rev 5776 - in branches/etch/packages/kdelibs/debian: . patches

Ana Beatriz Guerrero López ana at alioth.debian.org
Mon Mar 26 18:12:50 CET 2007


Author: ana
Date: 2007-03-26 17:12:49 +0000 (Mon, 26 Mar 2007)
New Revision: 5776

Added:
   branches/etch/packages/kdelibs/debian/patches/46_CVE-2007-1564-kdelibs-3.5.6.diff
Modified:
   branches/etch/packages/kdelibs/debian/changelog
Log:
kdelibs 4:3.5.5a.dfsg.1-7 security fix for CVE-2007-1564



Modified: branches/etch/packages/kdelibs/debian/changelog
===================================================================
--- branches/etch/packages/kdelibs/debian/changelog	2007-03-24 23:00:09 UTC (rev 5775)
+++ branches/etch/packages/kdelibs/debian/changelog	2007-03-26 17:12:49 UTC (rev 5776)
@@ -1,3 +1,11 @@
+kdelibs (4:3.5.5a.dfsg.1-7) unstable; urgency=high
+
+  * Add patch 46_CVE-2007-1564-kdelibs-3.5.6.diff: untrusted sites that allow 
+    Javascript injection could cause Konqueror or other web browsers based on 
+    KHTML to perform port scanning.  CVE-2007-1564.
+
+ -- Ana Beatriz Guerrero Lopez <ana at debian.org>  Mon, 26 Mar 2007 18:57:14 +0100
+
 kdelibs (4:3.5.5a.dfsg.1-6) unstable; urgency=high
 
   +++ Changes by Ana Beatriz Guerrero Lopez:

Added: branches/etch/packages/kdelibs/debian/patches/46_CVE-2007-1564-kdelibs-3.5.6.diff
===================================================================
--- branches/etch/packages/kdelibs/debian/patches/46_CVE-2007-1564-kdelibs-3.5.6.diff	2007-03-24 23:00:09 UTC (rev 5775)
+++ branches/etch/packages/kdelibs/debian/patches/46_CVE-2007-1564-kdelibs-3.5.6.diff	2007-03-26 17:12:49 UTC (rev 5776)
@@ -0,0 +1,81 @@
+--- khtml/ecma/kjs_html.cpp
++++ khtml/ecma/kjs_html.cpp
+@@ -1866,9 +1866,11 @@ Value KJS::HTMLElement::getValueProperty
+ 				      getDOMNode(exec, frameElement.contentDocument()) : Undefined();
+     case FrameContentWindow:   {
+         KHTMLPart* part = static_cast<DOM::HTMLFrameElementImpl*>(frameElement.handle())->contentPart();
+-        if (part)
+-            return Value(Window::retrieveWindow(part));
+-        else
++        if (part) {
++          Window *w = Window::retrieveWindow(part);
++          if (w)
++            return Value(w);
++        }
+             return Undefined();
+     }
+     case FrameFrameBorder:     return String(frameElement.frameBorder());
+@@ -1899,9 +1901,11 @@ Value KJS::HTMLElement::getValueProperty
+ 				       getDOMNode(exec, iFrame.contentDocument()) : Undefined();
+     case IFrameContentWindow:       {
+         KHTMLPart* part = static_cast<DOM::HTMLIFrameElementImpl*>(iFrame.handle())->contentPart();
+-        if (part)
+-            return Value(Window::retrieveWindow(part));
+-        else
++        if (part) {
++          Window *w = Window::retrieveWindow(part);
++          if (w)
++            return Value(w);
++        }
+             return Undefined();
+     }
+     case IFrameFrameBorder:     return String(iFrame.frameBorder());
+--- kioslave/ftp/ftp.cc
++++ kioslave/ftp/ftp.cc
+@@ -58,6 +58,7 @@
+ #include <kmimemagic.h>
+ #include <kmimetype.h>
+ #include <ksockaddr.h>
++#include <ksocketaddress.h>
+ #include <kio/ioslave_defaults.h>
+ #include <kio/slaveconfig.h>
+ #include <kremoteencoding.h>
+@@ -835,7 +836,6 @@ bool Ftp::ftpSendCmd( const QCString& cm
+   return true;
+ }
+ 
+-
+ /*
+  * ftpOpenPASVDataConnection - set up data connection, using PASV mode
+  *
+@@ -853,6 +853,8 @@ int Ftp::ftpOpenPASVDataConnection()
+   if (sa != NULL && sa->family() != PF_INET)
+     return ERR_INTERNAL;       // no PASV for non-PF_INET connections
+ 
++  const KInetSocketAddress *sin = static_cast<const KInetSocketAddress*>(sa);
++
+   if (m_extControl & pasvUnknown)
+     return ERR_INTERNAL;       // already tried and got "unknown command"
+ 
+@@ -886,14 +888,17 @@ int Ftp::ftpOpenPASVDataConnection()
+   }
+ 
+   // Make hostname and port number ...
+-  QString host;
+-  host.sprintf("%d.%d.%d.%d", i[0], i[1], i[2], i[3]);
+   int port = i[4] << 8 | i[5];
+ 
++  // we ignore the host part on purpose for two reasons
++  // a) it might be wrong anyway
++  // b) it would make us being suceptible to a port scanning attack
++
+   // now connect the data socket ...
+   m_data = new FtpSocket("PASV");
+-  m_data->setAddress(host, port);
+-  kdDebug(7102) << "Connecting to " << host << " on port " << port << endl;
++  m_data->setAddress(sin->nodeName(), port);
++
++  kdDebug(7102) << "Connecting to " << sin->nodeName() << " on port " << port << endl;
+   return m_data->connectSocket(connectTimeout(), false);
+ }
+ 



