Hello community, here is the log from the commit of package kdelibs4 for openSUSE:11.2 checked in at Thu Mar 24 18:34:42 CET 2011.
-------- --- old-versions/11.2/UPDATES/all/kdelibs4/kdelibs4.changes 2010-01-31 11:55:07.000000000 +0100 +++ 11.2/kdelibs4/kdelibs4.changes 2011-03-23 18:49:19.000000000 +0100 @@ -1,0 +2,6 @@ +Tue Mar 22 20:05:02 UTC 2011 - [email protected] + +- Harden SSL verification against poisoned DNS attacks (bnc#669222) +- Fix launching apps with kdeinit when in su session (bnc#622304) + +------------------------------------------------------------------- calling whatdependson for 11.2-i586 New: ---- 551bfa12-ssl-wildcards.diff r1132903-kinit-xauth.diff ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ kdelibs4.spec ++++++ --- /var/tmp/diff_new_pack.4EdMer/_old 2011-03-24 18:33:51.000000000 +0100 +++ /var/tmp/diff_new_pack.4EdMer/_new 2011-03-24 18:33:51.000000000 +0100 @@ -1,7 +1,7 @@ # -# spec file for package kdelibs4 (Version 4.3.5) +# spec file for package kdelibs4 # -# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -43,7 +43,7 @@ Summary: KDE Base Libraries Url: http://www.kde.org Version: 4.3.5 -Release: 0.<RELEASE1> +Release: 0.<RELEASE3> Requires: libstrigi0 >= %( echo `rpm -q --queryformat '%{VERSION}' strigi-devel`) Requires: soprano >= %( echo `rpm -q --queryformat '%{VERSION}' libsoprano-devel`) Recommends: strigi >= %( echo `rpm -q --queryformat '%{VERSION}' strigi-devel`) @@ -74,6 +74,8 @@ Patch21: policykit-workaround.patch Patch22: oom-protect-fix.diff Patch26: kstyle-no-dynamic-cast-bnc529640.diff +Patch27: 551bfa12-ssl-wildcards.diff +Patch28: r1132903-kinit-xauth.diff BuildRoot: %{_tmppath}/%{name}-%{version}-build %if %suse_version > 1010 %requires_ge libqt4-x11 @@ -148,6 +150,8 @@ %patch21 -p1 %patch22 %patch26 +%patch27 -p1 +%patch28 -p3 # # define KDE version exactly # ++++++ 551bfa12-ssl-wildcards.diff ++++++ diff --git a/kio/kio/tcpslavebase.cpp b/kio/kio/tcpslavebase.cpp index 84c9b82..8d66863 100644 --- a/kio/kio/tcpslavebase.cpp +++ b/kio/kio/tcpslavebase.cpp @@ -4,6 +4,7 @@ * Copyright (C) 2001 Dawit Alemayehu <[email protected]> * Copyright (C) 2007,2008 Andreas Hartmetz <[email protected]> * Copyright (C) 2008 Roland Harnau <[email protected]> + * Copyright (C) 2010 Richard Moore <[email protected]> * * This file is part of the KDE project * @@ -438,6 +439,49 @@ bool TCPSlaveBase::startSsl() return startTLSInternal(KTcpSocket::TlsV1) & ResultOk; } +// Find out if a hostname matches an SSL certificate's Common Name (including wildcards) +static bool isMatchingHostname(const QString &cnIn, const QString &hostnameIn) +{ + const QString cn = cnIn.toLower(); + const QString hostname = hostnameIn.toLower(); + + const int wildcard = cn.indexOf(QLatin1Char('*')); + + // Check this is a wildcard cert, if not then just compare the strings + if (wildcard < 0) + return cn == hostname; + + const int firstCnDot = cn.indexOf(QLatin1Char('.')); + const int secondCnDot = cn.indexOf(QLatin1Char('.'), firstCnDot+1); + + // Check at least 3 components + if ((-1 == secondCnDot) || (secondCnDot+1 >= cn.length())) + return false; + + // Check * is last character of 1st component (ie. there's a following .) + if (wildcard+1 != firstCnDot) + return false; + + // Check only one star + if (cn.lastIndexOf(QLatin1Char('*')) != wildcard) + return false; + + // Check characters preceding * (if any) match + if (wildcard && (hostname.leftRef(wildcard) != cn.leftRef(wildcard))) + return false; + + // Check characters following first . match + if (hostname.midRef(hostname.indexOf(QLatin1Char('.'))) != cn.midRef(firstCnDot)) + return false; + + // Check if the hostname is an IP address, if so then wildcards are not allowed + QHostAddress addr(hostname); + if (!addr.isNull()) + return false; + + // Ok, I guess this was a wildcard CN and the hostname matches. + return true; +} TCPSlaveBase::SslResult TCPSlaveBase::startTLSInternal(uint v_) { @@ -492,25 +536,34 @@ TCPSlaveBase::SslResult TCPSlaveBase::startTLSInternal(uint v_) // domain<->certificate matching here. d->sslErrors = d->socket.sslErrors(); QSslCertificate peerCert = d->socket.peerCertificateChain().first(); - QStringList domainPatterns(peerCert.subjectInfo(QSslCertificate::CommonName)); - domainPatterns += peerCert.alternateSubjectNames().values(QSsl::DnsEntry); - QRegExp domainMatcher(QString(), Qt::CaseInsensitive, QRegExp::Wildcard); QMutableListIterator<KSslError> it(d->sslErrors); while (it.hasNext()) { // As of 4.4.0 Qt does not assign a certificate to the QSslError it emits // *in the case of HostNameMismatch*. A HostNameMismatch, however, will always // be an error of the peer certificate so we just don't check the error's // certificate(). - if (it.next().error() != KSslError::HostNameMismatch) { - continue; + + // Remove all HostNameMismatch, we have to redo name checking later. + if (it.next().error() == KSslError::HostNameMismatch) { + it.remove(); } - foreach (const QString &dp, domainPatterns) { - domainMatcher.setPattern(dp); - if (domainMatcher.exactMatch(d->host)) { - it.remove(); - } + } + // Redo name checking here and (re-)insert HostNameMismatch to sslErrors if + // host name does not match any of the names in server certificate. + // QSslSocket may not report HostNameMismatch error, when server + // certificate was issued for the IP we are connecting to. + QStringList domainPatterns(peerCert.subjectInfo(QSslCertificate::CommonName)); + domainPatterns += peerCert.alternateSubjectNames().values(QSsl::DnsEntry); + bool names_match = false; + foreach (const QString &dp, domainPatterns) { + if (isMatchingHostname(dp,d->host)) { + names_match = true; + break; } } + if (!names_match) { + d->sslErrors.insert(0, KSslError(KSslError::HostNameMismatch, peerCert)); + } // The app side needs the metadata now for the SSL error dialog (if any) but // the same metadata will be needed later, too. When "later" arrives the slave ++++++ r1132903-kinit-xauth.diff ++++++ --- trunk/KDE/kdelibs/kinit/kinit.cpp 2010/05/31 17:23:24 1132902 +++ trunk/KDE/kdelibs/kinit/kinit.cpp 2010/05/31 17:23:36 1132903 @@ -64,6 +64,7 @@ #include <klocale.h> #include <kdebug.h> #include <kde_file.h> +#include <ksavefile.h> #ifdef Q_OS_LINUX #include <sys/prctl.h> @@ -1574,6 +1575,42 @@ { XSetIOErrorHandler(kdeinit_xio_errhandler); XSetErrorHandler(kdeinit_x_errhandler); +/* + Handle the tricky case of running via kdesu/su/sudo/etc. There the usual case + is that kdesu (etc.) creates a file with xauth information, sets XAUTHORITY, + runs the command and removes the xauth file after the command finishes. However, + dbus and kdeinit daemon currently don't clean up properly and keeping running. + Which means that running a KDE app via kdesu the second time talks to kdeinit + with obsolete xauth information, which makes it unable to connect to X or launch + any X11 applications. + Even fixing the cleanup probably wouldn't be sufficient, since it'd be possible to + launch one kdesu session, another one, exit the first one and the app from the second + session would be using kdeinit from the first one. + So the trick here is to duplicate the xauth file to another file in KDE's tmp + location, make the file have a consistent name so that future sessions will use it + as well, point XAUTHORITY there and never remove the file (except for possible + tmp cleanup). +*/ + if( !qgetenv( "XAUTHORITY" ).isEmpty()) { + QByteArray display = qgetenv( DISPLAY ); + int i; + if((i = display.lastIndexOf('.')) > display.lastIndexOf(':') && i >= 0) + display.truncate(i); + display.replace(':','_'); +#ifdef __APPLE__ + display.replace('/','_'); +#endif + QString xauth = s_instance->dirs()->saveLocation( "tmp" ) + QLatin1String( "xauth-" ) + + QString::number( getuid()) + QLatin1String( "-" ) + QString::fromLocal8Bit( display ); + KSaveFile xauthfile( xauth ); + QFile xauthfrom( QFile::decodeName( qgetenv( "XAUTHORITY" ))); + if( !xauthfrom.open( QFile::ReadOnly ) || !xauthfile.open( QFile::WriteOnly ) + || xauthfile.write( xauthfrom.readAll()) != xauthfrom.size() || !xauthfile.finalize()) { + xauthfile.abort(); + } else { + setenv( "XAUTHORITY", QFile::encodeName( xauth ), true ); + } + } } // Borrowed from kdebase/kaudio/kaudioserver.cpp ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
