jreznik pushed to kdelibs3 (epel7). "fix for CVE-2009-2702 (..more)"
notifications at fedoraproject.org
notifications at fedoraproject.org
Thu Apr 2 15:35:22 UTC 2015
>From 79734ca9df11fb79bae20a5c49bb2c2d829a74fe Mon Sep 17 00:00:00 2001
From: Than Ngo <than at fedoraproject.org>
Date: Fri, 4 Sep 2009 12:48:11 +0000
Subject: fix for CVE-2009-2702 drop support fedora <10
diff --git a/kdelibs-3.5.10-CVE-2009-2702.patch b/kdelibs-3.5.10-CVE-2009-2702.patch
new file mode 100644
index 0000000..e6f06a7
--- /dev/null
+++ b/kdelibs-3.5.10-CVE-2009-2702.patch
@@ -0,0 +1,62 @@
+diff -pruN kdelibs-3.5.4.orig/kio/kssl/kopenssl.cc kdelibs-3.5.4/kio/kssl/kopenssl.cc
+--- kdelibs-3.5.4.orig/kio/kssl/kopenssl.cc 2009-08-31 20:50:12.000000000 +0200
++++ kdelibs-3.5.4/kio/kssl/kopenssl.cc 2009-08-31 21:46:47.000000000 +0200
+@@ -196,6 +196,7 @@ static int (*K_X509_NAME_add_entry_by_tx
+ static X509_NAME *(*K_X509_NAME_new)() = 0L;
+ static int (*K_X509_REQ_set_subject_name)(X509_REQ*,X509_NAME*) = 0L;
+ static unsigned char *(*K_ASN1_STRING_data)(ASN1_STRING*) = 0L;
++static int (*K_ASN1_STRING_length)(ASN1_STRING*) = 0L;
+ static STACK_OF(SSL_CIPHER) *(*K_SSL_get_ciphers)(const SSL *ssl) = 0L;
+
+ #endif
+@@ -498,6 +499,7 @@ KConfig *cfg;
+ K_X509_NAME_new = (X509_NAME *(*)()) _cryptoLib->symbol("X509_NAME_new");
+ K_X509_REQ_set_subject_name = (int (*)(X509_REQ*,X509_NAME*)) _cryptoLib->symbol("X509_REQ_set_subject_name");
+ K_ASN1_STRING_data = (unsigned char *(*)(ASN1_STRING*)) _cryptoLib->symbol("ASN1_STRING_data");
++ K_ASN1_STRING_length = (int (*)(ASN1_STRING*)) _cryptoLib->symbol("ASN1_STRING_length");
+ #endif
+ }
+
+@@ -1549,6 +1551,13 @@ unsigned char *KOpenSSLProxy::ASN1_STRIN
+ return 0L;
+ }
+
++
++int KOpenSSLProxy::ASN1_STRING_length(ASN1_STRING *x) {
++ if (K_ASN1_STRING_length) return (K_ASN1_STRING_length)(x);
++ return 0L;
++}
++
++
+ STACK_OF(SSL_CIPHER) *KOpenSSLProxy::SSL_get_ciphers(const SSL* ssl) {
+ if (K_SSL_get_ciphers) return (K_SSL_get_ciphers)(ssl);
+ return 0L;
+diff -pruN kdelibs-3.5.4.orig/kio/kssl/kopenssl.h kdelibs-3.5.4/kio/kssl/kopenssl.h
+--- kdelibs-3.5.4.orig/kio/kssl/kopenssl.h 2006-07-22 10:16:39.000000000 +0200
++++ kdelibs-3.5.4/kio/kssl/kopenssl.h 2009-08-31 21:46:47.000000000 +0200
+@@ -622,6 +622,11 @@ public:
+ unsigned char *ASN1_STRING_data(ASN1_STRING *x);
+
+ /*
++ * ASN1_STRING_length
++ */
++ int ASN1_STRING_length(ASN1_STRING *x);
++
++ /*
+ *
+ */
+ int OBJ_obj2nid(ASN1_OBJECT *o);
+diff -pruN kdelibs-3.5.4.orig/kio/kssl/ksslcertificate.cc kdelibs-3.5.4/kio/kssl/ksslcertificate.cc
+--- kdelibs-3.5.4.orig/kio/kssl/ksslcertificate.cc 2006-01-19 18:06:12.000000000 +0100
++++ kdelibs-3.5.4/kio/kssl/ksslcertificate.cc 2009-08-31 21:54:38.000000000 +0200
+@@ -1099,7 +1099,9 @@ QStringList KSSLCertificate::subjAltName
+ }
+
+ QString s = (const char *)d->kossl->ASN1_STRING_data(val->d.ia5);
+- if (!s.isEmpty()) {
++ if (!s.isEmpty() &&
++ /* skip subjectAltNames with embedded NULs */
++ s.length() == d->kossl->ASN1_STRING_length(val->d.ia5)) {
+ rc += s;
+ }
+ }
diff --git a/kdelibs3.spec b/kdelibs3.spec
index 6aa9260..f954581 100644
--- a/kdelibs3.spec
+++ b/kdelibs3.spec
@@ -8,13 +8,7 @@
%define arts 1
%define arts_ev 8:1.5.10
-
-%if 0%{?fedora} > 8
%define qt3 qt3
-%else
-%define qt3_epoch 1:
-%define qt3 qt
-%endif
%define qt3_version 3.3.8b
%define qt3_ev %{?qt3_epoch}%{qt3_version}
# unfortunately, this doesn't work for 3.3.8b which still identifies as 3.3.8
@@ -36,18 +30,11 @@
Summary: K Desktop Environment 3 - Libraries
Version: 3.5.10
-Release: 14%{?dist}
+Release: 15%{?dist}
-%if 0%{?fedora} > 8
Name: kdelibs3
Obsoletes: kdelibs < 6:%{version}-%{release}
Provides: kdelibs = 6:%{version}-%{release}
-%else
-Name: kdelibs
-Epoch: 6
-Obsoletes: kdelibs3 < %{version}-%{release}
-Provides: kdelibs3 = %{version}-%{release}
-%endif
License: LGPLv2
Url: http://www.kde.org/
@@ -108,6 +95,8 @@ Patch202: kdelibs-3.5.4-CVE-2009-1687.patch
Patch203: kdelibs-3.5.4-CVE-2009-1690.patch
# fix CVE-2009-1698 - crash, possible ACE in CSS style attribute handling
Patch204: kdelibs-3.5.10-cve-2009-1698.patch
+# fix CVE-2009-2702 - ssl incorrect verification of SSL certificate with NUL in subjectAltName
+Patch205: kdelibs-3.5.10-CVE-2009-2702.patch
#{?arts:Requires: arts >= %{arts_ev}}
#Requires: %{qt3} >= %{qt3_ev}
@@ -116,22 +105,18 @@ Requires: hicolor-icon-theme
Requires: kde-settings >= 3.5
%endif
Requires: kde-filesystem
-%if "%{name}" != "kdelibs"
Requires: kdelibs-common
-%endif
Requires: redhat-menus
Requires: shadow-utils
BuildRequires: sudo
Requires(hint): sudo
-%if 0%{?fedora} > 4 || 0%{?rhel} > 4
%define libkdnssd libkdnssd
# omit for now, may contribute to http://bugzilla.redhat.com/441222
#Requires: %{libkdnssd}
%define BuildRequires: xorg-x11-proto-devel libX11-devel
%define _with_rgbfile --with-rgbfile=%{_datadir}/X11/rgb.txt
Requires: iceauth
-%endif
Requires(pre): coreutils
Requires(post): /sbin/ldconfig
@@ -163,24 +148,16 @@ BuildRequires: libart_lgpl-devel
BuildRequires: bzip2-devel
BuildRequires: libtiff-devel
BuildRequires: libacl-devel libattr-devel
-%if 0%{?fedora} >= 9
BuildRequires: enchant-devel
Requires: hunspell
-%else
-BuildRequires: aspell-devel
-%endif
BuildRequires: krb5-devel
BuildRequires: openldap-devel
BuildRequires: db4-devel
BuildRequires: alsa-lib-devel
BuildRequires: pkgconfig
BuildRequires: glibc-kernheaders
-%if 0%{?fedora} > 5 || 0%{?rhel} > 4
%define _with_libutempter 1
BuildRequires: libutempter-devel
-%else
-BuildRequires: utempter
-%endif
BuildRequires: findutils
BuildRequires: jasper-devel
BuildRequires: OpenEXR-devel
@@ -211,13 +188,8 @@ kimgio (image manipulation).
%package devel
Group: Development/Libraries
Summary: Header files and documentation for compiling KDE 3 applications.
-%if "%{name}" == "kdelibs"
-Obsoletes: kdelibs3-devel < %{version}-%{release}
-Provides: kdelibs3-devel = %{version}-%{release}
-%else
Obsoletes: kdelibs-devel < 6:%{version}-%{release}
Provides: kdelibs-devel = 6:%{version}-%{release}
-%endif
Requires: %{name}%{?_isa} = %{?epoch:%{epoch}:}%{version}-%{release}
Requires: %{qt3}-devel
Requires: openssl-devel
@@ -231,15 +203,9 @@ applications for KDE 3.
Group: Development/Documentation
Summary: KDE 3 API documentation.
Requires: %{name} = %{?epoch:%{epoch}:}%{version}
-%if "%{name}" == "kdelibs"
-Provides: kdelibs3-apidocs = %{version}-%{release}
-%else
Obsoletes: kdelibs-apidocs < 6:%{version}-%{release}
Provides: kdelibs-apidocs = 6:%{version}-%{release}
-%endif
-%if 0%{?fedora} > 9
BuildArch: noarch
-%endif
%description apidocs
This package includes the KDE 3 API documentation in HTML
@@ -266,16 +232,12 @@ format for easy browsing
%patch43 -p1 -b .lang
%patch45 -p1 -b .xdg-autostart
%patch46 -p1 -b .kate-vhdl
-%if 0%{?fedora} >= 9
%patch48 -p1 -b .kspell
%patch49 -p1 -b .kspell2
%patch50 -p1 -b .no-ispell
-%endif
%patch51 -p1 -b .cupsserverbin
%patch52 -p1 -b .KDE3
-%if "%{name}" != "kdelibs"
%patch53 -p1 -b .drkonqi-kde4
-%endif
%patch54 -p1 -b .flock-redefinition
%patch55 -p1 -b .latex-syntax
@@ -289,6 +251,7 @@ format for easy browsing
%patch202 -p1 -b .cve-2009-1687
%patch203 -p1 -b .cve-2009-1690
%patch204 -p1 -b .cve-2009-1698
+%patch205 -p1 -b .cve-2009-2702
sed -i -e "s,^#define KDE_VERSION_STRING .*,#define KDE_VERSION_STRING \"%{version}-%{release} %{distname}\"," kdecore/kdeversion.h
@@ -331,11 +294,7 @@ export DO_NOT_COMPILE="libkscreensaver"
--enable-sendfile \
--with-distribution="$(cat /etc/redhat-release 2>/dev/null)" \
--with-alsa \
-%if 0%{?fedora} >= 9
--without-aspell \
-%else
- --with-aspell \
-%endif
--without-hspell \
--disable-libfam \
--enable-dnotify \
@@ -384,13 +343,6 @@ popd
install -p -m 644 -D %{SOURCE1} %{buildroot}%{_sysconfdir}/profile.d/kde.sh
install -p -m 644 -D %{SOURCE2} %{buildroot}%{_sysconfdir}/profile.d/kde.csh
-%if "%{name}" == "kdelibs"
-# menus
-mkdir -p %{buildroot}%{_sysconfdir}/kde/xdg/menus
-mv %{buildroot}%{_sysconfdir}/xdg/menus/applications.menu \
- %{buildroot}%{_sysconfdir}/xdg/menus/kde-applications.menu
-%endif
-
# Use hicolor-icon-theme rpm/pkg instead (#178319)
rm -rf $RPM_BUILD_ROOT%{_datadir}/icons/hicolor/
@@ -426,7 +378,6 @@ find $RPM_BUILD_ROOT%{_libdir} -name "*.la" | xargs \
rm -f %{buildroot}%{_libdir}/libkdnssd.la
%{?libkdnssd:rm -rf %{buildroot}{%{_libdir}/libkdnssd.*,%{_includedir}/kde/dnssd}}
-%if "%{name}" != "kdelibs"
# remove conflicts with kdelibs-4
rm -f %{buildroot}%{_bindir}/checkXML
rm -f %{buildroot}%{_bindir}/ksvgtopng
@@ -484,8 +435,6 @@ rm -f %{buildroot}%{_bindir}/preparetips
# don't show kresources
sed -i -e "s,^OnlyShowIn=KDE;,OnlyShowIn=KDE3;," %{buildroot}%{_datadir}/applications/kde/kresources.desktop
-%endif
-
%if 0%{?include_crystalsvg} == 0
# remove all crystalsvg icons for now
rm -rf %{buildroot}%{_datadir}/icons/crystalsvg/
@@ -600,15 +549,7 @@ touch --no-create %{_datadir}/icons/crystalsvg 2> /dev/null || :
%{_datadir}/servicetypes/*
%ghost %{_datadir}/services/ksycoca
%{_docdir}/HTML/en/kspell
-%if "%{name}" == "kdelibs"
-%{_sysconfdir}/xdg/menus/*.menu
-%{_datadir}/autostart/*
-# include also the conflicting file in kdelibs fedora < 9
-%{_docdir}/HTML/en/common
-%{_datadir}/locale/all_languages
-%else
%{_docdir}/HTML/en/common/*
-%endif
%if 0%{?include_crystalsvg}
%{_datadir}/icons/crystalsvg/
%endif
@@ -616,12 +557,6 @@ touch --no-create %{_datadir}/icons/crystalsvg 2> /dev/null || :
%files devel
%defattr(-,root,root,-)
# include also the conflicting file in kdelibs-devel fedora < 9
-%if "%{name}" == "kdelibs"
-%{_bindir}/checkXML
-%{_bindir}/ksvgtopng
-%{_bindir}/kunittestmodrunner
-%{_bindir}/preparetips
-%endif
%{_bindir}/dcopidl*
%{_bindir}/kconfig_compiler
%{_bindir}/makekdewidgets
@@ -640,6 +575,9 @@ touch --no-create %{_datadir}/icons/crystalsvg 2> /dev/null || :
%changelog
+* Fri Sep 04 2009 Than Ngo <than at redhat.com> - 3.5.10-15
+- fix for CVE-2009-2702
+
* Thu Sep 03 2009 Rex Dieter <rdieter at fedoraproject.org> - 3.5.10-14
- kde.(sh|csh): drop KDE_IS_PRELINKED (workaround bug #515539)
--
cgit v0.10.2
http://pkgs.fedoraproject.org/cgit/kdelibs3.git/commit/?h=epel7&id=79734ca9df11fb79bae20a5c49bb2c2d829a74fe
More information about the scm-commits
mailing list