[kde-freebsd] Some security flaws that were recently fixed in KDE 4.3.3
Martin Wilke
miwi at FreeBSD.org
Mon Nov 2 11:15:15 CET 2009
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Mon, Nov 02, 2009 at 09:59:40AM +0300, Eygene Ryabinkin wrote:
> Gentlemen, good day.
>
> I was made aware of the oCERT advisory,
> http://www.ocert.org/advisories/ocert-2009-015.html
>
> that talks about 3 distinct security bugs in KDE 4. The advisory
> has some details and links to the upstream fixes. The patch for
> kio_help is already integrated into the sources of kdelibs 4.3.1,
> but the other two mentioned patches apply to the current sources
> of the FreeBSD KDE port.
>
> I was only able to test the applicability of the patches and Tinderbox
> builds on 7.x and 8.x. I am not a KDE user and I can't really
> validate that everything works as expected. So I can hand off to
> you a half-baked patch for kdelibs4 and kdebase4-runtime and a
> VuXML entry for the said vulnerabilities. If someone is able
> to verify that the patches cause no harm to the KDE ports and that
> everything works as expected, it will be greatly appreciated.
Thanks, I know about the security problems; I will take a look
tonight. Thanks.
>
> Thanks!
> --
> Eygene
> # Remember that it is hard to read the on-line manual
> # while single-stepping the kernel.
> #   -- FreeBSD Developers handbook
> From cc068dd02680ed4d007cb09711a4e48a9493d93b Mon Sep 17 00:00:00 2001
> From: Eygene Ryabinkin <rea-fbsd at codelabs.ru>
> Date: Fri, 30 Oct 2009 08:27:33 +0300
> Subject: [PATCH] KDE4: fixes for oCERT-2009-015
>
> The fix for kdelibs/kdoctools/kio_help.cpp is already in the KDE-4.3.1,
> so only the first two patches mentioned in the advisory [1] should be
> incorporated into the ports.
>
> [1] http://www.ocert.org/advisories/ocert-2009-015.html
>
> Signed-off-by: Eygene Ryabinkin <rea-fbsd at codelabs.ru>
> ---
> x11/kdebase4-runtime/Makefile | 2 +-
> .../files/patch-ocert-2009-015-kioslave | 17 +++
> x11/kdelibs4/Makefile | 2 +-
> x11/kdelibs4/files/patch-ocert-2009-015-khtml | 118 ++++++++++++++++++++
> 4 files changed, 137 insertions(+), 2 deletions(-)
> create mode 100644 x11/kdebase4-runtime/files/patch-ocert-2009-015-kioslave
> create mode 100644 x11/kdelibs4/files/patch-ocert-2009-015-khtml
>
> diff --git a/x11/kdebase4-runtime/Makefile b/x11/kdebase4-runtime/Makefile
> index 43515fc..d2394a6 100644
> --- a/x11/kdebase4-runtime/Makefile
> +++ b/x11/kdebase4-runtime/Makefile
> @@ -8,7 +8,7 @@
>
> PORTNAME= kdebase-runtime
> PORTVERSION= ${KDE4_VERSION}
> -PORTREVISION= 1
> +PORTREVISION= 2
> CATEGORIES= x11 kde
> MASTER_SITES= ${MASTER_SITE_KDE}
> MASTER_SITE_SUBDIR= ${KDE4_BRANCH}/${PORTVERSION}/src
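Review bot: the PORTREVISION bump from 1 to 2 is the right way to force a rebuild of already-installed packages once files/patch-ocert-2009-015-kioslave lands; make sure the VuXML entry mentioned in the cover mail uses this bumped revision as the first fixed version, so that portaudit flags every older kdebase-runtime package as affected.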
> diff --git a/x11/kdebase4-runtime/files/patch-ocert-2009-015-kioslave b/x11/kdebase4-runtime/files/patch-ocert-2009-015-kioslave
> new file mode 100644
> index 0000000..82c6c97
> --- /dev/null
> +++ b/x11/kdebase4-runtime/files/patch-ocert-2009-015-kioslave
> @@ -0,0 +1,17 @@
> +Obtained-From: http://websvn.kde.org/branches/KDE/4.3/kdebase/runtime/kioslave/info/info.cc?r1=1030579&r2=1030578&pathrev=1030579&view=patch
> +--- kioslave/info/info.cc 2009/10/02 15:51:26 1030578
> ++++ kioslave/info/info.cc 2009/10/02 15:53:30 1030579
> +@@ -89,6 +89,13 @@
> + return;
> + }
> +
> ++ // '<' in the path looks suspicious, someone is trying info:/dir/<script>alert('xss')</script>
> ++ if (url.path().contains('<'))
> ++ {
> ++ error(KIO::ERR_DOES_NOT_EXIST, url.url());
> ++ return;
> ++ }
> ++
> + mimeType("text/html");
> + // extract the path and node from url
> + decodeURL( url );
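Review bot: rejecting only a literal '<' in url.path() is a denylist on a single character; it stops the info:/dir/<script> case named in the comment, but every other byte that the slave later writes into its text/html output is still passed through unchanged, and any legitimate path that happens to contain '<' now fails with ERR_DOES_NOT_EXIST. The robust fix is to HTML-escape the path and node at the point where they are interpolated into the generated page, and keep this early check at most as defense in depth. If the check stays, returning KIO::ERR_MALFORMED_URL instead of KIO::ERR_DOES_NOT_EXIST would at least report the real reason for the refusal rather than claiming the document is missing.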
> diff --git a/x11/kdelibs4/Makefile b/x11/kdelibs4/Makefile
> index d4bea20..d7e4656 100644
> --- a/x11/kdelibs4/Makefile
> +++ b/x11/kdelibs4/Makefile
> @@ -8,7 +8,7 @@
>
> PORTNAME= kdelibs
> PORTVERSION= ${KDE4_VERSION}
> -PORTREVISION= 4
> +PORTREVISION= 5
> CATEGORIES= x11 kde ipv6
> MASTER_SITES= ${MASTER_SITE_KDE}
> MASTER_SITE_SUBDIR= ${KDE4_BRANCH}/${PORTVERSION}/src
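Review bot: same remark as for kdebase4-runtime: the PORTREVISION bump from 4 to 5 is needed here, and the VuXML entry should treat this revision of kdelibs as the first fixed one.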
> diff --git a/x11/kdelibs4/files/patch-ocert-2009-015-khtml b/x11/kdelibs4/files/patch-ocert-2009-015-khtml
> new file mode 100644
> index 0000000..52e6b36
> --- /dev/null
> +++ b/x11/kdelibs4/files/patch-ocert-2009-015-khtml
> @@ -0,0 +1,118 @@
> +Obtained-From: http://websvn.kde.org/branches/KDE/4.3/kdelibs/khtml/ecma/xmlhttprequest.cpp?r1=1035539&r2=1035538&pathrev=1035539&view=patch
> +--- khtml/ecma/xmlhttprequest.cpp 2009/10/15 10:13:41 1035538
> ++++ khtml/ecma/xmlhttprequest.cpp 2009/10/15 10:14:38 1035539
> +@@ -49,7 +49,7 @@
> +
> + using namespace KJS;
> + using namespace DOM;
> +-//
> ++//
> + ////////////////////// XMLHttpRequest Object ////////////////////////
> +
> + /* Source for XMLHttpRequestProtoTable.
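Review bot: this hunk, like the ones at @@ -269, @@ -298, @@ -326, @@ -580, @@ -809, @@ -852 and @@ -866, only strips trailing whitespace and carries nothing security-relevant. Trim the ports patch down to the functional hunk at @@ -412 so the patch file stays small, applies cleanly to the next KDE release and can be reviewed at a glance; the Obtained-From URL already records the full upstream revision for anyone who wants the whole commit.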
> +@@ -269,7 +269,7 @@
> + static bool canSetRequestHeader(const QString& name)
> + {
> + static QSet<CaseInsensitiveString> forbiddenHeaders;
> +-
> ++
> + if (forbiddenHeaders.isEmpty()) {
> + static const char* hdrs[] = {
> + "accept-charset",
> +@@ -298,12 +298,12 @@
> + "transfer-encoding",
> + "unlock",
> + "upgrade",
> +- "via"
> ++ "via"
> + };
> + for (size_t i = 0; i < sizeof(hdrs)/sizeof(char*); ++i)
> + forbiddenHeaders.insert(CaseInsensitiveString(hdrs[i]));
> + }
> +-
> ++
> + return !forbiddenHeaders.contains(name);
> + }
> +
> +@@ -326,9 +326,9 @@
> +
> + XMLHttpRequest::~XMLHttpRequest()
> + {
> +- if (onLoadListener)
> ++ if (onLoadListener)
> + onLoadListener->deref();
> +- if (onReadyStateChangeListener)
> ++ if (onReadyStateChangeListener)
> + onReadyStateChangeListener->deref();
> + delete qObject;
> + qObject = 0;
> +@@ -412,17 +412,18 @@
> + return;
> + }
> +
> +- if (method == "post") {
> +- QString protocol = url.protocol().toLower();
> ++ const QString protocol = url.protocol().toLower();
> ++ // Abandon the request when the protocol is other than "http",
> ++ // instead of blindly doing a KIO::get on other protocols like file:/.
> ++ if (!protocol.startsWith(QLatin1String("http")) &&
> ++ !protocol.startsWith(QLatin1String("webdav")))
> ++ {
> ++ ec = DOMException::INVALID_ACCESS_ERR;
> ++ abort();
> ++ return;
> ++ }
> +
> +- // Abondon the request when the protocol is other than "http",
> +- // instead of blindly changing it to a "get" request.
> +- if (!protocol.startsWith(QLatin1String("http")) &&
> +- !protocol.startsWith(QLatin1String("webdav")))
> +- {
> +- abort();
> +- return;
> +- }
> ++ if (method == "post") {
> +
> + // FIXME: determine post encoding correctly by looking in headers
> + // for charset.
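Review bot: `protocol.startsWith(QLatin1String("http"))` and the matching "webdav" test are prefix checks, so any scheme that merely begins with those letters passes; comparing against an exact list (http, https, webdav, webdavs) is the safer form and costs nothing. Moving the check out of the `if (method == "post")` block is the important part of this hunk: the old code only refused non-http targets for POST, so a GET request to file:/ went straight to KIO::get, exactly as the new comment describes. Setting `ec = DOMException::INVALID_ACCESS_ERR` before abort() is also right, since script now sees a DOM exception instead of a silently dropped request. When applying, verify that the re-added `if (method == "post") {` at the end of the hunk is still closed by the brace the old block had; the hunk context shown here does not include it.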
> +@@ -580,7 +581,7 @@
> + ec = DOMException::INVALID_STATE_ERR;
> + return jsString("");
> + }
> +-
> ++
> + // ### test error flag, return jsNull
> +
> + if (responseHeaders.isEmpty()) {
> +@@ -809,7 +810,7 @@
> + setDOMException(exec, ec);
> + return ret;
> + }
> +- case XMLHttpRequest::GetResponseHeader:
> ++ case XMLHttpRequest::GetResponseHeader:
> + {
> + if (args.size() < 1)
> + return throwError(exec, SyntaxError, "Not enough arguments");
> +@@ -852,11 +853,11 @@
> + DOM::NodeImpl* docNode = toNode(args[0]);
> + if (docNode && docNode->isDocumentNode()) {
> + DOM::DocumentImpl *doc = static_cast<DOM::DocumentImpl *>(docNode);
> +-
> ++
> + try {
> + body = doc->toString().string();
> + // FIXME: also need to set content type, including encoding!
> +-
> ++
> + } catch(DOM::DOMException&) {
> + return throwError(exec, GeneralError, "Exception serializing document");
> + }
> +@@ -866,7 +867,7 @@
> + }
> +
> + request->send(body, ec);
> +- setDOMException(exec, ec);
> ++ setDOMException(exec, ec);
> + return jsUndefined();
> + }
> + case XMLHttpRequest::SetRequestHeader:
> --
> 1.6.3.1
>
--
+-----------------------+-------------------------------+
| PGP : 0xB1E6FCE9 | Jabber : miwi(at)BSDCrew.de |
| Skype : splash_111 | Mail : miwi(at)FreeBSD.org |
+-----------------------+-------------------------------+
| Mess with the Best, Die like the Rest! |
+-----------------------+-------------------------------+
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.12 (FreeBSD)
iEYEARECAAYFAkrusTIACgkQdLJIhLHm/Okt9ACgxW0V/GMhlMnN8/Ylnt3SZpGD
0IIAniPAXJLBhWkkgTa6zDa+Vkb+Jc2G
=m9OP
-----END PGP SIGNATURE-----
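Added example, not code from the mail, the oCERT advisory or the KDE sources: a plain C++ reduction of the two checks the quoted patches introduce, contrasting the prefix-style scheme test of the xmlhttprequest.cpp hunk with an exact allowlist, and showing HTML output encoding as the alternative to refusing any path that contains '<' as the info.cc hunk does. The function names, the allowlist of four schemes and the sample inputs are assumptions made here.

```cpp
// Added example (not KDE code). Assumes nothing beyond the C++ standard
// library; the names and the allowed-scheme list are hypothetical.
#include <cctype>
#include <set>
#include <string>

// Lower-case ASCII, standing in for url.protocol().toLower() in the patch.
static std::string lowerAscii(std::string s) {
    for (char& c : s)
        c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    return s;
}

// Prefix match as written in the patch: accepts anything that starts with
// "http" or "webdav", including unrelated schemes such as "httpfoo".
bool schemeAllowedByPrefix(const std::string& scheme) {
    const std::string s = lowerAscii(scheme);
    return s.rfind("http", 0) == 0 || s.rfind("webdav", 0) == 0;
}

// Exact allowlist: only the schemes an XHR object should ever speak.
bool schemeAllowedExact(const std::string& scheme) {
    static const std::set<std::string> allowed = {"http", "https",
                                                  "webdav", "webdavs"};
    return allowed.count(lowerAscii(scheme)) != 0;
}

// Output-encode a path before it is written into generated HTML, so
// "info:/dir/<script>alert('xss')</script>" renders as text instead of
// executing. Unlike rejecting '<', this keeps every legitimate path usable.
std::string htmlEscape(const std::string& in) {
    std::string out;
    out.reserve(in.size());
    for (char c : in) {
        switch (c) {
            case '&':  out += "&amp;";  break;
            case '<':  out += "&lt;";   break;
            case '>':  out += "&gt;";   break;
            case '"':  out += "&quot;"; break;
            case '\'': out += "&#39;";  break;
            default:   out += c;
        }
    }
    return out;
}
```

The exact allowlist rejects "httpfoo" and "file" alike, while the prefix form lets the first one through; the escaping routine is what an info: or help: slave would apply to the path and node before emitting them inside its text/html body.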