backport fix for CVE-2017-6410 from kdelibs 4 (itself backported from KF5)
* Sat Mar 04 2017 Kevin Kofler <Kevin@tigcc.ticalc.org> - 3.5.10-84 - backport fix for CVE-2017-6410 from kdelibs 4 (itself backported from KF5)
parent
80fb1652f0
commit
ab3d736ba9
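--- a/kdelibs-3.5.10-CVE-2017-6410.patch
+++ b/kdelibs-3.5.10-CVE-2017-6410.patch
@@ -0,0 +1,24 @@
+diff -ur kdelibs-3.5.10/kio/misc/kpac/script.cpp kdelibs-3.5.10-CVE-2017-6410/kio/misc/kpac/script.cpp
+--- kdelibs-3.5.10/kio/misc/kpac/script.cpp 2008-02-13 10:41:06.000000000 +0100
++++ kdelibs-3.5.10-CVE-2017-6410/kio/misc/kpac/script.cpp 2017-03-04 18:42:29.638992390 +0100
+@@ -446,10 +446,18 @@
+if (!findObj.isValid() || !findObj.implementsCall())
+throw Error( "No such function FindProxyForURL" );
+
++ KURL cleanUrl = url;
++ cleanUrl.setPass(QString());
++ cleanUrl.setUser(QString());
++ if (cleanUrl.protocol().lower() == "https") {
++ cleanUrl.setPath(QString());
++ cleanUrl.setQuery(QString());
++ }
++
+Object thisObj;
+List args;
+- args.append(String(url.url()));
+- args.append(String(url.host()));
++ args.append(String(cleanUrl.url()));
++ args.append(String(cleanUrl.host()));
+Value retval = findObj.call( exec, thisObj, args );
+
+if ( exec->hadException() ) {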
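Review bot: The sanitised copy built at `KURL cleanUrl = url;` clears the user, the password and (for https) the path and query, but it never clears the fragment, so a URL carrying a `#ref` still hands that part to the script through `cleanUrl.url()`; whether KURL::url() emits the ref in this build should be confirmed, and if it does, adding `cleanUrl.setRef(QString());` inside the https branch closes that gap. The asymmetry between schemes deserves a comment above the block so the next backporter does not "fix" it, e.g. `// Strip credentials for every scheme; for https also drop path and query so a malicious PAC script cannot learn what TLS would otherwise hide (CVE-2017-6410).`. The enclosing function that calls FindProxyForURL starts and ends outside the hunk.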
@ -18,7 +18,7 @@
|
|||
Summary: KDE 3 Libraries
|
||||
Name: kdelibs3
|
||||
Version: 3.5.10
|
||||
Release: 83%{?dist}
|
||||
Release: 84%{?dist}
|
||||
|
||||
License: LGPLv2
|
||||
Url: http://www.kde.org/
|
||||
|
@ -124,6 +124,10 @@ Patch210: kdelibs-3.5.10-CVE-2015-7543.patch
|
|||
# CVE-2016-6232 - directory traversal vulnerability in KArchive
|
||||
# patch from Trinity (Slávek Banko), based on KF5 fix (Andreas Cord-Landwehr)
|
||||
Patch211: kdelibs-3.5.10-CVE-2016-6232.patch
|
||||
# CVE-2017-6410 - info leak when accessing https when using a malicious PAC file
|
||||
# backport upstream fix (by Albert Astals Cid) from kdelibs 4:
|
||||
# http://commits.kde.org/kdelibs/1804c2fde7bf4e432c6cf5bb8cce5701c7010559
|
||||
Patch212: kdelibs-3.5.10-CVE-2017-6410.patch
|
||||
|
||||
## fixes to common KDE 3 autotools machinery
|
||||
# tweak autoconfigury so that it builds with autoconf 2.64 or 2.65
|
||||
|
@ -311,6 +315,7 @@ This package includes tools kgrantpty and kpac_dhcp_helper.
|
|||
%patch209 -p1 -b .CVE-2013-2074
|
||||
%patch210 -p1 -b .CVE-2015-7543
|
||||
%patch211 -p1 -b .CVE-2016-6232
|
||||
%patch212 -p1 -b .CVE-2017-6410
|
||||
|
||||
%patch300 -p1 -b .acinclude
|
||||
%patch301 -p1 -b .automake-version
|
||||
|
@ -638,6 +643,9 @@ touch --no-create %{_datadir}/icons/crystalsvg 2> /dev/null || :
|
|||
%attr(4755,root,root) %{_bindir}/kpac_dhcp_helper
|
||||
|
||||
%changelog
|
||||
* Sat Mar 04 2017 Kevin Kofler <Kevin@tigcc.ticalc.org> - 3.5.10-84
|
||||
- backport fix for CVE-2017-6410 from kdelibs 4 (itself backported from KF5)
|
||||
|
||||
* Mon Feb 27 2017 Than Ngo <than@redhat.com> - 3.5.10-83
|
||||
- devel requires compat-openssl10-devel, fix kdebase3 FTBS
|
||||
|
||||