Hello community, here is the log from the commit of package kdelibs4 for openSUSE:Factory checked in at 2019-08-09 16:51:14 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/kdelibs4 (Old) and /work/SRC/openSUSE:Factory/.kdelibs4.new.9556 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "kdelibs4" Fri Aug 9 16:51:14 2019 rev:307 rq:721478 version:4.14.38 Changes: -------- --- /work/SRC/openSUSE:Factory/kdelibs4/kdelibs4.changes 2019-08-06 15:08:18.495853136 +0200 +++ /work/SRC/openSUSE:Factory/.kdelibs4.new.9556/kdelibs4.changes 2019-08-09 16:51:16.837498518 +0200 @@ -1,0 +2,6 @@ +Wed Aug 7 07:51:45 UTC 2019 - Fabian Vogt <[email protected]> + +- Add patch to drop involuntary command execution (boo#1144600): + * 0001-Security-remove-support-for-.-in-config-keys-with-e-.patch + +------------------------------------------------------------------- New: ---- 0001-Security-remove-support-for-.-in-config-keys-with-e-.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ kdelibs4.spec ++++++ --- /var/tmp/diff_new_pack.tn3boA/_old 2019-08-09 16:51:17.653498356 +0200 +++ /var/tmp/diff_new_pack.tn3boA/_new 2019-08-09 16:51:17.653498356 +0200 @@ -62,6 +62,8 @@ Patch19: 0001-Make-kssl-compile-against-OpenSSL-1.1.0.patch # PATCH-FIX-OPENSUSE 0001-Fix-the-smbclient-4.9-check.patch -- Fix a CMake test failure in kdebase4-runtime when using Samba 4.9 Patch20: 0001-Fix-the-smbclient-4.9-check.patch +# PATCH-FIX-UPSTREAM +Patch21: 0001-Security-remove-support-for-.-in-config-keys-with-e-.patch BuildRequires: OpenEXR-devel BuildRequires: automoc4 BuildRequires: avahi-compat-mDNSResponder-devel @@ -151,6 +153,7 @@ %patch18 -p1 %patch19 -p1 %patch20 -p1 +%patch21 -p1 %build EXTRA_FLAGS="-DLIB_INSTALL_DIR=%{_kde4_libdir} \ ++++++ 0001-Security-remove-support-for-.-in-config-keys-with-e-.patch ++++++ >From 06ee7568491c488032572a6a59b5a5062e092516 Mon Sep 17 00:00:00 2001 
From: Kai Uwe Broulik <[email protected]> Date: Wed, 7 Aug 2019 09:47:46 +0200 Subject: [PATCH] Security: remove support for $(...) in config keys with [$e] marker. It is very unclear at this point what a valid use case for this feature would possibly be. The old documentation only mentions $(hostname) as an example, which can be done with $HOSTNAME instead. Note that $(...) is still supported in Exec lines of desktop files, this does not require [$e] anyway (and actually works better without it, otherwise the $ signs need to be doubled to obey kconfig $e escaping rules...). (This is a backport of KDE Frameworks 5 kconfig patch to kdelibs) --- kdecore/config/kconfig.cpp | 32 +------------------------------- kdecore/doc/README.kiosk | 12 ------------ kdecore/tests/kconfigtest.cpp | 6 +----- 3 files changed, 2 insertions(+), 48 deletions(-) diff --git a/kdecore/config/kconfig.cpp b/kdecore/config/kconfig.cpp index 7ea26a5480..b30584b302 100644 --- a/kdecore/config/kconfig.cpp +++ b/kdecore/config/kconfig.cpp 
@@ -160,37 +160,7 @@ QString KConfigPrivate::expandString(const QString& value)
 int nDollarPos = aValue.indexOf( QLatin1Char('$') );
 while( nDollarPos != -1 && nDollarPos+1 < aValue.length()) {
 // there is at least one $
- if( aValue[nDollarPos+1] == QLatin1Char('(') ) {
- int nEndPos = nDollarPos+1;
- // the next character is not $
- while ( (nEndPos <= aValue.length()) && (aValue[nEndPos]!=QLatin1Char(')')) )
- nEndPos++;
- nEndPos++;
- QString cmd = aValue.mid( nDollarPos+2, nEndPos-nDollarPos-3 );
-
- QString result;
- QByteArray oldpath = qgetenv( "PATH" );
- QByteArray newpath;
- if (KGlobal::hasMainComponent()) {
- newpath = QFile::encodeName(KGlobal::dirs()->resourceDirs("exe").join(QChar::fromLatin1(KPATH_SEPARATOR)));
- if (!newpath.isEmpty() && !oldpath.isEmpty())
- newpath += KPATH_SEPARATOR;
- }
- newpath += oldpath;
- setenv( "PATH", newpath, 1/*overwrite*/ );
-// FIXME: wince does not have pipes
-#ifndef _WIN32_WCE
- FILE *fs = popen(QFile::encodeName(cmd).data(), "r");
- if (fs) {
- QTextStream ts(fs, QIODevice::ReadOnly);
- result = ts.readAll().trimmed();
- pclose(fs);
- }
-#endif
- setenv( "PATH", oldpath, 1/*overwrite*/ );
- aValue.replace( nDollarPos, nEndPos-nDollarPos, result );
- nDollarPos += result.length();
- } else if( aValue[nDollarPos+1] != QLatin1Char('$') ) {
+ if( aValue[nDollarPos+1] != QLatin1Char('$') ) {
 int nEndPos = nDollarPos+1;
 // the next character is not $
 QString aVarName;
diff --git a/kdecore/doc/README.kiosk b/kdecore/doc/README.kiosk
index b95002d040..d902c61ea9 100644
--- a/kdecore/doc/README.kiosk
+++ b/kdecore/doc/README.kiosk
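Review bot: The surviving branch `if( aValue[nDollarPos+1] != QLatin1Char('$') )` now silently receives `$(`-prefixed text, and nothing in the code says this is deliberate: the updated kconfigtest expects `$(hostname)` to read back as `(hostname)`, so a reader who sees the dropped `$` may be tempted to "restore" the removed popen() path. I would add above the `if`: `// $(cmd) substitution was removed on purpose (boo#1144600): "$(" falls through to` `// variable expansion with an empty name, so the "$" is dropped and "(cmd)" stays literal.` The `// there is at least one $` comment on the loop is also the natural place to state that only environment-variable expansion (plus whatever the `$$` case does, which is outside this hunk) remains for `[$e]` entries — confirm against the rest of the loop before wording it that way. KConfigPrivate::expandString starts before the hunk and its loop body continues past it.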
@@ -640,18 +640,6 @@ The following syntax is also supported: Name[$ei]=${USER}
-Shell Commands in KDE config files.
-===================================
-
-Since KDE-3.1 arbitrary entries in configuration files can contain shell
-commands. This way the value of a configuration entry can be determined
-dynamically at runtime. In order to use this the entry must be marked
-with [$e].
-
-Example:
-Host[$e]=$(hostname)
-
-
 KDE Kiosk Application API
 ==========================
diff --git a/kdecore/tests/kconfigtest.cpp b/kdecore/tests/kconfigtest.cpp
index 78e6ad180e..37ea3c2825 100644
--- a/kdecore/tests/kconfigtest.cpp
+++ b/kdecore/tests/kconfigtest.cpp
@@ -479,12 +479,8 @@ void KConfigTest::testPath()
 QCOMPARE(group.readPathEntry("withBraces", QString()), QString("file://" + HOMEPATH) );
 QVERIFY(group.hasKey("URL"));
 QCOMPARE(group.readEntry("URL", QString()), QString("file://" + HOMEPATH) );
-#if !defined(Q_OS_WIN32) && !defined(Q_OS_MAC)
- // I don't know if this will work on windows
- // This test hangs on OS X
 QVERIFY(group.hasKey("hostname"));
- QCOMPARE(group.readEntry("hostname", QString()), QHostInfo::localHostName());
-#endif
+ QCOMPARE(group.readEntry("hostname", QString()), QString("(hostname)")); // the $ got removed because empty var name
 QVERIFY(group.hasKey("noeol"));
 QCOMPARE(group.readEntry("noeol", QString()), QString("foo"));
 }
-- 2.22.0
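Review bot: The new expectation `QString("(hostname)")` pins an incidental detail of the expander — that an empty variable name drops the `$` — rather than the property this change is about, and the trailing comment does not say why that literal is the right answer. I would reword it to `// boo#1144600 regression: $(hostname) is no longer executed; the "$" is dropped (empty var name), leaving the literal "(hostname)"`, so the assertion is not later "fixed" back to comparing against QHostInfo. The value presumably depends on a `hostname[$e]=$(hostname)` fixture written elsewhere in the test; if so, naming that entry in the comment makes the intent self-contained. testPath() begins before this hunk; its closing brace is the last context line here.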
