[SCM] KDE Development Platform Libraries module packaging branch, squeeze, updated. debian/4.4.5-2+squeeze1-4-g2bfb1e4

José Manuel Santamaría Lema santa-guest at alioth.debian.org
Thu Apr 14 01:01:11 UTC 2011


The following commit has been merged in the squeeze branch:
commit ae934a0adca8b1dc0c8fd5c370a2a30075633881
Author: José Manuel Santamaría Lema <panfaust at gmail.com>
Date:   Wed Apr 13 16:07:40 2011 +0200

    Fix CVE-2010-3170 for Konqueror.
---
 debian/changelog                               |    2 +
 debian/patches/cve_2010_3170_cn_wildcards.diff |   84 ++++++++++++++++++++++++
 debian/patches/series                          |    1 +
 3 files changed, 87 insertions(+), 0 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 9a10aac..b15352c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -2,6 +2,8 @@ kde4libs (4:4.4.5-2+squeeze2) UNRELEASED; urgency=low
 
   * Fix CVE-2011-1168 (Konqueror partially universal XSS in error pages) by
     cve_2011_1168_konqueror_xss.diff.
+  * Fix CVE-2010-3170 (browser wildcard cerficate validation weakness) for
+    Konqueror by cve_2010_3170_cn_wildcards.diff.
 
  -- José Manuel Santamaría Lema <panfaust at gmail.com>  Tue, 12 Apr 2011 21:16:20 +0200
 
diff --git a/debian/patches/cve_2010_3170_cn_wildcards.diff b/debian/patches/cve_2010_3170_cn_wildcards.diff
new file mode 100644
index 0000000..640252b
--- /dev/null
+++ b/debian/patches/cve_2010_3170_cn_wildcards.diff
@@ -0,0 +1,84 @@
+Origin: https://projects.kde.org/projects/kde/kdelibs/repository/revisions/f2a059e6
+Description: Fix wildcard ssl handling.
+ We now correctly handle wildcards, rather than using shell globs. This removes
+ the same issue as QTBUG-4455. In addition, fixes CVE-2010-3170 for Konqueror.
+ References:
+ * http://www.westpoint.ltd.uk/advisories/wp-10-0001.txt
+--- a/kio/kio/tcpslavebase.cpp
++++ b/kio/kio/tcpslavebase.cpp
+@@ -4,6 +4,7 @@
+  * Copyright (C) 2001 Dawit Alemayehu <adawit at kde.org>
+  * Copyright (C) 2007,2008 Andreas Hartmetz <ahartmetz at gmail.com>
+  * Copyright (C) 2008 Roland Harnau <tau at gmx.eu>
++ * Copyright (C) 2010 Richard Moore <rich at kde.org>
+  *
+  * This file is part of the KDE project
+  *
+@@ -436,6 +437,49 @@ bool TCPSlaveBase::startSsl()
+     return startTLSInternal(KTcpSocket::TlsV1) & ResultOk;
+ }
+ 
++// Find out if a hostname matches an SSL certificate's Common Name (including wildcards)
++static bool isMatchingHostname(const QString &cnIn, const QString &hostnameIn)
++{
++    const QString cn = cnIn.toLower();
++    const QString hostname = hostnameIn.toLower();
++
++    const int wildcard = cn.indexOf(QLatin1Char('*'));
++
++    // Check this is a wildcard cert, if not then just compare the strings
++    if (wildcard < 0)
++        return cn == hostname;
++
++    const int firstCnDot = cn.indexOf(QLatin1Char('.'));
++    const int secondCnDot = cn.indexOf(QLatin1Char('.'), firstCnDot+1);
++
++    // Check at least 3 components
++    if ((-1 == secondCnDot) || (secondCnDot+1 >= cn.length()))
++        return false;
++
++    // Check * is last character of 1st component (ie. there's a following .)
++    if (wildcard+1 != firstCnDot)
++        return false;
++
++    // Check only one star
++    if (cn.lastIndexOf(QLatin1Char('*')) != wildcard)
++        return false;
++
++    // Check characters preceding * (if any) match
++    if (wildcard && (hostname.leftRef(wildcard) != cn.leftRef(wildcard)))
++        return false;
++
++    // Check characters following first . match
++    if (hostname.midRef(hostname.indexOf(QLatin1Char('.'))) != cn.midRef(firstCnDot))
++        return false;
++
++    // Check if the hostname is an IP address, if so then wildcards are not allowed
++    QHostAddress addr(hostname);
++    if (!addr.isNull())
++        return false;
++
++    // Ok, I guess this was a wildcard CN and the hostname matches.
++    return true;
++}
+ 
+ TCPSlaveBase::SslResult TCPSlaveBase::startTLSInternal(uint v_)
+ {
+@@ -492,7 +536,6 @@ TCPSlaveBase::SslResult TCPSlaveBase::startTLSInternal(uint v_)
+     QSslCertificate peerCert = d->socket.peerCertificateChain().first();
+     QStringList domainPatterns(peerCert.subjectInfo(QSslCertificate::CommonName));
+     domainPatterns += peerCert.alternateSubjectNames().values(QSsl::DnsEntry);
+-    QRegExp domainMatcher(QString(), Qt::CaseInsensitive, QRegExp::Wildcard);
+     QMutableListIterator<KSslError> it(d->sslErrors);
+     while (it.hasNext()) {
+         // As of 4.4.0 Qt does not assign a certificate to the QSslError it emits
+@@ -503,8 +546,7 @@ TCPSlaveBase::SslResult TCPSlaveBase::startTLSInternal(uint v_)
+             continue;
+         }
+         foreach (const QString &dp, domainPatterns) {
+-            domainMatcher.setPattern(dp);
+-            if (domainMatcher.exactMatch(d->host)) {
++            if (isMatchingHostname(dp,d->host)) {
+                 it.remove();
+             }
+         }
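Review bot: The "at least 3 components" test in isMatchingHostname is the only limit on how broad a wildcard may be, so a pattern whose last two labels are a shared registry suffix (constructed example: `*.co.uk`) is still accepted when the certificate chains to a trusted issuer. If no public-suffix list is available in this code base, the limitation should at least be recorded next to the check, e.g. `// NOTE: counts labels only; does not detect wildcards over public suffixes such as *.co.uk`. The QHostAddress test could also move to the top of the wildcard branch, so IP literals are rejected before any string comparison and the rule this CVE is about is the first thing a reader sees. The helper's header comment says "Common Name", but the caller also passes subjectAltName DNS entries, so the comment should name both. startTLSInternal itself starts and ends outside the inner hunks, so the handling after `it.remove()` is not visible here.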
diff --git a/debian/patches/series b/debian/patches/series
index 707181e..ce6af15 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -19,3 +19,4 @@
 30_kfileshare_kdesu_fileshareset.diff
 31_relax_plugin_kde_version_check.diff
 cve_2011_1168_konqueror_xss.diff
+cve_2010_3170_cn_wildcards.diff

-- 
KDE Development Platform Libraries module packaging


