Hello community, here is the log from the commit of package kdeutils4 for openSUSE:11.4 checked in at Tue Feb 28 12:33:11 CET 2012.
--------
--- old-versions/11.4/all/kdeutils4/kdeutils4.changes 2011-01-25 14:35:59.000000000 +0100
+++ 11.4/kdeutils4/kdeutils4.changes 2012-02-28 10:23:59.000000000 +0100
@@ -1,0 +2,5 @@
+Tue Feb 28 09:18:21 UTC 2012 - idon...@suse.com
+
+- Add fix for CVE-2011-2725
+
+-------------------------------------------------------------------
Package does not exist at destination yet. Using Fallback old-versions/11.4/all/kdeutils4 Destination is old-versions/11.4/UPDATES/all/kdeutils4 calling whatdependson for 11.4-i586 New: ---- CVE-2011-2725.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------
++++++ kdeutils4.spec ++++++
--- /var/tmp/diff_new_pack.Hna3JI/_old 2012-02-28 12:32:34.000000000 +0100
+++ /var/tmp/diff_new_pack.Hna3JI/_new 2012-02-28 12:32:34.000000000 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package kdeutils4
 #
-# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -26,19 +26,32 @@ %if %with_python BuildRequires: python-kde4-devel %endif -License: GPLv2+ -Group: Productivity/Other Summary: Base Package of KDE Utility Programs +License: GPL-2.0+ +Group: Productivity/Other Url: http://www.kde.org Version: 4.6.0 -Release: 1 -BuildRequires: gmp-devel kdebase4-workspace-devel >= %version libqimageblitz-devel net-snmp-devel pcsc-lite python-devel -BuildRequires: libkdepimlibs4-devel libkonq-devel libqca2-devel libzip-devel oxygen-icon-theme-large -BuildRequires: libarchive-devel libknotificationitem-devel libqjson-devel xz-devel +Release: 4.<RELEASE5> +BuildRequires: gmp-devel +BuildRequires: kdebase4-workspace-devel >= %version +BuildRequires: libarchive-devel +BuildRequires: libkdepimlibs4-devel +BuildRequires: libknotificationitem-devel +BuildRequires: libkonq-devel +BuildRequires: libqca2-devel +BuildRequires: libqimageblitz-devel +BuildRequires: libqjson-devel +BuildRequires: libzip-devel +BuildRequires: net-snmp-devel +BuildRequires: oxygen-icon-theme-large +BuildRequires: pcsc-lite +BuildRequires: python-devel +BuildRequires: xz-devel Source0: kdeutils-%version.tar.bz2 Patch: 4_5_BRANCH.diff Patch1: desktop-files.diff Patch2: kgpg-autostart.diff +Patch3: CVE-2011-2725.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %kde4_runtime_requires Suggests: ark @@ -73,6 +86,7 @@ %patch %patch1 %patch2 +%patch3 -p1 %build %cmake_kde4 -d build @@ -125,9 +139,9 @@ # rm -rf filelists %package -n ark -License: GPLv2+ -Group: Productivity/Archiving/Compression + Summary: KDE Archiver Tool +Group: Productivity/Archiving/Compression Provides: kde4-ark = 4.3.0 Obsoletes: kde4-ark < 4.3.0 %kde4_runtime_requires @@ -154,9 +168,9 @@ %_kde4_iconsdir/hicolor/*/apps/utilities-file-archiver.* %package -n kcalc -License: GPLv2+ -Group: Productivity/Scientific/Math + Summary: Scientific Calculator +Group: Productivity/Scientific/Math Provides: kde4-kcalc = 4.3.0 Obsoletes: kde4-kcalc < 4.3.0 %kde4_runtime_requires 
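Review bot: The new `Patch3: CVE-2011-2725.patch` line in the first hunk carries no patch-tag comment, and the patch file's own header (in the CVE-2011-2725.patch section further down) is taken against kdeutils-4.7.2 while this spec builds `Version: 4.6.0`, so the fact that this is a backport from a newer branch is recorded nowhere in the spec. Add the usual tag line directly above it, e.g. `# PATCH-FIX-UPSTREAM CVE-2011-2725.patch -- ark: keep preview path inside the temp dir (backport from 4.7.x)`, so the next maintainer knows where the fix came from and can drop it once a release that already contains it is packaged. The `%patch3 -p1` line in the `@@ -73,6 +86,7 @@` hunk is consistent with the `diff -up` prefix paths in that header, so only the documentation is missing.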
@@ -180,9 +194,9 @@ %doc AUTHORS COPYING COPYING.DOC README %package -n filelight -License: GPLv2+ -Group: System/GUI/KDE + Summary: Graphical disk usage viewer +Group: System/GUI/KDE %kde4_runtime_requires %description -n filelight @@ -205,9 +219,9 @@ %dir %_kde4_appsdir/filelightpart %package -n kcharselect -License: GPLv2+ -Group: Productivity/Other + Summary: KDE Character Selector +Group: Productivity/Other Provides: kde4-kcharselect = 4.3.0 Obsoletes: kde4-kcharselect < 4.3.0 %kde4_runtime_requires @@ -230,9 +244,9 @@ %doc AUTHORS COPYING COPYING.DOC README %package -n kdf -License: GPLv2+ -Group: System/Monitoring + Summary: Disk Usage Viewer +Group: System/Monitoring Provides: kde4-kdf = 4.3.0 Obsoletes: kde4-kdf < 4.3.0 %kde4_runtime_requires @@ -259,9 +273,9 @@ %exclude %_kde4_iconsdir/hicolor/*/apps/kwikdisk.* %package -n kfloppy -License: GPLv2+ -Group: System/GUI/KDE + Summary: Floppy Formatter +Group: System/GUI/KDE Provides: kde4-kfloppy = 4.3.0 Obsoletes: kde4-kfloppy < 4.3.0 %kde4_runtime_requires @@ -285,9 +299,9 @@ %doc AUTHORS COPYING COPYING.DOC README %package -n kgpg -License: GPLv2+ -Group: Productivity/Security + Summary: Encryption Tool +Group: Productivity/Security Provides: kde4-kgpg = 4.3.0 Obsoletes: kde4-kgpg < 4.3.0 %kde4_runtime_requires @@ -313,9 +327,9 @@ %doc AUTHORS COPYING COPYING.DOC README %package -n ktimer -License: GPLv2+ -Group: Productivity/Other + Summary: Countdown Launcher +Group: Productivity/Other Provides: kde4-ktimer = 4.3.0 Obsoletes: kde4-ktimer < 4.3.0 %kde4_runtime_requires @@ -338,9 +352,9 @@ %doc AUTHORS COPYING COPYING.DOC README %package -n kwalletmanager -License: GPLv2+ -Group: System/GUI/KDE + Summary: Wallet Management Tool +Group: System/GUI/KDE Provides: kde4-kwalletmanager = 4.3.0 Obsoletes: kde4-kwalletmanager < 4.3.0 %kde4_runtime_requires 
@@ -365,9 +379,9 @@ %_kde4_appsdir/kwalletmanager %package -n kwikdisk -License: GPLv2+ -Group: System/GUI/KDE + Summary: Removable Media Utility +Group: System/GUI/KDE Provides: kde4-kwikdisk = 4.3.0 Obsoletes: kde4-kwikdisk < 4.3.0 %kde4_runtime_requires @@ -394,9 +408,9 @@ %_kde4_iconsdir/hicolor/*/apps/kwikdisk.* %package -n sweeper -License: GPLv2+ -Group: System/GUI/KDE + Summary: KDE Privacy Utility +Group: System/GUI/KDE Provides: kde4-sweeper = 4.3.0 Obsoletes: kde4-sweeper < 4.3.0 %kde4_runtime_requires @@ -419,9 +433,9 @@ %doc AUTHORS COPYING COPYING.DOC README %package -n superkaramba -License: GPLv2+ -Group: System/GUI/KDE + Summary: Desktop Widgets +Group: System/GUI/KDE Provides: kde4-superkaramba = 4.3.0 Obsoletes: kde4-superkaramba < 4.3.0 %kde4_runtime_requires @@ -446,11 +460,13 @@ %if %with_python %package -n kde4-printer-applet -License: GPLv2+ -Group: Productivity/Other + Summary: System tray utility to show current print jobs +Group: Productivity/Other %kde4_runtime_requires -Requires: python-kde4 python-cups system-config-printer +Requires: python-cups +Requires: python-kde4 +Requires: system-config-printer %description -n kde4-printer-applet This package contains a system tray utility to show current print jobs. @@ -471,9 +487,9 @@ %endif %package -n kremotecontrol -License: GPLv2+ -Group: Productivity/Other + Summary: KDE Frontend for the Linux Infrared Remote Control system +Group: Productivity/Other Obsoletes: kdelirc < %{version} Provides: kdelirc = %{version} %kde4_runtime_requires ++++++ CVE-2011-2725.patch ++++++ diff -up kdeutils-4.7.2/ark/part/part.cpp.orig kdeutils-4.7.2/ark/part/part.cpp --- kdeutils-4.7.2/ark/part/part.cpp.orig 2011-10-18 16:57:02.000000000 +0200 +++ kdeutils-4.7.2/ark/part/part.cpp 2011-10-18 16:57:45.000000000 +0200 
@@ -558,8 +558,15 @@ void Part::slotPreviewExtracted(KJob *jo
 if (!job->error()) {
 const ArchiveEntry& entry = m_model->entryForIndex(m_view->selectionModel()->currentIndex());
- const QString fullName =
- m_previewDir->name() + QLatin1Char( '/' ) + entry[ FileName ].toString();
+
+ QString fullName =
+ m_previewDir->name() + QLatin1Char('/') + entry[FileName].toString();
+
+ // Make sure a maliciously crafted archive with parent folders named ".." do
+ // not cause the previewed file path to be located outside the temporary
+ // directory, resulting in a directory traversal issue.
+ fullName.remove(QLatin1String("../"));
+
 ArkViewer::view(fullName, widget());
 } else {
 KMessageBox::error(widget(), job->errorString());
continue with "q"... Remember to have fun... -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org