Fix CVE-2019-14744 (command execution via `$(...)` in `[$e]`-marked config entries) in our KDE5 environment.
https://kde.org/info/security/advisory-20190807-1.txt
OK?
RS
Index: Makefile
===================================================================
RCS file: /cvs/ports/devel/kf5/kconfig/Makefile,v
retrieving revision 1.10
diff -u -p -u -p -r1.10 Makefile
--- Makefile 30 Mar 2019 09:13:49 -0000 1.10
+++ Makefile 18 Aug 2019 15:38:31 -0000
@@ -2,6 +2,7 @@
COMMENT = KDE configuration system
DISTNAME = kconfig-${VERSION}
+REVISION = 0
SHARED_LIBS = KF5ConfigCore 4.3
SHARED_LIBS += KF5ConfigGui 4.3
Index: patches/patch-autotests_kconfigtest_cpp
===================================================================
RCS file: patches/patch-autotests_kconfigtest_cpp
diff -N patches/patch-autotests_kconfigtest_cpp
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-autotests_kconfigtest_cpp 18 Aug 2019 15:38:31 -0000
@@ -0,0 +1,35 @@
+$OpenBSD$
+
+CVE-2019-14744
+Security: remove support for $(...) in config keys with [$e] marker.
+
+https://kde.org/info/security/advisory-20190807-1.txt
+
+Index: autotests/kconfigtest.cpp
+--- autotests/kconfigtest.cpp.orig
++++ autotests/kconfigtest.cpp
+@@ -38,7 +38,7 @@
+ #include <utime.h>
+ #endif
+ #ifndef Q_OS_WIN
+-#include <unistd.h> // gethostname
++#include <unistd.h> // getuid
+ #endif
+
+ KCONFIGGROUP_DECLARE_ENUM_QOBJECT(KConfigTest, Testing)
+@@ -545,14 +545,8 @@ void KConfigTest::testPath()
+ QCOMPARE(group.readPathEntry("withBraces", QString()), QString("file://"
+ HOMEPATH));
+ QVERIFY(group.hasKey("URL"));
+ QCOMPARE(group.readEntry("URL", QString()), QString("file://" +
HOMEPATH));
+-#if !defined(Q_OS_WIN32) && !defined(Q_OS_MAC)
+- // I don't know if this will work on windows
+- // This test hangs on OS X
+ QVERIFY(group.hasKey("hostname"));
+- char hostname[256];
+- QVERIFY(::gethostname(hostname, sizeof(hostname)) == 0);
+- QCOMPARE(group.readEntry("hostname", QString()),
QString::fromLatin1(hostname));
+-#endif
++ QCOMPARE(group.readEntry("hostname", QString()),
QStringLiteral("(hostname)")); // the $ got removed because empty var name
+ QVERIFY(group.hasKey("noeol"));
+ QCOMPARE(group.readEntry("noeol", QString()), QString("foo"));
+
Index: patches/patch-docs_options_md
===================================================================
RCS file: patches/patch-docs_options_md
diff -N patches/patch-docs_options_md
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-docs_options_md 18 Aug 2019 15:38:31 -0000
@@ -0,0 +1,34 @@
+$OpenBSD$
+
+CVE-2019-14744
+Security: remove support for $(...) in config keys with [$e] marker.
+
+https://kde.org/info/security/advisory-20190807-1.txt
+
+
+Index: docs/options.md
+--- docs/options.md.orig
++++ docs/options.md
+@@ -67,18 +67,15 @@ environment variables (and `XDG_CONFIG_HOME` in partic
+ Shell Expansion
+ ---------------
+
+-If an entry is marked with `$e`, environment variables and shell commands will
+-be expanded.
++If an entry is marked with `$e`, environment variables will be expanded.
+
+ Name[$e]=$USER
+- Host[$e]=$(hostname)
+
+ When the "Name" entry is read `$USER` will be replaced with the value of the
+-`$USER` environment variable, and `$(hostname)` will be replaced with the
output
+-of the `hostname` command.
++`$USER` environment variable.
+
+-Note that the application will replace `$USER` and `$(hostname)` with their
+-respective expanded values after saving. To prevent this combine the `$e`
option
++Note that the application will replace `$USER` with its
++expanded value after saving. To prevent this combine the `$e` option
+ with `$i` (immmutable) option. For example:
+
+ Name[$ei]=$USER
Index: patches/patch-src_core_kconfig_cpp
===================================================================
RCS file: patches/patch-src_core_kconfig_cpp
diff -N patches/patch-src_core_kconfig_cpp
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-src_core_kconfig_cpp 18 Aug 2019 15:38:31 -0000
@@ -0,0 +1,62 @@
+$OpenBSD$
+
+CVE-2019-14744
+Security: remove support for $(...) in config keys with [$e] marker.
+
+https://kde.org/info/security/advisory-20190807-1.txt
+
+
+Index: src/core/kconfig.cpp
+--- src/core/kconfig.cpp.orig
++++ src/core/kconfig.cpp
+@@ -28,19 +28,6 @@
+ #include <cstdlib>
+ #include <fcntl.h>
+
+-#ifdef _MSC_VER
+-static inline FILE *popen(const char *cmd, const char *mode)
+-{
+- return _popen(cmd, mode);
+-}
+-static inline int pclose(FILE *stream)
+-{
+- return _pclose(stream);
+-}
+-#else
+-#include <unistd.h>
+-#endif
+-
+ #include "kconfigbackend_p.h"
+ #include "kconfiggroup.h"
+
+@@ -183,29 +170,7 @@ QString KConfigPrivate::expandString(const QString &va
+ int nDollarPos = aValue.indexOf(QLatin1Char('$'));
+ while (nDollarPos != -1 && nDollarPos + 1 < aValue.length()) {
+ // there is at least one $
+- if (aValue[nDollarPos + 1] == QLatin1Char('(')) {
+- int nEndPos = nDollarPos + 1;
+- // the next character is not $
+- while ((nEndPos <= aValue.length()) && (aValue[nEndPos] !=
QLatin1Char(')'))) {
+- nEndPos++;
+- }
+- nEndPos++;
+- QString cmd = aValue.mid(nDollarPos + 2, nEndPos - nDollarPos -
3);
+-
+- QString result;
+-
+-// FIXME: wince does not have pipes
+-#ifndef _WIN32_WCE
+- FILE *fs = popen(QFile::encodeName(cmd).data(), "r");
+- if (fs) {
+- QTextStream ts(fs, QIODevice::ReadOnly);
+- result = ts.readAll().trimmed();
+- pclose(fs);
+- }
+-#endif
+- aValue.replace(nDollarPos, nEndPos - nDollarPos, result);
+- nDollarPos += result.length();
+- } else if (aValue[nDollarPos + 1] != QLatin1Char('$')) {
++ if (aValue[nDollarPos + 1] != QLatin1Char('$')) {
+ int nEndPos = nDollarPos + 1;
+ // the next character is not $
+ QStringRef aVarName;
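Review bot: The comment `// the next character is not $` at the head of the surviving branch now merely restates the condition directly above it and says nothing about why `$(` is deliberately routed through the plain-variable path, so a future maintainer could reintroduce command substitution here without seeing the rationale. I would replace it with `// Deliberately no $(...) command substitution here (CVE-2019-14744): a '(' after '$' is parsed as an ordinary, empty variable name; see kconfigtest.cpp.` The new-side result for `$(hostname)` is only inferred from the test update elsewhere in this diff, which expects `(hostname)`. Note also that the first hunk drops the non-MSVC `#include <unistd.h>`; if anything else in kconfig.cpp still relies on a POSIX declaration from it, that include would need to stay, which cannot be verified from this excerpt. The body of KConfigPrivate::expandString continues past the end of the hunk.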