From c24e41ea44cf2db29715430743d86e0a7bc42ea5 Mon Sep 17 00:00:00 2001 From: André Fabian Silva Delgado Date: Thu, 19 Jun 2014 03:17:36 -0300 Subject: kdelibs-libre-4.13.2-3: KMail/KIO POP3 SSL MITM Flaw --- libre/kdelibs-libre/CVE-2014-3494.patch | 55 +++++++++++++++++++++++++++++++++ libre/kdelibs-libre/PKGBUILD | 17 +++++----- 2 files changed, 65 insertions(+), 7 deletions(-) create mode 100644 libre/kdelibs-libre/CVE-2014-3494.patch (limited to 'libre/kdelibs-libre') diff --git a/libre/kdelibs-libre/CVE-2014-3494.patch b/libre/kdelibs-libre/CVE-2014-3494.patch new file mode 100644 index 000000000..648d4fd7d --- /dev/null +++ b/libre/kdelibs-libre/CVE-2014-3494.patch @@ -0,0 +1,55 @@ +From: David Faure +Date: Wed, 18 Jun 2014 18:29:04 +0000 +Subject: Don't require a job to handle messageboxes. +X-Git-Url: http://quickgit.kde.org/?p=kdelibs.git&a=commitdiff&h=bbae87dc1be3ae063796a582774bd5642cacdd5d +--- +Don't require a job to handle messageboxes. + +The POP3 ioslave doesn't have a job when it gets here. +--- + + +--- a/kio/kio/usernotificationhandler.cpp ++++ b/kio/kio/usernotificationhandler.cpp +@@ -19,7 +19,7 @@ + #include "usernotificationhandler_p.h" + + #include "slave.h" +-#include "job_p.h" ++#include "jobuidelegate.h" + + #include + +@@ -76,19 +76,18 @@ + + if (m_cachedResults.contains(key)) { + result = *(m_cachedResults[key]); +- } else if (r->slave->job()) { +- SimpleJobPrivate* jobPrivate = SimpleJobPrivate::get(r->slave->job()); +- if (jobPrivate) { +- result = jobPrivate->requestMessageBox(r->type, +- r->data.value(MSG_TEXT).toString(), +- r->data.value(MSG_CAPTION).toString(), +- r->data.value(MSG_YES_BUTTON_TEXT).toString(), +- r->data.value(MSG_NO_BUTTON_TEXT).toString(), +- r->data.value(MSG_YES_BUTTON_ICON).toString(), +- r->data.value(MSG_NO_BUTTON_ICON).toString(), +- r->data.value(MSG_DONT_ASK_AGAIN).toString(), +- r->data.value(MSG_META_DATA).toMap()); +- } ++ } else { ++ JobUiDelegate ui; ++ const JobUiDelegate::MessageBoxType type = static_cast(r->type); ++ result = ui.requestMessageBox(type, ++ r->data.value(MSG_TEXT).toString(), ++ r->data.value(MSG_CAPTION).toString(), ++ r->data.value(MSG_YES_BUTTON_TEXT).toString(), ++ r->data.value(MSG_NO_BUTTON_TEXT).toString(), ++ r->data.value(MSG_YES_BUTTON_ICON).toString(), ++ r->data.value(MSG_NO_BUTTON_ICON).toString(), ++ r->data.value(MSG_DONT_ASK_AGAIN).toString(), ++ r->data.value(MSG_META_DATA).toMap()); + m_cachedResults.insert(key, new int(result)); + } + } else { + diff --git a/libre/kdelibs-libre/PKGBUILD b/libre/kdelibs-libre/PKGBUILD index b3208d956..c1031943c 100644 --- a/libre/kdelibs-libre/PKGBUILD +++ b/libre/kdelibs-libre/PKGBUILD @@ -1,4 +1,4 @@ -# $Id: PKGBUILD 214788 2014-06-10 17:50:05Z andyrtr $ +# $Id: PKGBUILD 215302 2014-06-18 21:22:58Z andrea $ # Maintainer (Arch): Andrea Scarpino # Maintainer: André Silva @@ -6,7 +6,7 @@ _pkgname=kdelibs pkgname=kdelibs-libre pkgver=4.13.2 -pkgrel=2 +pkgrel=3 pkgdesc="KDE Core Libraries, without nonfree plugins recommendation support" arch=('i686' 'x86_64' 'mips64el') url='https://projects.kde.org/projects/kde/kdelibs' @@ -21,26 +21,29 @@ depends=('attica' 'libxss' 'krb5' 'grantlee' 'qca' 'libdbusmenu-qt' 'polkit-qt' makedepends=('cmake' 'automoc4' 'avahi' 'libgl' 'hspell' 'mesa') install=${_pkgname}.install source=("http://download.kde.org/stable/${pkgver}/src/${_pkgname}-${pkgver}.tar.xz" - 'kde-applications-menu.patch' 'qt4.patch' 'khtml-fsdg.diff') + 'kde-applications-menu.patch' 'khtml-fsdg.diff' 'qt4.patch' + 'CVE-2014-3494.patch') sha1sums=('c540edeb7da23f5a8feacb4d775bce43f2060a96' '86ee8c8660f19de8141ac99cd6943964d97a1ed7' + 'a1502a964081ad583a00cf90c56e74bf60121830' 'ed1f57ee661e5c7440efcaba7e51d2554709701c' - 'a1502a964081ad583a00cf90c56e74bf60121830') + 'c8b4010c68cee6352a68d97da3d5316f52207e83') prepare() { + mkdir build cd ${_pkgname}-${pkgver} # avoid file conflict with gnome-menus patch -p1 -i "${srcdir}"/kde-applications-menu.patch + # don't ask the user to download a plugin, it's probably nonfree. + patch -p1 -i "${srcdir}"/khtml-fsdg.diff # qmake refers to Qt5 patch -p1 -i "${srcdir}"/qt4.patch # fix build with giflib 5.1.0 sed -i "/DGifCloseFile/s:file:&, NULL:g" khtml/imload/decoders/gifloader.cpp - # don't ask the user to download a plugin, it's probably nonfree. - patch -p1 -i "${srcdir}"/khtml-fsdg.diff + patch -p1 -i "${srcdir}"/CVE-2014-3494.patch } build() { - mkdir build cd build cmake ../${_pkgname}-${pkgver} \ -DCMAKE_BUILD_TYPE=Release \ -- cgit v1.2.3-54-g00ecf