security fix CVE-2014-5033

* Sun Feb 16 2014 Kevin Kofler <Kevin@tigcc.ticalc.org> - 6:4.11.5-2
- Plasma PackageKit integration: fix plasmapkg to not query Plasma for available
  script engines if component is not Plasma/*, but e.g. KWin/Script (#1065688)

0001-Add-an-API-currently-private-for-installing-missing-.patch

@@ -1,286 +0,0 @@
-diff -up kdelibs-4.7.80/plasma/CMakeLists.txt.libplasma-pk-0001 kdelibs-4.7.80/plasma/CMakeLists.txt
---- kdelibs-4.7.80/plasma/CMakeLists.txt.libplasma-pk-0001	2011-11-17 21:54:56.000000000 +0100
-+++ kdelibs-4.7.80/plasma/CMakeLists.txt	2011-11-18 13:16:23.243039344 +0100
-@@ -6,10 +6,15 @@ if(KDE_PLATFORM_FEATURE_BINARY_COMPATIBL
-     set(PLASMA_NO_KNEWSTUFF TRUE)
-     set(PLASMA_NO_SOLID TRUE)
-     set(PLASMA_NO_KIO TRUE)
-+    set(PLASMA_NO_PACKAGEKIT TRUE)
-     set(PLASMA_NO_KUTILS TRUE)
-     set(PLASMA_NO_GLOBAL_SHORTCUTS TRUE)
- endif(KDE_PLATFORM_FEATURE_BINARY_COMPATIBLE_FEATURE_REDUCTION)
- 
-+if(NOT Q_WS_X11)
-+    set(PLASMA_NO_PACKAGEKIT TRUE)
-+endif(NOT Q_WS_X11)
-+
- include_directories(${CMAKE_CURRENT_SOURCE_DIR}
-                     ${KDE4_KDECORE_INCLUDES}
-                     ${KDE4_KDEUI_INCLUDES}
-@@ -44,6 +49,11 @@ if(NOT PLASMA_NO_SOLID)
-     set(PLASMA_EXTRA_LIBS ${PLASMA_EXTRA_LIBS} ${KDE4_SOLID_LIBS})
- endif(NOT PLASMA_NO_SOLID)
- 
-+if(NOT PLASMA_NO_PACKAGEKIT)
-+    add_definitions(-DPLASMA_ENABLE_PACKAGEKIT_SUPPORT=1)
-+    set(PLASMA_EXTRA_LIBS ${PLASMA_EXTRA_LIBS} ${QT_QTDBUS_LIBRARY})
-+endif(NOT PLASMA_NO_PACKAGEKIT)
-+
- if (NOT PLASMA_NO_KUTILS)
-     include_directories(${CMAKE_SOURCE_DIR}/kutils)
-     set(PLASMA_EXTRA_LIBS ${PLASMA_EXTRA_LIBS} ${KDE4_KUTILS_LIBS})
-@@ -117,6 +127,7 @@ set(plasma_LIB_SRCS
-     private/animablegraphicswebview.cpp
-     private/applethandle.cpp
-     private/associatedapplicationmanager.cpp
-+    private/componentinstaller.cpp
-     private/datacontainer_p.cpp
-     private/dataenginebindings.cpp
-     private/dataengineconsumer.cpp
-diff -up kdelibs-4.7.80/plasma/dataenginemanager.cpp.libplasma-pk-0001 kdelibs-4.7.80/plasma/dataenginemanager.cpp
---- kdelibs-4.7.80/plasma/dataenginemanager.cpp.libplasma-pk-0001	2011-08-22 15:13:55.000000000 +0200
-+++ kdelibs-4.7.80/plasma/dataenginemanager.cpp	2011-11-18 12:48:37.513008572 +0100
-@@ -29,6 +29,7 @@
- 
- #include "datacontainer.h"
- #include "pluginloader.h"
-+#include "private/componentinstaller_p.h"
- #include "private/dataengine_p.h"
- #include "private/datacontainer_p.h"
- #include "scripting/scriptengine.h"
-@@ -130,6 +131,9 @@ Plasma::DataEngine *DataEngineManager::l
- 
-     DataEngine *engine = PluginLoader::pluginLoader()->loadDataEngine(name);
-     if (!engine) {
-+        // Try installing the engine. However, it's too late for this request.
-+        ComponentInstaller::self()->installMissingComponent("dataengine", name);
-+
-         return d->nullEngine();
-     }
- 
-diff -up kdelibs-4.7.80/plasma/private/componentinstaller.cpp.libplasma-pk-0001 kdelibs-4.7.80/plasma/private/componentinstaller.cpp
---- kdelibs-4.7.80/plasma/private/componentinstaller.cpp.libplasma-pk-0001	2011-11-18 12:48:37.513008572 +0100
-+++ kdelibs-4.7.80/plasma/private/componentinstaller.cpp	2011-11-18 12:48:37.513008572 +0100
-@@ -0,0 +1,103 @@
-+/*
-+ *   Copyright 2011 Kevin Kofler <kevin.kofler@chello.at>
-+ *
-+ *   This program is free software; you can redistribute it and/or modify
-+ *   it under the terms of the GNU Library General Public License as
-+ *   published by the Free Software Foundation; either version 2, or
-+ *   (at your option) any later version.
-+ *
-+ *   This program is distributed in the hope that it will be useful,
-+ *   but WITHOUT ANY WARRANTY; without even the implied warranty of
-+ *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-+ *   GNU General Public License for more details
-+ *
-+ *   You should have received a copy of the GNU Library General Public
-+ *   License along with this program; if not, write to the
-+ *   Free Software Foundation, Inc.,
-+ *   51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
-+ */
-+
-+#include "private/componentinstaller_p.h"
-+
-+#include <kglobal.h>
-+
-+#ifdef PLASMA_ENABLE_PACKAGEKIT_SUPPORT
-+#include <QSet>
-+#include <QDBusInterface>
-+#include <QDBusPendingCall>
-+#include <QWidget>
-+#include <QLatin1String>
-+#include <QStringList>
-+#endif
-+
-+namespace Plasma
-+{
-+
-+class ComponentInstallerPrivate
-+{
-+    public:
-+#ifdef PLASMA_ENABLE_PACKAGEKIT_SUPPORT
-+        QSet<QString> alreadyPrompted;
-+#endif
-+};
-+
-+class ComponentInstallerSingleton
-+{
-+    public:
-+        ComponentInstaller self;
-+};
-+
-+K_GLOBAL_STATIC(ComponentInstallerSingleton, privateComponentInstallerSelf)
-+
-+ComponentInstaller *ComponentInstaller::self()
-+{
-+    return &privateComponentInstallerSelf->self;
-+}
-+
-+ComponentInstaller::ComponentInstaller()
-+    : d(new ComponentInstallerPrivate)
-+{
-+}
-+
-+ComponentInstaller::~ComponentInstaller()
-+{
-+    delete d;
-+}
-+
-+void ComponentInstaller::installMissingComponent(const QString &type,
-+                                                 const QString &name,
-+                                                 QWidget *parent, bool force)
-+{
-+#ifdef PLASMA_ENABLE_PACKAGEKIT_SUPPORT
-+    QString searchString = type + '-' + name;
-+
-+    if (!force) {
-+        if (d->alreadyPrompted.contains(searchString)) {
-+            return;
-+        }
-+    }
-+
-+    d->alreadyPrompted.insert(searchString);
-+
-+    QDBusInterface packageKit(QLatin1String("org.freedesktop.PackageKit"),
-+                              QLatin1String("/org/freedesktop/PackageKit"),
-+                              QLatin1String("org.freedesktop.PackageKit.Modify"));
-+    // We don't check packageKit.isValid() because the service is activated on
-+    // demand, so it will show up as "not valid".
-+    WId wid = 0;
-+    if (parent) {
-+        wid = parent->winId();
-+    }
-+    QStringList resources;
-+    resources.append(searchString);
-+    packageKit.asyncCall(QLatin1String("InstallResources"), (unsigned int) wid,
-+                         QLatin1String("plasma-service"), resources, QString());
-+#else
-+    Q_UNUSED(type);
-+    Q_UNUSED(name);
-+    Q_UNUSED(parent);
-+    Q_UNUSED(force);
-+#endif
-+}
-+
-+} // namespace Plasma
-diff -up kdelibs-4.7.80/plasma/private/componentinstaller_p.h.libplasma-pk-0001 kdelibs-4.7.80/plasma/private/componentinstaller_p.h
---- kdelibs-4.7.80/plasma/private/componentinstaller_p.h.libplasma-pk-0001	2011-11-18 12:48:37.514008574 +0100
-+++ kdelibs-4.7.80/plasma/private/componentinstaller_p.h	2011-11-18 12:48:37.514008574 +0100
-@@ -0,0 +1,94 @@
-+/*
-+ *   Copyright 2011 Kevin Kofler <kevin.kofler@chello.at>
-+ *
-+ *   This program is free software; you can redistribute it and/or modify
-+ *   it under the terms of the GNU Library General Public License as
-+ *   published by the Free Software Foundation; either version 2, or
-+ *   (at your option) any later version.
-+ *
-+ *   This program is distributed in the hope that it will be useful,
-+ *   but WITHOUT ANY WARRANTY; without even the implied warranty of
-+ *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-+ *   GNU General Public License for more details
-+ *
-+ *   You should have received a copy of the GNU Library General Public
-+ *   License along with this program; if not, write to the
-+ *   Free Software Foundation, Inc.,
-+ *   51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
-+ */
-+
-+#ifndef PLASMA_COMPONENTINSTALLER_H
-+#define PLASMA_COMPONENTINSTALLER_H
-+
-+class QString;
-+class QWidget;
-+
-+namespace Plasma
-+{
-+
-+class ComponentInstallerPrivate;
-+
-+/**
-+ * @class ComponentInstaller plasma/private/componentinstaller_p.h
-+ *
-+ * @short This class provides a generic API for installation of components.
-+ *
-+ * @internal
-+ *
-+ * Plasma::ComponentInstaller allows searching for a missing data or script
-+ * engine by name, and allowing the user to install the missing service.
-+ * Currently, PackageKit is supported as the mechanism to install components,
-+ * but more mechanisms could be supported in the future through the same API.
-+ *
-+ * @since 4.8
-+ */
-+class ComponentInstaller
-+{
-+    public:
-+        /**
-+         * Singleton pattern accessor.
-+         */
-+        static ComponentInstaller *self();
-+
-+        /**
-+         * Installs a missing component asynchronously.
-+         *
-+         * By default, this method will cache requested components and not
-+         * prompt again for the same engine in the same session. The force
-+         * parameter can be used to disable this mechanism, e.g. when the user
-+         * just installed a new widget written in a scripting language, and so
-+         * is likely to want the script engine installed after all.
-+         *
-+         * In the case of on-demand installation, this will unfortunately not
-+         * allow the call which triggered the missing component lookup to
-+         * succeed, but we cannot afford to block all of Plasma until the
-+         * mechanism is done installing the service.
-+         *
-+         * This function does nothing if PackageKit integration was disabled at
-+         * compile time.
-+         *
-+         * @param type the type of the component, should be "scriptengine" or
-+         *             "dataengine"
-+         * @param name the name of the component
-+         * @param parent a parent widget, used to set the wid for PackageKit
-+         * @param force whether to always prompt, even if recently prompted
-+         */
-+        void installMissingComponent(const QString &type, const QString &name,
-+                                     QWidget *parent = 0, bool force = false);
-+
-+    private:
-+        /**
-+         * Default constructor. The singleton method self() is the
-+         * preferred access mechanism.
-+         */
-+        ComponentInstaller();
-+        ~ComponentInstaller();
-+
-+        ComponentInstallerPrivate *const d;
-+
-+        friend class ComponentInstallerSingleton;
-+};
-+
-+} // namespace Plasma
-+
-+#endif // multiple inclusion guard
-diff -up kdelibs-4.7.80/plasma/scripting/scriptengine.cpp.libplasma-pk-0001 kdelibs-4.7.80/plasma/scripting/scriptengine.cpp
---- kdelibs-4.7.80/plasma/scripting/scriptengine.cpp.libplasma-pk-0001	2011-09-26 11:41:11.000000000 +0200
-+++ kdelibs-4.7.80/plasma/scripting/scriptengine.cpp	2011-11-18 12:48:37.514008574 +0100
-@@ -27,6 +27,7 @@
- #include "applet.h"
- #include "dataengine.h"
- #include "package.h"
-+#include "private/componentinstaller_p.h"
- #include "scripting/appletscript.h"
- #include "scripting/dataenginescript.h"
- #include "scripting/runnerscript.h"
-@@ -196,6 +197,9 @@ ScriptEngine *loadEngine(const QString &
-                  << "! error reported: " << error;
-     }
- 
-+    // Try installing the engine. However, it's too late for this request.
-+    ComponentInstaller::self()->installMissingComponent("scriptengine", language);
-+
-     return 0;
- }
- 

0002-Trigger-installation-of-missing-components-when-inst.patch

@@ -13,7 +13,7 @@ diff -up kdelibs-4.8.90/plasma/package.cpp.libplasma-pk-0002 kdelibs-4.8.90/plas
  #include "private/package_p.h"
  #include "private/plasmoidservice_p.h"
  #include "private/service_p.h"
-@@ -580,6 +583,41 @@ bool Package::installPackage(const QStri
+@@ -580,6 +583,42 @@ bool Package::installPackage(const QStri
          // no need to remove the temp dir (which has been successfully moved if it's an archive)
          tempdir.setAutoRemove(false);
      }
@@ -35,7 +35,8 @@ diff -up kdelibs-4.8.90/plasma/package.cpp.libplasma-pk-0002 kdelibs-4.8.90/plas
 +        if (serviceTypes.contains("Plasma/Wallpaper")) {
 +            componentTypes |= WallpaperComponent;
 +        }
-+        if (!knownLanguages(componentTypes).contains(requiredScriptEngine)) {
++        if (componentTypes // ignore non-Plasma/* components (e.g. KWin/Script)
++            && !knownLanguages(componentTypes).contains(requiredScriptEngine)) {
 +            // install the missing script engine
 +            // force prompting because the user has just explicitly installed a widget
 +            ComponentInstaller::self()->installMissingComponent("scriptengine", requiredScriptEngine, 0, true);

0008-Don-t-require-a-job-to-handle-messageboxes.patch

@@ -0,0 +1,58 @@
+From bbae87dc1be3ae063796a582774bd5642cacdd5d Mon Sep 17 00:00:00 2001
+From: David Faure <faure@kde.org>
+Date: Wed, 18 Jun 2014 20:29:04 +0200
+Subject: [PATCH 08/12] Don't require a job to handle messageboxes.
+
+The POP3 ioslave doesn't have a job when it gets here.
+---
+ kio/kio/usernotificationhandler.cpp | 27 +++++++++++++--------------
+ 1 file changed, 13 insertions(+), 14 deletions(-)
+
+diff --git a/kio/kio/usernotificationhandler.cpp b/kio/kio/usernotificationhandler.cpp
+index 10043cf..2b2e091 100644
+--- a/kio/kio/usernotificationhandler.cpp
++++ b/kio/kio/usernotificationhandler.cpp
+@@ -19,7 +19,7 @@
+ #include "usernotificationhandler_p.h"
+ 
+ #include "slave.h"
+-#include "job_p.h"
++#include "jobuidelegate.h"
+ 
+ #include <kdebug.h>
+ 
+@@ -76,19 +76,18 @@ void UserNotificationHandler::processRequest()
+ 
+         if (m_cachedResults.contains(key)) {
+             result = *(m_cachedResults[key]);
+-        } else if (r->slave->job()) {
+-            SimpleJobPrivate* jobPrivate = SimpleJobPrivate::get(r->slave->job());
+-            if (jobPrivate) {
+-                result = jobPrivate->requestMessageBox(r->type,
+-                                                      r->data.value(MSG_TEXT).toString(),
+-                                                      r->data.value(MSG_CAPTION).toString(),
+-                                                      r->data.value(MSG_YES_BUTTON_TEXT).toString(),
+-                                                      r->data.value(MSG_NO_BUTTON_TEXT).toString(),
+-                                                      r->data.value(MSG_YES_BUTTON_ICON).toString(),
+-                                                      r->data.value(MSG_NO_BUTTON_ICON).toString(),
+-                                                      r->data.value(MSG_DONT_ASK_AGAIN).toString(),
+-                                                      r->data.value(MSG_META_DATA).toMap());
+-            }
++        } else {
++            JobUiDelegate ui;
++            const JobUiDelegate::MessageBoxType type = static_cast<JobUiDelegate::MessageBoxType>(r->type);
++            result = ui.requestMessageBox(type,
++                                          r->data.value(MSG_TEXT).toString(),
++                                          r->data.value(MSG_CAPTION).toString(),
++                                          r->data.value(MSG_YES_BUTTON_TEXT).toString(),
++                                          r->data.value(MSG_NO_BUTTON_TEXT).toString(),
++                                          r->data.value(MSG_YES_BUTTON_ICON).toString(),
++                                          r->data.value(MSG_NO_BUTTON_ICON).toString(),
++                                          r->data.value(MSG_DONT_ASK_AGAIN).toString(),
++                                          r->data.value(MSG_META_DATA).toMap());
+             m_cachedResults.insert(key, new int(result));
+         }
+     } else {
+-- 
+1.8.3.1
+

kdelibs-4.11.5-CVE-2014-5033.patch

@@ -0,0 +1,36 @@
+diff -up kdelibs-4.11.5/kdecore/auth/backends/polkit-1/Polkit1Backend.cpp.than kdelibs-4.11.5/kdecore/auth/backends/polkit-1/Polkit1Backend.cpp
+--- kdelibs-4.11.5/kdecore/auth/backends/polkit-1/Polkit1Backend.cpp.than	2014-09-23 11:19:47.000000000 +0200
++++ kdelibs-4.11.5/kdecore/auth/backends/polkit-1/Polkit1Backend.cpp	2014-09-23 11:22:50.000000000 +0200
+@@ -144,7 +144,7 @@ void Polkit1Backend::setupAction(const Q
+ 
+ Action::AuthStatus Polkit1Backend::actionStatus(const QString &action)
+ {
+-    PolkitQt1::UnixProcessSubject subject(QCoreApplication::applicationPid());
++    PolkitQt1::SystemBusNameSubject subject(QString::fromUtf8(callerID()));
+     PolkitQt1::Authority::Result r = PolkitQt1::Authority::instance()->checkAuthorizationSync(action, subject,
+                                                                                               PolkitQt1::Authority::None);
+     switch (r) {
+@@ -160,21 +160,12 @@ Action::AuthStatus Polkit1Backend::actio
+ 
+ QByteArray Polkit1Backend::callerID() const
+ {
+-    QByteArray a;
+-    QDataStream s(&a, QIODevice::WriteOnly);
+-    s << QCoreApplication::applicationPid();
+-
+-    return a;
++    return QDBusConnection::systemBus().baseService().toUtf8();
+ }
+ 
+ bool Polkit1Backend::isCallerAuthorized(const QString &action, QByteArray callerID)
+ {
+-    QDataStream s(&callerID, QIODevice::ReadOnly);
+-    qint64 pid;
+-
+-    s >> pid;
+-
+-    PolkitQt1::UnixProcessSubject subject(pid);
++    PolkitQt1::SystemBusNameSubject subject(QString::fromUtf8(callerID));
+     PolkitQt1::Authority *authority = PolkitQt1::Authority::instance();
+ 
+     PolkitResultEventLoop e;

kdelibs.spec

@@ -39,7 +39,7 @@
 
 Summary: KDE Libraries
 Version: 4.11.5
-Release: 1%{?dist}
+Release: 5%{?dist}
 
 Name: kdelibs
 Epoch: 6
@@ -117,10 +117,6 @@ Patch20: kdelibs-4.10.0-cmake.patch
 Patch27: kdelibs-4.10.0-no_rpath.patch
 
 ## libplasma PackageKit integration
-# Add an API (currently private) for installing missing Plasma engines.
-# https://git.reviewboard.kde.org/r/102175/
-Patch40: 0001-Add-an-API-currently-private-for-installing-missing-.patch
-
 # Trigger installation of missing components when installing a package.
 # https://git.reviewboard.kde.org/r/102291/
 Patch41: 0002-Trigger-installation-of-missing-components-when-inst.patch
@@ -174,6 +170,8 @@ Patch092: return-application-icons-properly.patch
 Patch093: turn-the-packagekit-support-feature-off-by-default.patch
 
 ## security fix
+Patch158: 0008-Don-t-require-a-job-to-handle-messageboxes.patch
+Patch159: kdelibs-4.11.5-CVE-2014-5033.patch
 
 # rhel patches
 
@@ -189,6 +187,8 @@ Conflicts: kdelibs3 < 3.5.10-42
 BuildRequires: qt4-devel >= %{qt4_ver}
 %if 0%{?webkit}
 BuildRequires: pkgconfig(QtWebKit)
+Provides: kdelibs4-webkit = %{version}-%{release}
+%{?_isa:Provides: kdelibs4-webkit%{?_isa} = %{version}-%{release}}
 %endif
 %{?_qt4_version:Requires: qt4%{?_isa} >= %{_qt4_version}}
 Requires: xdg-utils
@@ -303,6 +303,8 @@ Requires: pkgconfig(shared-desktop-ontologies) pkgconfig(soprano)
 Requires: qt4-devel
 %if 0%{?webkit}
 Requires: pkgconfig(QtWebKit)
+Provides: kdelibs4-webkit-devel = %{version}-%{release}
+%{?_isa:Provides: kdelibs4-webkit-devel%{?_isa} = %{version}-%{release}}
 %endif
 %{?x_deps:Requires: %{x_deps}}
 
@@ -348,8 +350,6 @@ sed -i -e "s|@@VERSION_RELEASE@@|%{version}-%{release}|" kio/kio/kprotocolmanage
 %patch27 -p1 -b .no_rpath
 
 # libplasma PackageKit integration
-## hrm, seems only 0001 is upstreamed so far, need to poke Kevin why that is.  -- rex
-#patch40 -p1 -b .libplasma-pk-0001
 %patch41 -p1 -b .libplasma-pk-0002
 %patch42 -p1 -b .libplasma-pk-0003
 
@@ -374,6 +374,8 @@ sed -i -e "s|@@VERSION_RELEASE@@|%{version}-%{release}|" kio/kio/kprotocolmanage
 %patch093 -p1 -R -b .turn-the-packagekit-support-feature-off-by-default
 
 # security fixes
+%patch158 -p1 -b .0008
+%patch159 -p1 -b .CVE-2014-5033
 
 # rhel patches
 %if ! 0%{?webkit}
@@ -630,6 +632,19 @@ gtk-update-icon-cache %{_kde4_iconsdir}/hicolor &> /dev/null || :
 
 
 %changelog
+* Tue Sep 23 2014 Than Ngo <than@redhat.com> - 6:4.11.5-5
+- security fix CVE-2014-5033
+
+* Thu Jun 19 2014 Rex Dieter <rdieter@fedoraproject.org> - 6:4.11.5-4
+- Provides: kdelibs4-webkit ...
+
+* Thu Jun 19 2014 Rex Dieter <rdieter@fedoraproject.org> - 6:4.11.5-3
+- POP3 kiosloave silently accepted invalid SSL certificates (#1111022, #1111023, CVE-2014-3494)
+
+* Sun Feb 16 2014 Kevin Kofler <Kevin@tigcc.ticalc.org> - 6:4.11.5-2
+- Plasma PackageKit integration: fix plasmapkg to not query Plasma for available
+  script engines if component is not Plasma/*, but e.g. KWin/Script (#1065688)
+
 * Fri Jan 03 2014 Rex Dieter <rdieter@fedoraproject.org> - 6:4.11.5-1
 - 4.11.5