From d3d0811e23787b5c66edf94b3351a1555eb5010f Mon Sep 17 00:00:00 2001 From: root Date: Fri, 21 Oct 2011 23:14:54 +0000 Subject: Fri Oct 21 23:14:53 UTC 2011 --- extra/kdeutils/CVE-2011-2725.patch | 20 ++++++++++++++++++++ extra/kdeutils/PKGBUILD | 29 ++++++++++++++++++++--------- 2 files changed, 40 insertions(+), 9 deletions(-) create mode 100644 extra/kdeutils/CVE-2011-2725.patch (limited to 'extra/kdeutils') diff --git a/extra/kdeutils/CVE-2011-2725.patch b/extra/kdeutils/CVE-2011-2725.patch new file mode 100644 index 000000000..986bebc90 --- /dev/null +++ b/extra/kdeutils/CVE-2011-2725.patch @@ -0,0 +1,20 @@ +--- a/part/part.cpp ++++ b/part/part.cpp +@@ -558,8 +558,15 @@ void Part::slotPreviewExtracted(KJob *jo + if (!job->error()) { + const ArchiveEntry& entry = + m_model->entryForIndex(m_view->selectionModel()->currentIndex()); +- const QString fullName = +- m_previewDir->name() + QLatin1Char( '/' ) + entry[ FileName ].toString(); ++ ++ QString fullName = ++ m_previewDir->name() + QLatin1Char('/') + entry[FileName].toString(); ++ ++ // Make sure a maliciously crafted archive with parent folders named ".." do ++ // not cause the previewed file path to be located outside the temporary ++ // directory, resulting in a directory traversal issue. ++ fullName.remove(QLatin1String("../")); ++ + ArkViewer::view(fullName, widget()); + } else { + KMessageBox::error(widget(), job->errorString()); diff --git a/extra/kdeutils/PKGBUILD b/extra/kdeutils/PKGBUILD index fe47af50e..66fde812f 100644 --- a/extra/kdeutils/PKGBUILD +++ b/extra/kdeutils/PKGBUILD @@ -1,4 +1,4 @@ -# $Id: PKGBUILD 140028 2011-10-05 19:12:50Z andrea $ +# $Id: PKGBUILD 140971 2011-10-20 07:26:23Z andrea $ # Maintainer: Andrea Scarpino # Contributor: Pierre Schmitz @@ -17,7 +17,7 @@ pkgname=('kdeutils-ark' 'kdeutils-superkaramba' 'kdeutils-sweeper') pkgver=4.7.2 -pkgrel=1 +pkgrel=2 arch=('i686' 'x86_64') url='http://www.kde.org' license=('GPL' 'LGPL' 'FDL') @@ -25,17 +25,31 @@ groups=('kde' 'kdeutils') makedepends=('pkgconfig' 'cmake' 'automoc4' 'kdebase-lib' 'kdebase-workspace' 'kdebindings-python' 'system-config-printer-common' 'libarchive' 'qimageblitz' 'qjson') -source=("http://download.kde.org/stable/${pkgver}/src/${pkgbase}-${pkgver}.tar.bz2") -sha1sums=('52ce9b6b5f2c20475f46b6f7378ca4c530df37b4') +source=("http://download.kde.org/stable/${pkgver}/src/${pkgbase}-${pkgver}.tar.bz2" + 'CVE-2011-2725.patch') +sha1sums=('52ce9b6b5f2c20475f46b6f7378ca4c530df37b4' + 'bc7428edb6851b4f3dc772bc88ace576379e93f2') build() { - cd ${srcdir} + cd "${srcdir}"/${pkgbase}-${pkgver}/ark + patch -p1 -i "${srcdir}"/CVE-2011-2725.patch + + # Use Python2 + cd "${srcdir}"/${pkgbase}-${pkgver} + sed -i 's|/usr/bin/python|/usr/bin/python2|' \ + kcharselect/kcharselect-generate-datafile.py \ + superkaramba/examples/richtext/rtext.py + sed -i 's|/usr/bin/env python|/usr/bin/env python2|' \ + printer-applet/{authconn,debug,monitor,printer-applet,statereason}.py + + cd "${srcdir}" mkdir build cd build cmake ../${pkgbase}-${pkgver} \ -DCMAKE_BUILD_TYPE=Release \ -DCMAKE_SKIP_RPATH=ON \ - -DCMAKE_INSTALL_PREFIX=/usr + -DCMAKE_INSTALL_PREFIX=/usr \ + -DPYTHON_EXECUTABLE=/usr/bin/python2 make } @@ -159,9 +173,6 @@ package_kdeutils-printer-applet() { make DESTDIR=$pkgdir install cd $srcdir/build/printer-applet/doc make DESTDIR=$pkgdir install - - # Use the python2 executable - find "${pkgdir}" -name '*.py' | xargs sed -i 's|#!/usr/bin/env python|#!/usr/bin/env python2|' } package_kdeutils-superkaramba() { -- cgit v1.2.3-54-g00ecf