[kde-runtime] fix bz#1164609, CVE-2014-8600, Insufficient Input Validation By IO Slaves
Than Ngo
than at fedoraproject.org
Mon Nov 17 11:01:28 UTC 2014
commit 79fc98ee9eeb30030c69315565b4828adafcb540
Author: Than Ngo <than at redhat.com>
Date: Mon Nov 17 12:01:21 2014 +0100
fix bz#1164609, CVE-2014-8600, Insufficient Input Validation By IO Slaves
kde-runtime-4.14.3-bz#1164609-CVE-2014-8600.patch | 20 ++++++++++++++++++++
kde-runtime.spec | 9 ++++++++-
2 files changed, 28 insertions(+), 1 deletions(-)
---
diff --git a/kde-runtime-4.14.3-bz#1164609-CVE-2014-8600.patch b/kde-runtime-4.14.3-bz#1164609-CVE-2014-8600.patch
new file mode 100644
index 0000000..b844660
--- /dev/null
+++ b/kde-runtime-4.14.3-bz#1164609-CVE-2014-8600.patch
@@ -0,0 +1,20 @@
+diff -up kde-runtime-4.14.3/kioslave/bookmarks/kio_bookmarks.cpp.me kde-runtime-4.14.3/kioslave/bookmarks/kio_bookmarks.cpp
+--- kde-runtime-4.14.3/kioslave/bookmarks/kio_bookmarks.cpp.me 2014-11-17 11:53:22.952583226 +0100
++++ kde-runtime-4.14.3/kioslave/bookmarks/kio_bookmarks.cpp 2014-11-17 11:56:11.094159901 +0100
+@@ -22,6 +22,7 @@
+ #include <stdlib.h>
+
+ #include <qregexp.h>
++#include <qtextdocument.h>
+
+ #include <kapplication.h>
+ #include <kcmdlineargs.h>
+@@ -197,7 +198,7 @@ void BookmarksProtocol::get( const KUrl&
+ echoImage(regexp.cap(1), regexp.cap(2), url.queryItem("size"));
+ } else {
+ echoHead();
+- echo("<p class=\"message\">" + i18n("Wrong request: %1",path) + "</p>");
++ echo("<p class=\"message\">" + i18n("Bad request: %1", Qt::escape(Qt::escape(url.prettyUrl()))) + "</p>");
+ }
+ finished();
+ }
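Review bot: The replacement line at L35 escapes the URL twice, `Qt::escape(Qt::escape(url.prettyUrl()))`; the second pass turns the `&lt;` produced by the first into `&amp;lt;`, so a request containing `<` is shown to the user as the literal text `&lt;` rather than `<`. A single pass is what closes the HTML injection, so `i18n("Bad request: %1", Qt::escape(url.prettyUrl()))` gives the same protection with correct rendering. A why-comment would help the next maintainer, e.g. `// url is attacker-controlled; escape it before echoing into HTML (CVE-2014-8600)`. The echoImage branch at L31 still forwards the two regexp captures and the size query item unchanged; whether any of them reaches HTML output is outside this hunk. BookmarksProtocol::get begins before the hunk.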
diff --git a/kde-runtime.spec b/kde-runtime.spec
index 1e26d84..1a8d692 100644
--- a/kde-runtime.spec
+++ b/kde-runtime.spec
@@ -9,7 +9,7 @@
Name: kde-runtime
Summary: KDE Runtime
Version: 4.14.3
-Release: 1%{?dist}
+Release: 2%{?dist}
# http://techbase.kde.org/Policies/Licensing_Policy
License: LGPLv2+ and GPLv2+
@@ -66,6 +66,8 @@ Patch51: kde-runtime-4.11.2-install_gdb.patch
Patch60: kdebase-runtime-4.6.0-canberra.patch
## upstream patches
+# Insufficient Input Validation By IO Slaves
+Patch100: kde-runtime-4.14.3-bz#1164609-CVE-2014-8600.patch
# rhel patches
Patch300: kde-runtime-4.9.2-webkit.patch
@@ -228,6 +230,8 @@ Requires: %{name} = %{version}-%{release}
%patch60 -p1 -b .canberra
%endif
+%patch100 -p1 -b .CVE-2014-8600
+
%if ! 0%{?webkit}
%patch300 -p1 -b .webkit
%global no_webkit -DKDERUNTIME_NO_WEBKIT:BOOL=ON -DPLASMA_NO_KDEWEBKIT:BOOL=ON
@@ -461,6 +465,9 @@ fi
%{_kde4_datadir}/desktop-directories/kde-information.directory
%changelog
+* Mon Nov 17 2014 Than Ngo <than at redhat.com> - 4.14.3-2
+- fix bz#1164609, CVE-2014-8600, Insufficient Input Validation By IO Slaves
+
* Sat Nov 08 2014 Rex Dieter <rdieter at fedoraproject.org> - 4.14.3-1
- 4.14.3