fix CVE-2013-2074 (passwords in HTTP URLs in error messages, #962001)

* Sat May 18 2013 Kevin Kofler <Kevin@tigcc.ticalc.org> - 3.5.10-53
- fix CVE-2013-2074 (passwords in HTTP URLs in error messages, #962001)

kdelibs-3.5.10-CVE-2013-2074.patch

@@ -0,0 +1,166 @@
+diff -ur kdelibs-3.5.10/kioslave/http/http.cc kdelibs-3.5.10-CVE-2013-2074/kioslave/http/http.cc
+--- kdelibs-3.5.10/kioslave/http/http.cc	2008-02-13 10:41:06.000000000 +0100
++++ kdelibs-3.5.10-CVE-2013-2074/kioslave/http/http.cc	2013-05-14 17:54:42.000000000 +0200
+@@ -288,7 +288,7 @@
+     m_bUseProxy = m_proxyURL.isValid();
+ 
+     kdDebug(7113) << "(" << m_pid << ") Using proxy: " << m_bUseProxy <<
+-                                              " URL: " << m_proxyURL.url() <<
++                                              " URL: " << m_proxyURL.prettyURL() <<
+                                             " Realm: " << m_strProxyRealm << endl;
+   }
+ 
+@@ -458,7 +458,7 @@
+ 
+ bool HTTPProtocol::checkRequestURL( const KURL& u )
+ {
+-  kdDebug (7113) << "(" << m_pid << ") HTTPProtocol::checkRequestURL:  " << u.url() << endl;
++  kdDebug (7113) << "(" << m_pid << ") HTTPProtocol::checkRequestURL:  " << u.prettyURL() << endl;
+ 
+   m_request.url = u;
+ 
+@@ -640,7 +640,7 @@
+ 
+ void HTTPProtocol::listDir( const KURL& url )
+ {
+-  kdDebug(7113) << "(" << m_pid << ") HTTPProtocol::listDir " << url.url()
++  kdDebug(7113) << "(" << m_pid << ") HTTPProtocol::listDir " << url.prettyURL()
+                 << endl;
+ 
+   if ( !checkRequestURL( url ) )
+@@ -807,7 +807,7 @@
+ 
+ void HTTPProtocol::davGeneric( const KURL& url, KIO::HTTP_METHOD method )
+ {
+-  kdDebug(7113) << "(" << m_pid << ") HTTPProtocol::davGeneric " << url.url()
++  kdDebug(7113) << "(" << m_pid << ") HTTPProtocol::davGeneric " << url.prettyURL()
+                 << endl;
+ 
+   if ( !checkRequestURL( url ) )
+@@ -1206,7 +1206,7 @@
+ 
+ void HTTPProtocol::mkdir( const KURL& url, int )
+ {
+-  kdDebug(7113) << "(" << m_pid << ") HTTPProtocol::mkdir " << url.url()
++  kdDebug(7113) << "(" << m_pid << ") HTTPProtocol::mkdir " << url.prettyURL()
+                 << endl;
+ 
+   if ( !checkRequestURL( url ) )
+@@ -1228,7 +1228,7 @@
+ 
+ void HTTPProtocol::get( const KURL& url )
+ {
+-  kdDebug(7113) << "(" << m_pid << ") HTTPProtocol::get " << url.url()
++  kdDebug(7113) << "(" << m_pid << ") HTTPProtocol::get " << url.prettyURL()
+                 << endl;
+ 
+   if ( !checkRequestURL( url ) )
+@@ -1543,8 +1543,10 @@
+     callError = true;
+   }
+ 
++  // Huh? This looks like inverted logic to me (it doesn't make sense to me as
++  // written), but I'm only fixing the CVE now. -- Kevin Kofler
+   if ( !url.isNull() )
+-    url = m_request.url.url();
++    url = m_request.url.prettyURL();
+ 
+   QString action, errorString;
+   KIO::Error kError;
+@@ -1840,7 +1842,7 @@
+      if ( !checkRequestURL( url ) )
+         continue;
+ 
+-     kdDebug(7113) << "(" << m_pid << ") HTTPProtocol::multi_get " << url.url() << endl;
++     kdDebug(7113) << "(" << m_pid << ") HTTPProtocol::multi_get " << url.prettyURL() << endl;
+ 
+      m_request.method = HTTP_GET;
+      m_request.path = url.path();
+@@ -2212,12 +2214,12 @@
+ 
+      if (bCacheOnly)
+      {
+-        error( ERR_DOES_NOT_EXIST, m_request.url.url() );
++        error( ERR_DOES_NOT_EXIST, m_request.url.prettyURL() );
+         return false;
+      }
+      if (bOffline)
+      {
+-        error( ERR_COULD_NOT_CONNECT, m_request.url.url() );
++        error( ERR_COULD_NOT_CONNECT, m_request.url.prettyURL() );
+         return false;
+      }
+   }
+@@ -2891,7 +2893,7 @@
+               errorPage();
+            else
+            {
+-              error(ERR_INTERNAL_SERVER, m_request.url.url());
++              error(ERR_INTERNAL_SERVER, m_request.url.prettyURL());
+               return false;
+            }
+         }
+@@ -2931,7 +2933,7 @@
+           errorPage();
+         else
+         {
+-          error(ERR_DOES_NOT_EXIST, m_request.url.url());
++          error(ERR_DOES_NOT_EXIST, m_request.url.prettyURL());
+           return false;
+         }
+         m_request.bCachedWrite = false; // Don't put in cache
+@@ -3584,7 +3586,7 @@
+     KURL u(m_request.url, locationStr);
+     if(!u.isValid())
+     {
+-      error(ERR_MALFORMED_URL, u.url());
++      error(ERR_MALFORMED_URL, u.prettyURL());
+       return false;
+     }
+     if ((u.protocol() != "http") && (u.protocol() != "https") &&
+@@ -3592,7 +3594,7 @@
+        (u.protocol() != "webdavs"))
+     {
+       redirection(u);
+-      error(ERR_ACCESS_DENIED, u.url());
++      error(ERR_ACCESS_DENIED, u.prettyURL());
+       return false;
+     }
+ 
+@@ -3613,10 +3615,10 @@
+        sendMetaData();
+     }
+ 
+-    kdDebug(7113) << "(" << m_pid << ") request.url: " << m_request.url.url()
++    kdDebug(7113) << "(" << m_pid << ") request.url: " << m_request.url.prettyURL()
+                   << endl << "LocationStr: " << locationStr.data() << endl;
+ 
+-    kdDebug(7113) << "(" << m_pid << ") Requesting redirection to: " << u.url()
++    kdDebug(7113) << "(" << m_pid << ") Requesting redirection to: " << u.prettyURL()
+                   << endl;
+ 
+     // If we're redirected to a http:// url, remember that we're doing webdav...
+@@ -3832,7 +3834,7 @@
+         if (!m_request.fcache)
+         {
+           m_request.bCachedWrite = false; // Error creating cache entry.
+-          kdDebug(7113) << "(" << m_pid << ") Error creating cache entry for " << m_request.url.url()<<"!\n";
++          kdDebug(7113) << "(" << m_pid << ") Error creating cache entry for " << m_request.url.prettyURL()<<"!\n";
+         }
+         m_request.expireDate = expireDate;
+         m_maxCacheSize = config()->readNumEntry("MaxCacheSize", DEFAULT_MAX_CACHE_SIZE) / 2;
+@@ -3840,11 +3842,11 @@
+   }
+ 
+   if (m_request.bCachedWrite && !m_strMimeType.isEmpty())
+-    kdDebug(7113) << "(" << m_pid << ") Cache, adding \"" << m_request.url.url() << "\"" << endl;
++    kdDebug(7113) << "(" << m_pid << ") Cache, adding \"" << m_request.url.prettyURL() << "\"" << endl;
+   else if (m_request.bCachedWrite && m_strMimeType.isEmpty())
+-    kdDebug(7113) << "(" << m_pid << ") Cache, pending \"" << m_request.url.url() << "\"" << endl;
++    kdDebug(7113) << "(" << m_pid << ") Cache, pending \"" << m_request.url.prettyURL() << "\"" << endl;
+   else
+-    kdDebug(7113) << "(" << m_pid << ") Cache, not adding \"" << m_request.url.url() << "\"" << endl;
++    kdDebug(7113) << "(" << m_pid << ") Cache, not adding \"" << m_request.url.prettyURL() << "\"" << endl;
+   return true;
+ }
+ 

kdelibs3.spec

@@ -15,7 +15,7 @@
 Summary: KDE 3 Libraries
 Name:    kdelibs3
 Version: 3.5.10
-Release: 52%{?dist}
+Release: 53%{?dist}
 
 License: LGPLv2
 Url: http://www.kde.org/
@@ -101,6 +101,8 @@ Patch206: kdelibs-3.5.10-oCERT-2009-015-xmlhttprequest.patch
 Patch207: libltdl-CVE-2009-3736.patch
 # CVE-2011-3365, input validation failure in KSSL
 Patch208: kdelibs-3.5.x-CVE-2011-3365.patch
+# CVE-2013-2074, prints passwords contained in HTTP URLs in error messages
+Patch209: kdelibs-3.5.10-CVE-2013-2074.patch
 
 ## fixes to common KDE 3 autotools machinery
 # tweak autoconfigury so that it builds with autoconf 2.64 or 2.65
@@ -261,6 +263,7 @@ format for easy browsing
 %patch206 -p0 -b .oCERT-2009-015-xmlhttprequest
 %patch207 -p1 -b .CVE-2009-3736
 %patch208 -p1 -b .CVE-2011-3365
+%patch209 -p1 -b .CVE-2013-2074
 
 %patch300 -p1 -b .acinclude
 %patch301 -p1 -b .automake-version
@@ -573,6 +576,9 @@ touch --no-create %{_datadir}/icons/crystalsvg 2> /dev/null || :
 
 
 %changelog
+* Sat May 18 2013 Kevin Kofler <Kevin@tigcc.ticalc.org> - 3.5.10-53
+- fix CVE-2013-2074 (passwords in HTTP URLs in error messages, #962001)
+
 * Mon Apr 01 2013 Kevin Kofler <Kevin@tigcc.ticalc.org> - 3.5.10-52
 - use automake --force-missing to get aarch64 support (#925029/#925627)
 - also use automake --copy (the default is symlinking)