[SCM] KDE Base Workspace module packaging branch, master, updated. debian/4.11.13-1-3-gd9526cc

Fri Nov 7 08:24:58 UTC 2014

Gitweb-URL: http://git.debian.org/?p=pkg-kde/kde-sc/kde-workspace.git;a=commitdiff;h=d9526cc

The following commit has been merged in the master branch:
commit d9526cc9179a7f2ed4dc77280a753c42eaec457c
Author: Maximiliano Curia <maxy at debian.org>
Date:   Fri Nov 7 09:24:01 2014 +0100

    New patch: upstream_validate_timezone_name_before_setting.patch, avoids .. in timezone name.
---
 debian/changelog                                   |  2 ++
 debian/patches/series                              |  1 +
 ...eam_validate_timezone_name_before_setting.patch | 28 ++++++++++++++++++++++
 3 files changed, 31 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index b953329..7c05cf4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -2,6 +2,8 @@ kde-workspace (4:4.11.13-2~) UNRELEASED; urgency=medium
 
   * New patch: upstream_do_not_pass_ntpUtility_as_an_argument.patch fix
     for https://www.kde.org/info/security/advisory-20141106-1.txt
+  * New patch: upstream_validate_timezone_name_before_setting.patch,
+    avoids .. in timezone name.
 
  -- Maximiliano Curia <maxy at debian.org>  Fri, 07 Nov 2014 09:07:20 +0100
 
diff --git a/debian/patches/series b/debian/patches/series
index 2f9db29..0bd5ed8 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -27,3 +27,4 @@ kubuntu_avoid_zic_and_deep_copy_timezone_data.diff
 check_if_SensorMgr
 ksysguardd_acpi_valgrind_complain
 upstream_do_not_pass_ntpUtility_as_an_argument.patch
+upstream_validate_timezone_name_before_setting.patch
diff --git a/debian/patches/upstream_validate_timezone_name_before_setting.patch b/debian/patches/upstream_validate_timezone_name_before_setting.patch
new file mode 100644
index 0000000..882ad73
--- /dev/null
+++ b/debian/patches/upstream_validate_timezone_name_before_setting.patch
@@ -0,0 +1,28 @@
+commit 54d0bfb5effff9c8cf60da890b7728cbe36a454e
+Author: David Edmundson <kde at davidedmundson.co.uk>
+Date:   Tue Nov 4 14:00:54 2014 +0100
+
+    Validate timezone name before setting
+    
+    This patch ensures that the symlink /etc/localtime always points to a
+    file in /usr/share/timezones and not an arbitrary file in a user's home
+    directory.
+
+diff --git a/kcontrol/dateandtime/helper.cpp b/kcontrol/dateandtime/helper.cpp
+index 101d8ca..21fc51a 100644
+--- a/kcontrol/dateandtime/helper.cpp
++++ b/kcontrol/dateandtime/helper.cpp
+@@ -123,6 +123,13 @@ int ClockHelper::date( const QString& newdate, const QString& olddate )
+ int ClockHelper::tz( const QString& selectedzone )
+ {
+     int ret = 0;
++
++    //only allow letters, numbers hyphen underscore plus and forward slash
++    //allowed pattern taken from time-util.c in systemd
++    if (!QRegExp("[a-zA-Z0-9-_+/]*").exactMatch(selectedzone)) {
++        return ret;
++    }
++
+ #if defined(USE_SOLARIS)	// MARCO
+ 
+         KTemporaryFile tf;

-- 
KDE Base Workspace module packaging

