[SCM] Qt 4 packaging branch, master, updated. debian/4.8.2+dfsg-4-2-g6c47829

Lisandro Damián Nicanor Pérez lisandro at alioth.debian.org
Sat Dec 8 17:33:03 UTC 2012


Gitweb-URL: http://git.debian.org/?p=pkg-kde/qt/qt4-x11.git;a=commitdiff;h=6c47829

The following commit has been merged in the master branch:
commit 6c47829956931fe2cdce32ceb1b3215c1f6ba5b4
Author: Lisandro Damián Nicanor Pérez Meyer <perezmeyer at gmail.com>
Date:   Sat Dec 8 14:32:31 2012 -0300

    Backport upstream patch to solve MITM attack.
---
 debian/changelog                                   |    5 ++-
 .../patches/make_rules_for_redirect_stricter.patch |   32 ++++++++++++++++++++
 debian/patches/series                              |    1 +
 3 files changed, 37 insertions(+), 1 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 157368a..60f0421 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,9 @@
 qt4-x11 (4:4.8.2+dfsg-5) UNRELEASED; urgency=low
 
-
+  [ Lisandro Damián Nicanor Pérez Meyer ]
+  * Apply make_rules_for_redirect_stricter.patch taken from upstream to solve
+    a "man in the middle" attack, CVE-2012-5624. Thanks Thijs Kinkhorst
+    (Closes: #695156).
 
  -- Debian Qt/KDE Maintainers <debian-qt-kde at lists.debian.org>  Sat, 08 Dec 2012 14:26:18 -0300
 
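Review bot: the header line still reads urgency=low even though the entry added here fixes CVE-2012-5624; for a security fix, consider raising the urgency so the upload is not treated as routine. The entry could also say what the patch restricts (redirect handling in the QML XMLHttpRequest code), since "man in the middle" alone does not tell a reader which component changed.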
diff --git a/debian/patches/make_rules_for_redirect_stricter.patch b/debian/patches/make_rules_for_redirect_stricter.patch
new file mode 100644
index 0000000..3622927
--- /dev/null
+++ b/debian/patches/make_rules_for_redirect_stricter.patch
@@ -0,0 +1,32 @@
+From 8ca687050b2c9789724df2cf9955d7ad7dd2c060 Mon Sep 17 00:00:00 2001
+From: Richard Moore <rich at kde.org>
+Date: Mon, 19 Nov 2012 20:48:39 +0000
+Subject: [PATCH] Make the rules for redirects a bit stricter.
+
+Change-Id: I7a3cec664aa028202de3d3bda9f499e4deb2998d
+---
+ src/declarative/qml/qdeclarativexmlhttprequest.cpp |    8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/src/declarative/qml/qdeclarativexmlhttprequest.cpp b/src/declarative/qml/qdeclarativexmlhttprequest.cpp
+index 5378a15..3de89a5 100644
+--- a/src/declarative/qml/qdeclarativexmlhttprequest.cpp
++++ b/src/declarative/qml/qdeclarativexmlhttprequest.cpp
+@@ -1272,9 +1272,11 @@ void QDeclarativeXMLHttpRequest::finished()
+         QVariant redirect = m_network->attribute(QNetworkRequest::RedirectionTargetAttribute);
+         if (redirect.isValid()) {
+             QUrl url = m_network->url().resolved(redirect.toUrl());
+-            destroyNetwork();
+-            requestFromUrl(url);
+-            return;
++            if (url.scheme().toLower() != QLatin1String("file")) {
++                destroyNetwork();
++                requestFromUrl(url);
++                return;
++            }
+         }
+     }
+ 
+-- 
+1.7.10.4
+
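Review bot: the new condition `url.scheme().toLower() != QLatin1String("file")` in QDeclarativeXMLHttpRequest::finished() is a one-entry denylist, so a redirect that resolves to any other non-network scheme is still followed. An allowlist of the schemes a network redirect may legitimately target (for example http and https) would be stricter and would not need revisiting for each additional local scheme. When the target is a file URL, control now falls out of the `if (redirect.isValid())` block with no warning or error visible in this hunk, so it is worth confirming what the script sees in that case. The patch header carries only the upstream From/Date/Subject and Change-Id; adding the CVE id and an Origin or Bug-Debian field would make the backport easier to trace.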
diff --git a/debian/patches/series b/debian/patches/series
index d37d71b..f259b96 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -7,6 +7,7 @@ Fix-cursor-truncate-to-include-line-position.patch
 disable-SSL-compression-by-default.patch
 fix_jit_crash_on_x86_64.patch
 add_missing_map_noreserve.patch
+make_rules_for_redirect_stricter.patch
 
 # qt-copy patches
 0195-compositing-properties.diff

-- 
Qt 4 packaging


