[SCM] KDE Development Platform Libraries module packaging branch, squeeze, updated. debian/4.4.5-2+squeeze1-2-g20deb67

José Manuel Santamaría Lema santa-guest at alioth.debian.org
Tue Apr 12 23:04:52 UTC 2011


The following commit has been merged in the squeeze branch:
commit 20deb67485d6c2350ed8888561c73bf12462c82d
Author: José Manuel Santamaría Lema <panfaust at gmail.com>
Date:   Wed Apr 13 01:04:57 2011 +0200

    Add cve_2011_1168_konqueror_xss.diff
---
 debian/changelog                                |    3 ++-
 debian/patches/cve_2011_1168_konqueror_xss.diff |   19 +++++++++++++++++++
 debian/patches/series                           |    1 +
 3 files changed, 22 insertions(+), 1 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 26c0875..9a10aac 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,7 @@
 kde4libs (4:4.4.5-2+squeeze2) UNRELEASED; urgency=low
 
-  * 
+  * Fix CVE-2011-1168 (Konqueror partially universal XSS in error pages) by
+    cve_2011_1168_konqueror_xss.diff.
 
  -- José Manuel Santamaría Lema <panfaust at gmail.com>  Tue, 12 Apr 2011 21:16:20 +0200
 
diff --git a/debian/patches/cve_2011_1168_konqueror_xss.diff b/debian/patches/cve_2011_1168_konqueror_xss.diff
new file mode 100644
index 0000000..7725eee
--- /dev/null
+++ b/debian/patches/cve_2011_1168_konqueror_xss.diff
@@ -0,0 +1,19 @@
+Origin: https://projects.kde.org/projects/kde/kdelibs/repository/revisions/8b06e2c
+Description: This patch fixes CVE-2011-1168.
+ References:
+ * http://www.kde.org/info/security/advisory-20110411-1.txt
+ * http://www.nth-dimension.org.uk/pub/NDSA20110321.txt.asc
+--- a/khtml/khtml_part.cpp
++++ b/khtml/khtml_part.cpp
+@@ -1848,7 +1848,10 @@
+   stream >> errorName >> techName >> description >> causes >> solutions;
+ 
+   QString url, protocol, datetime;
+-  url = Qt::escape( reqUrl.prettyUrl() );
++
++  // This is somewhat confusing, but we have to escape the externally-
++  // controlled URL twice: once for i18n, and once for HTML.
++  url = Qt::escape( Qt::escape( reqUrl.prettyUrl() ) );
+   protocol = reqUrl.protocol();
+   datetime = KGlobal::locale()->formatDateTime( QDateTime::currentDateTime(),
+                                                 KLocale::LongDate );
diff --git a/debian/patches/series b/debian/patches/series
index 44ca285..707181e 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -18,3 +18,4 @@
 29_hurd_support.diff
 30_kfileshare_kdesu_fileshareset.diff
 31_relax_plugin_kde_version_check.diff
+cve_2011_1168_konqueror_xss.diff

-- 
KDE Development Platform Libraries module packaging



More information about the pkg-kde-commits mailing list