Gentlemen, good day.

I was made aware of the oCERT advisory,
  http://www.ocert.org/advisories/ocert-2009-015.html

that describes three distinct security bugs in KDE 4.  The advisory
has some details and links to the upstream fixes.  The patch for
kio_help is already integrated to the sources of kdelibs 4.3.1,
but the other two mentioned patches apply to the current sources
of FreeBSD KDE port.

I was only able to test that the patches apply cleanly and that Tinderbox
builds succeed on 7.x and 8.x.  I am not a KDE user and I can't really
validate that everything works as expected.  So I can hand off to
you a half-baked patch for the kdelibs4 and kdebase4-runtime and
VuXML entry for the said vulnerabilities.  If someone is able
to verify that the patches cause no harm to the KDE ports and
everything works as expected, it will be greatly appreciated.

Thanks!
-- 
Eygene
 _                ___       _.--.   #
 \`.|\..----...-'`   `-._.-'_.-'`   #  Remember that it is hard
 /  ' `         ,       __.--'      #  to read the on-line manual
 )/' _/     \   `-_,   /            #  while single-stepping the kernel.
 `-'" `"\_  ,_.-;_.-\_ ',  fsc/as   #
     _.-'_./   {_.'   ; /           #    -- FreeBSD Developers handbook
    {_.-``-'         {_/            #
From cc068dd02680ed4d007cb09711a4e48a9493d93b Mon Sep 17 00:00:00 2001
From: Eygene Ryabinkin <[email protected]>
Date: Fri, 30 Oct 2009 08:27:33 +0300
Subject: [PATCH] KDE4: fixes for oCERT-2009-015

The fix for kdelibs/kdoctools/kio_help.cpp is already in the KDE-4.3.1,
so only the first two patches mentioned in the advisory [1] should be
incorporated into the ports.

[1] http://www.ocert.org/advisories/ocert-2009-015.html

Signed-off-by: Eygene Ryabinkin <[email protected]>
---
 x11/kdebase4-runtime/Makefile                      |    2 +-
 .../files/patch-ocert-2009-015-kioslave            |   17 +++
 x11/kdelibs4/Makefile                              |    2 +-
 x11/kdelibs4/files/patch-ocert-2009-015-khtml      |  118 ++++++++++++++++++++
 4 files changed, 137 insertions(+), 2 deletions(-)
 create mode 100644 x11/kdebase4-runtime/files/patch-ocert-2009-015-kioslave
 create mode 100644 x11/kdelibs4/files/patch-ocert-2009-015-khtml

diff --git a/x11/kdebase4-runtime/Makefile b/x11/kdebase4-runtime/Makefile
index 43515fc..d2394a6 100644
--- a/x11/kdebase4-runtime/Makefile
+++ b/x11/kdebase4-runtime/Makefile
@@ -8,7 +8,7 @@
 
 PORTNAME=	kdebase-runtime
 PORTVERSION=	${KDE4_VERSION}
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	x11 kde
 MASTER_SITES=	${MASTER_SITE_KDE}
 MASTER_SITE_SUBDIR=	${KDE4_BRANCH}/${PORTVERSION}/src
diff --git a/x11/kdebase4-runtime/files/patch-ocert-2009-015-kioslave b/x11/kdebase4-runtime/files/patch-ocert-2009-015-kioslave
new file mode 100644
index 0000000..82c6c97
--- /dev/null
+++ b/x11/kdebase4-runtime/files/patch-ocert-2009-015-kioslave
@@ -0,0 +1,17 @@
+Obtained-From: http://websvn.kde.org/branches/KDE/4.3/kdebase/runtime/kioslave/info/info.cc?r1=1030579&r2=1030578&pathrev=1030579&view=patch
+--- kioslave/info/info.cc	2009/10/02 15:51:26	1030578
++++ kioslave/info/info.cc	2009/10/02 15:53:30	1030579
+@@ -89,6 +89,13 @@
+         return;
+     }
+ 
++    // '<' in the path looks suspicious, someone is trying info:/dir/<script>alert('xss')</script>
++    if (url.path().contains('<'))
++    {
++        error(KIO::ERR_DOES_NOT_EXIST, url.url());
++        return;
++    }
++
+     mimeType("text/html");
+     // extract the path and node from url
+     decodeURL( url );
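Review bot: The added guard `if (url.path().contains('<'))` is a single-character denylist, so it stops the `<script>` probe named in its comment but not other ways a path could break out of whatever HTML this slave emits (a quote or `>` in an attribute context, for instance — where the path is interpolated is outside the hunk, so this is inferred). Since the very next line declares `mimeType("text/html")`, the durable fix is to HTML-escape the path and node at every point they are written into the output, leaving this check as defense in depth rather than the only barrier; a comment above the guard should say so, e.g. `// Denylist only; real protection is escaping the path wherever it is emitted as HTML.` Note also that `error(KIO::ERR_DOES_NOT_EXIST, url.url())` echoes the rejected URL back to the caller, which is fine only if the consumer renders that message as text rather than HTML — worth confirming. The enclosing function begins before the hunk.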
diff --git a/x11/kdelibs4/Makefile b/x11/kdelibs4/Makefile
index d4bea20..d7e4656 100644
--- a/x11/kdelibs4/Makefile
+++ b/x11/kdelibs4/Makefile
@@ -8,7 +8,7 @@
 
 PORTNAME=	kdelibs
 PORTVERSION=	${KDE4_VERSION}
-PORTREVISION=	4
+PORTREVISION=	5
 CATEGORIES=	x11 kde ipv6
 MASTER_SITES=	${MASTER_SITE_KDE}
 MASTER_SITE_SUBDIR=	${KDE4_BRANCH}/${PORTVERSION}/src
diff --git a/x11/kdelibs4/files/patch-ocert-2009-015-khtml b/x11/kdelibs4/files/patch-ocert-2009-015-khtml
new file mode 100644
index 0000000..52e6b36
--- /dev/null
+++ b/x11/kdelibs4/files/patch-ocert-2009-015-khtml
@@ -0,0 +1,118 @@
+Obtained-From: http://websvn.kde.org/branches/KDE/4.3/kdelibs/khtml/ecma/xmlhttprequest.cpp?r1=1035539&r2=1035538&pathrev=1035539&view=patch
+--- khtml/ecma/xmlhttprequest.cpp	2009/10/15 10:13:41	1035538
++++ khtml/ecma/xmlhttprequest.cpp	2009/10/15 10:14:38	1035539
+@@ -49,7 +49,7 @@
+ 
+ using namespace KJS;
+ using namespace DOM;
+-// 
++//
+ ////////////////////// XMLHttpRequest Object ////////////////////////
+ 
+ /* Source for XMLHttpRequestProtoTable.
+@@ -269,7 +269,7 @@
+ static bool canSetRequestHeader(const QString& name)
+ {
+     static QSet<CaseInsensitiveString> forbiddenHeaders;
+-    
++
+     if (forbiddenHeaders.isEmpty()) {
+ 	static const char* hdrs[] = {
+ 	    "accept-charset",
+@@ -298,12 +298,12 @@
+ 	    "transfer-encoding",
+ 	    "unlock",
+ 	    "upgrade",
+-	    "via" 
++	    "via"
+ 	};
+ 	for (size_t i = 0; i < sizeof(hdrs)/sizeof(char*); ++i)
+ 	    forbiddenHeaders.insert(CaseInsensitiveString(hdrs[i]));
+     }
+-    
++
+     return !forbiddenHeaders.contains(name);
+ }
+ 
+@@ -326,9 +326,9 @@
+ 
+ XMLHttpRequest::~XMLHttpRequest()
+ {
+-  if (onLoadListener) 
++  if (onLoadListener)
+       onLoadListener->deref();
+-  if (onReadyStateChangeListener) 
++  if (onReadyStateChangeListener)
+       onReadyStateChangeListener->deref();
+   delete qObject;
+   qObject = 0;
+@@ -412,17 +412,18 @@
+       return;
+   }
+ 
+-  if (method == "post") {
+-    QString protocol = url.protocol().toLower();
++  const QString protocol = url.protocol().toLower();
++  // Abandon the request when the protocol is other than "http",
++  // instead of blindly doing a KIO::get on other protocols like file:/.
++  if (!protocol.startsWith(QLatin1String("http")) &&
++      !protocol.startsWith(QLatin1String("webdav")))
++  {
++    ec = DOMException::INVALID_ACCESS_ERR;
++    abort();
++    return;
++  }
+ 
+-    // Abondon the request when the protocol is other than "http",
+-    // instead of blindly changing it to a "get" request.
+-    if (!protocol.startsWith(QLatin1String("http")) &&
+-        !protocol.startsWith(QLatin1String("webdav")))
+-    {
+-      abort();
+-      return;
+-    }
++  if (method == "post") {
+ 
+     // FIXME: determine post encoding correctly by looking in headers
+     // for charset.
+@@ -580,7 +581,7 @@
+       ec = DOMException::INVALID_STATE_ERR;
+       return jsString("");
+   }
+-  
++
+   // ### test error flag, return jsNull
+ 
+   if (responseHeaders.isEmpty()) {
+@@ -809,7 +810,7 @@
+       setDOMException(exec, ec);
+       return ret;
+     }
+-  case XMLHttpRequest::GetResponseHeader: 
++  case XMLHttpRequest::GetResponseHeader:
+     {
+       if (args.size() < 1)
+           return throwError(exec, SyntaxError, "Not enough arguments");
+@@ -852,11 +853,11 @@
+         DOM::NodeImpl* docNode = toNode(args[0]);
+         if (docNode && docNode->isDocumentNode()) {
+           DOM::DocumentImpl *doc = static_cast<DOM::DocumentImpl *>(docNode);
+-          
++
+           try {
+             body = doc->toString().string();
+             // FIXME: also need to set content type, including encoding!
+-  
++
+           } catch(DOM::DOMException&) {
+             return throwError(exec, GeneralError, "Exception serializing document");
+           }
+@@ -866,7 +867,7 @@
+       }
+ 
+       request->send(body, ec);
+-      setDOMException(exec, ec);  
++      setDOMException(exec, ec);
+       return jsUndefined();
+     }
+   case XMLHttpRequest::SetRequestHeader:
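Review bot: The relocated scheme check uses `protocol.startsWith(QLatin1String("http"))` and `startsWith(QLatin1String("webdav"))`, which are prefix matches and therefore admit any scheme whose name merely begins with those strings rather than exactly the four intended ones; an exact allowlist is tighter and states the intent: `if (protocol != QLatin1String("http") && protocol != QLatin1String("https") && protocol != QLatin1String("webdav") && protocol != QLatin1String("webdavs"))`. Hoisting the check above `if (method == "post")` is the security-relevant part (non-POST requests to other schemes such as `file:/` previously reached the KIO fetch unchecked), and the comment should say that instead of "other than http": `// Only http(s)/webdav(s) may be fetched from script; every other scheme (file:/, ...) is refused for all methods.` Most of the remaining hunk is trailing-whitespace cleanup, which is better kept out of a security backport so the functional change stays auditable on its own. The enclosing function starts and ends outside the hunk.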
-- 
1.6.3.1

Attachment: vuln.xml
Description: XML document
