Hello community,
here is the log from the commit of package kwebkitpart for openSUSE:Factory
checked in at 2015-03-12 16:36:57
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/kwebkitpart (Old)
and /work/SRC/openSUSE:Factory/.kwebkitpart.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "kwebkitpart"
Changes:
--------
--- /work/SRC/openSUSE:Factory/kwebkitpart/kwebkitpart.changes 2014-06-02
07:00:31.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.kwebkitpart.new/kwebkitpart.changes
2015-03-12 16:36:59.000000000 +0100
@@ -1,0 +2,5 @@
+Mon Mar 9 19:31:47 UTC 2015 - hrvoje.sen...@gmail.com
+
+- Added sanitize-html.patch, CVE-2014-8600
+
+-------------------------------------------------------------------
New:
----
sanitize-html.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ kwebkitpart.spec ++++++
--- /var/tmp/diff_new_pack.9Ue0av/_old 2015-03-12 16:37:00.000000000 +0100
+++ /var/tmp/diff_new_pack.9Ue0av/_new 2015-03-12 16:37:00.000000000 +0100
@@ -1,7 +1,7 @@
#
# spec file for package kwebkitpart
#
-# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -32,6 +32,8 @@
Patch1: 0002-Copy-only-the-email-address-and-not-the-mailto-link.patch
# PATCH-FIX-UPSTREAM 0003-Show-correct-SSL-information-on-redirection.patch --
kde#335389
Patch2: 0003-Show-correct-SSL-information-on-redirection.patch
+# PATCH-FIX-UPSTREAM sanitize-html.patch -- CVE-2014-8600
+Patch3: sanitize-html.patch
BuildRequires: libkde4-devel >= 4.8.3
BuildRequires: sqlite-devel
Recommends: kwebkitpart-lang
@@ -53,6 +55,7 @@
%patch0 -p1
%patch1 -p1
%patch2 -p1
+%patch3 -p1
tar xjf $RPM_SOURCE_DIR/%{name}-lang.tar.bz2
echo "add_subdirectory(lang)" >> CMakeLists.txt
bunzip2 -d < %{S:2} > README.html
++++++ sanitize-html.patch ++++++
From: Albert Astals Cid <aa...@kde.org>
Date: Thu, 13 Nov 2014 14:06:01 +0000
Subject: Sanitize html
X-Git-Url:
http://quickgit.kde.org/?p=kwebkitpart.git&a=commitdiff&h=641aa7c75631084260ae89aecbdb625e918c6689
---
Sanitize html
As discussed by the security team
---
--- a/src/webpage.cpp
+++ b/src/webpage.cpp
@@ -226,23 +226,26 @@
doc += QL1S( "<h3>" );
doc += i18n( "Details of the Request:" );
doc += QL1S( "</h3><ul><li>" );
- doc += i18n( "URL: %1", reqUrl.url() );
+ // escape URL twice: once for i18n, and once for HTML.
+ doc += i18n( "URL: %1", Qt::escape( Qt::escape( reqUrl.prettyUrl() ) ) );
doc += QL1S( "</li><li>" );
const QString protocol (reqUrl.protocol());
if ( !protocol.isNull() ) {
- doc += i18n( "Protocol: %1", protocol );
+ // escape protocol twice: once for i18n, and once for HTML.
+ doc += i18n( "Protocol: %1", Qt::escape( Qt::escape( protocol ) ) );
doc += QL1S( "</li><li>" );
}
doc += i18n( "Date and Time: %1",
KGlobal::locale()->formatDateTime(QDateTime::currentDateTime(),
KLocale::LongDate) );
doc += QL1S( "</li><li>" );
- doc += i18n( "Additional Information: %1" , text );
+ // escape text twice: once for i18n, and once for HTML.
+ doc += i18n( "Additional Information: %1", Qt::escape( Qt::escape( text )
) );
doc += QL1S( "</li></ul><h3>" );
doc += i18n( "Description:" );
doc += QL1S( "</h3><p>" );
- doc += description;
+ doc += Qt::escape( description );
doc += QL1S( "</p>" );
if ( causes.count() ) {
--
To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org
For additional commands, e-mail: opensuse-commit+h...@opensuse.org
