Fix CVE-2019-14744 in our KDE4 env.
https://kde.org/info/security/advisory-20190807-1.txt

OK?

RS

Index: Makefile
===================================================================
RCS file: /cvs/ports/x11/kde4/libs/Makefile,v
retrieving revision 1.90
diff -u -p -u -p -r1.90 Makefile
--- Makefile    21 Jan 2019 20:54:48 -0000      1.90
+++ Makefile    18 Aug 2019 15:54:08 -0000
@@ -12,7 +12,7 @@ PKGNAME-langlist =    kde4-langlist-$V
 PKG_ARCH-en_US =       *
 PKG_ARCH-langlist =    *
 PKGSPEC-main =         kdelibs-${MODKDE4_SPEC}
-REVISION-main =                16
+REVISION-main =                17
 REVISION-en_US =       0
 REVISION-langlist =    0
 
Index: patches/patch-kdecore_config_kconfig_cpp
===================================================================
RCS file: patches/patch-kdecore_config_kconfig_cpp
diff -N patches/patch-kdecore_config_kconfig_cpp
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ patches/patch-kdecore_config_kconfig_cpp    18 Aug 2019 15:54:08 -0000
@@ -0,0 +1,49 @@
+$OpenBSD$
+
+CVE-2019-14744
+Security: remove support for $(...) in config keys with [$e] marker.
+
+https://kde.org/info/security/advisory-20190807-1.txt
+
+Index: kdecore/config/kconfig.cpp
+--- kdecore/config/kconfig.cpp.orig
++++ kdecore/config/kconfig.cpp
+@@ -160,37 +160,7 @@ QString KConfigPrivate::expandString(const QString& va
+     int nDollarPos = aValue.indexOf( QLatin1Char('$') );
+     while( nDollarPos != -1 && nDollarPos+1 < aValue.length()) {
+         // there is at least one $
+-        if( aValue[nDollarPos+1] == QLatin1Char('(') ) {
+-            int nEndPos = nDollarPos+1;
+-            // the next character is not $
+-            while ( (nEndPos <= aValue.length()) && 
(aValue[nEndPos]!=QLatin1Char(')')) )
+-                nEndPos++;
+-            nEndPos++;
+-            QString cmd = aValue.mid( nDollarPos+2, nEndPos-nDollarPos-3 );
+-
+-            QString result;
+-            QByteArray oldpath = qgetenv( "PATH" );
+-            QByteArray newpath;
+-            if (KGlobal::hasMainComponent()) {
+-                newpath = 
QFile::encodeName(KGlobal::dirs()->resourceDirs("exe").join(QChar::fromLatin1(KPATH_SEPARATOR)));
+-                if (!newpath.isEmpty() && !oldpath.isEmpty())
+-                    newpath += KPATH_SEPARATOR;
+-            }
+-            newpath += oldpath;
+-            setenv( "PATH", newpath, 1/*overwrite*/ );
+-// FIXME: wince does not have pipes
+-#ifndef _WIN32_WCE
+-            FILE *fs = popen(QFile::encodeName(cmd).data(), "r");
+-            if (fs) {
+-                QTextStream ts(fs, QIODevice::ReadOnly);
+-                result = ts.readAll().trimmed();
+-                pclose(fs);
+-            }
+-#endif
+-            setenv( "PATH", oldpath, 1/*overwrite*/ );
+-            aValue.replace( nDollarPos, nEndPos-nDollarPos, result );
+-            nDollarPos += result.length();
+-        } else if( aValue[nDollarPos+1] != QLatin1Char('$') ) {
++        if( aValue[nDollarPos+1] != QLatin1Char('$') ) {
+             int nEndPos = nDollarPos+1;
+             // the next character is not $
+             QString aVarName;
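Review bot: After this removal a value such as `$(hostname)` falls into the remaining `if( aValue[nDollarPos+1] != QLatin1Char('$') )` branch and, per the updated kconfigtest assertion, comes out as the literal `(hostname)` with no diagnostic, and nothing in the code says why. I would add a comment above that `if`, for example `// $(...) is intentionally not expanded (CVE-2019-14744): never run shell commands from config values`, so the branch is not reintroduced later. Environment-variable expansion for `[$e]` entries stays in place, which appears to match the advisory, but the rest of expandString() is outside the hunk. As mailed, the `while (...)` and `newpath =` lines here, and three lines in the kconfigtest patch, are wrapped, so the diff may not apply as posted unless that is only an archive artifact.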
Index: patches/patch-kdecore_doc_README_kiosk
===================================================================
RCS file: patches/patch-kdecore_doc_README_kiosk
diff -N patches/patch-kdecore_doc_README_kiosk
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ patches/patch-kdecore_doc_README_kiosk      18 Aug 2019 15:54:08 -0000
@@ -0,0 +1,30 @@
+$OpenBSD$
+
+CVE-2019-14744
+Security: remove support for $(...) in config keys with [$e] marker.
+
+https://kde.org/info/security/advisory-20190807-1.txt
+
+
+Index: kdecore/doc/README.kiosk
+--- kdecore/doc/README.kiosk.orig
++++ kdecore/doc/README.kiosk
+@@ -640,18 +640,6 @@ The following syntax is also supported:
+ Name[$ei]=${USER}
+ 
+ 
+-Shell Commands in KDE config files.
+-===================================
+-
+-Since KDE-3.1 arbitrary entries in configuration files can contain shell 
+-commands. This way the value of a configuration entry can be determined
+-dynamically at runtime. In order to use this the entry must be marked 
+-with [$e]. 
+-
+-Example:
+-Host[$e]=$(hostname)
+-
+-
+ KDE Kiosk Application API
+ ==========================
+ 
Index: patches/patch-kdecore_tests_kconfigtest_cpp
===================================================================
RCS file: patches/patch-kdecore_tests_kconfigtest_cpp
diff -N patches/patch-kdecore_tests_kconfigtest_cpp
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ patches/patch-kdecore_tests_kconfigtest_cpp 18 Aug 2019 15:54:08 -0000
@@ -0,0 +1,24 @@
+$OpenBSD$
+
+CVE-2019-14744
+Security: remove support for $(...) in config keys with [$e] marker.
+
+https://kde.org/info/security/advisory-20190807-1.txt
+
+Index: kdecore/tests/kconfigtest.cpp
+--- kdecore/tests/kconfigtest.cpp.orig
++++ kdecore/tests/kconfigtest.cpp
+@@ -479,12 +479,8 @@ void KConfigTest::testPath()
+   QCOMPARE(group.readPathEntry("withBraces", QString()), QString("file://" + 
HOMEPATH) );
+   QVERIFY(group.hasKey("URL"));
+   QCOMPARE(group.readEntry("URL", QString()), QString("file://" + HOMEPATH) );
+-#if !defined(Q_OS_WIN32) && !defined(Q_OS_MAC)
+-  // I don't know if this will work on windows
+-  // This test hangs on OS X
+   QVERIFY(group.hasKey("hostname"));
+-  QCOMPARE(group.readEntry("hostname", QString()), 
QHostInfo::localHostName());
+-#endif
++  QCOMPARE(group.readEntry("hostname", QString()), QString("(hostname)")); // 
the $ got removed because empty var name
+   QVERIFY(group.hasKey("noeol"));
+   QCOMPARE(group.readEntry("noeol", QString()), QString("foo"));
+ }
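Review bot: The replacement assertion on the `hostname` entry pins only the leftover literal `(hostname)`, and its trailing comment does not say that the property being tested is that no command runs. I would reword the comment to `// CVE-2019-14744: $(...) must not be executed; the '$' is dropped as an empty variable name` so the security intent survives later changes to the variable parser. Dropping the platform `#if` looks right, since this path no longer spawns a process. The `QHostInfo` include is probably unused now, but it sits outside the hunk, as does the start of testPath(), so check it.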
