From 79734ca9df11fb79bae20a5c49bb2c2d829a74fe Mon Sep 17 00:00:00 2001
From: Than Ngo
Date: Fri, 4 Sep 2009 12:48:11 +0000
Subject: [PATCH] fix for CVE-2009-2702 drop support fedora <10
---
kdelibs-3.5.10-CVE-2009-2702.patch | 62 ++++++++++++++++++++++++
kdelibs3.spec | 76 +++---------------------------
2 files changed, 69 insertions(+), 69 deletions(-)
create mode 100644 kdelibs-3.5.10-CVE-2009-2702.patch
diff --git a/kdelibs-3.5.10-CVE-2009-2702.patch b/kdelibs-3.5.10-CVE-2009-2702.patch
new file mode 100644
index 0000000..e6f06a7
--- /dev/null
+++ b/kdelibs-3.5.10-CVE-2009-2702.patch
@@ -0,0 +1,62 @@
+diff -pruN kdelibs-3.5.4.orig/kio/kssl/kopenssl.cc kdelibs-3.5.4/kio/kssl/kopenssl.cc
+--- kdelibs-3.5.4.orig/kio/kssl/kopenssl.cc 2009-08-31 20:50:12.000000000 +0200
++++ kdelibs-3.5.4/kio/kssl/kopenssl.cc 2009-08-31 21:46:47.000000000 +0200
+@@ -196,6 +196,7 @@ static int (*K_X509_NAME_add_entry_by_tx
+ static X509_NAME *(*K_X509_NAME_new)() = 0L;
+ static int (*K_X509_REQ_set_subject_name)(X509_REQ*,X509_NAME*) = 0L;
+ static unsigned char *(*K_ASN1_STRING_data)(ASN1_STRING*) = 0L;
++static int (*K_ASN1_STRING_length)(ASN1_STRING*) = 0L;
+ static STACK_OF(SSL_CIPHER) *(*K_SSL_get_ciphers)(const SSL *ssl) = 0L;
+
+ #endif
+@@ -498,6 +499,7 @@ KConfig *cfg;
+ K_X509_NAME_new = (X509_NAME *(*)()) _cryptoLib->symbol("X509_NAME_new");
+ K_X509_REQ_set_subject_name = (int (*)(X509_REQ*,X509_NAME*)) _cryptoLib->symbol("X509_REQ_set_subject_name");
+ K_ASN1_STRING_data = (unsigned char *(*)(ASN1_STRING*)) _cryptoLib->symbol("ASN1_STRING_data");
++ K_ASN1_STRING_length = (int (*)(ASN1_STRING*)) _cryptoLib->symbol("ASN1_STRING_length");
+ #endif
+ }
+
+@@ -1549,6 +1551,13 @@ unsigned char *KOpenSSLProxy::ASN1_STRIN
+ return 0L;
+ }
+
++
++int KOpenSSLProxy::ASN1_STRING_length(ASN1_STRING *x) {
++ if (K_ASN1_STRING_length) return (K_ASN1_STRING_length)(x);
++ return 0L;
++}
++
++
+ STACK_OF(SSL_CIPHER) *KOpenSSLProxy::SSL_get_ciphers(const SSL* ssl) {
+ if (K_SSL_get_ciphers) return (K_SSL_get_ciphers)(ssl);
+ return 0L;
+diff -pruN kdelibs-3.5.4.orig/kio/kssl/kopenssl.h kdelibs-3.5.4/kio/kssl/kopenssl.h
+--- kdelibs-3.5.4.orig/kio/kssl/kopenssl.h 2006-07-22 10:16:39.000000000 +0200
++++ kdelibs-3.5.4/kio/kssl/kopenssl.h 2009-08-31 21:46:47.000000000 +0200
+@@ -622,6 +622,11 @@ public:
+ unsigned char *ASN1_STRING_data(ASN1_STRING *x);
+
+ /*
++ * ASN1_STRING_length
++ */
++ int ASN1_STRING_length(ASN1_STRING *x);
++
++ /*
+ *
+ */
+ int OBJ_obj2nid(ASN1_OBJECT *o);
+diff -pruN kdelibs-3.5.4.orig/kio/kssl/ksslcertificate.cc
kdelibs-3.5.4/kio/kssl/ksslcertificate.cc +--- kdelibs-3.5.4.orig/kio/kssl/ksslcertificate.cc 2006-01-19 18:06:12.000000000 +0100 ++++ kdelibs-3.5.4/kio/kssl/ksslcertificate.cc 2009-08-31 21:54:38.000000000 +0200 +@@ -1099,7 +1099,9 @@ QStringList KSSLCertificate::subjAltName + } + + QString s = (const char *)d->kossl->ASN1_STRING_data(val->d.ia5); +- if (!s.isEmpty()) { ++ if (!s.isEmpty() && ++ /* skip subjectAltNames with embedded NULs */ ++ s.length() == d->kossl->ASN1_STRING_length(val->d.ia5)) { + rc += s; + } + } diff --git a/kdelibs3.spec b/kdelibs3.spec index 6aa9260..f954581 100644 --- a/kdelibs3.spec +++ b/kdelibs3.spec @@ -8,13 +8,7 @@ %define arts 1 %define arts_ev 8:1.5.10 - -%if 0%{?fedora} > 8 %define qt3 qt3 -%else -%define qt3_epoch 1: -%define qt3 qt -%endif %define qt3_version 3.3.8b %define qt3_ev %{?qt3_epoch}%{qt3_version} # unfortunately, this doesn't work for 3.3.8b which still identifies as 3.3.8 @@ -36,18 +30,11 @@ Summary: K Desktop Environment 3 - Libraries Version: 3.5.10 -Release: 14%{?dist} +Release: 15%{?dist} -%if 0%{?fedora} > 8 Name: kdelibs3 Obsoletes: kdelibs < 6:%{version}-%{release} Provides: kdelibs = 6:%{version}-%{release} -%else -Name: kdelibs -Epoch: 6 -Obsoletes: kdelibs3 < %{version}-%{release} -Provides: kdelibs3 = %{version}-%{release} -%endif License: LGPLv2 Url: http://www.kde.org/ @@ -108,6 +95,8 @@ Patch202: kdelibs-3.5.4-CVE-2009-1687.patch Patch203: kdelibs-3.5.4-CVE-2009-1690.patch # fix CVE-2009-1698 - crash, possible ACE in CSS style attribute handling Patch204: kdelibs-3.5.10-cve-2009-1698.patch +# fix CVE-2009-2702 - ssl incorrect verification of SSL certificate with NUL in subjectAltName +Patch205: kdelibs-3.5.10-CVE-2009-2702.patch #{?arts:Requires: arts >= %{arts_ev}} #Requires: %{qt3} >= %{qt3_ev} 
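Review bot: In the ksslcertificate.cc hunk of the embedded patch, the new guard compares `s.length()` with the `int` returned by `ASN1_STRING_length()`, and only after `s` has already been built by reading the buffer as a NUL-terminated C string. Fetching the length first and rejecting non-positive values keeps the comparison well-defined and states the intent: `const int len = d->kossl->ASN1_STRING_length(val->d.ia5);` followed by `if (len > 0 && !s.isEmpty() && s.length() == (uint)len) {`. The new `KOpenSSLProxy::ASN1_STRING_length` returns 0 when the symbol cannot be resolved, so this check then drops every subjectAltName; that fails closed, but it deserves a comment such as `/* returns 0 if the symbol is missing; callers then reject every name */`. subjAltNames() starts and ends outside the hunk, so whether other consumers of `ASN1_STRING_data` need the same length check cannot be confirmed from here.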
@@ -116,22 +105,18 @@ Requires: hicolor-icon-theme Requires: kde-settings >= 3.5 %endif Requires: kde-filesystem -%if "%{name}" != "kdelibs" Requires: kdelibs-common -%endif Requires: redhat-menus Requires: shadow-utils BuildRequires: sudo Requires(hint): sudo -%if 0%{?fedora} > 4 || 0%{?rhel} > 4 %define libkdnssd libkdnssd # omit for now, may contribute to http://bugzilla.redhat.com/441222 #Requires: %{libkdnssd} %define BuildRequires: xorg-x11-proto-devel libX11-devel %define _with_rgbfile --with-rgbfile=%{_datadir}/X11/rgb.txt Requires: iceauth -%endif Requires(pre): coreutils Requires(post): /sbin/ldconfig @@ -163,24 +148,16 @@ BuildRequires: libart_lgpl-devel BuildRequires: bzip2-devel BuildRequires: libtiff-devel BuildRequires: libacl-devel libattr-devel -%if 0%{?fedora} >= 9 BuildRequires: enchant-devel Requires: hunspell -%else -BuildRequires: aspell-devel -%endif BuildRequires: krb5-devel BuildRequires: openldap-devel BuildRequires: db4-devel BuildRequires: alsa-lib-devel BuildRequires: pkgconfig BuildRequires: glibc-kernheaders -%if 0%{?fedora} > 5 || 0%{?rhel} > 4 %define _with_libutempter 1 BuildRequires: libutempter-devel -%else -BuildRequires: utempter -%endif BuildRequires: findutils BuildRequires: jasper-devel BuildRequires: OpenEXR-devel @@ -211,13 +188,8 @@ kimgio (image manipulation). %package devel Group: Development/Libraries Summary: Header files and documentation for compiling KDE 3 applications. -%if "%{name}" == "kdelibs" -Obsoletes: kdelibs3-devel < %{version}-%{release} -Provides: kdelibs3-devel = %{version}-%{release} -%else Obsoletes: kdelibs-devel < 6:%{version}-%{release} Provides: kdelibs-devel = 6:%{version}-%{release} -%endif Requires: %{name}%{?_isa} = %{?epoch:%{epoch}:}%{version}-%{release} Requires: %{qt3}-devel Requires: openssl-devel 
@@ -231,15 +203,9 @@ applications for KDE 3. Group: Development/Documentation Summary: KDE 3 API documentation. Requires: %{name} = %{?epoch:%{epoch}:}%{version} -%if "%{name}" == "kdelibs" -Provides: kdelibs3-apidocs = %{version}-%{release} -%else Obsoletes: kdelibs-apidocs < 6:%{version}-%{release} Provides: kdelibs-apidocs = 6:%{version}-%{release} -%endif -%if 0%{?fedora} > 9 BuildArch: noarch -%endif %description apidocs This package includes the KDE 3 API documentation in HTML @@ -266,16 +232,12 @@ format for easy browsing %patch43 -p1 -b .lang %patch45 -p1 -b .xdg-autostart %patch46 -p1 -b .kate-vhdl -%if 0%{?fedora} >= 9 %patch48 -p1 -b .kspell %patch49 -p1 -b .kspell2 %patch50 -p1 -b .no-ispell -%endif %patch51 -p1 -b .cupsserverbin %patch52 -p1 -b .KDE3 -%if "%{name}" != "kdelibs" %patch53 -p1 -b .drkonqi-kde4 -%endif %patch54 -p1 -b .flock-redefinition %patch55 -p1 -b .latex-syntax @@ -289,6 +251,7 @@ format for easy browsing %patch202 -p1 -b .cve-2009-1687 %patch203 -p1 -b .cve-2009-1690 %patch204 -p1 -b .cve-2009-1698 +%patch205 -p1 -b .cve-2009-2702 sed -i -e "s,^#define KDE_VERSION_STRING .*,#define KDE_VERSION_STRING \"%{version}-%{release} %{distname}\"," kdecore/kdeversion.h @@ -331,11 +294,7 @@ export DO_NOT_COMPILE="libkscreensaver" --enable-sendfile \ --with-distribution="$(cat /etc/redhat-release 2>/dev/null)" \ --with-alsa \ -%if 0%{?fedora} >= 9 --without-aspell \ -%else - --with-aspell \ -%endif --without-hspell \ --disable-libfam \ --enable-dnotify \ @@ -384,13 +343,6 @@ popd install -p -m 644 -D %{SOURCE1} %{buildroot}%{_sysconfdir}/profile.d/kde.sh install -p -m 644 -D %{SOURCE2} %{buildroot}%{_sysconfdir}/profile.d/kde.csh -%if "%{name}" == "kdelibs" -# menus -mkdir -p %{buildroot}%{_sysconfdir}/kde/xdg/menus -mv %{buildroot}%{_sysconfdir}/xdg/menus/applications.menu \ - %{buildroot}%{_sysconfdir}/xdg/menus/kde-applications.menu -%endif - # Use hicolor-icon-theme rpm/pkg instead (#178319) rm -rf $RPM_BUILD_ROOT%{_datadir}/icons/hicolor/ 
@@ -426,7 +378,6 @@ find $RPM_BUILD_ROOT%{_libdir} -name "*.la" | xargs \ rm -f %{buildroot}%{_libdir}/libkdnssd.la %{?libkdnssd:rm -rf %{buildroot}{%{_libdir}/libkdnssd.*,%{_includedir}/kde/dnssd}} -%if "%{name}" != "kdelibs" # remove conflicts with kdelibs-4 rm -f %{buildroot}%{_bindir}/checkXML rm -f %{buildroot}%{_bindir}/ksvgtopng @@ -484,8 +435,6 @@ rm -f %{buildroot}%{_bindir}/preparetips # don't show kresources sed -i -e "s,^OnlyShowIn=KDE;,OnlyShowIn=KDE3;," %{buildroot}%{_datadir}/applications/kde/kresources.desktop -%endif - %if 0%{?include_crystalsvg} == 0 # remove all crystalsvg icons for now rm -rf %{buildroot}%{_datadir}/icons/crystalsvg/ @@ -600,15 +549,7 @@ touch --no-create %{_datadir}/icons/crystalsvg 2> /dev/null || : %{_datadir}/servicetypes/* %ghost %{_datadir}/services/ksycoca %{_docdir}/HTML/en/kspell -%if "%{name}" == "kdelibs" -%{_sysconfdir}/xdg/menus/*.menu -%{_datadir}/autostart/* -# include also the conflicting file in kdelibs fedora < 9 -%{_docdir}/HTML/en/common -%{_datadir}/locale/all_languages -%else %{_docdir}/HTML/en/common/* -%endif %if 0%{?include_crystalsvg} %{_datadir}/icons/crystalsvg/ %endif @@ -616,12 +557,6 @@ touch --no-create %{_datadir}/icons/crystalsvg 2> /dev/null || : %files devel %defattr(-,root,root,-) # include also the conflicting file in kdelibs-devel fedora < 9 -%if "%{name}" == "kdelibs" -%{_bindir}/checkXML -%{_bindir}/ksvgtopng -%{_bindir}/kunittestmodrunner -%{_bindir}/preparetips -%endif %{_bindir}/dcopidl* %{_bindir}/kconfig_compiler %{_bindir}/makekdewidgets @@ -640,6 +575,9 @@ touch --no-create %{_datadir}/icons/crystalsvg 2> /dev/null || : %changelog +* Fri Sep 04 2009 Than Ngo - 3.5.10-15 +- fix for CVE-2009-2702 + * Thu Sep 03 2009 Rex Dieter - 3.5.10-14 - kde.(sh|csh): drop KDE_IS_PRELINKED (workaround bug #515539)
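Review bot: In the `%files devel` hunk (`@@ -616,12 +557,6 @@`) the context comment `# include also the conflicting file in kdelibs-devel fedora < 9` is left in place although the `%if "%{name}" == "kdelibs"` block it described is removed. It now sits directly above `%{_bindir}/dcopidl*` and reads as if it applied to that entry. Removing that comment line together with the block would keep the spec consistent with the stated "drop support fedora <10" cleanup.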