rpms/kdelibs/FC-3-embargo post-3.3.2-kdelibs-dcopidlng.patch, NONE, 1.1 post-3.3.2-kdelibs-idn-2.patch, NONE, 1.1 kdelibs.spec, 1.75, 1.76 kdelibs-3.3.1-dcopidlng-CAN-2005-0365.patch, 1.1, NONE

fedora-cvs-commits at redhat.com fedora-cvs-commits at redhat.com
Wed Mar 23 10:52:22 UTC 2005


Update of /cvs/dist/rpms/kdelibs/FC-3-embargo
In directory cvs.devel.redhat.com:/tmp/cvs-serv17363

Modified Files:
	kdelibs.spec 
Added Files:
	post-3.3.2-kdelibs-dcopidlng.patch 
	post-3.3.2-kdelibs-idn-2.patch 
Removed Files:
	kdelibs-3.3.1-dcopidlng-CAN-2005-0365.patch 
Log Message:
applied patch to fix konqueror international domain name spoofing,
CAN-2005-0237, #147405


post-3.3.2-kdelibs-dcopidlng.patch:
 dcopidlng |    8 +++++---
 1 files changed, 5 insertions(+), 3 deletions(-)

--- NEW FILE post-3.3.2-kdelibs-dcopidlng.patch ---
Index: dcopidlng
===================================================================
RCS file: /home/kde/kdelibs/dcop/dcopidlng/dcopidlng,v
retrieving revision 1.6
retrieving revision 1.8
diff -u -p -r1.6 -r1.8
--- dcop/dcopidlng/dcopidlng	20 Feb 2004 08:55:10 -0000	1.6
+++ dcop/dcopidlng/dcopidlng	21 Jan 2005 21:37:01 -0000	1.8
@@ -1,13 +1,15 @@
 #!/bin/sh
+
+trap "rm -f dcopidlng.stderr.$$" 0 1 2 15
+
 if test -z "$KDECONFIG"; then
     KDECONFIG=kde-config
 fi
 LIBDIR="`$KDECONFIG --install data --expandvars`/dcopidlng"
-perl -I"$LIBDIR" "$LIBDIR/kalyptus" --allow_k_dcop_accessors -f dcopidl $1 2>/tmp/dcopidlng.stderr.$$
+perl -I"$LIBDIR" "$LIBDIR/kalyptus" --allow_k_dcop_accessors -f dcopidl $1 2> dcopidlng.stderr.$$
 RET=$?
 if [ $RET -ne 0 ]
 then
-   cat /tmp/dcopidlng.stderr.$$ >&2
+   cat dcopidlng.stderr.$$ >&2
 fi
-rm /tmp/dcopidlng.stderr.$$
 exit $RET
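Review bot: The stderr capture file keeps a predictable name, `dcopidlng.stderr.$$`, and is now created in whatever directory the script runs from; if that directory is writable by other users, the redirection can still be pre-empted by a planted symlink, just as with the old /tmp path. Creating the file with mktemp removes the guess: `ERR=$(mktemp "${TMPDIR:-/tmp}/dcopidlng.XXXXXX") || exit 1`, then use `"$ERR"` in the trap, the redirection and the `cat`. The `$1` passed to kalyptus is also unquoted, so a header path containing spaces is split into several arguments; `"$1"` avoids that.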

post-3.3.2-kdelibs-idn-2.patch:
 kdecore/network/kresolver.cpp |   27 ++++++++++++++++++++++++++-
 kdecore/network/kresolver.h   |    2 ++
 kio/kssl/ksslpeerinfo.cc      |    7 +++++++
 3 files changed, 35 insertions(+), 1 deletion(-)

--- NEW FILE post-3.3.2-kdelibs-idn-2.patch ---
Index: kresolver.cpp
===================================================================
RCS file: /home/kde/kdelibs/kdecore/network/kresolver.cpp,v
retrieving revision 1.32.2.8
retrieving revision 1.32.2.11
diff -u -p -r1.32.2.8 -r1.32.2.11
--- kdecore/network/kresolver.cpp	13 Jan 2005 19:10:37 -0000	1.32.2.8
+++ kdecore/network/kresolver.cpp	16 Mar 2005 04:03:06 -0000	1.32.2.11
@@ -32,6 +32,7 @@
 #include <time.h>
 #include <arpa/inet.h>
 #include <netinet/in.h>
+#include <stdlib.h>
 
 // Qt includes
 #include <qapplication.h>
@@ -277,6 +278,9 @@ void KResolverResults::virtual_hook( int
 ///////////////////////
 // class KResolver
 
+QStringList *KResolver::idnDomains = 0;
+
+
 // default constructor
 KResolver::KResolver(QObject *parent, const char *name)
   : QObject(parent, name), d(new KResolverPrivate(this))
@@ -864,10 +868,21 @@ QStrList KResolver::serviceName(int port
 static QStringList splitLabels(const QString& unicodeDomain);
 static QCString ToASCII(const QString& label);
 static QString ToUnicode(const QString& label);
-  
+
+static QStringList *KResolver_initIdnDomains()
+{
+  const char *kde_use_idn = getenv("KDE_USE_IDN");
+  if (!kde_use_idn)
+     kde_use_idn = "at:ch:cn:de:dk:kr:jp:li:no:se:tw";
+  return new QStringList(QStringList::split(':', QString::fromLatin1(kde_use_idn).lower()));
+}
+
 // implement the ToAscii function, as described by IDN documents
 QCString KResolver::domainToAscii(const QString& unicodeDomain)
 {
+  if (!idnDomains)
+    idnDomains = KResolver_initIdnDomains();
+
   QCString retval;
   // RFC 3490, section 4 describes the operation:
   // 1) this is a query, so don't allow unassigned
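Review bot: The lazy initialisation `if (!idnDomains) idnDomains = KResolver_initIdnDomains();` is unsynchronised and is repeated in domainToUnicode in a later hunk; if these static functions can be reached from more than one thread (not visible from the hunk), two callers can both see a null pointer and allocate the list twice. Folding the null check into one accessor that both call sites use would keep them from drifting apart and give a single place to add locking. KResolver_initIdnDomains also has no comment; I would add `// KDE_USE_IDN: colon-separated TLDs for which IDN conversion is allowed; unset selects the built-in list. Read once per process.` The body of domainToAscii continues outside the hunk.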
@@ -876,6 +891,10 @@ QCString KResolver::domainToAscii(const 
   // separators.
   QStringList input = splitLabels(unicodeDomain);
 
+  // Do we allow IDN names for this TLD?
+  if (input.count() && !idnDomains->contains(input[input.count()-1].lower()))
+    return unicodeDomain.lower().latin1(); // No IDN allowed for this TLD
+
   // 3) decide whether to enforce the STD3 rules for chars < 0x7F
   // we don't enforce
 
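Review bot: For a TLD outside the list, `return unicodeDomain.lower().latin1();` does not guarantee an ASCII result: characters in the 0x80–0xFF range are kept as single bytes and, as far as I know for Qt 3, anything beyond Latin-1 is replaced by `?`. Distinct Unicode names can therefore collapse to the same byte string, and callers of domainToAscii can no longer assume a pure-ASCII return value. At minimum the early return should carry a comment such as `// No IDN for this TLD: ToASCII is skipped, result may hold non-ASCII Latin-1 bytes`; rejecting names that contain any character above 0x7F would be the stricter option. The function body continues outside the hunk.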
@@ -907,6 +926,8 @@ QString KResolver::domainToUnicode(const
 {
   if (asciiDomain.isEmpty())
     return asciiDomain;
+  if (!idnDomains)
+    idnDomains = KResolver_initIdnDomains();
 
   QString retval;
 
@@ -918,6 +939,10 @@ QString KResolver::domainToUnicode(const
   // separators.
   QStringList input = splitLabels(asciiDomain);
 
+  // Do we allow IDN names for this TLD?
+  if (input.count() && !idnDomains->contains(input[input.count()-1].lower()))
+    return asciiDomain.lower(); // No TLDs allowed
+
   // 3) decide whether to enforce the STD3 rules for chars < 0x7F
   // we don't enforce
 
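Review bot: The comment on the early return, `// No TLDs allowed`, does not describe the branch; it should match its twin in domainToAscii, for example `// No IDN allowed for this TLD: keep the ACE ("xn--") form`. This check is the user-visible part of the fix, since names under TLDs outside the list stay in their encoded form, and that is worth saying at the check itself. If splitLabels yields an empty last label for a name that ends in a dot (its definition is not on this page), such names would never match the list, so the intended handling of trailing dots should be confirmed. The function body continues outside the hunk.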
Index: kresolver.h
===================================================================
RCS file: /home/kde/kdelibs/kdecore/network/kresolver.h,v
retrieving revision 1.21
retrieving revision 1.21.2.1
diff -b -p -u -r1.21 -r1.21.2.1
--- kdecore/network/kresolver.h	11 Jul 2004 18:46:00 -0000	1.21
+++ kdecore/network/kresolver.h	3 Mar 2005 12:35:36 -0000	1.21.2.1
@@ -926,6 +926,8 @@ private:
   KResolverPrivate* d;
   friend class KResolverResults;
   friend class ::KNetwork::Internal::KResolverManager;
+  
+  static QStringList *idnDomains;
 };
 
 }				// namespace KNetwork
Index: kio/kssl/ksslpeerinfo.cc
===================================================================
RCS file: /home/kde/kdelibs/kio/kssl/ksslpeerinfo.cc,v
retrieving revision 1.44
retrieving revision 1.44.6.2
diff -u -p -r1.44 -r1.44.6.2
--- kio/kssl/ksslpeerinfo.cc	29 May 2003 16:50:21 -0000	1.44
+++ kio/kssl/ksslpeerinfo.cc	4 Mar 2005 12:16:17 -0000	1.44.6.2
@@ -30,6 +30,9 @@
 #include <ksockaddr.h>
 #include <kextsock.h>
 #include <netsupp.h>
+#ifndef Q_WS_WIN //TODO kresolver not ported
+#include "network/kresolver.h"
+#endif
 
 #include "ksslx509map.h"
 
@@ -59,7 +62,11 @@ void KSSLPeerInfo::setPeerHost(QString r
 	while(d->peerHost.endsWith("."))
 		d->peerHost.truncate(d->peerHost.length()-1);
 
+#ifdef Q_WS_WIN //TODO kresolver not ported
 	d->peerHost = d->peerHost.lower();
+#else	
+	d->peerHost = QString::fromLatin1(KNetwork::KResolver::domainToAscii(d->peerHost));
+#endif	
 }
 
 bool KSSLPeerInfo::certMatchesAddress() {
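Review bot: The value returned by `KNetwork::KResolver::domainToAscii(d->peerHost)` is stored without any check; if that function returns an empty QCString when a label cannot be converted (its failure path is outside this page), peerHost silently becomes empty and the certificate comparison later runs against an empty name. A comment such as `// Store the ACE form so the host compares against certificate names; an empty result means the conversion failed` would make the intent and the failure case explicit. The `Q_WS_WIN` branch keeps the plain lowercased name, so that build does not get the normalisation, and the TODO should say so. setPeerHost starts outside the hunk.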


Index: kdelibs.spec
===================================================================
RCS file: /cvs/dist/rpms/kdelibs/FC-3-embargo/kdelibs.spec,v
retrieving revision 1.75
retrieving revision 1.76
diff -u -r1.75 -r1.76
--- kdelibs.spec	2 Mar 2005 21:18:09 -0000	1.75
+++ kdelibs.spec	23 Mar 2005 10:52:20 -0000	1.76
@@ -3,8 +3,8 @@
 %define debug 0
 %define final 0
 
-%define qt_version 3.3.3
-%define arts_version 1.3.0
+%define qt_version 1:3.3.3
+%define arts_version 8:1.3.0
 %define kde_major_version 3
 
 %define libtool 1
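Review bot: With the epoch moved into the macro (`%define arts_version 8:1.3.0`), the unchanged line `Requires: arts >= 8:%{arts_version}` shown as context in the third hunk now expands to `arts >= 8:8:1.3.0`, which is not a valid epoch:version string. Drop the literal prefix there: `Requires: arts >= %{arts_version}`. Every other use of `%{qt_version}` and `%{arts_version}` outside the visible hunks (BuildRequires, -devel requirements) needs the same check for a doubled epoch. The changelog entry mentions only the IDN fix, so the epoch change and the replacement of Patch205 are not recorded.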
@@ -16,7 +16,7 @@
 %define arts 1
 
 Version: 3.3.1
-Release: 2.8.FC3
+Release: 2.9.FC3
 Summary: K Desktop Environment - Libraries
 Name: kdelibs
 Url: http://www.kde.org/
@@ -55,18 +55,21 @@
 # Patch202: KDE Security Advisory: Konqueror Window Injection Vulnerability
 Patch202: post-3.3.2-kdelibs-htmlframes2.patch
 
-# Source3: KDE Security Advisory: Konqueror Java Vulnerability
+# KDE Security Advisory: Konqueror Java Vulnerability CAN-2004-1145
 Patch203: kdelibs-3.3.1-java.patch
 
 # FTP command injection vulnerability, CAN-2004-1165
 Patch204: post-3.3.2-kdelibs-kioslave.patch
 
 # Patch205: CAN-2005-0365 dcopidlng insecure temporary file usage
-Patch205: kdelibs-3.3.1-dcopidlng-CAN-2005-0365.patch
+Patch205: post-3.3.2-kdelibs-dcopidlng.patch
 
 # CAN-2005-0396, Local DCOP denial of service vulnerability
 Patch206: post-3.3.2-kdelibs-dcop.patch
 
+# CAN-2005-0237, Konqueror International Domain Name Spoofing
+Patch207: post-3.3.2-kdelibs-idn-2.patch
+
 %if %{arts}
 Requires: arts >= 8:%{arts_version}
 %endif
@@ -196,10 +199,11 @@
 %patch201 -p0 -b .smb
 popd
 %patch202 -p0 -b .html2
-%patch203 -p1 -b .java
+%patch203 -p1 -b .CAN-2004-1145
 %patch204 -p0 -b .CAN-2004-1165
-%patch205 -p1 -b .CAN-2005-0365
+%patch205 -p0 -b .CAN-2005-0365
 %patch206 -p0 -b .CAN-2005-0396
+%patch207 -p0 -b .CAN-2005-0237
 
 # add redhat into KDE_VERSION_STRING
 %if %{redhatify}
@@ -423,6 +427,10 @@
 %doc %{_docdir}/HTML/en/kdelibs*
 
 %changelog
+* Wed Mar 23 2005 Than Ngo <than at redhat.com> 6:3.3.1-2.9.FC3
+- Applied patch to fix konqueror international domain name spoofing,
+  CAN-2005-0237, #147405
+
 * Wed Mar 02 2005 Than Ngo <than at redhat.com> 6:3.3.1-2.8.FC3
 - Applied patch to fix DCOP DoS, CAN-2005-0396, #150092
   thanks KDE security team


--- kdelibs-3.3.1-dcopidlng-CAN-2005-0365.patch DELETED ---



