From a202c166f0198435b7a9367e95196bbea3dff067 Mon Sep 17 00:00:00 2001
From: Rex Dieter
Date: Thu, 19 Jun 2014 08:42:59 -0500
Subject: [PATCH] POP3 kiosloave silently accepted invalid SSL certificates (#1111022, #1111023, CVE-2014-3494)
---
 ...require-a-job-to-handle-messageboxes.patch | 58 +++++++++++++++++++
 kdelibs.spec | 7 ++-
 2 files changed, 64 insertions(+), 1 deletion(-)
 create mode 100644 0008-Don-t-require-a-job-to-handle-messageboxes.patch
diff --git a/0008-Don-t-require-a-job-to-handle-messageboxes.patch b/0008-Don-t-require-a-job-to-handle-messageboxes.patch
new file mode 100644
index 0000000..7cad922
--- /dev/null
+++ b/0008-Don-t-require-a-job-to-handle-messageboxes.patch
@@ -0,0 +1,58 @@
+From bbae87dc1be3ae063796a582774bd5642cacdd5d Mon Sep 17 00:00:00 2001
+From: David Faure
+Date: Wed, 18 Jun 2014 20:29:04 +0200
+Subject: [PATCH 08/12] Don't require a job to handle messageboxes.
+
+The POP3 ioslave doesn't have a job when it gets here.
+---
+ kio/kio/usernotificationhandler.cpp | 27 +++++++++++++--------------
+ 1 file changed, 13 insertions(+), 14 deletions(-)
+
+diff --git a/kio/kio/usernotificationhandler.cpp b/kio/kio/usernotificationhandler.cpp
+index 10043cf..2b2e091 100644
+--- a/kio/kio/usernotificationhandler.cpp
++++ b/kio/kio/usernotificationhandler.cpp
+@@ -19,7 +19,7 @@
+ #include "usernotificationhandler_p.h"
+
+ #include "slave.h"
+-#include "job_p.h"
++#include "jobuidelegate.h"
+
+ #include
+
+@@ -76,19 +76,18 @@ void UserNotificationHandler::processRequest()
+
+ if (m_cachedResults.contains(key)) {
+ result = *(m_cachedResults[key]);
+- } else if (r->slave->job()) {
+- SimpleJobPrivate* jobPrivate = SimpleJobPrivate::get(r->slave->job());
+- if (jobPrivate) {
+- result = jobPrivate->requestMessageBox(r->type,
+- r->data.value(MSG_TEXT).toString(),
+- r->data.value(MSG_CAPTION).toString(),
+- r->data.value(MSG_YES_BUTTON_TEXT).toString(),
+- r->data.value(MSG_NO_BUTTON_TEXT).toString(),
+- r->data.value(MSG_YES_BUTTON_ICON).toString(),
+- r->data.value(MSG_NO_BUTTON_ICON).toString(),
+- r->data.value(MSG_DONT_ASK_AGAIN).toString(),
+- r->data.value(MSG_META_DATA).toMap());
+- }
++ } else {
++ JobUiDelegate ui;
++ const JobUiDelegate::MessageBoxType type = static_cast(r->type);
++ result = ui.requestMessageBox(type,
++ r->data.value(MSG_TEXT).toString(),
++ r->data.value(MSG_CAPTION).toString(),
++ r->data.value(MSG_YES_BUTTON_TEXT).toString(),
++ r->data.value(MSG_NO_BUTTON_TEXT).toString(),
++ r->data.value(MSG_YES_BUTTON_ICON).toString(),
++ r->data.value(MSG_NO_BUTTON_ICON).toString(),
++ r->data.value(MSG_DONT_ASK_AGAIN).toString(),
++ r->data.value(MSG_META_DATA).toMap());
+ m_cachedResults.insert(key, new int(result));
+ }
+ } else {
+--
+1.8.3.1
+
diff --git a/kdelibs.spec b/kdelibs.spec
index f01a8b2..b00a71e 100644
--- a/kdelibs.spec
+++ b/kdelibs.spec
@@ -39,7 +39,7 @@ Summary: KDE Libraries Version: 4.12.5 -Release: 2%{?dist} +Release: 3%{?dist} Name: kdelibs Epoch: 6
@@ -170,6 +170,7 @@ Patch092: return-application-icons-properly.patch Patch093: turn-the-packagekit-support-feature-off-by-default.patch ## security fix +Patch158: 0008-Don-t-require-a-job-to-handle-messageboxes.patch # rhel patches
@@ -368,6 +369,7 @@ sed -i -e "s|@@VERSION_RELEASE@@|%{version}-%{release}|" kio/kio/kprotocolmanage %patch093 -p1 -R -b .turn-the-packagekit-support-feature-off-by-default # security fixes +%patch158 -p1 -b .0008 # rhel patches %if ! 0%{?webkit}
@@ -624,6 +626,9 @@ gtk-update-icon-cache %{_kde4_iconsdir}/hicolor &> /dev/null || : %changelog +* Thu Jun 19 2014 Rex Dieter 4.12.5-3 +- POP3 kiosloave silently accepted invalid SSL certificates (#1111022, #1111023, CVE-2014-3494) + * Tue Apr 29 2014 Rex Dieter 4.12.5-2 - respin
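Review bot: In the `processRequest()` hunk of the embedded kdelibs patch, the new `else` branch relies on `ui.requestMessageBox(...)` always returning a real answer, and nothing visible makes the no-answer case fail closed. The old code assigned nothing to `result` when the slave had no job, and the commit subject says invalid certificates were then accepted, which suggests the unassigned value reads as consent; the declaration sits outside the hunk (the function begins and ends outside it), so I would initialise it there to a refusal, e.g. `int result = KMessageBox::Cancel;`. The branch also builds a parentless `JobUiDelegate` even when `r->slave->job()` exists, so the prompt is no longer tied to that job's window or delegate; a comment such as `// No job (e.g. POP3 slave): prompt through a standalone delegate, never skip the prompt` would record why. The answer is then stored with `m_cachedResults.insert(key, ...)`, and since the construction of `key` is not shown, it is worth confirming that a cached "continue" cannot be reused for a different host or certificate.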