rev 16509 - trunk/packages/kde3libs/debian/patches
Scott Kitterman
kitterma-guest at alioth.debian.org
Thu Dec 31 20:13:05 UTC 2009
Author: kitterma-guest
Date: 2009-12-31 20:13:05 +0000 (Thu, 31 Dec 2009)
New Revision: 16509
Added:
trunk/packages/kde3libs/debian/patches/65_gcc4.4_ftbfs.diff
trunk/packages/kde3libs/debian/patches/CVE-2009-0689.diff
trunk/packages/kde3libs/debian/patches/security_05_XMLHttpRequest_vulnerability.diff
Log:
svn add the patches ....
Added: trunk/packages/kde3libs/debian/patches/65_gcc4.4_ftbfs.diff
===================================================================
--- trunk/packages/kde3libs/debian/patches/65_gcc4.4_ftbfs.diff (rev 0)
+++ trunk/packages/kde3libs/debian/patches/65_gcc4.4_ftbfs.diff 2009-12-31 20:13:05 UTC (rev 16509)
@@ -0,0 +1,26 @@
+#
+# Upstream: https://bugs.kde.org/show_bug.cgi?id=193242
+# Patch: http://websvn.kde.org/?view=rev&revision=975371
+# Description: fix FTBFS when using gcc-4.4
+#
+diff -Nur -x '*.orig' -x '*~' kdelibs-3.5.10.dfsg.1/kioslave/ftp/ftp.cc kdelibs-3.5.10.dfsg.1.new/kioslave/ftp/ftp.cc
+--- kdelibs-3.5.10.dfsg.1/kioslave/ftp/ftp.cc 2008-08-19 13:18:12.000000000 -0500
++++ kdelibs-3.5.10.dfsg.1.new/kioslave/ftp/ftp.cc 2009-09-15 15:45:06.536486919 -0500
+@@ -876,7 +876,7 @@
+ // The usual answer is '227 Entering Passive Mode. (160,39,200,55,6,245)'
+ // but anonftpd gives '227 =160,39,200,55,6,245'
+ int i[6];
+- char *start = strchr(ftpResponse(3), '(');
++ const char *start = strchr(ftpResponse(3), '(');
+ if ( !start )
+ start = strchr(ftpResponse(3), '=');
+ if ( !start ||
+@@ -931,7 +931,7 @@
+ return ERR_INTERNAL;
+ }
+
+- char *start = strchr(ftpResponse(3), '|');
++ const char *start = strchr(ftpResponse(3), '|');
+ if ( !start || sscanf(start, "|||%d|", &portnum) != 1)
+ return ERR_INTERNAL;
+
Added: trunk/packages/kde3libs/debian/patches/CVE-2009-0689.diff
===================================================================
--- trunk/packages/kde3libs/debian/patches/CVE-2009-0689.diff (rev 0)
+++ trunk/packages/kde3libs/debian/patches/CVE-2009-0689.diff 2009-12-31 20:13:05 UTC (rev 16509)
@@ -0,0 +1,15 @@
+Description: fix array overrun (CVE-2009-0689)
+Origin: http://websvn.kde.org/?view=revision&revision=1052100
+
+diff -Nur -x '*.orig' -x '*~' kdelibs-3.5.10/kjs/dtoa.cpp kdelibs-3.5.10.new/kjs/dtoa.cpp
+--- kdelibs-3.5.10/kjs/dtoa.cpp 2005-09-10 03:27:24.000000000 -0500
++++ kdelibs-3.5.10.new/kjs/dtoa.cpp 2009-12-03 08:39:37.333058232 -0600
+@@ -487,7 +487,7 @@
+ #define FREE_DTOA_LOCK(n) /*nothing*/
+ #endif
+
+-#define Kmax 15
++#define Kmax (sizeof(size_t) << 3)
+
+ struct
+ Bigint {
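Review bot: The `Kmax` define is the only line this patch changes, so the overrun fix depends on code outside the hunk: raising the limit from 15 to `sizeof(size_t) << 3` (32 or 64 on common platforms) enlarges whatever is sized by Kmax but does not by itself reject an out-of-range index. It is worth confirming that every place in dtoa.cpp that indexes a Kmax-sized table checks the index against Kmax first. The macro now has type `size_t` rather than `int`, so any comparison of a signed value against it is carried out unsigned; that deserves a mention next to the define. A comment such as `/* bits in size_t; raised from 15 to fix the array overrun, CVE-2009-0689 */` above the define would record why the value was chosen. The `Bigint` struct that follows continues outside the hunk.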
Added: trunk/packages/kde3libs/debian/patches/security_05_XMLHttpRequest_vulnerability.diff
===================================================================
--- trunk/packages/kde3libs/debian/patches/security_05_XMLHttpRequest_vulnerability.diff (rev 0)
+++ trunk/packages/kde3libs/debian/patches/security_05_XMLHttpRequest_vulnerability.diff 2009-12-31 20:13:05 UTC (rev 16509)
@@ -0,0 +1,31 @@
+Index: xmlhttprequest.cpp
+===================================================================
+--- kdelibs-3.5.10.dfsg.1/khtml/ecma/xmlhttprequest.cpp (revision 954808)
++++ kdelibs-3.5.10.dfsg.1/khtml/ecma/xmlhttprequest.cpp (working copy)
+@@ -342,17 +342,17 @@
+ {
+ aborted = false;
+
++ const QString protocol = url.protocol().lower();
++ // Abandon the request when the protocol is other than "http",
++ // instead of blindly doing a KIO::get on other protocols like file:/.
++ if (!protocol.startsWith("http") && !protocol.startsWith("webdav"))
++ {
++ abort();
++ return;
++ }
++
+ if (method == "post") {
+- QString protocol = url.protocol().lower();
+
+- // Abondon the request when the protocol is other than "http",
+- // instead of blindly changing it to a "get" request.
+- if (!protocol.startsWith("http") && !protocol.startsWith("webdav"))
+- {
+- abort();
+- return;
+- }
+-
+ // FIXME: determine post encoding correctly by looking in headers
+ // for charset.
+ QByteArray buf;
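Review bot: The scheme check moved to the top of the function still matches by prefix, `protocol.startsWith("http")` and `protocol.startsWith("webdav")`, so any scheme whose name merely begins with one of those strings passes, not only the ones presumably intended (http, https, webdav, webdavs). An exact allow-list is tighter: `if (protocol != "http" && protocol != "https" && protocol != "webdav" && protocol != "webdavs")`. The added comment says 'other than "http"' although the code also admits webdav; `// Only http(s) and webdav(s) may be fetched; refuse file:/ and every other scheme.` would match the behaviour. The function body starts and ends outside the hunk.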