authorJaka Kranjc2007-04-03 16:12:15 +0200
committerJaka Kranjc2007-04-03 16:12:15 +0200
commitea8c614723b28eba92ef86f70233556a73051583 (patch)
tree796bd4e707c40870eddfa06d5db2ffd3f77268f3
parentd8835beb7b99116f7f6079a92a326d5f7e148d64 (diff)
kdelibs - fix bug#13672
(cherry picked from commit b58278b3d8ce334c05ebc729396316f39392e79b) Conflicts: kde-core/kdelibs/HISTORY
-rw-r--r--kde-core/kdelibs/CVE-2007-1564-kdelibs-3.5.6.diff81
-rwxr-xr-xkde-core/kdelibs/DETAILS2
-rw-r--r--kde-core/kdelibs/HISTORY10
-rwxr-xr-xkde-core/kdelibs/PRE_BUILD1
4 files changed, 92 insertions, 2 deletions
diff --git a/kde-core/kdelibs/CVE-2007-1564-kdelibs-3.5.6.diff b/kde-core/kdelibs/CVE-2007-1564-kdelibs-3.5.6.diff
new file mode 100644
index 0000000000..b026d67a3d
--- /dev/null
+++ b/kde-core/kdelibs/CVE-2007-1564-kdelibs-3.5.6.diff
@@ -0,0 +1,81 @@
+--- khtml/ecma/kjs_html.cpp
++++ khtml/ecma/kjs_html.cpp
+@@ -1866,9 +1866,11 @@ Value KJS::HTMLElement::getValueProperty
+ getDOMNode(exec, frameElement.contentDocument()) : Undefined();
+ case FrameContentWindow: {
+ KHTMLPart* part = static_cast<DOM::HTMLFrameElementImpl*>(frameElement.handle())->contentPart();
+- if (part)
+- return Value(Window::retrieveWindow(part));
+- else
++ if (part) {
++ Window *w = Window::retrieveWindow(part);
++ if (w)
++ return Value(w);
++ }
+ return Undefined();
+ }
+ case FrameFrameBorder: return String(frameElement.frameBorder());
+@@ -1899,9 +1901,11 @@ Value KJS::HTMLElement::getValueProperty
+ getDOMNode(exec, iFrame.contentDocument()) : Undefined();
+ case IFrameContentWindow: {
+ KHTMLPart* part = static_cast<DOM::HTMLIFrameElementImpl*>(iFrame.handle())->contentPart();
+- if (part)
+- return Value(Window::retrieveWindow(part));
+- else
++ if (part) {
++ Window *w = Window::retrieveWindow(part);
++ if (w)
++ return Value(w);
++ }
+ return Undefined();
+ }
+ case IFrameFrameBorder: return String(iFrame.frameBorder());
+--- kioslave/ftp/ftp.cc
++++ kioslave/ftp/ftp.cc
+@@ -58,6 +58,7 @@
+ #include <kmimemagic.h>
+ #include <kmimetype.h>
+ #include <ksockaddr.h>
++#include <ksocketaddress.h>
+ #include <kio/ioslave_defaults.h>
+ #include <kio/slaveconfig.h>
+ #include <kremoteencoding.h>
+@@ -835,7 +836,6 @@ bool Ftp::ftpSendCmd( const QCString& cm
+ return true;
+ }
+
+-
+ /*
+ * ftpOpenPASVDataConnection - set up data connection, using PASV mode
+ *
+@@ -853,6 +853,8 @@ int Ftp::ftpOpenPASVDataConnection()
+ if (sa != NULL && sa->family() != PF_INET)
+ return ERR_INTERNAL; // no PASV for non-PF_INET connections
+
++ const KInetSocketAddress *sin = static_cast<const KInetSocketAddress*>(sa);
++
+ if (m_extControl & pasvUnknown)
+ return ERR_INTERNAL; // already tried and got "unknown command"
+
+@@ -886,14 +888,17 @@ int Ftp::ftpOpenPASVDataConnection()
+ }
+
+ // Make hostname and port number ...
+- QString host;
+- host.sprintf("%d.%d.%d.%d", i[0], i[1], i[2], i[3]);
+ int port = i[4] << 8 | i[5];
+
++ // we ignore the host part on purpose for two reasons
++ // a) it might be wrong anyway
++ // b) it would make us being suceptible to a port scanning attack
++
+ // now connect the data socket ...
+ m_data = new FtpSocket("PASV");
+- m_data->setAddress(host, port);
+- kdDebug(7102) << "Connecting to " << host << " on port " << port << endl;
++ m_data->setAddress(sin->nodeName(), port);
++
++ kdDebug(7102) << "Connecting to " << sin->nodeName() << " on port " << port << endl;
+ return m_data->connectSocket(connectTimeout(), false);
+ }
+
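Review bot: The new `sin->nodeName()` calls in ftpOpenPASVDataConnection dereference `sin` unconditionally, yet the guard immediately above it only rejects a non-PF_INET address when `sa` is non-NULL, so a NULL `sa` (which the old code tolerated, because the host then came from the PASV reply) now reaches `m_data->setAddress(sin->nodeName(), port)` through a NULL `static_cast`. Tightening the existing check to `if (sa == NULL || sa->family() != PF_INET) return ERR_INTERNAL;` keeps the property the fix is after, that the data connection only ever targets the control-connection peer, without the NULL path. Where `sa` is assigned lies before the hunk, so whether it can actually be NULL at this point cannot be confirmed from the visible lines; the explicit NULL test the original author wrote suggests they thought it could. Note that the port is still taken from the server reply as `i[4] << 8 | i[5]`, which is acceptable since it only selects a port on the already-verified peer host. ftpOpenPASVDataConnection's body starts before the hunk's first context line.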
diff --git a/kde-core/kdelibs/DETAILS b/kde-core/kdelibs/DETAILS
index 2fc3b834df..859f47aefe 100755
--- a/kde-core/kdelibs/DETAILS
+++ b/kde-core/kdelibs/DETAILS
@@ -8,7 +8,7 @@ SOURCE_DIRECTORY=$BUILD_DIRECTORY/$SPELL-$VERSION
SOURCE_URL[0]=$KDE_URL/stable/${VERSION//.0/}/src/$SOURCE
WEB_SITE=http://www.kde.org
ENTERED=20020912
- SECURITY_PATCH=2
+ SECURITY_PATCH=3
LICENSE[0]=GPL
KEYWORDS="kde"
SHORT="Base applications that form the core of KDE."
diff --git a/kde-core/kdelibs/HISTORY b/kde-core/kdelibs/HISTORY
index f5b558d6d4..6b3bc87cbd 100644
--- a/kde-core/kdelibs/HISTORY
+++ b/kde-core/kdelibs/HISTORY
@@ -1,4 +1,12 @@
-2007-03-08 Treeve Jelbert <treeve01@pi.be>
+2007-04-02 Treeve Jelbert <treeve@sourcemage.org>
+ * DETAILS: SECURITY_PATCH++
+ * CVE-2007-1564-kdelibs-3.5.6.diff: added
+ * PRE_BUILD: apply patch
+ security fix CVE-2007-1564
+ URL: http://www.kde.org/info/security/advisory-20070326-1.txt
+ fixes bug #13672
+
+2007-03-08 Treeve Jelbert <treeve@sourcemage.org>
* DETAILS: SECURITY_PATCH
* PRE_BUILD, post-3.5.6-kdelibs.diff:add
security fix CVE-2007-0537
diff --git a/kde-core/kdelibs/PRE_BUILD b/kde-core/kdelibs/PRE_BUILD
index 13e482626d..cab47ecd48 100755
--- a/kde-core/kdelibs/PRE_BUILD
+++ b/kde-core/kdelibs/PRE_BUILD
@@ -1,3 +1,4 @@
default_pre_build &&
cd $SOURCE_DIRECTORY &&
+patch -p0 < $SPELL_DIRECTORY/CVE-2007-1564-kdelibs-3.5.6.diff &&
patch -p0 < $SPELL_DIRECTORY/post-3.5.6-kdelibs.diff