rpms/kdelibs/F-11 kdelibs-4.3.1-CVE-2009-2702.patch, NONE, 1.1 kdelibs.spec, 1.494, 1.495

Than Ngo than at fedoraproject.org
Fri Sep 4 12:25:54 UTC 2009


Author: than

Update of /cvs/extras/rpms/kdelibs/F-11
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv30780

Modified Files:
	kdelibs.spec 
Added Files:
	kdelibs-4.3.1-CVE-2009-2702.patch 
Log Message:
security fix for -CVE-2009-2702



kdelibs-4.3.1-CVE-2009-2702.patch:
 kopenssl.cpp        |    9 +++++++++
 kopenssl.h          |    6 +++++-
 ksslcertificate.cpp |    4 +++-
 3 files changed, 17 insertions(+), 2 deletions(-)

--- NEW FILE kdelibs-4.3.1-CVE-2009-2702.patch ---
diff -Nur kdelibs-4.3.1.orig/kio/kssl/kopenssl.cpp kdelibs-4.3.1/kio/kssl/kopenssl.cpp
--- kdelibs-4.3.1.orig/kio/kssl/kopenssl.cpp	2008-10-23 01:05:00.000000000 +0200
+++ kdelibs-4.3.1/kio/kssl/kopenssl.cpp	2009-09-04 14:09:22.000000000 +0200
@@ -196,6 +196,7 @@
 static X509_NAME *(*K_X509_NAME_new)() = 0L;
 static int (*K_X509_REQ_set_subject_name)(X509_REQ*,X509_NAME*) = 0L;
 static unsigned char *(*K_ASN1_STRING_data)(ASN1_STRING*) = 0L;
+static int (*K_ASN1_STRING_length)(ASN1_STRING*) = 0L;
 static STACK_OF(SSL_CIPHER) *(*K_SSL_get_ciphers)(const SSL *ssl) = 0L;
 
 #endif
@@ -530,6 +531,7 @@
       K_X509_NAME_new = (X509_NAME *(*)()) d->cryptoLib->resolveFunction("X509_NAME_new");
       K_X509_REQ_set_subject_name = (int (*)(X509_REQ*,X509_NAME*)) d->cryptoLib->resolveFunction("X509_REQ_set_subject_name");
       K_ASN1_STRING_data = (unsigned char *(*)(ASN1_STRING*)) d->cryptoLib->resolveFunction("ASN1_STRING_data");
+      K_ASN1_STRING_length = (int (*)(ASN1_STRING*)) d->cryptoLib->resolveFunction("ASN1_STRING_length");
 #endif
    }
 
@@ -1577,6 +1579,13 @@
    return 0L;
 }
 
+
+int KOpenSSLProxy::ASN1_STRING_length(ASN1_STRING *x) {
+   if (K_ASN1_STRING_length) return (K_ASN1_STRING_length)(x);
+   return 0L;
+}
+
+
 STACK_OF(SSL_CIPHER) *KOpenSSLProxy::SSL_get_ciphers(const SSL* ssl) {
   if (K_SSL_get_ciphers) return (K_SSL_get_ciphers)(ssl);
   return 0L;
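Review bot: The fallback in the new `KOpenSSLProxy::ASN1_STRING_length` returns 0 when the symbol could not be resolved, and nothing records what that means for callers. With the check added in ksslcertificate.cpp, a zero length makes `s.length() == ...` false for every non-empty name, so all subjectAltNames are dropped. That fails closed, which is the safe direction, but it deserves a comment such as `// 0 if libcrypto lacks the symbol; length comparisons in callers then reject every name`. The function returns `int`, so `return 0;` reads better than `return 0L;`, though the latter matches the neighbouring wrappers. The following `SSL_get_ciphers` body continues outside the hunk.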
diff -Nur kdelibs-4.3.1.orig/kio/kssl/kopenssl.h kdelibs-4.3.1/kio/kssl/kopenssl.h
--- kdelibs-4.3.1.orig/kio/kssl/kopenssl.h	2009-05-19 14:06:53.000000000 +0200
+++ kdelibs-4.3.1/kio/kssl/kopenssl.h	2009-09-04 14:09:22.000000000 +0200
@@ -589,13 +589,17 @@
     */
    void ASN1_INTEGER_free(ASN1_INTEGER *x);
 
-
    /*
     *  ASN1_STRING_data
     */
    unsigned char *ASN1_STRING_data(ASN1_STRING *x);
 
    /*
+    * ASN1_STRING_length
+    */
+   int ASN1_STRING_length(ASN1_STRING *x);
+
+   /*
     *
     */
    int OBJ_obj2nid(ASN1_OBJECT *o);
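Review bot: The header comment for the new declaration only repeats the name `ASN1_STRING_length`, so a caller cannot tell from kopenssl.h what unit the result is in or what an unresolved symbol yields. I would write `/* ASN1_STRING_length - length in bytes of the string data; 0 if the function could not be resolved */`, which matches what the wrapper in kopenssl.cpp does. The class declaration starts and ends outside the hunk.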
diff -Nur kdelibs-4.3.1.orig/kio/kssl/ksslcertificate.cpp kdelibs-4.3.1/kio/kssl/ksslcertificate.cpp
--- kdelibs-4.3.1.orig/kio/kssl/ksslcertificate.cpp	2009-01-16 16:07:05.000000000 +0100
+++ kdelibs-4.3.1/kio/kssl/ksslcertificate.cpp	2009-09-04 14:09:22.000000000 +0200
@@ -1305,7 +1305,9 @@
         }
 
         QString s = (const char *)d->kossl->ASN1_STRING_data(val->d.ia5);
-        if (!s.isEmpty()) {
+        if (!s.isEmpty()  &&
+                /* skip subjectAltNames with embedded NULs */
+                s.length() == d->kossl->ASN1_STRING_length(val->d.ia5)) {
             rc += s;
         }
     }
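Review bot: The added condition in the `if` drops a name silently, and its inline comment does not say why a length mismatch implies an embedded NUL. The `QString s = (const char *)...` construction on the context line above stops at the first NUL byte, so `s.length()` comes out shorter than `ASN1_STRING_length()` when the IA5 string contains one. I would spell that out, e.g. `/* CVE-2009-2702: QString(const char*) stops at the first NUL, so a length mismatch means an embedded NUL; skip that name */`. The other names of the same certificate are still appended to `rc`. Whether such a certificate should be rejected as a whole, or the event logged, cannot be judged here because the enclosing function starts and ends outside the hunk.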


Index: kdelibs.spec
===================================================================
RCS file: /cvs/extras/rpms/kdelibs/F-11/kdelibs.spec,v
retrieving revision 1.494
retrieving revision 1.495
diff -u -p -r1.494 -r1.495
--- kdelibs.spec	2 Sep 2009 18:01:35 -0000	1.494
+++ kdelibs.spec	4 Sep 2009 12:25:54 -0000	1.495
@@ -4,17 +4,13 @@
 
 Summary: K Desktop Environment 4 - Libraries
 Version: 4.3.1
-Release: 2%{?dist}
+Release: 3%{?dist}
 
-%if 0%{?fedora} > 8
 Name: kdelibs
 Epoch: 6
 Obsoletes: kdelibs4 < %{version}-%{release}
 Provides:  kdelibs4 = %{version}-%{release}
 %{?_isa:Provides: kdelibs4%{?_isa} = %{version}-%{release}}
-%else
-Name: kdelibs4
-%endif
 
 # http://techbase.kde.org/Policies/Licensing_Policy
 License: LGPLv2+
@@ -41,12 +37,8 @@ Requires: kde-filesystem >= 4-23
 Requires: kde-settings
 %{?_kde4_macros_api:Requires: kde4-macros(api) = %{_kde4_macros_api} }
 Requires: shared-mime-info
-%if "%{name}" == "kdelibs"
 Requires: kdelibs-common
-%endif
-%if 0%{?fedora} >= 9
 Requires: hunspell
-%endif
 Requires: phonon%{?_isa} >= %{phonon_ver} 
 Requires: soprano%{?_isa} >= %{soprano_ver} 
 Requires: strigi-libs%{?_isa} >= %{strigi_ver} 
@@ -80,12 +72,16 @@ Patch14: kdelibs-4.2.85-libexecdir.patch
 # kstandarddirs changes: search /etc/kde, find /usr/libexec/kde4
 Patch18: kdelibs-4.1.72-kstandarddirs.patch
 Patch20: kdelibs-4.1.70-cmake.patch
+Patch21: kdelibs-4.3.1-ossl-1.x.patch
 # patch to fix keditbookmarks crash (kde#160679)
 Patch22: kdelibs-4.3.0-bookmarks.patch
 
 # upstream
 # 4.3 branch
 
+# security fix
+Patch200: kdelibs-4.3.1-CVE-2009-2702.patch
+
 BuildRequires: qt4-devel >= 4.5.0
 # qt4%{_?_isa} isn't provided yet -- Rex
 #Requires: qt4%{?_isa} >= %{_qt4_version}
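Review bot: `Patch21: kdelibs-4.3.1-ossl-1.x.patch` is unrelated to the CVE fix, and the commit record lists only `kdelibs-4.3.1-CVE-2009-2702.patch` under Added Files, so this hunk relies on the ossl-1.x patch already being present in the module. If it is not, the build would presumably stop at `%patch21`, so that is worth confirming. Ideally the OpenSSL 1.0 build change would land separately so the security update carries only the fix. A one-line comment above it, e.g. `# build against openssl-1.0`, would match how the neighbouring patches are annotated.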
@@ -95,10 +91,6 @@ Requires(post): /sbin/ldconfig
 Requires(postun): /sbin/ldconfig
 
 BuildRequires: alsa-lib-devel
-%if 0%{?fedora} < 9
-# we don't want a hard dependency on aspell on F9+, use enchant only
-BuildRequires: aspell-devel
-%endif
 BuildRequires: automoc4 >= 0.9.88
 BuildRequires: avahi-devel
 BuildRequires: bzip2-devel
@@ -145,13 +137,11 @@ Provides: kross(qtscript) = %{version}-%
 %description
 Libraries for the K Desktop Environment 4.
 
-%if "%{name}" == "kdelibs"
 %package common
 Group: System Environment/Libraries
 Summary: Common files for KDE 3 and KDE 4 libraries
 %description common
 This package includes the common files for the KDE 3 and KDE 4 libraries.
-%endif
 
 %package devel
 Group: Development/Libraries
@@ -161,10 +151,8 @@ Conflicts: kdebase-runtime < 4.2.90
 Conflicts: kdebase-workspace-devel < 4.2.90
 Provides: plasma-devel = %{version}-%{release}
 Requires: %{name} = %{?epoch:%{epoch}:}%{version}-%{release}
-%if "%{name}" != "kdelibs4"
 Obsoletes: kdelibs4-devel < %{version}-%{release}
 Provides:  kdelibs4-devel = %{version}-%{release}
-%endif
 Requires: cmake >= 2.6.2-3
 Requires: automoc4 >= 0.9.88
 Requires: qt4-devel
@@ -184,14 +172,7 @@ Summary: KDE 4 API documentation
 # Not strictly required -- Rex
 # Requires: %{name} = %{?epoch:%{epoch}:}%{version}
 Requires: kde-filesystem
-%if "%{name}" != "kdelibs4"
 Provides: kdelibs4-apidocs = %{version}-%{release}
-#else
-# Don't do that for now, we'd need to make sure all Requires: kdelibs-apidocs
-# (in kdevelop etc.) are fixed to kdelibs3-apidocs first and it may not be
-# worth it anyway.
-#Provides: kdelibs-apidocs = 6:%{version}-%{release}
-%endif
 
 %description apidocs
 This package includes the KDE 4 API documentation in HTML
@@ -211,11 +192,14 @@ format for easy browsing.
 %patch14 -p1 -b .libexecdir
 %patch18 -p1 -b .kstandarddirs
 %patch20 -p1 -b .xxcmake
+%patch21 -p1 -b .ossl-1.x
 %patch22 -p1 -b .bookmarks
 
 # upstream patches
 # 4.3
 
+# security fix
+%patch200 -p1 -b .CVE-2009-2702
 
 %build
 
@@ -400,11 +384,15 @@ rm -rf %{buildroot}
 
 
 %changelog
+* Fri Sep 04 2009 Than Ngo <than at redhat.com> - 4.3.1-3
+- security fix for -CVE-2009-2702
+
 * Wed Sep 02 2009 Ben Boeckel <MathStuf at gmail.com> - 4.3.1-2
 - Patch for kde#160679
 
 * Fri Aug 28 2009 Than Ngo <than at redhat.com> - 4.3.1-1
 - 4.3.1
+- openssl-1.0 build fixes
 
 * Wed Aug 26 2009 Rex Dieter <rdieter at fedoraproject.org> - 4.3.0-8
 - BR: xz-devel



