authorAndré Fabian Silva Delgado <emulatorman@parabola.nu>2014-06-19 03:17:36 -0300
committerAndré Fabian Silva Delgado <emulatorman@parabola.nu>2014-06-19 03:17:36 -0300
commitc24e41ea44cf2db29715430743d86e0a7bc42ea5 (patch)
tree65c75dc17c633610af6041edb682c3cc74fd15e3
parent3ccd2ef1b87c3642d384b16fa109c8a524aadeeb (diff)
kdelibs-libre-4.13.2-3: KMail/KIO POP3 SSL MITM Flaw
-rw-r--r--libre/kdelibs-libre/CVE-2014-3494.patch55
-rw-r--r--libre/kdelibs-libre/PKGBUILD17
2 files changed, 65 insertions, 7 deletions
diff --git a/libre/kdelibs-libre/CVE-2014-3494.patch b/libre/kdelibs-libre/CVE-2014-3494.patch
new file mode 100644
index 000000000..648d4fd7d
--- /dev/null
+++ b/libre/kdelibs-libre/CVE-2014-3494.patch
@@ -0,0 +1,55 @@
+From: David Faure <faure@kde.org>
+Date: Wed, 18 Jun 2014 18:29:04 +0000
+Subject: Don't require a job to handle messageboxes.
+X-Git-Url: http://quickgit.kde.org/?p=kdelibs.git&a=commitdiff&h=bbae87dc1be3ae063796a582774bd5642cacdd5d
+---
+Don't require a job to handle messageboxes.
+
+The POP3 ioslave doesn't have a job when it gets here.
+---
+
+
+--- a/kio/kio/usernotificationhandler.cpp
++++ b/kio/kio/usernotificationhandler.cpp
+@@ -19,7 +19,7 @@
+ #include "usernotificationhandler_p.h"
+
+ #include "slave.h"
+-#include "job_p.h"
++#include "jobuidelegate.h"
+
+ #include <kdebug.h>
+
+@@ -76,19 +76,18 @@
+
+ if (m_cachedResults.contains(key)) {
+ result = *(m_cachedResults[key]);
+- } else if (r->slave->job()) {
+- SimpleJobPrivate* jobPrivate = SimpleJobPrivate::get(r->slave->job());
+- if (jobPrivate) {
+- result = jobPrivate->requestMessageBox(r->type,
+- r->data.value(MSG_TEXT).toString(),
+- r->data.value(MSG_CAPTION).toString(),
+- r->data.value(MSG_YES_BUTTON_TEXT).toString(),
+- r->data.value(MSG_NO_BUTTON_TEXT).toString(),
+- r->data.value(MSG_YES_BUTTON_ICON).toString(),
+- r->data.value(MSG_NO_BUTTON_ICON).toString(),
+- r->data.value(MSG_DONT_ASK_AGAIN).toString(),
+- r->data.value(MSG_META_DATA).toMap());
+- }
++ } else {
++ JobUiDelegate ui;
++ const JobUiDelegate::MessageBoxType type = static_cast<JobUiDelegate::MessageBoxType>(r->type);
++ result = ui.requestMessageBox(type,
++ r->data.value(MSG_TEXT).toString(),
++ r->data.value(MSG_CAPTION).toString(),
++ r->data.value(MSG_YES_BUTTON_TEXT).toString(),
++ r->data.value(MSG_NO_BUTTON_TEXT).toString(),
++ r->data.value(MSG_YES_BUTTON_ICON).toString(),
++ r->data.value(MSG_NO_BUTTON_ICON).toString(),
++ r->data.value(MSG_DONT_ASK_AGAIN).toString(),
++ r->data.value(MSG_META_DATA).toMap());
+ m_cachedResults.insert(key, new int(result));
+ }
+ } else {
+
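Review bot: In the new `else` branch, `static_cast<JobUiDelegate::MessageBoxType>(r->type)` converts the request type without checking that it is a valid enumerator, and `r->type` presumably comes from the ioslave's request. Every slave without a job now reaches this path, so either confirm that `requestMessageBox` refuses unknown types or validate `r->type` before the cast. The result is also stored in `m_cachedResults` unconditionally, so one answer (including whatever a dismissed dialog returns) is reused for the same key; how the key is built is not visible here, so check that reuse is acceptable for SSL warnings. A comment such as `// No job (e.g. POP3 slave): ask through a parentless JobUiDelegate so the prompt is never skipped` would explain why the delegate is built locally. The enclosing function starts and ends outside the hunk.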
diff --git a/libre/kdelibs-libre/PKGBUILD b/libre/kdelibs-libre/PKGBUILD
index b3208d956..c1031943c 100644
--- a/libre/kdelibs-libre/PKGBUILD
+++ b/libre/kdelibs-libre/PKGBUILD
@@ -1,4 +1,4 @@
-# $Id: PKGBUILD 214788 2014-06-10 17:50:05Z andyrtr $
+# $Id: PKGBUILD 215302 2014-06-18 21:22:58Z andrea $
# Maintainer (Arch): Andrea Scarpino <andrea@archlinux.org
# Contributor (Arch): Pierre Schmitz <pierre@archlinux.de>
# Maintainer: André Silva <emulatorman@parabola.nu>
@@ -6,7 +6,7 @@
_pkgname=kdelibs
pkgname=kdelibs-libre
pkgver=4.13.2
-pkgrel=2
+pkgrel=3
pkgdesc="KDE Core Libraries, without nonfree plugins recommendation support"
arch=('i686' 'x86_64' 'mips64el')
url='https://projects.kde.org/projects/kde/kdelibs'
@@ -21,26 +21,29 @@ depends=('attica' 'libxss' 'krb5' 'grantlee' 'qca' 'libdbusmenu-qt' 'polkit-qt'
makedepends=('cmake' 'automoc4' 'avahi' 'libgl' 'hspell' 'mesa')
install=${_pkgname}.install
source=("http://download.kde.org/stable/${pkgver}/src/${_pkgname}-${pkgver}.tar.xz"
- 'kde-applications-menu.patch' 'qt4.patch' 'khtml-fsdg.diff')
+ 'kde-applications-menu.patch' 'khtml-fsdg.diff' 'qt4.patch'
+ 'CVE-2014-3494.patch')
sha1sums=('c540edeb7da23f5a8feacb4d775bce43f2060a96'
'86ee8c8660f19de8141ac99cd6943964d97a1ed7'
+ 'a1502a964081ad583a00cf90c56e74bf60121830'
'ed1f57ee661e5c7440efcaba7e51d2554709701c'
- 'a1502a964081ad583a00cf90c56e74bf60121830')
+ 'c8b4010c68cee6352a68d97da3d5316f52207e83')
prepare() {
+ mkdir build
cd ${_pkgname}-${pkgver}
# avoid file conflict with gnome-menus
patch -p1 -i "${srcdir}"/kde-applications-menu.patch
+ # don't ask the user to download a plugin, it's probably nonfree.
+ patch -p1 -i "${srcdir}"/khtml-fsdg.diff
# qmake refers to Qt5
patch -p1 -i "${srcdir}"/qt4.patch
# fix build with giflib 5.1.0
sed -i "/DGifCloseFile/s:file:&, NULL:g" khtml/imload/decoders/gifloader.cpp
- # don't ask the user to download a plugin, it's probably nonfree.
- patch -p1 -i "${srcdir}"/khtml-fsdg.diff
+ patch -p1 -i "${srcdir}"/CVE-2014-3494.patch
}
build() {
- mkdir build
cd build
cmake ../${_pkgname}-${pkgver} \
-DCMAKE_BUILD_TYPE=Release \
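Review bot: The new `patch -p1 -i "${srcdir}"/CVE-2014-3494.patch` line in prepare() is the only patch step without a comment, so the recipe does not say why the security fix is applied. I would add `# CVE-2014-3494: KIO skipped message boxes for slaves without a job (POP3 SSL MITM)` above it. Separately, the integrity of the added patch and of the tarball rests on `sha1sums` alone, and `source` still fetches the tarball over plain `http://`. A parallel `sha256sums=(...)` array would give a stronger pin. build() continues outside the hunk.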