[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

rpms/kdelibs/FC-6 post-3.5.7-kdelibs-kdecore.diff, NONE, 1.1 kdelibs.spec, 1.208, 1.209



Author: than

Update of /cvs/dist/rpms/kdelibs/FC-6
In directory cvs.devel.redhat.com:/tmp/cvs-serv5623

Modified Files:
	kdelibs.spec 
Added Files:
	post-3.5.7-kdelibs-kdecore.diff 
Log Message:
CVE-2007-4224, CVE-2007-3820 konqueror address bar spoofing


post-3.5.7-kdelibs-kdecore.diff:
 kurl.cpp           |    4 ++--
 tests/kurltest.cpp |   19 +++++++++++++++++++
 2 files changed, 21 insertions(+), 2 deletions(-)

--- NEW FILE post-3.5.7-kdelibs-kdecore.diff ---
------------------------------------------------------------------------
r700053 | mueller | 2007-08-14 18:37:30 +0200 (Tue, 14 Aug 2007) | 2 lines

be more robust against addressbar spoofing (CVE-2007-4225)

------------------------------------------------------------------------
--- kdecore/tests/kurltest.cpp
+++ kdecore/tests/kurltest.cpp
@@ -288,6 +288,16 @@ int main(int argc, char *argv[])
   check("KURL::prettyURL()", url15582.prettyURL(), "http://alain.knaff.linux.lu/bug-reports/kde/percentage%in%url.html";);
   check("KURL::url()", url15582.url(), "http://alain.knaff.linux.lu/bug-reports/kde/percentage%25in%25url.html";);
 
+  KURL whitespaceInUser("http://www google com%20%20%20%20%20 foobar com/");
+  check("KURL::prettyURL()", whitespaceInUser.prettyURL(), "http://www google com%20%20%20%20%20 foobar com/");
+
+  KURL whitespaceInPath("http://www.google.com/foo%20bar/";);
+  check("KURL::prettyURL()", whitespaceInPath.prettyURL(), "http://www.google.com/foo bar/");
+
+   KURL whitespaceInPath2("http://www.google.com/foo%20%20%20%20%20%20%20bar/";);
+  check("KURL::prettyURL()", whitespaceInPath2.prettyURL(),
+          "http://www.google.com/foo%20%20%20%20%20%20 bar/");
+
   KURL carsten;
   carsten.setPath("/home/gis/src/kde/kdelibs/kfile/.#kfiledetailview.cpp.1.18");
   check("KURL::path()", carsten.path(), "/home/gis/src/kde/kdelibs/kfile/.#kfiledetailview.cpp.1.18");
@@ -594,6 +604,15 @@ int main(int argc, char *argv[])
   check("http: URL with empty path string path", waba1.path(),
         "");
 
+  waba1 = "http://www.meinestadt.de&url_plain=http";;
+  check("http: URL with empty path string", waba1.host(),
+         "www.meinestadt.de&url_plain=http");
+  check("http: URL with empty path string", waba1.htmlURL(),
+         "http://www.meinestadt.de&url_plain=http";);
+ 
+  check("http: URL with empty path string", waba1.path(),
+         "");
+
   waba1 = "http://a:389#b=c";;
   check( "http: URL with port, ref, and empty path; url", waba1.url(), "http://a:389#b=c"; );
   check( "http: URL with port, ref, and empty path; host", waba1.host(), "a" );
--- kdecore/kurl.cpp
+++ kdecore/kurl.cpp
@@ -183,7 +183,7 @@ static QString lazy_encode( const QStrin
         (character == '?') || // Start of query delimiter
         ((character == '@') && encodeAt) || // Username delimiter
         (character == '#') || // Start of reference delimiter
-        ((character == 32) && (i+1 == old_length))) // A trailing space
+        ((character == 32) && (i+1 == old_length || segment[i+1] == ' '))) // A trailing space
     {
       new_segment[ new_length++ ] = '%';
 
@@ -1540,7 +1540,7 @@ QString KURL::prettyURL( int _trailing )
     u += "//";
     if ( hasUser() )
     {
-      u += lazy_encode(m_strUser);
+      u += encode(m_strUser, 0, 0);
       // Don't show password!
       u += "@";
     }


Index: kdelibs.spec
===================================================================
RCS file: /cvs/dist/rpms/kdelibs/FC-6/kdelibs.spec,v
retrieving revision 1.208
retrieving revision 1.209
diff -u -r1.208 -r1.209
--- kdelibs.spec	6 Jun 2007 14:21:34 -0000	1.208
+++ kdelibs.spec	2 Oct 2007 14:34:24 -0000	1.209
@@ -17,7 +17,7 @@
 %define arts 1
 
 Version: 3.5.7
-Release: 0.1%{?dist}
+Release: 1%{?dist}
 Summary: K Desktop Environment - Libraries
 Name: kdelibs
 Url: http://www.kde.org/
@@ -50,7 +50,11 @@
 Patch43: kdelibs-3.5.6-lang.patch
 
 # upstream patches
-Patch505: kdelibs-3.5.7-kde#146105.patch
+Patch100: kdelibs-3.5.7-kde#146105.patch
+
+# security patches
+# CVE-2007-4224, CVE-2007-3820 konqueror address bar spoofing
+Patch500: post-3.5.7-kdelibs-kdecore.diff
 
 Requires: arts >= %{arts_epoch}:%{arts_version}
 Requires: qt >= %{qt_epoch}:%{qt_version}
@@ -179,7 +183,11 @@
 %patch43 -p1 -b .lang
 
 # upstream patches
-%patch505 -p0 -b .kde#146105
+%patch100 -p0 -b .kde#146105
+
+# security patches
+%patch500 -p0 -b .CVE-2007-4224-CVE-2007-3820
+
 
 perl -pi -e "s,^#define KDE_VERSION_STRING .*,#define KDE_VERSION_STRING \"%{version}-%{release} %{distname}\"," kdecore/kdeversion.h
 
@@ -396,6 +404,9 @@
 %doc %{_docdir}/HTML/en/kdelibs*
 
 %changelog
+* Tue Oct 02 2007 Than Ngo <than redhat com> - 6:3.5.7-1.fc6
+- CVE-2007-4224, CVE-2007-3820 konqueror address bar spoofing
+
 * Tue Jun 05 2007 Than Ngo <than redhat com> - 6:3.5.7-0.1.fc6
 - 3.5.7
 


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]