(-) create mode 100644 kdelibs-4.6.5-CVE-2011-3365-kio.patch create mode 100644 kdelibs-4.6.5-CVE-2011-3365-kssl.patch diff --git a/kdelibs-4.6.5-CVE-2011-3365-kio.patch b/kdelibs-4.6.5-CVE-2011-3365-kio.patch new file mode 100644 index 0000000..be8548a --- /dev/null +++ b/kdelibs-4.6.5-CVE-2011-3365-kio.patch @@ -0,0 +1,61 @@ +t 90607b28d21fefc43657ca08b889bdb174c31fab +Author: David Faure +Date: Wed Sep 28 17:26:47 2011 +0200 + + Use HTML escaping on texts that come from the website + + Interestingly enough, this is yet another use case for moving Qt::escape + to QtCore, which I made a merge request for. + (cherry picked from commit 86622e4db182f4b914169f72ebd1e66d708e9f87) + +diff --git a/kioslave/http/http.cpp b/kioslave/http/http.cpp +index 33f4cb1..6447a02 100644 +--- a/kioslave/http/http.cpp ++++ b/kioslave/http/http.cpp +@@ -99,6 +99,27 @@ + //authentication handlers + #include "httpauthentication.cpp" + ++// KDE5 TODO (QT5) : use QString::htmlEscape or whatever https://qt.gitorious.org/qt/qtbase/merge_requests/56 ++// ends up with. ++static QString htmlEscape(const QString &plain) ++{ ++ QString rich; ++ rich.reserve(int(plain.length() * 1.1)); ++ for (int i = 0; i < plain.length(); ++i) { ++ if (plain.at(i) == QLatin1Char('<')) ++ rich += QLatin1String("<"); ++ else if (plain.at(i) == QLatin1Char('>')) ++ rich += QLatin1String(">"); ++ else if (plain.at(i) == QLatin1Char('&')) ++ rich += QLatin1String("&"); ++ else if (plain.at(i) == QLatin1Char('"')) ++ rich += QLatin1String("""); ++ else ++ rich += plain.at(i); ++ } ++ rich.squeeze(); ++ return rich; ++} + + // see filenameFromUrl(): a sha1 hash is 160 bits + static const int s_hashedUrlBits = 160; // this number should always be divisible by eight +@@ -3410,7 +3431,7 @@ endParsing: + authinfo.url = reqUrl; + authinfo.keepPassword = true; + authinfo.comment = i18n("%1 at %2", +- authinfo.realmValue, authinfo.url.host()); ++ htmlEscape(authinfo.realmValue), authinfo.url.host()); + + if (!openPasswordDialog(authinfo, errorMsg)) { + if (sendErrorPageNotification()) { +@@ -5122,7 +5143,7 @@ void HTTPProtocol::proxyAuthenticationForSocket(const QNetworkProxy &proxy, QAut + "to access any sites."); + info.keepPassword = true; + info.commentLabel = i18n("Proxy:"); +- info.comment = i18n("%1 at %2", info.realmValue, m_request.proxyUrl.host()); ++ info.comment = i18n("%1 at %2", htmlEscape(info.realmValue), m_request.proxyUrl.host()); + const bool dataEntered = openPasswordDialog(info, i18n("Proxy Authentication Failed.")); + if (!dataEntered) { + kDebug(7103) << "looks like the user canceled proxy authentication."; + diff --git a/kdelibs-4.6.5-CVE-2011-3365-kssl.patch b/kdelibs-4.6.5-CVE-2011-3365-kssl.patch new file mode 100644 index 0000000..94e2769 --- /dev/null +++ b/kdelibs-4.6.5-CVE-2011-3365-kssl.patch @@ -0,0 +1,25 @@ +commit 9ca2b26fc67c3f921e1943c1725fca623e395854 +Author: David Faure +Date: Thu Jun 30 23:43:45 2011 +0200 + + Security fix: don't interpret html tags + + Credits to Tim Brown for the find. + (cherry picked from commit bd70d4e589711fda9ab07738c46e37eee8376214) + +diff --git a/kio/kssl/ksslcertificatebox.cpp b/kio/kssl/ksslcertificatebox.cpp +index 4ffc613..094787a 100644 +--- a/kio/kssl/ksslcertificatebox.cpp ++++ b/kio/kssl/ksslcertificatebox.cpp +@@ -36,6 +36,10 @@ KSslCertificateBox::KSslCertificateBox(QWidget *parent) + d(new KSslCertificateBoxPrivate()) + { + d->ui.setupUi(this); ++ // No fooling us with html tags ++ Q_FOREACH(QLabel* label, qFindChildren(this)) { ++ label->setTextFormat(Qt::PlainText); ++ } + } + + + diff --git a/kdelibs.spec b/kdelibs.spec index 9645bd5..48df3a4 100644 --- a/kdelibs.spec +++ b/kdelibs.spec @@ -20,7 +20,7 @@ Summary: KDE Libraries Version: 4.6.5 -Release: 5%{?dist} +Release: 6%{?dist} Name: kdelibs Epoch: 6 @@ -121,6 +121,9 @@ Patch102: kdelibs-4.6.4-kstatusnotifieritemdbus_leak.patch ## security fix # Not Upstreamed? why not ? -- Rex Patch200: kdelibs-4.3.1-CVE-2009-2702.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=743056 +Patch201: kdelibs-4.6.5-CVE-2011-3365-kio.patch +Patch202: kdelibs-4.6.5-CVE-2011-3365-kssl.patch ## Fedora specific patches # make forcefully hal-free build @@ -303,6 +306,8 @@ sed -i -e "s|@@VERSION_RELEASE@@|%{version}-%{release}|" kio/kio/kprotocolmanage # security fix %patch200 -p1 -b .CVE-2009-2702 +%patch201 -p1 -b .CVE-2011-3365-kio +%patch202 -p1 -b .CVE-2011-3365-kssl # Fedora patches %if 0%{?halectomy} @@ -555,6 +560,9 @@ rm -rf %{buildroot} %changelog +* Tue Oct 11 2011 Rex Dieter 4.6.5-6 +- CVE-2011-3365 kdelibs: input validation failure in KSSL (#743056) + * Sat Oct 08 2011 Rex Dieter 4.6.5-5 - Provides: kate-part