backport fix for CVE-2017-6410 from kdelibs 4 (itself backported from KF5)
* Sat Mar 04 2017 Kevin Kofler <Kevin@tigcc.ticalc.org> - 3.5.10-84 - backport fix for CVE-2017-6410 from kdelibs 4 (itself backported from KF5)
parent
80fb1652f0
commit
ab3d736ba9
24
kdelibs-3.5.10-CVE-2017-6410.patch
Normal file
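--- /dev/null
+++ b/kdelibs-3.5.10-CVE-2017-6410.patch
@@ -0,0 +1,24 @@
+diff -ur kdelibs-3.5.10/kio/misc/kpac/script.cpp kdelibs-3.5.10-CVE-2017-6410/kio/misc/kpac/script.cpp
+--- kdelibs-3.5.10/kio/misc/kpac/script.cpp 2008-02-13 10:41:06.000000000 +0100
++++ kdelibs-3.5.10-CVE-2017-6410/kio/misc/kpac/script.cpp 2017-03-04 18:42:29.638992390 +0100
+@@ -446,10 +446,18 @@
+if (!findObj.isValid() || !findObj.implementsCall())
+throw Error( "No such function FindProxyForURL" );
+
++ KURL cleanUrl = url;
++ cleanUrl.setPass(QString());
++ cleanUrl.setUser(QString());
++ if (cleanUrl.protocol().lower() == "https") {
++ cleanUrl.setPath(QString());
++ cleanUrl.setQuery(QString());
++ }
++
+Object thisObj;
+List args;
+- args.append(String(url.url()));
+- args.append(String(url.host()));
++ args.append(String(cleanUrl.url()));
++ args.append(String(cleanUrl.host()));
+Value retval = findObj.call( exec, thisObj, args );
+
+if ( exec->hadException() ) {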
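Review bot: The https branch at `+ if (cleanUrl.protocol().lower() == "https") {` clears the path and query but leaves the fragment untouched; if `KURL::url()` renders the `#ref` part, a PAC script would still receive it, so `cleanUrl.setRef(QString());` next to the other two calls is worth considering (confirm against the KDE 3 KURL API before adding). A short why-comment above the new block, e.g. `// CVE-2017-6410: do not expose credentials, or for https the path/query, to the PAC script`, would explain to a later reader why the URL is copied and stripped before the call. Since the hunk is a backport of the kdelibs 4 change the spec cites, any extra stripping should be weighed against staying byte-identical to upstream. The enclosing function in script.cpp begins before this hunk and continues after it.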
@ -18,7 +18,7 @@
|
|||||||
Summary: KDE 3 Libraries
|
Summary: KDE 3 Libraries
|
||||||
Name: kdelibs3
|
Name: kdelibs3
|
||||||
Version: 3.5.10
|
Version: 3.5.10
|
||||||
Release: 83%{?dist}
|
Release: 84%{?dist}
|
||||||
|
|
||||||
License: LGPLv2
|
License: LGPLv2
|
||||||
Url: http://www.kde.org/
|
Url: http://www.kde.org/
|
||||||
@ -124,6 +124,10 @@ Patch210: kdelibs-3.5.10-CVE-2015-7543.patch
|
|||||||
# CVE-2016-6232 - directory traversal vulnerability in KArchive
|
# CVE-2016-6232 - directory traversal vulnerability in KArchive
|
||||||
# patch from Trinity (Slávek Banko), based on KF5 fix (Andreas Cord-Landwehr)
|
# patch from Trinity (Slávek Banko), based on KF5 fix (Andreas Cord-Landwehr)
|
||||||
Patch211: kdelibs-3.5.10-CVE-2016-6232.patch
|
Patch211: kdelibs-3.5.10-CVE-2016-6232.patch
|
||||||
|
# CVE-2017-6410 - info leak when accessing https when using a malicious PAC file
|
||||||
|
# backport upstream fix (by Albert Astals Cid) from kdelibs 4:
|
||||||
|
# http://commits.kde.org/kdelibs/1804c2fde7bf4e432c6cf5bb8cce5701c7010559
|
||||||
|
Patch212: kdelibs-3.5.10-CVE-2017-6410.patch
|
||||||
|
|
||||||
## fixes to common KDE 3 autotools machinery
|
## fixes to common KDE 3 autotools machinery
|
||||||
# tweak autoconfigury so that it builds with autoconf 2.64 or 2.65
|
# tweak autoconfigury so that it builds with autoconf 2.64 or 2.65
|
||||||
@ -311,6 +315,7 @@ This package includes tools kgrantpty and kpac_dhcp_helper.
|
|||||||
%patch209 -p1 -b .CVE-2013-2074
|
%patch209 -p1 -b .CVE-2013-2074
|
||||||
%patch210 -p1 -b .CVE-2015-7543
|
%patch210 -p1 -b .CVE-2015-7543
|
||||||
%patch211 -p1 -b .CVE-2016-6232
|
%patch211 -p1 -b .CVE-2016-6232
|
||||||
|
%patch212 -p1 -b .CVE-2017-6410
|
||||||
|
|
||||||
%patch300 -p1 -b .acinclude
|
%patch300 -p1 -b .acinclude
|
||||||
%patch301 -p1 -b .automake-version
|
%patch301 -p1 -b .automake-version
|
||||||
@ -638,6 +643,9 @@ touch --no-create %{_datadir}/icons/crystalsvg 2> /dev/null || :
|
|||||||
%attr(4755,root,root) %{_bindir}/kpac_dhcp_helper
|
%attr(4755,root,root) %{_bindir}/kpac_dhcp_helper
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Sat Mar 04 2017 Kevin Kofler <Kevin@tigcc.ticalc.org> - 3.5.10-84
|
||||||
|
- backport fix for CVE-2017-6410 from kdelibs 4 (itself backported from KF5)
|
||||||
|
|
||||||
* Mon Feb 27 2017 Than Ngo <than@redhat.com> - 3.5.10-83
|
* Mon Feb 27 2017 Than Ngo <than@redhat.com> - 3.5.10-83
|
||||||
- devel requires compat-openssl10-devel, fix kdebase3 FTBS
|
- devel requires compat-openssl10-devel, fix kdebase3 FTBS
|
||||||
|
|
||||||
|