Date: Monday, November 24, 2014 @ 09:05:15 Author: andrea Revision: 227043
upgpkg: kdebase-workspace 4.11.14-1 Upstream release Modified: kdebase-workspace/trunk/PKGBUILD Deleted: kdebase-workspace/trunk/CVE-2014-8651-2.patch kdebase-workspace/trunk/CVE-2014-8651.patch
-----------------------+
CVE-2014-8651-2.patch | 30 ------------
CVE-2014-8651.patch | 120 ------------------------------------------------
PKGBUILD | 19 ++-----
3 files changed, 6 insertions(+), 163 deletions(-)
Deleted: CVE-2014-8651-2.patch
===================================================================
--- CVE-2014-8651-2.patch 2014-11-24 08:04:14 UTC (rev 227042)
+++ CVE-2014-8651-2.patch 2014-11-24 08:05:15 UTC (rev 227043)
@@ -1,30 +0,0 @@
-From: David Edmundson <[email protected]>
-Date: Tue, 04 Nov 2014 13:00:54 +0000
-Subject: Validate timezone name before setting
-X-Git-Url: http://quickgit.kde.org/?p=kde-workspace.git&a=commitdiff&h=54d0bfb5effff9c8cf60da890b7728cbe36a454e
----
-Validate timezone name before setting
-
-This patch ensures that the symlink /etc/localtime always points to a
-file in /usr/share/timezones and not an arbitrary file in a user's home
-directory.
----
-
-
---- a/kcontrol/dateandtime/helper.cpp
-+++ b/kcontrol/dateandtime/helper.cpp
-@@ -123,6 +123,13 @@
- int ClockHelper::tz( const QString& selectedzone )
- {
- int ret = 0;
-+
-+ //only allow letters, numbers hyphen underscore plus and forward slash
-+ //allowed pattern taken from time-util.c in systemd
-+ if (!QRegExp("[a-zA-Z0-9-_+/]*").exactMatch(selectedzone)) {
-+ return ret;
-+ }
-+
- #if defined(USE_SOLARIS) // MARCO
-
- KTemporaryFile tf;
-
Deleted: CVE-2014-8651.patch
===================================================================
--- CVE-2014-8651.patch 2014-11-24 08:04:14 UTC (rev 227042)
+++ CVE-2014-8651.patch 2014-11-24 08:05:15 UTC (rev 227043)
@@ -1,120 +0,0 @@
-From: David Edmundson <[email protected]>
-Date: Tue, 04 Nov 2014 12:57:59 +0000
-Subject: Do not pass ntpUtility as an argument to datetime helper
-X-Git-Url: http://quickgit.kde.org/?p=kde-workspace.git&a=commitdiff&h=eebcb17746d9fa86ea8c5a7344709ef6750781cf
----
-Do not pass ntpUtility as an argument to datetime helper
-
-Passing the name of a binary to run to a polkit helper is a security
-risk as it allows any arbitrary process to be executed.
-
-This patch moves the detection of ntp utility location into the helper
-function.
-
-REVIEW: 120977
----
-
-
---- a/kcontrol/dateandtime/dtime.cpp
-+++ b/kcontrol/dateandtime/dtime.cpp
-@@ -142,27 +142,15 @@
- //kclock->setEnabled(enabled);
- }
-
--void Dtime::findNTPutility(){
-- QByteArray envpath = qgetenv("PATH");
-- if (!envpath.isEmpty() && envpath[0] == ':') {
-- envpath = envpath.mid(1);
-- }
--
-- QString path = "/sbin:/usr/sbin:";
-- if (!envpath.isEmpty()) {
-- path += QString::fromLocal8Bit(envpath);
-- } else {
-- path += QLatin1String("/bin:/usr/bin");
-- }
--
-- foreach(const QString &possible_ntputility, QStringList() << "ntpdate" << "rdate" ) {
-- if( !((ntpUtility = KStandardDirs::findExe(possible_ntputility, path)).isEmpty()) ) {
-- kDebug() << "ntpUtility = " << ntpUtility;
-- return;
-- }
-- }
--
-- kDebug() << "ntpUtility not found!";
-+void Dtime::findNTPutility()
-+{
-+ const QString exePath = QLatin1String("/usr/sbin:/usr/bin:/sbin:/bin");
-+ foreach(const QString &possible_ntputility, QStringList() << "ntpdate" << "rdate" ) {
-+ ntpUtility = KStandardDirs::findExe(possible_ntputility, exePath);
-+ if (!ntpUtility.isEmpty()) {
-+ return;
-+ }
-+ }
- }
-
- void Dtime::set_time()
-@@ -238,7 +226,6 @@
- helperargs["ntp"] = true;
- helperargs["ntpServers"] = list;
- helperargs["ntpEnabled"] = setDateTimeAuto->isChecked();
-- helperargs["ntpUtility"] = ntpUtility;
-
- if(setDateTimeAuto->isChecked() && !ntpUtility.isEmpty()){
- // NTP Time setting - done in helper
-
---- a/kcontrol/dateandtime/helper.cpp
-+++ b/kcontrol/dateandtime/helper.cpp
-@@ -52,8 +52,18 @@
- // clears it. So we have to use a reasonable default.
- static const QString exePath = QLatin1String("/usr/sbin:/usr/bin:/sbin:/bin");
-
--int ClockHelper::ntp( const QStringList& ntpServers, bool ntpEnabled,
-- const QString& ntpUtility )
-+static QString findNtpUtility()
-+{
-+ foreach(const QString &possible_ntputility, QStringList() << "ntpdate" << "rdate" ) {
-+ const QString ntpUtility = KStandardDirs::findExe(possible_ntputility, exePath);
-+ if (!ntpUtility.isEmpty()) {
-+ return ntpUtility;
-+ }
-+ }
-+ return QString();
-+}
-+
-+int ClockHelper::ntp( const QStringList& ntpServers, bool ntpEnabled )
- {
- int ret = 0;
-
-@@ -68,6 +78,8 @@
- KConfigGroup config(&_config, "NTP");
- config.writeEntry("servers", ntpServers );
- config.writeEntry("enabled", ntpEnabled );
-+
-+ QString ntpUtility(findNtpUtility());
-
- if ( ntpEnabled && !ntpUtility.isEmpty() ) {
- // NTP Time setting
-@@ -227,7 +239,7 @@
- int ret = 0; // error code
- // The order here is important
- if( _ntp )
-- ret |= ntp( args.value("ntpServers").toStringList(), args.value("ntpEnabled").toBool(), args.value("ntpUtility").toString() );
-+ ret |= ntp( args.value("ntpServers").toStringList(), args.value("ntpEnabled").toBool());
- if( _date )
- ret |= date( args.value("newdate").toString(), args.value("olddate").toString() );
- if( _tz )
-
---- a/kcontrol/dateandtime/helper.h
-+++ b/kcontrol/dateandtime/helper.h
-@@ -42,8 +42,7 @@
- ActionReply save(const QVariantMap &map);
-
- private:
-- int ntp(const QStringList& ntpServers, bool ntpEnabled,
-- const QString& ntpUtility);
-+ int ntp(const QStringList& ntpServers, bool ntpEnabled);
- int date(const QString& newdate, const QString& olddate);
- int tz(const QString& selectedzone);
- int tzreset();
-
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2014-11-24 08:04:14 UTC (rev 227042)
+++ PKGBUILD
2014-11-24 08:05:15 UTC (rev 227043) @@ -4,9 +4,9 @@ pkgname=kdebase-workspace _pkgname=kde-workspace -pkgver=4.11.13 -_pkgver=4.14.2 -pkgrel=2 +pkgver=4.11.14 +_pkgver=4.14.3 +pkgrel=1 pkgdesc="Provides the interface and basic tools for the KDE workspace" arch=('i686' 'x86_64') url='https://projects.kde.org/projects/kde/kde-workspace' @@ -29,9 +29,8 @@ source=("http://download.kde.org/stable/${_pkgver}/src/${_pkgname}-${pkgver}.tar.xz" 'kde.pam' 'kde-np.pam' 'kscreensaver.pam' 'kdm.service' 'kdm.logrotate' 'etc-scripts.patch' 'terminate-server.patch' 'kdm-xinitrd.patch' - 'khotkeys-qt4.patch' - 'CVE-2014-8651.patch' 'CVE-2014-8651-2.patch') -sha1sums=('34dcc710ad8628fefa1cf0fa8eab4efc98ff138f' + 'khotkeys-qt4.patch') +sha1sums=('ec79a5d638a93b1abbb99b22a7bea52d9a2c26eb' '660eae40a707d2711d8d7f32a93214865506b795' '6aeecc9e0e221f0515c6bf544f9a3c11cb6961fe' 'c6afdf8964b2b2c4809b2e8e694729b2661e29df' @@ -40,9 +39,7 @@ 'c079ebd157c836ba996190f0d2bcea1a7828d02c' 'ac7bc292c865bc1ab8c02e6341aa7aeaf1a3eeee' 'd509dac592bd8b310df27991b208c95b6d907514' - 'aa9d2e5a69986c4c3d47829721ea99edb473be12' - '9aa1cff4d69317debe83fc9ff1ea07fff350e717' - '9c025005d7830c54b99674bfcbfbc54155d6ecc1') + 'aa9d2e5a69986c4c3d47829721ea99edb473be12') prepare() { mkdir build @@ -58,10 +55,6 @@ # KDEBUG#202629 patch -p0 -i "${srcdir}"/terminate-server.patch - - # Fixed in 4.11.14 - patch -p1 -i "${srcdir}"/CVE-2014-8651.patch - patch -p1 -i "${srcdir}"/CVE-2014-8651-2.patch } build() {
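Review bot: The `source=` entry kept as context in the second PKGBUILD hunk still downloads the tarball over plain `http://`, and the only integrity check on it is the `sha1sums` array whose first entry this commit replaces. With both CVE-2014-8651 patches dropped, the polkit helper fixes now come solely from that tarball, so a stronger digest would be worth adding alongside the bump, e.g. `sha256sums=('<sha256-of-kde-workspace-4.11.14.tar.xz>' ...)` regenerated with `makepkg -g`, and an `https://` URL if the mirror offers one. It would also help to confirm, before relying on the `# Fixed in 4.11.14` comment removed in the last hunk, that the 4.11.14 tarball contains both upstream commits named in the deleted patches (`54d0bfb5…` and `eebcb177…`). The `source` and `sha1sums` arrays and the `prepare()` body continue outside the lines shown.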
