rpms/kdelibs/FC-3-embargo post-3.3.2-kdelibs-dcopidlng.patch, NONE, 1.1 post-3.3.2-kdelibs-idn-2.patch, NONE, 1.1 kdelibs.spec, 1.75, 1.76 kdelibs-3.3.1-dcopidlng-CAN-2005-0365.patch, 1.1, NONE
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Wed Mar 23 10:52:22 UTC 2005
Update of /cvs/dist/rpms/kdelibs/FC-3-embargo
In directory cvs.devel.redhat.com:/tmp/cvs-serv17363
Modified Files:
kdelibs.spec
Added Files:
post-3.3.2-kdelibs-dcopidlng.patch
post-3.3.2-kdelibs-idn-2.patch
Removed Files:
kdelibs-3.3.1-dcopidlng-CAN-2005-0365.patch
Log Message:
applied patch to fix konqueror international domain name spoofing,
CAN-2005-0237, #147405
post-3.3.2-kdelibs-dcopidlng.patch:
dcopidlng | 8 +++++---
1 files changed, 5 insertions(+), 3 deletions(-)
--- NEW FILE post-3.3.2-kdelibs-dcopidlng.patch ---
Index: dcopidlng
===================================================================
RCS file: /home/kde/kdelibs/dcop/dcopidlng/dcopidlng,v
retrieving revision 1.6
retrieving revision 1.8
diff -u -p -r1.6 -r1.8
--- dcop/dcopidlng/dcopidlng 20 Feb 2004 08:55:10 -0000 1.6
+++ dcop/dcopidlng/dcopidlng 21 Jan 2005 21:37:01 -0000 1.8
@@ -1,13 +1,15 @@
#!/bin/sh
+
+trap "rm -f dcopidlng.stderr.$$" 0 1 2 15
+
if test -z "$KDECONFIG"; then
KDECONFIG=kde-config
fi
LIBDIR="`$KDECONFIG --install data --expandvars`/dcopidlng"
-perl -I"$LIBDIR" "$LIBDIR/kalyptus" --allow_k_dcop_accessors -f dcopidl $1 2>/tmp/dcopidlng.stderr.$$
+perl -I"$LIBDIR" "$LIBDIR/kalyptus" --allow_k_dcop_accessors -f dcopidl $1 2> dcopidlng.stderr.$$
RET=$?
if [ $RET -ne 0 ]
then
- cat /tmp/dcopidlng.stderr.$$ >&2
+ cat dcopidlng.stderr.$$ >&2
fi
-rm /tmp/dcopidlng.stderr.$$
exit $RET
post-3.3.2-kdelibs-idn-2.patch:
kdecore/network/kresolver.cpp | 27 ++++++++++++++++++++++++++-
kdecore/network/kresolver.h | 2 ++
kio/kssl/ksslpeerinfo.cc | 7 +++++++
3 files changed, 35 insertions(+), 1 deletion(-)
--- NEW FILE post-3.3.2-kdelibs-idn-2.patch ---
Index: kresolver.cpp
===================================================================
RCS file: /home/kde/kdelibs/kdecore/network/kresolver.cpp,v
retrieving revision 1.32.2.8
retrieving revision 1.32.2.11
diff -u -p -r1.32.2.8 -r1.32.2.11
--- kdecore/network/kresolver.cpp 13 Jan 2005 19:10:37 -0000 1.32.2.8
+++ kdecore/network/kresolver.cpp 16 Mar 2005 04:03:06 -0000 1.32.2.11
@@ -32,6 +32,7 @@
#include <time.h>
#include <arpa/inet.h>
#include <netinet/in.h>
+#include <stdlib.h>
// Qt includes
#include <qapplication.h>
@@ -277,6 +278,9 @@ void KResolverResults::virtual_hook( int
///////////////////////
// class KResolver
+QStringList *KResolver::idnDomains = 0;
+
+
// default constructor
KResolver::KResolver(QObject *parent, const char *name)
: QObject(parent, name), d(new KResolverPrivate(this))
@@ -864,10 +868,21 @@ QStrList KResolver::serviceName(int port
static QStringList splitLabels(const QString& unicodeDomain);
static QCString ToASCII(const QString& label);
static QString ToUnicode(const QString& label);
-
+
+static QStringList *KResolver_initIdnDomains()
+{
+ const char *kde_use_idn = getenv("KDE_USE_IDN");
+ if (!kde_use_idn)
+ kde_use_idn = "at:ch:cn:de:dk:kr:jp:li:no:se:tw";
+ return new QStringList(QStringList::split(':', QString::fromLatin1(kde_use_idn).lower()));
+}
+
// implement the ToAscii function, as described by IDN documents
QCString KResolver::domainToAscii(const QString& unicodeDomain)
{
+ if (!idnDomains)
+ idnDomains = KResolver_initIdnDomains();
+
QCString retval;
// RFC 3490, section 4 describes the operation:
// 1) this is a query, so don't allow unassigned
@@ -876,6 +891,10 @@ QCString KResolver::domainToAscii(const
// separators.
QStringList input = splitLabels(unicodeDomain);
+ // Do we allow IDN names for this TLD?
+ if (input.count() && !idnDomains->contains(input[input.count()-1].lower()))
+ return unicodeDomain.lower().latin1(); // No IDN allowed for this TLD
+
// 3) decide whether to enforce the STD3 rules for chars < 0x7F
// we don't enforce
@@ -907,6 +926,8 @@ QString KResolver::domainToUnicode(const
{
if (asciiDomain.isEmpty())
return asciiDomain;
+ if (!idnDomains)
+ idnDomains = KResolver_initIdnDomains();
QString retval;
@@ -918,6 +939,10 @@ QString KResolver::domainToUnicode(const
// separators.
QStringList input = splitLabels(asciiDomain);
+ // Do we allow IDN names for this TLD?
+ if (input.count() && !idnDomains->contains(input[input.count()-1].lower()))
+ return asciiDomain.lower(); // No TLDs allowed
+
// 3) decide whether to enforce the STD3 rules for chars < 0x7F
// we don't enforce
Index: kresolver.h
===================================================================
RCS file: /home/kde/kdelibs/kdecore/network/kresolver.h,v
retrieving revision 1.21
retrieving revision 1.21.2.1
diff -b -p -u -r1.21 -r1.21.2.1
--- kdecore/network/kresolver.h 11 Jul 2004 18:46:00 -0000 1.21
+++ kdecore/network/kresolver.h 3 Mar 2005 12:35:36 -0000 1.21.2.1
@@ -926,6 +926,8 @@ private:
KResolverPrivate* d;
friend class KResolverResults;
friend class ::KNetwork::Internal::KResolverManager;
+
+ static QStringList *idnDomains;
};
} // namespace KNetwork
Index: kio/kssl/ksslpeerinfo.cc
===================================================================
RCS file: /home/kde/kdelibs/kio/kssl/ksslpeerinfo.cc,v
retrieving revision 1.44
retrieving revision 1.44.6.2
diff -u -p -r1.44 -r1.44.6.2
--- kio/kssl/ksslpeerinfo.cc 29 May 2003 16:50:21 -0000 1.44
+++ kio/kssl/ksslpeerinfo.cc 4 Mar 2005 12:16:17 -0000 1.44.6.2
@@ -30,6 +30,9 @@
#include <ksockaddr.h>
#include <kextsock.h>
#include <netsupp.h>
+#ifndef Q_WS_WIN //TODO kresolver not ported
+#include "network/kresolver.h"
+#endif
#include "ksslx509map.h"
@@ -59,7 +62,11 @@ void KSSLPeerInfo::setPeerHost(QString r
while(d->peerHost.endsWith("."))
d->peerHost.truncate(d->peerHost.length()-1);
+#ifdef Q_WS_WIN //TODO kresolver not ported
d->peerHost = d->peerHost.lower();
+#else
+ d->peerHost = QString::fromLatin1(KNetwork::KResolver::domainToAscii(d->peerHost));
+#endif
}
bool KSSLPeerInfo::certMatchesAddress() {
Index: kdelibs.spec
===================================================================
RCS file: /cvs/dist/rpms/kdelibs/FC-3-embargo/kdelibs.spec,v
retrieving revision 1.75
retrieving revision 1.76
diff -u -r1.75 -r1.76
--- kdelibs.spec 2 Mar 2005 21:18:09 -0000 1.75
+++ kdelibs.spec 23 Mar 2005 10:52:20 -0000 1.76
@@ -3,8 +3,8 @@
%define debug 0
%define final 0
-%define qt_version 3.3.3
-%define arts_version 1.3.0
+%define qt_version 1:3.3.3
+%define arts_version 8:1.3.0
%define kde_major_version 3
%define libtool 1
@@ -16,7 +16,7 @@
%define arts 1
Version: 3.3.1
-Release: 2.8.FC3
+Release: 2.9.FC3
Summary: K Desktop Environment - Libraries
Name: kdelibs
Url: http://www.kde.org/
@@ -55,18 +55,21 @@
# Patch202: KDE Security Advisory: Konqueror Window Injection Vulnerability
Patch202: post-3.3.2-kdelibs-htmlframes2.patch
-# Source3: KDE Security Advisory: Konqueror Java Vulnerability
+# KDE Security Advisory: Konqueror Java Vulnerability CAN-2004-1145
Patch203: kdelibs-3.3.1-java.patch
# FTP command injection vulnerability, CAN-2004-1165
Patch204: post-3.3.2-kdelibs-kioslave.patch
# Patch205: CAN-2005-0365 dcopidlng insecure temporary file usage
-Patch205: kdelibs-3.3.1-dcopidlng-CAN-2005-0365.patch
+Patch205: post-3.3.2-kdelibs-dcopidlng.patch
# CAN-2005-0396, Local DCOP denial of service vulnerability
Patch206: post-3.3.2-kdelibs-dcop.patch
+# CAN-2005-0237, Konqueror International Domain Name Spoofing
+Patch207: post-3.3.2-kdelibs-idn-2.patch
+
%if %{arts}
Requires: arts >= 8:%{arts_version}
%endif
@@ -196,10 +199,11 @@
%patch201 -p0 -b .smb
popd
%patch202 -p0 -b .html2
-%patch203 -p1 -b .java
+%patch203 -p1 -b .CAN-2004-1145
%patch204 -p0 -b .CAN-2004-1165
-%patch205 -p1 -b .CAN-2005-0365
+%patch205 -p0 -b .CAN-2005-0365
%patch206 -p0 -b .CAN-2005-0396
+%patch207 -p0 -b .CAN-2005-0237
# add redhat into KDE_VERSION_STRING
%if %{redhatify}
@@ -423,6 +427,10 @@
%doc %{_docdir}/HTML/en/kdelibs*
%changelog
+* Wed Mar 23 2005 Than Ngo <than at redhat.com> 6:3.3.1-2.9.FC3
+- Applied patch to fix konqueror international domain name spoofing,
+ CAN-2005-0237, #147405
+
* Wed Mar 02 2005 Than Ngo <than at redhat.com> 6:3.3.1-2.8.FC3
- Applied patch to fix DCOP DoS, CAN-2005-0396, #150092
thanks KDE security team
--- kdelibs-3.3.1-dcopidlng-CAN-2005-0365.patch DELETED ---
More information about the fedora-cvs-commits
mailing list