rpms/kdebase/FC-6 post-3.5.7-kdebase-kdm.diff, NONE, 1.1 post-3.5.7-kdebase-konqueror-2.diff, NONE, 1.1 kdebase.spec, 1.249, 1.250
Tue Oct 2 13:50:42 UTC 2007
Author: than
Update of /cvs/dist/rpms/kdebase/FC-6
In directory cvs.devel.redhat.com:/tmp/cvs-serv3533
Modified Files:
kdebase.spec
Added Files:
post-3.5.7-kdebase-kdm.diff
post-3.5.7-kdebase-konqueror-2.diff
Log Message:
- CVE-2007-4224, CVE-2007-4225, CVE-2007-3820
- rh#299741, CVE-2007-4569
post-3.5.7-kdebase-kdm.diff:
session.c | 17 +++++++++--------
1 files changed, 9 insertions(+), 8 deletions(-)
--- NEW FILE post-3.5.7-kdebase-kdm.diff ---
--- kdm/backend/session.c
+++ kdm/bakcend/session.c
@@ -121,8 +121,9 @@
static void
DoAutoLogon( void )
{
- StrDup( &curuser, td->autoUser );
- StrDup( &curpass, td->autoPass );
+ ReStr( &curuser, td->autoUser );
+ ReStr( &curpass, td->autoPass );
+ ReStr( &curtype, "classic" );
cursource = PWSRC_AUTOLOGIN;
}
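Review bot: The allocation-failure check the patch removes at the `AutoLogon` call site (the `!StrDup( &curtype, "classic" )` test in the last hunk of this file) is not re-established here: `ReStr( &curtype, "classic" )` is called only for its side effect and its return value is discarded, so if the duplication fails `curtype` may be NULL or stale when `Verify( conv_auto, FALSE )` runs. If ReStr follows the StrDup convention of returning 0 on failure (inferred; its definition is not in the hunk), DoAutoLogon should propagate that, e.g. `static int DoAutoLogon( void )` returning `ReStr( &curuser, td->autoUser ) && ReStr( &curpass, td->autoPass ) && ReStr( &curtype, "classic" )`, with the G_AutoLogin and AutoLogon callers checking it. Separately, the `+++` header spells the path `kdm/bakcend/session.c`; GNU patch with `-p0` normally falls back to the `---` name when the other does not exist, but the header should be corrected so the spec's `%patch501 -p0` does not depend on that heuristic.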
@@ -141,7 +142,9 @@
td->hstent->npass = 0;
newdmrc = td->hstent->nargs;
td->hstent->nargs = 0;
+ ReStr( &curtype, "classic" );
cursource = (td->hstent->rLogin == 1) ? PWSRC_RELOGIN : PWSRC_MANUAL;
+ return 1;
} else if (*td->autoUser && !td->autoDelay && (tdiff > 0 || td->autoAgain))
{
unsigned int lmask;
@@ -153,11 +156,9 @@
if (lmask & ShiftMask)
return 0;
DoAutoLogon();
- } else {
- cursource = PWSRC_MANUAL;
- return 0;
+ return 1;
}
- return 1;
+ return 0;
}
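Review bot: With the `else` branch removed, a `return 0` from AutoLogon no longer touches `cursource`, so until the G_Verify handler (later hunk) sets `cursource = PWSRC_MANUAL` it can still hold PWSRC_AUTOLOGIN from an earlier auto-login; that is safe only as long as every path that reaches Verify passes through that handler, which this diff cannot show. The same applies to `curuser`/`curpass`, which keep their previous values on the early `return 0` at the Shift check. A one-line comment at the final return would make the contract explicit: `/* 0: no auto/relogin performed; cursource is left untouched and the caller must set it before Verify */`. The function's opening `if` lies above this hunk.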
@@ -369,6 +370,7 @@
if (curtype) free( curtype );
curtype = GRecvStr();
Debug( " type %\"s\n", curtype );
+ cursource = PWSRC_MANUAL;
if (Verify( conv_interact, rootok )) {
Debug( " -> return success\n" );
GSendInt( V_OK );
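Review bot: The added `cursource = PWSRC_MANUAL;` is the line that closes what the spec describes as the kdm password-less login (CVE-2007-4569), but nothing in the code says so, and a later cleanup could move it below `Verify` or drop it as redundant. Suggest a comment on that line: `/* must precede Verify(): a stale PWSRC_AUTOLOGIN left by an earlier auto-login would otherwise skip the password check (CVE-2007-4569) */`. Since `free( NULL )` is a no-op, the preceding `if (curtype) free( curtype );` can also be just `free( curtype );`. The enclosing `switch` case begins above the hunk.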
@@ -378,7 +380,6 @@
case G_AutoLogin:
Debug( "G_AutoLogin\n" );
DoAutoLogon();
- StrDup( &curtype, "classic" );
if (Verify( conv_auto, FALSE )) {
Debug( " -> return success\n" );
GSendInt( V_OK );
@@ -565,7 +566,7 @@
tdiff = td->autoAgain ?
1 : time( 0 ) - td->hstent->lastExit - td->openDelay;
if (AutoLogon( tdiff )) {
- if (!StrDup( &curtype, "classic" ) || !Verify( conv_auto, FALSE ))
+ if (!Verify( conv_auto, FALSE ))
goto gcont;
if (greeter)
GSendInt( V_OK );
post-3.5.7-kdebase-konqueror-2.diff:
konq_combo.cc | 3 +++
konq_mainwindow.cc | 7 ++-----
konq_viewmgr.cc | 2 ++
3 files changed, 7 insertions(+), 5 deletions(-)
--- NEW FILE post-3.5.7-kdebase-konqueror-2.diff ---
--- konqueror/konq_combo.cc
+++ konqueror/konq_combo.cc
@@ -158,6 +158,9 @@ void KonqCombo::setURL( const QString& u
kapp->dcopClient()->send( "konqueror*", "KonquerorIface",
"addToCombo(QString,QCString)", data);
}
+ // important security consideration: always display the beginning
+ // of the url rather than its end to prevent spoofing attempts.
+ lineEdit()->setCursorPosition( 0 );
}
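Review bot: The cursor reset is applied only in setURL, while `KonqCombo::setTemporary`, which starts immediately after this hunk, also appears to write text into the combo (inferred from its name and QString parameter); if it does not reset the cursor as well, a temporary text longer than the widget still displays its tail and the spoofing window the new comment describes remains open on that path. Consider the same `lineEdit()->setCursorPosition( 0 );` after the text is set there, or factoring both into one helper so the invariant lives in one place. setURL's head lies above the hunk.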
void KonqCombo::setTemporary( const QString& text )
--- konqueror/konq_mainwindow.cc
+++ konqueror/konq_mainwindow.cc
@@ -611,12 +611,11 @@ void KonqMainWindow::openURL( KonqView *
}
else // no known serviceType, use KonqRun
{
- if ( ( view && view == m_currentView ) ||
- ( !view && !req.newTab ) ) // startup with argument
+ if ( ( !view || view->url().isEmpty() ) && !req.newTab ) // startup with argument
{
// Show it for now in the location bar, but we'll need to store it in the view
// later on (can't do it yet since either view == 0 or updateHistoryEntry will be called).
- kdDebug(1202) << "setLocationBarURL : url = " << url << endl;
+ kdDebug(1202) << "setLocationBarURL (startup) : url = " << url << endl;
setLocationBarURL( url );
}
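Review bot: The narrowed condition `( !view || view->url().isEmpty() ) && !req.newTab` drops the case where an existing current view is navigating to an unknown service type, which is presumably the path that let a not-yet-loaded URL appear in the location bar (the spec ties this patch to the Konqueror address bar spoofing CVEs), but the comment above `setLocationBarURL( url )` still reads as if storing the URL later were the only concern. Suggest extending it: `// Only for a fresh/empty view: showing the URL early for a view that already has content would let a page put a URL in the location bar before it loads (address bar spoofing).` Note that `view->url()` is only evaluated when `view` is non-null because of short-circuiting; keep that order if the condition is ever rewritten. openURL continues outside the hunk.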
@@ -819,8 +818,6 @@ bool KonqMainWindow::openView( QString s
if ( childView )
{
enableAllActions( true );
-
- m_pViewManager->setActivePart( childView->part() );
m_currentView = childView;
}
}
--- konqueror/konq_viewmgr.cc
+++ konqueror/konq_viewmgr.cc
@@ -1395,6 +1395,8 @@ void KonqViewManager::slotActivePartChan
void KonqViewManager::emitActivePartChanged()
{
+ // prevent unnecessary multiple calls to slotPartActivated:
+ m_activePartChangedTimer->stop();
m_pMainWindow->slotPartActivated( activePart() );
}
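Review bot: `m_activePartChangedTimer->stop()` assumes the timer object exists whenever emitActivePartChanged runs; the hunk does not show where it is created, so if this function can be reached before the constructor sets it up or during teardown this is a null dereference. A guard `if ( m_activePartChangedTimer ) m_activePartChangedTimer->stop();` costs nothing, or a comment at the member declaration stating that it is created in the constructor and outlives the manager. The new comment could also say what the duplicate call would otherwise do, e.g. `// a pending single-shot from slotActivePartChanged would re-run slotPartActivated with the same part; stop it so the location bar is refreshed once` — presumably the timer is connected to this function, which should be confirmed.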
Index: kdebase.spec
===================================================================
RCS file: /cvs/dist/rpms/kdebase/FC-6/kdebase.spec,v
retrieving revision 1.249
retrieving revision 1.250
diff -u -r1.249 -r1.250
--- kdebase.spec 2 Jul 2007 13:11:04 -0000 1.249
+++ kdebase.spec 2 Oct 2007 13:50:40 -0000 1.250
@@ -18,7 +18,7 @@
Summary: K Desktop Environment - core files
Name: kdebase
Version: 3.5.7
-Release: 0.2%{?dist}
+Release: 1%{?dist}
Epoch: 6
Url: http://www.kde.org
Group: User Interface/Desktops
@@ -60,6 +60,12 @@
Patch26: kdebase-3.5.5-suspend.patch
Patch27: kdebase-3.5.7-bz#244906.patch
+# security fixes
+# CVE-2007-4224, CVE-2007-4225, CVE-2007-3820, Konqueror address bar spoofing
+Patch500: post-3.5.7-kdebase-konqueror-2.diff
+# CVE-2007-4569, kdm password-less login vulnerability
+Patch501: post-3.5.7-kdebase-kdm.diff
+
Provides: %{name} = %{epoch}:%{version}-%{release}.%{_arch}
Requires(post): /sbin/ldconfig
@@ -179,6 +185,10 @@
%patch26 -p1 -b .suspend
%patch27 -p1 -b .bz#244906
+# security fixes
+%patch500 -p0 -b .CVE-2007-4224-CVE-2007-4225-CVE-2007-3820
+%patch501 -p0 -b .CVE-2007-4569
+
%if %{rhel}
rm -rf kdeprint/kdeprintfax
perl -pi -e "s,kdeprintfax,," kdeprint/Makefile.am
@@ -552,6 +562,10 @@
%exclude %{_libdir}/libkdeinit_*.so
%changelog
+* Tue Oct 02 2007 Than Ngo <than at redhat.com> - 6:3.5.7-1.fc6
+- CVE-2007-4224, CVE-2007-4225, CVE-2007-3820
+- rh#299741, CVE-2007-4569
+
* Mon Jul 02 2007 Than Ngo <than at redhat.com> - 6:3.5.7-0.fc6.2
- fix #244906