From 7a00da32661a8ba729193fa8cc1c483f3a6dddec Mon Sep 17 00:00:00 2001 From: Johannes Huber Date: Tue, 28 Feb 2017 22:01:11 +0100 Subject: [PATCH] kde-frameworks/kio: Fix information leak Revision bump backports upstream patch to fix a information leak when accessing https when using a malicious PAC file. https://www.kde.org/info/security/advisory-20170228-1.txt Gentoo-bug: 611256 Package-Manager: Portage-2.3.3, Repoman-2.3.1 --- .../kio/files/kio-5.29.0-sanitize-url.patch | 38 +++++++++ kde-frameworks/kio/kio-5.29.0-r1.ebuild | 81 +++++++++++++++++++ kde-frameworks/kio/kio-5.31.0-r1.ebuild | 81 +++++++++++++++++++ 3 files changed, 200 insertions(+) create mode 100644 kde-frameworks/kio/files/kio-5.29.0-sanitize-url.patch create mode 100644 kde-frameworks/kio/kio-5.29.0-r1.ebuild create mode 100644 kde-frameworks/kio/kio-5.31.0-r1.ebuild diff --git a/kde-frameworks/kio/files/kio-5.29.0-sanitize-url.patch b/kde-frameworks/kio/files/kio-5.29.0-sanitize-url.patch new file mode 100644 index 000000000000..f9f398652d95 --- /dev/null +++ b/kde-frameworks/kio/files/kio-5.29.0-sanitize-url.patch @@ -0,0 +1,38 @@ +commit f9d0cb47cf94e209f6171ac0e8d774e68156a6e4 +Author: Albert Astals Cid +Date: Tue Feb 28 19:00:48 2017 +0100 + + Sanitize URLs before passing them to FindProxyForURL + + Remove user/password information + For https: remove path and query + + Thanks to safebreach.com for reporting the problem + + CCMAIL: yoni.fridburg@safebreach.com + CCMAIL: amit.klein@safebreach.com + CCMAIL: itzik.kotler@safebreach.com + +diff --git a/src/kpac/script.cpp b/src/kpac/script.cpp +index a0235f73..2485c54d 100644 +--- a/src/kpac/script.cpp ++++ b/src/kpac/script.cpp +@@ -754,9 +754,16 @@ QString Script::evaluate(const QUrl &url) + } + } + ++ QUrl cleanUrl = url; ++ cleanUrl.setUserInfo(QString()); ++ if (cleanUrl.scheme() == QLatin1String("https")) { ++ cleanUrl.setPath(QString()); ++ cleanUrl.setQuery(QString()); ++ } ++ + QScriptValueList args; +- args << url.url(); +- args << url.host(); ++ args << cleanUrl.url(); ++ args << cleanUrl.host(); + + QScriptValue result = func.call(QScriptValue(), args); + if (result.isError()) { diff --git a/kde-frameworks/kio/kio-5.29.0-r1.ebuild b/kde-frameworks/kio/kio-5.29.0-r1.ebuild new file mode 100644 index 000000000000..3e102a991655 --- /dev/null +++ b/kde-frameworks/kio/kio-5.29.0-r1.ebuild @@ -0,0 +1,81 @@ +# Copyright 1999-2017 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +EAPI=6 + +KDE_TEST="forceoptional" +VIRTUALX_REQUIRED="test" +inherit kde5 + +DESCRIPTION="Framework providing transparent file and data management" +LICENSE="LGPL-2+" +KEYWORDS="~amd64 ~arm ~x86" +IUSE="acl +handbook kerberos +kwallet X" + +COMMON_DEPEND=" + $(add_frameworks_dep karchive) + $(add_frameworks_dep kbookmarks) + $(add_frameworks_dep kcodecs) + $(add_frameworks_dep kcompletion) + $(add_frameworks_dep kconfig) + $(add_frameworks_dep kconfigwidgets) + $(add_frameworks_dep kcoreaddons) + $(add_frameworks_dep kdbusaddons) + $(add_frameworks_dep ki18n) + $(add_frameworks_dep kiconthemes) + $(add_frameworks_dep kitemviews) + $(add_frameworks_dep kjobwidgets) + $(add_frameworks_dep knotifications) + $(add_frameworks_dep kservice) + $(add_frameworks_dep ktextwidgets) + $(add_frameworks_dep kwidgetsaddons) + $(add_frameworks_dep kwindowsystem) + $(add_frameworks_dep kxmlgui) + $(add_frameworks_dep solid) + $(add_qt_dep qtdbus) + $(add_qt_dep qtgui) + $(add_qt_dep qtnetwork 'ssl') + $(add_qt_dep qtscript) + $(add_qt_dep qtwidgets) + $(add_qt_dep qtxml) + dev-libs/libxml2 + dev-libs/libxslt + acl? ( + sys-apps/attr + virtual/acl + ) + kerberos? ( virtual/krb5 ) + kwallet? ( $(add_frameworks_dep kwallet) ) + X? ( $(add_qt_dep qtx11extras) ) +" +DEPEND="${COMMON_DEPEND} + $(add_qt_dep qtconcurrent) + handbook? ( $(add_frameworks_dep kdoctools) ) + test? ( sys-libs/zlib ) + X? ( + x11-libs/libX11 + x11-libs/libXrender + x11-proto/xproto + ) +" +PDEPEND=" + $(add_frameworks_dep kded) +" +RDEPEND="${COMMON_DEPEND}" + +# tests hang +RESTRICT+=" test" + +PATCHES=( "${FILESDIR}/${P}-sanitize-url.patch" ) + +src_configure() { + local mycmakeargs=( + $(cmake-utils_use_find_package acl ACL) + $(cmake-utils_use_find_package handbook KF5DocTools) + $(cmake-utils_use_find_package kerberos GSSAPI) + $(cmake-utils_use_find_package kwallet KF5Wallet) + $(cmake-utils_use_find_package X X11) + ) + + kde5_src_configure +} diff --git a/kde-frameworks/kio/kio-5.31.0-r1.ebuild b/kde-frameworks/kio/kio-5.31.0-r1.ebuild new file mode 100644 index 000000000000..b634e48d89c7 --- /dev/null +++ b/kde-frameworks/kio/kio-5.31.0-r1.ebuild @@ -0,0 +1,81 @@ +# Copyright 1999-2017 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +EAPI=6 + +KDE_TEST="forceoptional-recursive" +VIRTUALX_REQUIRED="test" +inherit kde5 + +DESCRIPTION="Framework providing transparent file and data management" +LICENSE="LGPL-2+" +KEYWORDS="~amd64 ~arm ~x86" +IUSE="acl +handbook kerberos +kwallet X" + +COMMON_DEPEND=" + $(add_frameworks_dep karchive) + $(add_frameworks_dep kbookmarks) + $(add_frameworks_dep kcodecs) + $(add_frameworks_dep kcompletion) + $(add_frameworks_dep kconfig) + $(add_frameworks_dep kconfigwidgets) + $(add_frameworks_dep kcoreaddons) + $(add_frameworks_dep kdbusaddons) + $(add_frameworks_dep ki18n) + $(add_frameworks_dep kiconthemes) + $(add_frameworks_dep kitemviews) + $(add_frameworks_dep kjobwidgets) + $(add_frameworks_dep knotifications) + $(add_frameworks_dep kservice) + $(add_frameworks_dep ktextwidgets) + $(add_frameworks_dep kwidgetsaddons) + $(add_frameworks_dep kwindowsystem) + $(add_frameworks_dep kxmlgui) + $(add_frameworks_dep solid) + $(add_qt_dep qtdbus) + $(add_qt_dep qtgui) + $(add_qt_dep qtnetwork 'ssl') + $(add_qt_dep qtscript) + $(add_qt_dep qtwidgets) + $(add_qt_dep qtxml) + dev-libs/libxml2 + dev-libs/libxslt + acl? ( + sys-apps/attr + virtual/acl + ) + kerberos? ( virtual/krb5 ) + kwallet? ( $(add_frameworks_dep kwallet) ) + X? ( $(add_qt_dep qtx11extras) ) +" +DEPEND="${COMMON_DEPEND} + $(add_qt_dep qtconcurrent) + handbook? ( $(add_frameworks_dep kdoctools) ) + test? ( sys-libs/zlib ) + X? ( + x11-libs/libX11 + x11-libs/libXrender + x11-proto/xproto + ) +" +PDEPEND=" + $(add_frameworks_dep kded) +" +RDEPEND="${COMMON_DEPEND}" + +# tests hang +RESTRICT+=" test" + +PATCHES=( "${FILESDIR}/${PN}-5.29.0-sanitize-url.patch" ) + +src_configure() { + local mycmakeargs=( + $(cmake-utils_use_find_package acl ACL) + $(cmake-utils_use_find_package handbook KF5DocTools) + $(cmake-utils_use_find_package kerberos GSSAPI) + $(cmake-utils_use_find_package kwallet KF5Wallet) + $(cmake-utils_use_find_package X X11) + ) + + kde5_src_configure +} -- 2.26.2