Hello community, here is the log from the commit of package kwebkitpart for openSUSE:Factory checked in at 2015-03-12 16:36:57 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/kwebkitpart (Old) and /work/SRC/openSUSE:Factory/.kwebkitpart.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "kwebkitpart" Changes: -------- --- /work/SRC/openSUSE:Factory/kwebkitpart/kwebkitpart.changes 2014-06-02 07:00:31.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.kwebkitpart.new/kwebkitpart.changes 2015-03-12 16:36:59.000000000 +0100 @@ -1,0 +2,5 @@ +Mon Mar 9 19:31:47 UTC 2015 - hrvoje.sen...@gmail.com + +- Added sanitize-html.patch, CVE-2014-8600 + +------------------------------------------------------------------- New: ---- sanitize-html.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ kwebkitpart.spec ++++++ --- /var/tmp/diff_new_pack.9Ue0av/_old 2015-03-12 16:37:00.000000000 +0100 +++ /var/tmp/diff_new_pack.9Ue0av/_new 2015-03-12 16:37:00.000000000 +0100 @@ -1,7 +1,7 @@ # # spec file for package kwebkitpart # -# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -32,6 +32,8 @@ Patch1: 0002-Copy-only-the-email-address-and-not-the-mailto-link.patch # PATCH-FIX-UPSTREAM 0003-Show-correct-SSL-information-on-redirection.patch -- kde#335389 Patch2: 0003-Show-correct-SSL-information-on-redirection.patch +# PATCH-FIX-UPSTREAM sanitize-html.patch -- CVE-2014-8600 +Patch3: sanitize-html.patch BuildRequires: libkde4-devel >= 4.8.3 BuildRequires: sqlite-devel Recommends: kwebkitpart-lang @@ -53,6 +55,7 @@ %patch0 -p1 %patch1 -p1 %patch2 -p1 +%patch3 -p1 tar xjf $RPM_SOURCE_DIR/%{name}-lang.tar.bz2 echo "add_subdirectory(lang)" >> CMakeLists.txt bunzip2 -d < %{S:2} > README.html ++++++ sanitize-html.patch ++++++ From: Albert Astals Cid <aa...@kde.org> Date: Thu, 13 Nov 2014 14:06:01 +0000 Subject: Sanitize html X-Git-Url: http://quickgit.kde.org/?p=kwebkitpart.git&a=commitdiff&h=641aa7c75631084260ae89aecbdb625e918c6689 --- Sanitize html As discussed by the security team --- --- a/src/webpage.cpp +++ b/src/webpage.cpp @@ -226,23 +226,26 @@ doc += QL1S( "<h3>" ); doc += i18n( "Details of the Request:" ); doc += QL1S( "</h3><ul><li>" ); - doc += i18n( "URL: %1", reqUrl.url() ); + // escape URL twice: once for i18n, and once for HTML. + doc += i18n( "URL: %1", Qt::escape( Qt::escape( reqUrl.prettyUrl() ) ) ); doc += QL1S( "</li><li>" ); const QString protocol (reqUrl.protocol()); if ( !protocol.isNull() ) { - doc += i18n( "Protocol: %1", protocol ); + // escape protocol twice: once for i18n, and once for HTML. + doc += i18n( "Protocol: %1", Qt::escape( Qt::escape( protocol ) ) ); doc += QL1S( "</li><li>" ); } doc += i18n( "Date and Time: %1", KGlobal::locale()->formatDateTime(QDateTime::currentDateTime(), KLocale::LongDate) ); doc += QL1S( "</li><li>" ); - doc += i18n( "Additional Information: %1" , text ); + // escape text twice: once for i18n, and once for HTML. + doc += i18n( "Additional Information: %1", Qt::escape( Qt::escape( text ) ) ); doc += QL1S( "</li></ul><h3>" ); doc += i18n( "Description:" ); doc += QL1S( "</h3><p>" ); - doc += description; + doc += Qt::escape( description ); doc += QL1S( "</p>" ); if ( causes.count() ) { -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org