rev 7138 - in trunk/packages/kdelibs/debian: . patches

Ana Beatriz Guerrero López ana at alioth.debian.org
Thu Aug 30 05:24:16 UTC 2007


Author: ana
Date: 2007-08-30 05:24:15 +0000 (Thu, 30 Aug 2007)
New Revision: 7138

Added:
   trunk/packages/kdelibs/debian/patches/55_several-CVE-kdelibs-kdecore.diff
Modified:
   trunk/packages/kdelibs/debian/changelog
Log:
  * Add patch 55_several-CVE-kdelibs-kdecore.diff to make Konqueror address
    bar more robust against addressbar spoofing.
    Related CVEs: CVE-2007-4224, CVE-2007-4225, CVE-2007-3820.
http://www.kde.org/info/security/advisory-20070816-1.txt



Modified: trunk/packages/kdelibs/debian/changelog
===================================================================
--- trunk/packages/kdelibs/debian/changelog	2007-08-30 04:39:43 UTC (rev 7137)
+++ trunk/packages/kdelibs/debian/changelog	2007-08-30 05:24:15 UTC (rev 7138)
@@ -6,8 +6,14 @@
     unneeded Conflict in kdelibs4-dev against kdelibs4c2a introduced in -6.
     (Closes: #439515, #439779)
 
- -- Debian Qt/KDE Maintainers <debian-qt-kde at lists.debian.org>  Tue, 28 Aug 2007 21:27:28 +0200
+  +++ Changes by Ana Beatriz Guerrero Lopez:
 
+  * Add patch 55_several-CVE-kdelibs-kdecore.diff to make Konqueror address
+    bar more robust against addressbar spoofing.
+    Related CVEs: CVE-2007-4224, CVE-2007-4225, CVE-2007-3820.
+
+ -- Debian Qt/KDE Maintainers <debian-qt-kde at lists.debian.org>  Thu, 30 Aug 2007 07:18:06 +0200
+
 kdelibs (4:3.5.7.dfsg.1-6) unstable; urgency=low
 
   * Move back kstartupconfig to kdelibs4c2a. (Closes: #439411)

Added: trunk/packages/kdelibs/debian/patches/55_several-CVE-kdelibs-kdecore.diff
===================================================================
--- trunk/packages/kdelibs/debian/patches/55_several-CVE-kdelibs-kdecore.diff	                        (rev 0)
+++ trunk/packages/kdelibs/debian/patches/55_several-CVE-kdelibs-kdecore.diff	2007-08-30 05:24:15 UTC (rev 7138)
@@ -0,0 +1,55 @@
+--- kdelibs/kdecore/tests/kurltest.cpp
++++ kdelibs/kdecore/tests/kurltest.cpp
+@@ -288,6 +288,16 @@ int main(int argc, char *argv[])
+   check("KURL::prettyURL()", url15582.prettyURL(), "http://alain.knaff.linux.lu/bug-reports/kde/percentage%in%url.html");
+   check("KURL::url()", url15582.url(), "http://alain.knaff.linux.lu/bug-reports/kde/percentage%25in%25url.html");
+ 
++  KURL whitespaceInUser("http://www.google.com%20%20%20%20%20@foobar.com/");
++  check("KURL::prettyURL()", whitespaceInUser.prettyURL(), "http://www.google.com%20%20%20%20%20@foobar.com/");
++
++  KURL whitespaceInPath("http://www.google.com/foo%20bar/");
++  check("KURL::prettyURL()", whitespaceInPath.prettyURL(), "http://www.google.com/foo bar/");
++
++   KURL whitespaceInPath2("http://www.google.com/foo%20%20%20%20%20%20%20bar/");
++  check("KURL::prettyURL()", whitespaceInPath2.prettyURL(),
++          "http://www.google.com/foo%20%20%20%20%20%20 bar/");
++
+   KURL carsten;
+   carsten.setPath("/home/gis/src/kde/kdelibs/kfile/.#kfiledetailview.cpp.1.18");
+   check("KURL::path()", carsten.path(), "/home/gis/src/kde/kdelibs/kfile/.#kfiledetailview.cpp.1.18");
+@@ -594,6 +604,15 @@ int main(int argc, char *argv[])
+   check("http: URL with empty path string path", waba1.path(),
+         "");
+ 
++  waba1 = "http://www.meinestadt.de&url_plain=http";
++  check("http: URL with empty path string", waba1.host(),
++         "www.meinestadt.de&url_plain=http");
++  check("http: URL with empty path string", waba1.htmlURL(),
++         "http://www.meinestadt.de&amp;url_plain=http");
++ 
++  check("http: URL with empty path string", waba1.path(),
++         "");
++
+   waba1 = "http://a:389#b=c";
+   check( "http: URL with port, ref, and empty path; url", waba1.url(), "http://a:389#b=c" );
+   check( "http: URL with port, ref, and empty path; host", waba1.host(), "a" );
+--- kdelibs/kdecore/kurl.cpp
++++ kdelibs/kdecore/kurl.cpp
+@@ -183,7 +183,7 @@ static QString lazy_encode( const QStrin
+         (character == '?') || // Start of query delimiter
+         ((character == '@') && encodeAt) || // Username delimiter
+         (character == '#') || // Start of reference delimiter
+-        ((character == 32) && (i+1 == old_length))) // A trailing space
++        ((character == 32) && (i+1 == old_length || segment[i+1] == ' '))) // A trailing space
+     {
+       new_segment[ new_length++ ] = '%';
+ 
+@@ -1540,7 +1540,7 @@ QString KURL::prettyURL( int _trailing )
+     u += "//";
+     if ( hasUser() )
+     {
+-      u += lazy_encode(m_strUser);
++      u += encode(m_strUser, 0, 0);
+       // Don't show password!
+       u += "@";
+     }
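Review bot: The trailing comment on the changed condition in lazy_encode still reads `// A trailing space`, but the new test also encodes a space that is followed by another space, so the comment no longer describes the rule; `// A trailing space, or a space followed by another space` would match the code. The condition handles only character 32, and this hunk does not show whether lazy_encode encodes tabs or other blank-looking characters elsewhere, so a kurltest.cpp case pinning the expected prettyURL() output for those would be worth adding next to whitespaceInPath2. In prettyURL, `u += encode(m_strUser, 0, 0);` deserves a short comment saying that the user part is now fully encoded so that padding in it cannot hide the real host, and stating what the two zero arguments select. Both functions begin and end outside the inner hunks, so the rest of their encoding logic is not reviewed here.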



