Hello community, here is the log from the commit of package kdelibs4 for openSUSE:11.2 checked in at Mon Apr 18 18:17:01 CEST 2011.
-------- --- old-versions/11.2/UPDATES/all/kdelibs4/kdelibs4.changes 2011-03-23 18:49:19.000000000 +0100 +++ 11.2/kdelibs4/kdelibs4.changes 2011-04-11 18:17:16.000000000 +0200 @@ -1,0 +2,6 @@ +Mon Apr 11 15:51:52 UTC 2011 - [email protected] + +- Add patch vs XSS vulnerability in KHTML error handling + (CVE-2011-1168) + +------------------------------------------------------------------- calling whatdependson for 11.2-i586 New: ---- 77dc792c-khtml-xss.diff ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ kdelibs4.spec ++++++ --- /var/tmp/diff_new_pack.13T3fM/_old 2011-04-18 18:16:41.000000000 +0200 +++ /var/tmp/diff_new_pack.13T3fM/_new 2011-04-18 18:16:41.000000000 +0200 @@ -43,7 +43,7 @@ Summary: KDE Base Libraries Url: http://www.kde.org Version: 4.3.5 -Release: 0.<RELEASE3> +Release: 0.<RELEASE5> Requires: libstrigi0 >= %( echo `rpm -q --queryformat '%{VERSION}' strigi-devel`) Requires: soprano >= %( echo `rpm -q --queryformat '%{VERSION}' libsoprano-devel`) Recommends: strigi >= %( echo `rpm -q --queryformat '%{VERSION}' strigi-devel`) @@ -76,6 +76,7 @@ Patch26: kstyle-no-dynamic-cast-bnc529640.diff Patch27: 551bfa12-ssl-wildcards.diff Patch28: r1132903-kinit-xauth.diff +Patch29: 77dc792c-khtml-xss.diff BuildRoot: %{_tmppath}/%{name}-%{version}-build %if %suse_version > 1010 %requires_ge libqt4-x11 @@ -152,6 +153,7 @@ %patch26 %patch27 -p1 %patch28 -p3 +%patch29 -p1 # # define KDE version exactly # ++++++ 77dc792c-khtml-xss.diff ++++++ --- a/khtml/khtml_part.cpp +++ b/khtml/khtml_part.cpp 
@@ -1848,7 +1848,10 @@ void KHTMLPart::htmlError( int errorCode stream >> errorName >> techName >> description >> causes >> solutions; QString url, protocol, datetime; - url = Qt::escape( reqUrl.prettyUrl() ); + + // This is somewhat confusing, but we have to escape the externally- + // controlled URL twice: once for i18n, and once for HTML. + url = Qt::escape( Qt::escape( reqUrl.prettyUrl() ) ); protocol = reqUrl.protocol(); datetime = KGlobal::locale()->formatDateTime( QDateTime::currentDateTime(), KLocale::LongDate ); ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
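Review bot: In the khtml/khtml_part.cpp hunk, in KHTMLPart::htmlError, the new comment says the URL is escaped "once for i18n, and once for HTML" but does not name the later call that consumes the first layer of escaping, so a future reader cannot tell whether the second Qt::escape is still required. Name that call in the comment, or move the extra escape to that call site. Any use of url that does not pass through that step will now display doubly escaped entities such as &amp;amp;. The context line protocol = reqUrl.protocol(); takes another field from the same request URL without escaping, so it is worth confirming whether that value reaches the same error page output.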
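Review bot: In the kdelibs4.spec hunk that adds Patch29: 77dc792c-khtml-xss.diff, the patch file name carries no tracking reference, unlike kstyle-no-dynamic-cast-bnc529640.diff in the same context, and the CVE id appears only in kdelibs4.changes. A comment line above Patch29 naming CVE-2011-1168 would let someone reading the spec on its own connect the patch to the advisory.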
