Hello community, here is the log from the commit of package kdelibs3 for openSUSE:Factory checked in at 2015-06-06 09:54:14 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/kdelibs3 (Old) and /work/SRC/openSUSE:Factory/.kdelibs3.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "kdelibs3" Changes: -------- --- /work/SRC/openSUSE:Factory/kdelibs3/kdelibs3.changes 2015-03-25 21:33:13.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.kdelibs3.new/kdelibs3.changes 2015-06-06 09:54:22.000000000 +0200 @@ -1,0 +2,5 @@ +Fri Jun 5 03:01:00 UTC 2015 - [email protected] + +- add security patch kdelibs-3.5.10-CVE-2013-2074.patch from Fedora + +------------------------------------------------------------------- New: ---- kdelibs-3.5.10-CVE-2013-2074.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ kdelibs3.spec ++++++ --- /var/tmp/diff_new_pack.UEV1rA/_old 2015-06-06 09:54:24.000000000 +0200 +++ /var/tmp/diff_new_pack.UEV1rA/_new 2015-06-06 09:54:24.000000000 +0200 @@ -207,6 +207,7 @@ Patch230: libxml2-parser.patch Patch231: kdelibs-3.5.10-cups16.patch Patch232: kdelibs-3.5.10-cups20.patch +Patch233: kdelibs-3.5.10-CVE-2013-2074.patch %description This package contains kdelibs, one of the basic packages of the K @@ -344,6 +345,7 @@ %patch88 %patch89 %patch90 +%patch233 -p1 %patch95 %patch97 %if %suse_version < 1030 ++++++ kdelibs-3.5.10-CVE-2013-2074.patch ++++++ diff -ur kdelibs-3.5.10/kioslave/http/http.cc kdelibs-3.5.10-CVE-2013-2074/kioslave/http/http.cc --- kdelibs-3.5.10/kioslave/http/http.cc 2008-02-13 10:41:06.000000000 +0100 +++ kdelibs-3.5.10-CVE-2013-2074/kioslave/http/http.cc 2013-05-14 17:54:42.000000000 +0200 @@ -288,7 +288,7 @@ m_bUseProxy = m_proxyURL.isValid(); kdDebug(7113) << "(" << m_pid << ") Using proxy: " << m_bUseProxy << - " URL: " << m_proxyURL.url() << + " URL: " << m_proxyURL.prettyURL() << " Realm: " << m_strProxyRealm << endl; } @@ -458,7 +458,7 @@ bool HTTPProtocol::checkRequestURL( const KURL& u ) { - kdDebug (7113) << "(" << m_pid << ") HTTPProtocol::checkRequestURL: " << u.url() << endl; + kdDebug (7113) << "(" << m_pid << ") HTTPProtocol::checkRequestURL: " << u.prettyURL() << endl; m_request.url = u; 
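Review bot: In the `@@ -288,7 +288,7 @@` hunk of kioslave/http/http.cc, `m_proxyURL.prettyURL()` keeps the password out of the debug line, but as far as I know KURL::prettyURL() still prints the user name and the full query string, so a token carried in a query would still be logged. The same applies to the other `kdDebug` and `error()` call sites this patch changes (checkRequestURL, listDir, davGeneric, mkdir, get, multi_get, the bCacheOnly/bOffline errors, the redirect handling and the cache messages). A short comment at one of these sites would record why the display form is used, e.g. `// prettyURL(): never log or report the password (CVE-2013-2074)`. The enclosing functions start and end outside the hunks, so whether any of these strings is later parsed back into a URL cannot be checked from here.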
@@ -640,7 +640,7 @@ void HTTPProtocol::listDir( const KURL& url ) { - kdDebug(7113) << "(" << m_pid << ") HTTPProtocol::listDir " << url.url() + kdDebug(7113) << "(" << m_pid << ") HTTPProtocol::listDir " << url.prettyURL() << endl; if ( !checkRequestURL( url ) ) @@ -807,7 +807,7 @@ void HTTPProtocol::davGeneric( const KURL& url, KIO::HTTP_METHOD method ) { - kdDebug(7113) << "(" << m_pid << ") HTTPProtocol::davGeneric " << url.url() + kdDebug(7113) << "(" << m_pid << ") HTTPProtocol::davGeneric " << url.prettyURL() << endl; if ( !checkRequestURL( url ) ) @@ -1206,7 +1206,7 @@ void HTTPProtocol::mkdir( const KURL& url, int ) { - kdDebug(7113) << "(" << m_pid << ") HTTPProtocol::mkdir " << url.url() + kdDebug(7113) << "(" << m_pid << ") HTTPProtocol::mkdir " << url.prettyURL() << endl; if ( !checkRequestURL( url ) ) @@ -1228,7 +1228,7 @@ void HTTPProtocol::get( const KURL& url ) { - kdDebug(7113) << "(" << m_pid << ") HTTPProtocol::get " << url.url() + kdDebug(7113) << "(" << m_pid << ") HTTPProtocol::get " << url.prettyURL() << endl; if ( !checkRequestURL( url ) ) @@ -1543,8 +1543,10 @@ callError = true; } + // Huh? This looks like inverted logic to me (it doesn't make sense to me as + // written), but I'm only fixing the CVE now. -- Kevin Kofler if ( !url.isNull() ) - url = m_request.url.url(); + url = m_request.url.prettyURL(); QString action, errorString; KIO::Error kError; @@ -1840,7 +1842,7 @@ if ( !checkRequestURL( url ) ) continue; - kdDebug(7113) << "(" << m_pid << ") HTTPProtocol::multi_get " << url.url() << endl; + kdDebug(7113) << "(" << m_pid << ") HTTPProtocol::multi_get " << url.prettyURL() << endl; m_request.method = HTTP_GET; m_request.path = url.path(); 
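Review bot: In the `@@ -1543,8 +1543,10 @@` hunk the added comment flags `if ( !url.isNull() )` as suspect but leaves it in place: as written, a non-null `url` is overwritten with the request URL and a null one stays null. If the intent was to fall back to the request URL only when none was supplied, the line would read `if ( url.isNull() )`; that is inferred, because the function's signature and its callers are outside the hunk. Until that is decided, the remark would be easier to track as `// FIXME: condition looks inverted; left unchanged, only the password leak (CVE-2013-2074) is fixed here`.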
@@ -2212,12 +2214,12 @@ if (bCacheOnly) { - error( ERR_DOES_NOT_EXIST, m_request.url.url() ); + error( ERR_DOES_NOT_EXIST, m_request.url.prettyURL() ); return false; } if (bOffline) { - error( ERR_COULD_NOT_CONNECT, m_request.url.url() ); + error( ERR_COULD_NOT_CONNECT, m_request.url.prettyURL() ); return false; } } @@ -2891,7 +2893,7 @@ errorPage(); else { - error(ERR_INTERNAL_SERVER, m_request.url.url()); + error(ERR_INTERNAL_SERVER, m_request.url.prettyURL()); return false; } } @@ -2931,7 +2933,7 @@ errorPage(); else { - error(ERR_DOES_NOT_EXIST, m_request.url.url()); + error(ERR_DOES_NOT_EXIST, m_request.url.prettyURL()); return false; } m_request.bCachedWrite = false; // Don't put in cache @@ -3584,7 +3586,7 @@ KURL u(m_request.url, locationStr); if(!u.isValid()) { - error(ERR_MALFORMED_URL, u.url()); + error(ERR_MALFORMED_URL, u.prettyURL()); return false; } if ((u.protocol() != "http") && (u.protocol() != "https") && @@ -3592,7 +3594,7 @@ (u.protocol() != "webdavs")) { redirection(u); - error(ERR_ACCESS_DENIED, u.url()); + error(ERR_ACCESS_DENIED, u.prettyURL()); return false; } @@ -3613,10 +3615,10 @@ sendMetaData(); } - kdDebug(7113) << "(" << m_pid << ") request.url: " << m_request.url.url() + kdDebug(7113) << "(" << m_pid << ") request.url: " << m_request.url.prettyURL() << endl << "LocationStr: " << locationStr.data() << endl; - kdDebug(7113) << "(" << m_pid << ") Requesting redirection to: " << u.url() + kdDebug(7113) << "(" << m_pid << ") Requesting redirection to: " << u.prettyURL() << endl; // If we're redirected to a http:// url, remember that we're doing webdav... 
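Review bot: The debug statement in the `@@ -3613,10 +3615,10 @@` hunk still prints `locationStr.data()` verbatim, right next to the now-sanitised `m_request.url.prettyURL()`. `locationStr` appears to be the same string that `u` is built from in the `@@ -3584,7 +3586,7 @@` hunk (`KURL u(m_request.url, locationStr)`), so a redirect target that embeds credentials would still reach the debug output. Logging the parsed form instead closes that gap: `<< endl << "LocationStr: " << u.prettyURL() << endl;`. The enclosing function starts and ends outside the hunk.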
@@ -3832,7 +3834,7 @@ if (!m_request.fcache) { m_request.bCachedWrite = false; // Error creating cache entry. - kdDebug(7113) << "(" << m_pid << ") Error creating cache entry for " << m_request.url.url()<<"!\n"; + kdDebug(7113) << "(" << m_pid << ") Error creating cache entry for " << m_request.url.prettyURL()<<"!\n"; } m_request.expireDate = expireDate; m_maxCacheSize = config()->readNumEntry("MaxCacheSize", DEFAULT_MAX_CACHE_SIZE) / 2; @@ -3840,11 +3842,11 @@ } if (m_request.bCachedWrite && !m_strMimeType.isEmpty()) - kdDebug(7113) << "(" << m_pid << ") Cache, adding \"" << m_request.url.url() << "\"" << endl; + kdDebug(7113) << "(" << m_pid << ") Cache, adding \"" << m_request.url.prettyURL() << "\"" << endl; else if (m_request.bCachedWrite && m_strMimeType.isEmpty()) - kdDebug(7113) << "(" << m_pid << ") Cache, pending \"" << m_request.url.url() << "\"" << endl; + kdDebug(7113) << "(" << m_pid << ") Cache, pending \"" << m_request.url.prettyURL() << "\"" << endl; else - kdDebug(7113) << "(" << m_pid << ") Cache, not adding \"" << m_request.url.url() << "\"" << endl; + kdDebug(7113) << "(" << m_pid << ") Cache, not adding \"" << m_request.url.prettyURL() << "\"" << endl; return true; } ++++++ kdelibs_networkstatus_branch2.diff ++++++ --- /var/tmp/diff_new_pack.UEV1rA/_old 2015-06-06 09:54:25.000000000 +0200 +++ /var/tmp/diff_new_pack.UEV1rA/_new 2015-06-06 09:54:25.000000000 +0200 @@ -22,18 +22,18 @@ + if (bCacheOnly && bOffline) + { -+ error( ERR_OFFLINE_MODE, m_request.url.url() ); -+ return false; -+ } ++ error( ERR_OFFLINE_MODE, m_request.url.prettyURL() ); ++ return false; } ++ if (bCacheOnly) { - error( ERR_DOES_NOT_EXIST, m_request.url.url() ); + error( ERR_DOES_NOT_EXIST, m_request.url.prettyURL() ); 
@@ -2217,7 +2224,7 @@ bool HTTPProtocol::httpOpen() } if (bOffline) { -- error( ERR_COULD_NOT_CONNECT, m_request.url.url() ); -+ error( ERR_OFFLINE_MODE, m_request.url.url() ); +- error( ERR_COULD_NOT_CONNECT, m_request.url.prettyURL() ); ++ error( ERR_OFFLINE_MODE, m_request.url.prettyURL() ); return false; } }
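Review bot: The refreshed context in kdelibs_networkstatus_branch2.diff now expects `m_request.url.prettyURL()`, so this patch applies cleanly only after kdelibs-3.5.10-CVE-2013-2074.patch has been applied. The spec hunk adds `%patch233 -p1` after `%patch90`, but the `%patch` line for the networkstatus patch is not visible here, so the ordering should be confirmed against the full spec. In the `@@ -22,18 +22,18 @@` hunk the closing brace of the `bCacheOnly && bOffline` block also appears to have changed from an added line to a context line; it is worth checking that the refresh was regenerated against the patched tree and not edited by hand.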
