[SECURITY] KDE-3.2.2

Sob, 15 Maj 2004, 17:14:23 CEST

Hej,

W KDE w wersjach 3.2.2 i wcześniejszych wykryto błąd pozwalający
tworzyć / obcinać pliki o wybranej nazwie poprzez odpowiednio
skonstruowany URL. Oficjalne ogłoszenie będzie w poniedziałek.

W załączniku dwie łatki, które będą dostarczone razem z ogłoszeniem oraz
łatka na speca (dodaje patche oraz BR).
-- 
--= Michal Kochanowicz =--==--==BOFH==--==--= michal w michal.waw.pl =--
--= finger me for PGP public key or visit http://michal.waw.pl/PGP =--
--==--==--==--==--==-- Vodka. Connecting people.--==--==--==--==--==--
A chodzenie po górach SSIE!!!
-------------- następna część ---------
Index: kapplication.cpp
===================================================================
RCS file: /home/kde/kdelibs/kdecore/kapplication.cpp,v
retrieving revision 1.637.2.8
diff -u -p -r1.637.2.8 kapplication.cpp

--- kdelibs/kdecore/kapplication.cpp	8 Apr 2004 09:56:28 -0000	1.637.2.8
+++ kdelibs/kdecore/kapplication.cpp	14 May 2004 12:24:53 -0000
@@ -2172,7 +2172,7 @@ void KApplication::invokeMailer(const QS
 
    if (command.isEmpty() || command == QString::fromLatin1("kmail")
        || command.endsWith("/kmail"))
-     command = QString::fromLatin1("kmail --composer -s %s -c %c -b %b --body %B --attach %A %t");
+     command = QString::fromLatin1("kmail --composer -s %s -c %c -b %b --body %B --attach %A -- %t");
 
    // TODO: Take care of the preferred terminal app (instead of hardcoding
    // Konsole), this will probably require a rewrite of the configurable
-------------- następna część ---------
Index: ktelnetservice.cpp
===================================================================
RCS file: /home/kde/kdelibs/kio/misc/ktelnetservice.cpp,v
retrieving revision 1.7.2.1
diff -u -p -r1.7.2.1 ktelnetservice.cpp
--- kio/misc/ktelnetservice.cpp	18 Feb 2004 11:42:12 -0000	1.7.2.1
+++ kio/misc/ktelnetservice.cpp	13 May 2004 15:12:14 -0000
@@ -77,10 +77,19 @@ int main(int argc, char **argv)
 		cmd << url.user();
 	}
 
+        QString host;
         if (!url.host().isEmpty())
-           cmd << url.host(); // telnet://host
+           host = url.host(); // telnet://host
         else if (!url.path().isEmpty())
-           cmd << url.path(); // telnet:host
+           host = url.path(); // telnet:host
+
+        if (host.isEmpty() || host.startsWith("-"))
+        {
+            kdError() << "Invalid hostname " << host << endl;
+            return 2;
+        }
+
+        cmd << host;
         
 	if (url.port()){
             if ( url.protocol() == "ssh" )
-------------- następna część ---------
Index: kdelibs.spec
===================================================================
RCS file: /cvsroot/SPECS/kdelibs.spec,v
retrieving revision 1.312
diff -u -r1.312 kdelibs.spec
--- kdelibs.spec	13 May 2004 17:06:40 -0000	1.312
+++ kdelibs.spec	15 May 2004 15:11:42 -0000
@@ -22,7 +22,7 @@
 Summary(uk):	K Desktop Environment - âŚÂĚŚĎÔĹËÉ
 Name:		kdelibs
 Version:	%{_ver}
-Release:	2
+Release:	3
 Epoch:		9
 License:	LGPL
 Group:		X11/Libraries
@@ -39,6 +39,8 @@
 ##Patch4:		%{name}-add_japanese_utf8_detection.patch
 Patch5:		%{name}-idn.patch
 Patch6:		kde-common-QTDOCDIR.patch
+Patch7:		%{name}-ktelnetservice.patch
+Patch8:		%{name}-kapplication.patch
 Icon:		kdelibs.xpm
 URL:		http://www.kde.org/
 BuildRequires:	unsermake >= 040511
@@ -85,6 +87,7 @@
 BuildRequires:	rpmbuild(macros) >= 1.129
 BuildRequires:	zlib-devel
 BuildRequires:	libidn-devel
+BuildRequires:	expat-devel
 %if %{with apidocs}
 BuildRequires:	qt-doc >= %{qtver}
 BuildRequires:	doxygen
@@ -265,6 +268,8 @@
 ###%patch4 -p1
 %patch5 -p0
 %patch6 -p1
+%patch7 -p0
+%patch8 -p1
 
 # unwanted manpages (no binaries)
 rm -f debian/{kdb2html.sgml,knotify.sgml,xml2man.sgml}
