Resolves: bz#743074, CVE-2011-3365, input validation failure in KSSL
This commit is contained in:
parent
e753913e8e
commit
21065e34b6
@ -0,0 +1,111 @@
|
|||
--- kdelibs-3.5.10/kio/kssl/ksslinfodlg.cc 2007-05-14 09:52:36.000000000 +0200
|
||||
+++ kdelibs-3.5.10/kio/kssl/ksslinfodlg.cc 2011-10-07 20:38:30.000000000 +0200
|
||||
@@ -253,6 +253,14 @@
|
||||
layout->addWidget(new QLabel(i18n("%1 bits used of a %2 bit cipher").arg(usedbits).arg(bits), this), 10, 1);
|
||||
d->m_layout->addMultiCell(layout, 2, 2, 0, 2);
|
||||
|
||||
+ ipl->setTextFormat(Qt::PlainText);
|
||||
+ urlLabel->setTextFormat(Qt::PlainText);
|
||||
+ d->_serialNum->setTextFormat(Qt::PlainText);
|
||||
+ d->_csl->setTextFormat(Qt::PlainText);
|
||||
+ d->_validFrom->setTextFormat(Qt::PlainText);
|
||||
+ d->_validUntil->setTextFormat(Qt::PlainText);
|
||||
+ d->_digest->setTextFormat(Qt::PlainText);
|
||||
+
|
||||
displayCert(cert);
|
||||
}
|
||||
|
||||
@@ -400,32 +408,32 @@
|
||||
if (!(tmp = cert.getValue("O")).isEmpty()) {
|
||||
label = new QLabel(i18n("Organization:"), _frame);
|
||||
label->setAlignment(Qt::AlignLeft | Qt::AlignTop);
|
||||
- new QLabel(tmp, _frame);
|
||||
+ (new QLabel(tmp, _frame))->setTextFormat(Qt::PlainText);
|
||||
}
|
||||
if (!(tmp = cert.getValue("OU")).isEmpty()) {
|
||||
label = new QLabel(i18n("Organizational unit:"), _frame);
|
||||
label->setAlignment(Qt::AlignLeft | Qt::AlignTop);
|
||||
- new QLabel(tmp, _frame);
|
||||
+ (new QLabel(tmp, _frame))->setTextFormat(Qt::PlainText);
|
||||
}
|
||||
if (!(tmp = cert.getValue("L")).isEmpty()) {
|
||||
label = new QLabel(i18n("Locality:"), _frame);
|
||||
label->setAlignment(Qt::AlignLeft | Qt::AlignTop);
|
||||
- new QLabel(tmp, _frame);
|
||||
+ (new QLabel(tmp, _frame))->setTextFormat(Qt::PlainText);
|
||||
}
|
||||
if (!(tmp = cert.getValue("ST")).isEmpty()) {
|
||||
label = new QLabel(i18n("Federal State","State:"), _frame);
|
||||
label->setAlignment(Qt::AlignLeft | Qt::AlignTop);
|
||||
- new QLabel(tmp, _frame);
|
||||
+ (new QLabel(tmp, _frame))->setTextFormat(Qt::PlainText);
|
||||
}
|
||||
if (!(tmp = cert.getValue("C")).isEmpty()) {
|
||||
label = new QLabel(i18n("Country:"), _frame);
|
||||
label->setAlignment(Qt::AlignLeft | Qt::AlignTop);
|
||||
- new QLabel(tmp, _frame);
|
||||
+ (new QLabel(tmp, _frame))->setTextFormat(Qt::PlainText);
|
||||
}
|
||||
if (!(tmp = cert.getValue("CN")).isEmpty()) {
|
||||
label = new QLabel(i18n("Common name:"), _frame);
|
||||
label->setAlignment(Qt::AlignLeft | Qt::AlignTop);
|
||||
- new QLabel(tmp, _frame);
|
||||
+ (new QLabel(tmp, _frame))->setTextFormat(Qt::PlainText);
|
||||
}
|
||||
if (!(tmp = cert.getValue("Email")).isEmpty()) {
|
||||
label = new QLabel(i18n("Email:"), _frame);
|
||||
@@ -435,6 +443,7 @@
|
||||
connect(mail, SIGNAL(leftClickedURL(const QString &)), mailCatcher, SLOT(mailClicked(const QString &)));
|
||||
} else {
|
||||
label = new QLabel(tmp, _frame);
|
||||
+ label->setTextFormat(Qt::PlainText);
|
||||
}
|
||||
}
|
||||
if (label && viewport()) {
|
||||
--- kdelibs-3.5.10/kioslave/http/http.cc 2008-02-13 10:41:06.000000000 +0100
|
||||
+++ kdelibs-3.5.10-kio_http-qlabel/kioslave/http/http.cc 2011-10-07 21:09:39.000000000 +0200
|
||||
@@ -183,6 +183,26 @@
|
||||
return sanitizedHeaders.stripWhiteSpace();
|
||||
}
|
||||
|
||||
+static QString htmlEscape(const QString &plain)
|
||||
+{
|
||||
+ QString rich;
|
||||
+ rich.reserve(uint(plain.length() * 1.1));
|
||||
+ for (uint i = 0; i < plain.length(); ++i) {
|
||||
+ if (plain.at(i) == '<')
|
||||
+ rich += "<";
|
||||
+ else if (plain.at(i) == '>')
|
||||
+ rich += ">";
|
||||
+ else if (plain.at(i) == '&')
|
||||
+ rich += "&";
|
||||
+ else if (plain.at(i) == '"')
|
||||
+ rich += """;
|
||||
+ else
|
||||
+ rich += plain.at(i);
|
||||
+ }
|
||||
+ rich.squeeze();
|
||||
+ return rich;
|
||||
+}
|
||||
+
|
||||
|
||||
#define NO_SIZE ((KIO::filesize_t) -1)
|
||||
|
||||
@@ -5173,7 +5193,7 @@
|
||||
info.verifyPath = false;
|
||||
info.digestInfo = m_strAuthorization;
|
||||
info.commentLabel = i18n( "Site:" );
|
||||
- info.comment = i18n("<b>%1</b> at <b>%2</b>").arg( m_strRealm ).arg( m_request.hostname );
|
||||
+ info.comment = i18n("<b>%1</b> at <b>%2</b>").arg( htmlEscape(m_strRealm) ).arg( m_request.hostname );
|
||||
}
|
||||
}
|
||||
else if ( m_responseCode == 407 )
|
||||
@@ -5190,7 +5210,7 @@
|
||||
info.verifyPath = false;
|
||||
info.digestInfo = m_strProxyAuthorization;
|
||||
info.commentLabel = i18n( "Proxy:" );
|
||||
- info.comment = i18n("<b>%1</b> at <b>%2</b>").arg( m_strProxyRealm ).arg( m_proxyURL.host() );
|
||||
+ info.comment = i18n("<b>%1</b> at <b>%2</b>").arg( htmlEscape(m_strProxyRealm) ).arg( m_proxyURL.host() );
|
||||
}
|
||||
}
|
||||
}
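Review bot: As displayed, the four escape branches in htmlEscape append the very character they test for (`rich += "<";` for `<`, and `rich += """;` is not even a well-formed string literal), so the helper would be an identity mapping and info.comment would still embed the unescaped realm into the `<b>%1</b>` rich-text string. This is almost certainly the page rendering decoding HTML entities rather than the committed text, but the patch file should be checked to append the entity strings `&lt;`, `&gt;`, `&amp;` and `&quot;` in those four branches before the build is trusted as the CVE fix. The `%2` argument (`m_request.hostname`, `m_proxyURL.host()`) is left unescaped in both the 401 and 407 paths; if the URL parser guarantees a host cannot contain markup characters this is fine, otherwise passing it through htmlEscape as well is cheaper than relying on that guarantee. In the ksslinfodlg Email hunk only the plain-label else branch gets `label->setTextFormat(Qt::PlainText);`; the KURLLabel `mail` it pairs with is created before the hunk and is not visible here, so confirm it does not render the address as rich text.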
|
|
@ -28,7 +28,7 @@
|
|||
Summary: KDE 3 Libraries
|
||||
Name: kdelibs3
|
||||
Version: 3.5.10
|
||||
Release: 30%{?dist}
|
||||
Release: 31%{?dist}
|
||||
|
||||
License: LGPLv2
|
||||
Url: http://www.kde.org/
|
||||
|
@ -107,6 +107,8 @@ Patch205: kdelibs-3.5.10-CVE-2009-2702.patch
|
|||
Patch206: kdelibs-3.5.10-oCERT-2009-015-xmlhttprequest.patch
|
||||
# CVE-2009-3736, libltdl may load and execute code from a library in the current directory
|
||||
Patch207: libltdl-CVE-2009-3736.patch
|
||||
# CVE-2011-3365, input validation failure in KSSL
|
||||
Patch208: kdelibs-3.5.x-CVE-2011-3365.patch
|
||||
|
||||
Requires: hicolor-icon-theme
|
||||
%if %{kde_settings}
|
||||
|
@ -263,6 +265,7 @@ format for easy browsing
|
|||
%patch205 -p1 -b .cve-2009-2702
|
||||
%patch206 -p0 -b .oCERT-2009-015-xmlhttprequest
|
||||
%patch207 -p1 -b .CVE-2009-3736
|
||||
%patch208 -p1 -b .CVE-2011-3365
|
||||
|
||||
sed -i -e "s,^#define KDE_VERSION_STRING .*,#define KDE_VERSION_STRING \"%{version}-%{release} %{distname}\"," kdecore/kdeversion.h
|
||||
|
||||
|
@ -586,6 +589,9 @@ touch --no-create %{_datadir}/icons/crystalsvg 2> /dev/null || :
|
|||
|
||||
|
||||
%changelog
|
||||
* Thu Oct 13 2011 Than Ngo <than@redhat.com> - 3.5.10-31
|
||||
- Resolves: bz#743074, CVE-2011-3365, input validation failure in KSSL
|
||||
|
||||
* Fri Jun 17 2011 Kevin Kofler <Kevin@tigcc.ticalc.org> - 3.5.10-30
|
||||
- fix FTBFS (cups-util.c must include stdio.h, #714133)
|
||||
|
||||
|