rev 16509 - trunk/packages/kde3libs/debian/patches

Scott Kitterman kitterma-guest at alioth.debian.org
Thu Dec 31 20:13:05 UTC 2009


Author: kitterma-guest
Date: 2009-12-31 20:13:05 +0000 (Thu, 31 Dec 2009)
New Revision: 16509

Added:
   trunk/packages/kde3libs/debian/patches/65_gcc4.4_ftbfs.diff
   trunk/packages/kde3libs/debian/patches/CVE-2009-0689.diff
   trunk/packages/kde3libs/debian/patches/security_05_XMLHttpRequest_vulnerability.diff
Log:
svn add the patches ....

Added: trunk/packages/kde3libs/debian/patches/65_gcc4.4_ftbfs.diff
===================================================================
--- trunk/packages/kde3libs/debian/patches/65_gcc4.4_ftbfs.diff	                        (rev 0)
+++ trunk/packages/kde3libs/debian/patches/65_gcc4.4_ftbfs.diff	2009-12-31 20:13:05 UTC (rev 16509)
@@ -0,0 +1,26 @@
+#
+# Upstream: https://bugs.kde.org/show_bug.cgi?id=193242
+# Patch: http://websvn.kde.org/?view=rev&revision=975371
+# Description: fix FTBFS when using gcc-4.4
+#
+diff -Nur -x '*.orig' -x '*~' kdelibs-3.5.10.dfsg.1/kioslave/ftp/ftp.cc kdelibs-3.5.10.dfsg.1.new/kioslave/ftp/ftp.cc
+--- kdelibs-3.5.10.dfsg.1/kioslave/ftp/ftp.cc	2008-08-19 13:18:12.000000000 -0500
++++ kdelibs-3.5.10.dfsg.1.new/kioslave/ftp/ftp.cc	2009-09-15 15:45:06.536486919 -0500
+@@ -876,7 +876,7 @@
+   // The usual answer is '227 Entering Passive Mode. (160,39,200,55,6,245)'
+   // but anonftpd gives '227 =160,39,200,55,6,245'
+   int i[6];
+-  char *start = strchr(ftpResponse(3), '(');
++  const char *start = strchr(ftpResponse(3), '(');
+   if ( !start )
+     start = strchr(ftpResponse(3), '=');
+   if ( !start ||
+@@ -931,7 +931,7 @@
+     return ERR_INTERNAL;
+   }
+ 
+-  char *start = strchr(ftpResponse(3), '|');
++  const char *start = strchr(ftpResponse(3), '|');
+   if ( !start || sscanf(start, "|||%d|", &portnum) != 1)
+     return ERR_INTERNAL;
+ 

Added: trunk/packages/kde3libs/debian/patches/CVE-2009-0689.diff
===================================================================
--- trunk/packages/kde3libs/debian/patches/CVE-2009-0689.diff	                        (rev 0)
+++ trunk/packages/kde3libs/debian/patches/CVE-2009-0689.diff	2009-12-31 20:13:05 UTC (rev 16509)
@@ -0,0 +1,15 @@
+Description: fix array overrun (CVE-2009-0689)
+Origin: http://websvn.kde.org/?view=revision&revision=1052100
+
+diff -Nur -x '*.orig' -x '*~' kdelibs-3.5.10/kjs/dtoa.cpp kdelibs-3.5.10.new/kjs/dtoa.cpp
+--- kdelibs-3.5.10/kjs/dtoa.cpp	2005-09-10 03:27:24.000000000 -0500
++++ kdelibs-3.5.10.new/kjs/dtoa.cpp	2009-12-03 08:39:37.333058232 -0600
+@@ -487,7 +487,7 @@
+ #define FREE_DTOA_LOCK(n)	/*nothing*/
+ #endif
+ 
+-#define Kmax 15
++#define Kmax (sizeof(size_t) << 3)
+ 
+  struct
+ Bigint {
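Review bot: The replacement `#define Kmax (sizeof(size_t) << 3)` changes the macro's type from int to size_t, so every comparison of a signed index against Kmax elsewhere in dtoa.cpp (not visible in this hunk) is now evaluated in unsigned arithmetic; that is harmless for non-negative k but worth a sentence in the patch so nobody "fixes" it back to a plain integer. The patch also gives no rationale for the new value: the description `fix array overrun (CVE-2009-0689)` names neither the array nor what the bound must cover, and the hunk shows only the define. Presumably Kmax sizes the Bigint free list that Balloc indexes by its k argument and the old constant 15 was below the largest k that could be requested, but that is inferred from dtoa's structure rather than from these lines. A comment on the define such as `/* Kmax: free-list bucket count; must cover every k the allocator can be asked for (CVE-2009-0689) */` would record the reasoning with the fix.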

Added: trunk/packages/kde3libs/debian/patches/security_05_XMLHttpRequest_vulnerability.diff
===================================================================
--- trunk/packages/kde3libs/debian/patches/security_05_XMLHttpRequest_vulnerability.diff	                        (rev 0)
+++ trunk/packages/kde3libs/debian/patches/security_05_XMLHttpRequest_vulnerability.diff	2009-12-31 20:13:05 UTC (rev 16509)
@@ -0,0 +1,31 @@
+Index: xmlhttprequest.cpp
+===================================================================
+--- kdelibs-3.5.10.dfsg.1/khtml/ecma/xmlhttprequest.cpp	(revision 954808)
++++ kdelibs-3.5.10.dfsg.1/khtml/ecma/xmlhttprequest.cpp	(working copy)
+@@ -342,17 +342,17 @@
+ {
+   aborted = false;
+ 
++  const QString protocol = url.protocol().lower();
++  // Abandon the request when the protocol is other than "http",
++  // instead of blindly doing a KIO::get on other protocols like file:/.
++  if (!protocol.startsWith("http") && !protocol.startsWith("webdav"))
++  {
++    abort();
++    return;
++  }
++
+   if (method == "post") {
+-    QString protocol = url.protocol().lower();
+ 
+-    // Abondon the request when the protocol is other than "http",
+-    // instead of blindly changing it to a "get" request.
+-    if (!protocol.startsWith("http") && !protocol.startsWith("webdav"))
+-    {
+-      abort();
+-      return;
+-    }
+-
+     // FIXME: determine post encoding correctly by looking in headers
+     // for charset.
+     QByteArray buf;
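Review bot: The hoisted check still admits schemes by prefix (`protocol.startsWith("http")`, `protocol.startsWith("webdav")`), so any KIO protocol whose name merely begins with "http" or "webdav" passes, which is looser than the "other than http" intent stated in the new comment; an exact allowlist such as `if (protocol != "http" && protocol != "https" && protocol != "webdav" && protocol != "webdavs")` would pin the permitted schemes rather than their prefixes. The patch file also carries no description or origin header, unlike the two sibling patches added in this revision, so the advisory it addresses is not recorded in the file; a `Description:` / `Origin:` header in the same form as CVE-2009-0689.diff would close that gap. The enclosing function's signature lies before the hunk and its body continues past it.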



