Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: pu
Hello,
[ Disclaimer: I've already asked the security team about this upload and they told
me to do it via s-p-u ]
The upload would fix 3 CVEs and bug #612675. Change-by-change details are below,
while the full diff is attached.
* Fix CVE-2011-1168 (Konqueror partially universal XSS in error pages) by
cve_2011_1168_konqueror_xss.diff.
http://git.debian.org/?p=pkg-kde/kde-sc/kde4libs.git;a=commit;h=20deb674
* Fix CVE-2010-3170 (browser wildcard certificate validation weakness) for
Konqueror by cve_2010_3170_cn_wildcards.diff.
http://git.debian.org/?p=pkg-kde/kde-sc/kde4libs.git;a=commit;h=ae934a0a
* Fix CVE-2011-1094 (kdelibs does not properly verify that the server hostname
matches the Common Name of the Subject of an X.509 certificate if that CN is
an IP address) by cve_2011_1094_ssl_verify_hostname.diff.
http://git.debian.org/?p=pkg-kde/kde-sc/kde4libs.git;a=commit;h=2bfb1e47
[ kde4libs non-security changes ]
* KTar: use unsigned arithmetic when calculating the checksum of a tar header record
(as per the ustar specification). However, when reading an archive, verify the
checksum by calculating it both ways (unsigned and signed) and accept it if
either matches (partially solves #612675). Implemented in the
ktar_header_checksum_fix.diff patch.
http://git.debian.org/?p=pkg-kde/kde-sc/kde4libs.git;a=commit;h=af9374ec
* Fix KTar longlink support when filenames are encoded in a UTF-8 (or other
multibyte) locale. Implemented in the ktar_longlink_length_in_bytes.diff patch
(thanks to Ibragimov Rinat). Closes: #612675
http://git.debian.org/?p=pkg-kde/kde-sc/kde4libs.git;a=commit;h=66efdda4
-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (110, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.38-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=lt_LT.UTF-8, LC_CTYPE=lt_LT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
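The header-checksum rule from the KTar bullet above, as an added Python example that is not code from the kde4libs patch or the reporter: the writer sums the header as unsigned bytes (ustar), while the reader accepts either the unsigned or the signed sum, which only differ when the name contains bytes >= 0x80, e.g. a UTF-8 filename. The header layout and sample name are constructed for the demonstration.

```python
# Added example (not from the kde4libs patch): ustar header checksum written
# unsigned but verified both ways on read, as in the KTar change above.
BLOCK = 512
CHK_OFF, CHK_LEN = 148, 8          # checksum field: 8 bytes at offset 148


def header_sums(block: bytes) -> tuple:
    """Return (unsigned, signed) sums of a 512-byte header with the checksum
    field taken as eight ASCII spaces. ustar sums bytes as 0..255; some
    writers summed them as signed chars (-128..127). The two differ by 256
    per byte >= 0x80, so only non-ASCII (e.g. UTF-8) names are affected."""
    body = block[:CHK_OFF] + b" " * CHK_LEN + block[CHK_OFF + CHK_LEN:]
    unsigned = sum(body)
    signed = sum(b - 256 if b >= 0x80 else b for b in body)
    return unsigned, signed


def build_header(name: bytes, size: int, signed_checksum: bool = False) -> bytes:
    """Build a minimal ustar header (constructed sample, not a real archive)."""
    hdr = bytearray(BLOCK)
    hdr[0:len(name)] = name                    # name (100 bytes, NUL padded)
    hdr[100:108] = b"0000644\0"                # mode
    hdr[108:116] = b"0000000\0"                # uid
    hdr[116:124] = b"0000000\0"                # gid
    hdr[124:136] = b"%011o\0" % size           # size, octal
    hdr[136:148] = b"00000000000\0"            # mtime
    hdr[156] = ord("0")                        # typeflag: regular file
    hdr[257:263] = b"ustar\0"                  # magic
    hdr[263:265] = b"00"                       # version
    unsigned, signed = header_sums(bytes(hdr))
    chk = signed if signed_checksum else unsigned   # a correct writer uses unsigned
    hdr[CHK_OFF:CHK_OFF + CHK_LEN] = b"%06o\0 " % chk
    return bytes(hdr)


def stored_checksum(block: bytes) -> int:
    field = block[CHK_OFF:CHK_OFF + CHK_LEN]
    return int(field.split(b"\0")[0].strip(), 8)   # octal digits, NUL/space terminated


def checksum_ok(block: bytes) -> bool:
    """Reader rule from the KTar fix: accept if the stored value matches the
    unsigned sum or the signed sum, so archives written either way still open."""
    unsigned, signed = header_sums(block)
    return stored_checksum(block) in (unsigned, signed)


# Constructed name with four bytes >= 0x80 ("ą" and "ž" are two UTF-8 bytes each).
NAME = "ąžuolas.txt".encode("utf-8")
HDR_UNSIGNED = build_header(NAME, 0)
HDR_SIGNED = build_header(NAME, 0, signed_checksum=True)
```

For a pure-ASCII name both sums coincide, so the lenient reader only changes behaviour for headers that the old signed arithmetic would have rejected.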
diff --git a/debian/changelog b/debian/changelog
index 7e056e6..aac9418 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,26 @@
+kde4libs (4:4.4.5-2+squeeze2) UNRELEASED; urgency=low
+
+ [ José Manuel Santamaría Lema ]
+ * Fix CVE-2011-1168 (Konqueror partially universal XSS in error pages) by
+cve_2011_1168_konqueror_xss.diff.
+ * Fix CVE-2010-3170 (browser wildcard cerficate validation weakness) for
+Konqueror by cve_2010_3170_cn_wildcards.diff.
+ * Fix CVE-2011-1094 (kdelibs does not properly verify that the server hostname
+matches the Common Name of the Subject of an X.509 certificate if that CN is
+an IP address) by cve_2011_1094_ssl_verify_hostname.diff.
+
+ [ Modestas Vainius ]
+ * KTar: use unsigned arithmetic when calculating checksum of tar header record
+(as per ustar specification). However, when reading archive, verify
+checksum by calculating it both ways (unsigned and signed) and accept if
+either matches (partially solves #612675). Implemented in
+ktar_header_checksum_fix.diff patch.
+ * Fix KTar longlink support when filenames are encoded in the UTF-8 (or other
+multibyte) locale. Implemented in ktar_longlink_length_in_bytes.diff patch
+(thanks to Ibragimov Rinat). Closes: #612675
+
+ -- José Manuel Santamaría Lema panfa...@gmail.com Tue, 12 Apr 2011 21:16:20 +0200
+
kde4libs (4:4.4.5-2+squeeze1) stable-proposed-updates; urgency=low
* Add a kconf_update script (migrate_from_kde3_icon_theme) to migrate away
diff --git a/debian/patches/cve_2010_3170_cn_wildcards.diff b/debian/patches/cve_2010_3170_cn_wildcards.diff
new file mode 100644
index 000..640252b
--- /dev/null
+++ b/debian/patches/cve_2010_3170_cn_wildcards.diff
@@ -0,0 +1,84 @@
+Origin: https://projects.kde.org/projects/kde/kdelibs/repository/revisions/f2a059e6
+Description: Fix wildcard ssl handling.
+ We now correctly handle wildcards, rather than using shell globs. This removes
+ the same issue as QTBUG-4455. In addition, fixes CVE-2010-3170 for Konqueror.
+ References:
+ * http://www.westpoint.ltd.uk/advisories/wp-10-0001.txt
+--- a/kio/kio/tcpslavebase.cpp
b/kio/kio/tcpslavebase.cpp
+@@ -4,6 +4,7 @@
+ * Copyright (C) 2001 Dawit Alemayehu ada...@kde.org
+ * Copyright (C) 2007,2008 Andreas Hartmetz ahartm...@gmail.com
+ * Copyright (C) 2008 Roland Harnau t...@gmx.eu
++ * Copyright (C) 2010 Richard Moore r...@kde.org
+ *
+ * This file is part of the KDE project
+ *
+@@ -436,6 +437,49 @@ bool TCPSlaveBase::startSsl()
+ return startTLSInternal(KTcpSocket::TlsV1) ResultOk;
+ }
+
++// Find out if a hostname matches an SSL certificate's Common Name (including wildcards)
++static bool isMatchingHostname(const QString cnIn, const QString hostnameIn)
++{
++const QString cn = cnIn.toLower();
++const QString hostname = hostnameIn.toLower();
++
++const int wildcard = cn.indexOf(QLatin1Char('*'));
++
++// Check this is a wildcard
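Review bot: the nested patch as shown is damaged in three places, which would stop quilt from applying it and the result from compiling: the `+++` file header is missing in front of `b/kio/kio/tcpslavebase.cpp`, the context line `return startTLSInternal(KTcpSocket::TlsV1) ResultOk;` has lost the operator between the call and `ResultOk`, and the `isMatchingHostname` parameters read `const QString cnIn` / `const QString hostnameIn` where a by-reference `const QString &` is expected; if this is not just an artifact of how the diff was pasted, check the file in the actual upload. The excerpt stops right after the function lowercases both strings and locates the first `*`, so the part that decides which labels a wildcard may cover, i.e. the actual CVE-2010-3170 fix, is not reviewable from this hunk and should be read in full against the upstream f2a059e6 commit named in the Origin header.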