Hello community,

here is the log from the commit of package kdirstat for openSUSE:Factory 
checked in at 2014-07-11 06:46:02
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/kdirstat (Old)
 and      /work/SRC/openSUSE:Factory/.kdirstat.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "kdirstat"

Changes:
--------
--- /work/SRC/openSUSE:Factory/kdirstat/kdirstat.changes        2011-09-23 
02:06:34.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.kdirstat.new/kdirstat.changes   2014-07-11 
06:46:46.000000000 +0200
@@ -1,0 +2,6 @@
+Wed Jul  2 13:10:00 UTC 2014 - [email protected]
+
+- Fixed a command injection problem (CVE-2014-2528) with patch from
+  upstream (bnc#868682) The patch file is fix-CVE-2014-2528.diff
+
+-------------------------------------------------------------------
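Review bot: the changelog entry runs two sentences together, `(bnc#868682) The patch file is fix-CVE-2014-2528.diff`; a period after the bug reference, or folding the file name into the first sentence (`... with patch from upstream (bnc#868682), fix-CVE-2014-2528.diff`), reads cleaner.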

New:
----
  fix-CVE-2014-2528.diff

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ kdirstat.spec ++++++
--- /var/tmp/diff_new_pack.2n75YR/_old  2014-07-11 06:46:47.000000000 +0200
+++ /var/tmp/diff_new_pack.2n75YR/_new  2014-07-11 06:46:47.000000000 +0200
@@ -1,7 +1,7 @@
 #
-# spec file for package kdirstat (Version 2.4.4)
+# spec file for package kdirstat
 #
-# Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -15,19 +15,19 @@
 # Please submit bugfixes or comments via http://bugs.opensuse.org/
 #
 
-# norootforbuild
-
 
 Name:           kdirstat
 BuildRequires:  kdelibs3-devel
 Url:            http://kdirstat.sourceforge.net
+Summary:        Graphical Directory Statistics for Used Disk Space
 License:        GPL-2.0+
 Group:          Productivity/File utilities
-Summary:        Graphical Directory Statistics for Used Disk Space
 Version:        2.4.4
-Release:        255
+Release:        0
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 Source0:        kdirstat-%{version}.tar.bz2
+# PATCH-FIX-UPSTREAM fix-CVE-2014-2528.diff -- fix performance issue with 
Klipper see https://bugs.kde.org/show_bug.cgi?id=238084
+Patch0:         fix-CVE-2014-2528.diff
 
 %description
 KDirStat (KDE Directory Statistics) is a utility program that sums up
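Review bot: the PATCH-FIX-UPSTREAM comment above `Patch0` documents the wrong change: it says the patch fixes a performance issue with Klipper (KDE bug 238084), while the changelog entry and the patch file name say it fixes the command injection CVE-2014-2528 (bnc#868682). Replace the comment so the spec describes what the patch does, e.g. `# PATCH-FIX-UPSTREAM fix-CVE-2014-2528.diff bnc#868682 -- quote %p/%n in cleanup commands to prevent shell command injection`.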
@@ -42,11 +42,11 @@
 
 %prep
 %setup -q
-. /etc/opt/kde3/common_options
-update_admin --no-unsermake
+%patch0
 
 %build
 . /etc/opt/kde3/common_options
+update_admin --no-unsermake
 ./configure $configkde --disable-final
 make %{?jobs:-j %jobs}
 
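Review bot: `%patch0` carries no explicit strip level and so applies with rpm's default of -p0; the patch paths are `kdirstat/kcleanup.cpp`, so -p0 is presumably intended, and writing `%patch0 -p0` makes that dependency visible. Moving `. /etc/opt/kde3/common_options` and `update_admin --no-unsermake` from %prep to %build, after the patch is applied, is fine since the patch touches only kcleanup.cpp.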

++++++ fix-CVE-2014-2528.diff ++++++
Index: kdirstat/kcleanup.cpp
===================================================================
--- kdirstat.orig/kcleanup.cpp
+++ kdirstat/kcleanup.cpp
@@ -311,10 +311,10 @@ KCleanup::expandVariables( const KFileIn
 {
     QString expanded = unexpanded;
 
-    expanded.replace( QRegExp( "%p" ),
-                     "\"" + QString::fromLocal8Bit( item->url() )  + "\"" );
-    expanded.replace( QRegExp( "%n" ),
-                     "\"" + QString::fromLocal8Bit( item->name() ) + "\"" );
+    QString url = QString::fromLocal8Bit( item->url() ).replace("'", "'\\''");
+    expanded.replace( QRegExp( "%p" ), "'" + url + "'" );
+    QString name = QString::fromLocal8Bit( item->name() ).replace("'", 
"'\\''");
+    expanded.replace( QRegExp( "%n" ), "'" + name + "'" );
 
     if ( KDE::versionMajor() >= 3 && KDE::versionMinor() >= 4 )
        expanded.replace( QRegExp( "%t" ), "trash:/" );
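Review bot: the new quoting deserves a comment above the two `replace("'", "'\\''")` lines stating what it relies on: the expanded command is handed to a POSIX shell, where nothing inside single quotes is special except the closing quote itself, so `'` is the only character that needs handling, and `'\''` closes the quoted string, adds an escaped literal quote and reopens it. The old version wrapped the path and name in double quotes, which still let `$`, backticks, `\` and `"` in a file name be interpreted by the shell; that is the injection being fixed. One thing to verify together with this change: a cleanup command template that already wraps `%p` or `%n` in its own quotes now receives the single quotes as literal characters, so the shipped default templates should use bare `%p` and `%n`. The `%t` replacement below is a fixed literal and needs no quoting.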