rev 5776 - in branches/etch/packages/kdelibs/debian: . patches
Ana Beatriz Guerrero López
ana at alioth.debian.org
Mon Mar 26 18:12:50 CET 2007
Author: ana
Date: 2007-03-26 17:12:49 +0000 (Mon, 26 Mar 2007)
New Revision: 5776
Added:
branches/etch/packages/kdelibs/debian/patches/46_CVE-2007-1564-kdelibs-3.5.6.diff
Modified:
branches/etch/packages/kdelibs/debian/changelog
Log:
kdelibs 4:3.5.5a.dfsg.1-7 security fix for CVE-2007-1564
Modified: branches/etch/packages/kdelibs/debian/changelog
===================================================================
--- branches/etch/packages/kdelibs/debian/changelog 2007-03-24 23:00:09 UTC (rev 5775)
+++ branches/etch/packages/kdelibs/debian/changelog 2007-03-26 17:12:49 UTC (rev 5776)
@@ -1,3 +1,11 @@
+kdelibs (4:3.5.5a.dfsg.1-7) unstable; urgency=high
+
+ * Add patch 46_CVE-2007-1564-kdelibs-3.5.6.diff: untrusted sites that allow
+ Javascript injection could cause Konqueror or other web browsers based on
+ KHTML to perform port scanning. CVE-2007-1564.
+
+ -- Ana Beatriz Guerrero Lopez <ana at debian.org> Mon, 26 Mar 2007 18:57:14 +0100
+
kdelibs (4:3.5.5a.dfsg.1-6) unstable; urgency=high
+++ Changes by Ana Beatriz Guerrero Lopez:
Added: branches/etch/packages/kdelibs/debian/patches/46_CVE-2007-1564-kdelibs-3.5.6.diff
===================================================================
--- branches/etch/packages/kdelibs/debian/patches/46_CVE-2007-1564-kdelibs-3.5.6.diff 2007-03-24 23:00:09 UTC (rev 5775)
+++ branches/etch/packages/kdelibs/debian/patches/46_CVE-2007-1564-kdelibs-3.5.6.diff 2007-03-26 17:12:49 UTC (rev 5776)
@@ -0,0 +1,81 @@
+--- khtml/ecma/kjs_html.cpp
++++ khtml/ecma/kjs_html.cpp
+@@ -1866,9 +1866,11 @@ Value KJS::HTMLElement::getValueProperty
+ getDOMNode(exec, frameElement.contentDocument()) : Undefined();
+ case FrameContentWindow: {
+ KHTMLPart* part = static_cast<DOM::HTMLFrameElementImpl*>(frameElement.handle())->contentPart();
+- if (part)
+- return Value(Window::retrieveWindow(part));
+- else
++ if (part) {
++ Window *w = Window::retrieveWindow(part);
++ if (w)
++ return Value(w);
++ }
+ return Undefined();
+ }
+ case FrameFrameBorder: return String(frameElement.frameBorder());
+@@ -1899,9 +1901,11 @@ Value KJS::HTMLElement::getValueProperty
+ getDOMNode(exec, iFrame.contentDocument()) : Undefined();
+ case IFrameContentWindow: {
+ KHTMLPart* part = static_cast<DOM::HTMLIFrameElementImpl*>(iFrame.handle())->contentPart();
+- if (part)
+- return Value(Window::retrieveWindow(part));
+- else
++ if (part) {
++ Window *w = Window::retrieveWindow(part);
++ if (w)
++ return Value(w);
++ }
+ return Undefined();
+ }
+ case IFrameFrameBorder: return String(iFrame.frameBorder());
+--- kioslave/ftp/ftp.cc
++++ kioslave/ftp/ftp.cc
+@@ -58,6 +58,7 @@
+ #include <kmimemagic.h>
+ #include <kmimetype.h>
+ #include <ksockaddr.h>
++#include <ksocketaddress.h>
+ #include <kio/ioslave_defaults.h>
+ #include <kio/slaveconfig.h>
+ #include <kremoteencoding.h>
+@@ -835,7 +836,6 @@ bool Ftp::ftpSendCmd( const QCString& cm
+ return true;
+ }
+
+-
+ /*
+ * ftpOpenPASVDataConnection - set up data connection, using PASV mode
+ *
+@@ -853,6 +853,8 @@ int Ftp::ftpOpenPASVDataConnection()
+ if (sa != NULL && sa->family() != PF_INET)
+ return ERR_INTERNAL; // no PASV for non-PF_INET connections
+
++ const KInetSocketAddress *sin = static_cast<const KInetSocketAddress*>(sa);
++
+ if (m_extControl & pasvUnknown)
+ return ERR_INTERNAL; // already tried and got "unknown command"
+
+@@ -886,14 +888,17 @@ int Ftp::ftpOpenPASVDataConnection()
+ }
+
+ // Make hostname and port number ...
+- QString host;
+- host.sprintf("%d.%d.%d.%d", i[0], i[1], i[2], i[3]);
+ int port = i[4] << 8 | i[5];
+
++ // we ignore the host part on purpose for two reasons
++ // a) it might be wrong anyway
++ // b) it would make us being suceptible to a port scanning attack
++
+ // now connect the data socket ...
+ m_data = new FtpSocket("PASV");
+- m_data->setAddress(host, port);
+- kdDebug(7102) << "Connecting to " << host << " on port " << port << endl;
++ m_data->setAddress(sin->nodeName(), port);
++
++ kdDebug(7102) << "Connecting to " << sin->nodeName() << " on port " << port << endl;
+ return m_data->connectSocket(connectTimeout(), false);
+ }
+
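Review bot: In the ftp.cc part of the added patch, `sin->nodeName()` can dereference a null pointer, because the guard above the new cast, `if (sa != NULL && sa->family() != PF_INET)`, lets a null `sa` through and `sin` is just `sa` cast. Before this change a null `sa` was harmless here, since the host string was built from the PASV reply. Tightening the guard to `if (sa == NULL || sa->family() != PF_INET) return ERR_INTERNAL;` would make the new use safe. The assignment of `sa` and the rest of `ftpOpenPASVDataConnection` are outside the patch context, so whether `sa` can really be null is inferred only from the existing check. It would also help to extend the new comment to say that the port (`i[4] << 8 | i[5]`) still comes from the server's reply, so only the host is pinned to the control-connection peer.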