From 6ab5508030a77dfee2417a563cb9fbd8a13599cf Mon Sep 17 00:00:00 2001
From: Rex Dieter <rdieter@fedoraproject.org>
Date: Tue, 11 Oct 2011 10:50:46 -0500
Subject: [PATCH] CVE-2011-3365 kdelibs: input validation failure in KSSL
 (#743056)

---
 kdelibs-4.6.5-CVE-2011-3365-kio.patch  | 61 ++++++++++++++++++++++++++
 kdelibs-4.6.5-CVE-2011-3365-kssl.patch | 25 +++++++++++
 kdelibs.spec                           | 10 ++++-
 3 files changed, 95 insertions(+), 1 deletion(-)
 create mode 100644 kdelibs-4.6.5-CVE-2011-3365-kio.patch
 create mode 100644 kdelibs-4.6.5-CVE-2011-3365-kssl.patch

diff --git a/kdelibs-4.6.5-CVE-2011-3365-kio.patch b/kdelibs-4.6.5-CVE-2011-3365-kio.patch
new file mode 100644
index 0000000..be8548a
--- /dev/null
+++ b/kdelibs-4.6.5-CVE-2011-3365-kio.patch
@@ -0,0 +1,61 @@
+t 90607b28d21fefc43657ca08b889bdb174c31fab
+Author: David Faure <faure@kde.org>
+Date:   Wed Sep 28 17:26:47 2011 +0200
+
+    Use HTML escaping on texts that come from the website
+    
+    Interestingly enough, this is yet another use case for moving Qt::escape
+    to QtCore, which I made a merge request for.
+    (cherry picked from commit 86622e4db182f4b914169f72ebd1e66d708e9f87)
+
+diff --git a/kioslave/http/http.cpp b/kioslave/http/http.cpp
+index 33f4cb1..6447a02 100644
+--- a/kioslave/http/http.cpp
++++ b/kioslave/http/http.cpp
+@@ -99,6 +99,27 @@
+ //authentication handlers
+ #include "httpauthentication.cpp"
+ 
++// KDE5 TODO (QT5) : use QString::htmlEscape or whatever https://qt.gitorious.org/qt/qtbase/merge_requests/56
++// ends up with.
++static QString htmlEscape(const QString &plain)
++{
++    QString rich;
++    rich.reserve(int(plain.length() * 1.1));
++        for (int i = 0; i < plain.length(); ++i) {
++        if (plain.at(i) == QLatin1Char('<'))
++            rich += QLatin1String("&lt;");
++        else if (plain.at(i) == QLatin1Char('>'))
++            rich += QLatin1String("&gt;");
++        else if (plain.at(i) == QLatin1Char('&'))
++            rich += QLatin1String("&amp;");
++        else if (plain.at(i) == QLatin1Char('"'))
++            rich += QLatin1String("&quot;");
++        else
++            rich += plain.at(i);
++    }
++    rich.squeeze();
++    return rich;
++}
+ 
+ // see filenameFromUrl(): a sha1 hash is 160 bits
+ static const int s_hashedUrlBits = 160;   // this number should always be divisible by eight
+@@ -3410,7 +3431,7 @@ endParsing:
+                                 authinfo.url = reqUrl;
+                                 authinfo.keepPassword = true;
+                                 authinfo.comment = i18n("<b>%1</b> at <b>%2</b>",
+-                                                        authinfo.realmValue, authinfo.url.host());
++                                                        htmlEscape(authinfo.realmValue), authinfo.url.host());
+ 
+                                 if (!openPasswordDialog(authinfo, errorMsg)) {
+                                     if (sendErrorPageNotification()) {
+@@ -5122,7 +5143,7 @@ void HTTPProtocol::proxyAuthenticationForSocket(const QNetworkProxy &proxy, QAut
+                            "to access any sites.");
+         info.keepPassword = true;
+         info.commentLabel = i18n("Proxy:");
+-        info.comment = i18n("<b>%1</b> at <b>%2</b>", info.realmValue, m_request.proxyUrl.host());
++        info.comment = i18n("<b>%1</b> at <b>%2</b>", htmlEscape(info.realmValue), m_request.proxyUrl.host());
+         const bool dataEntered = openPasswordDialog(info, i18n("Proxy Authentication Failed."));
+         if (!dataEntered) {
+             kDebug(7103) << "looks like the user canceled proxy authentication.";
+
diff --git a/kdelibs-4.6.5-CVE-2011-3365-kssl.patch b/kdelibs-4.6.5-CVE-2011-3365-kssl.patch
new file mode 100644
index 0000000..94e2769
--- /dev/null
+++ b/kdelibs-4.6.5-CVE-2011-3365-kssl.patch
@@ -0,0 +1,25 @@
+commit 9ca2b26fc67c3f921e1943c1725fca623e395854
+Author: David Faure <faure@kde.org>
+Date:   Thu Jun 30 23:43:45 2011 +0200
+
+    Security fix: don't interpret html tags
+    
+    Credits to Tim Brown for the find.
+    (cherry picked from commit bd70d4e589711fda9ab07738c46e37eee8376214)
+
+diff --git a/kio/kssl/ksslcertificatebox.cpp b/kio/kssl/ksslcertificatebox.cpp
+index 4ffc613..094787a 100644
+--- a/kio/kssl/ksslcertificatebox.cpp
++++ b/kio/kssl/ksslcertificatebox.cpp
+@@ -36,6 +36,10 @@ KSslCertificateBox::KSslCertificateBox(QWidget *parent)
+    d(new KSslCertificateBoxPrivate())
+ {
+     d->ui.setupUi(this);
++    // No fooling us with html tags
++    Q_FOREACH(QLabel* label, qFindChildren<QLabel *>(this)) {
++        label->setTextFormat(Qt::PlainText);
++    }
+ }
+ 
+ 
+
diff --git a/kdelibs.spec b/kdelibs.spec
index 9645bd5..48df3a4 100644
--- a/kdelibs.spec
+++ b/kdelibs.spec
@@ -20,7 +20,7 @@
 
 Summary: KDE Libraries
 Version: 4.6.5
-Release: 5%{?dist}
+Release: 6%{?dist}
 
 Name: kdelibs
 Epoch: 6
@@ -121,6 +121,9 @@ Patch102: kdelibs-4.6.4-kstatusnotifieritemdbus_leak.patch
 ## security fix
 # Not Upstreamed? why not ? -- Rex
 Patch200: kdelibs-4.3.1-CVE-2009-2702.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=743056
+Patch201: kdelibs-4.6.5-CVE-2011-3365-kio.patch
+Patch202: kdelibs-4.6.5-CVE-2011-3365-kssl.patch
 
 ## Fedora specific patches
 # make forcefully hal-free build
@@ -303,6 +306,8 @@ sed -i -e "s|@@VERSION_RELEASE@@|%{version}-%{release}|" kio/kio/kprotocolmanage
 
 # security fix
 %patch200 -p1 -b .CVE-2009-2702
+%patch201 -p1 -b .CVE-2011-3365-kio
+%patch202 -p1 -b .CVE-2011-3365-kssl
 
 # Fedora patches
 %if 0%{?halectomy}
@@ -555,6 +560,9 @@ rm -rf %{buildroot}
 
 
 %changelog
+* Tue Oct 11 2011 Rex Dieter <rdieter@fedoraproject.org> 4.6.5-6
+- CVE-2011-3365 kdelibs: input validation failure in KSSL (#743056)
+
 * Sat Oct 08 2011 Rex Dieter <rdieter@fedoraproject.org> 4.6.5-5
 - Provides: kate-part