Bug#626842: pu: package kde4libs/4:4.4.5-2+squeeze2

2011-06-12 Thread Adam D. Barratt
tag 626842 + squeeze confirmed
thanks

On Sun, 2011-05-15 at 23:12 +0300, Modestas Vainius wrote:
 The upload would fix 3 CVEs and bug #612675. Change-by-change details are below
 while full diff is attached.

Please go ahead; sorry for the delay.

Regards,

Adam

-- 
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: 
http://lists.debian.org/1307894052.15770.18.ca...@hathi.jungle.funky-badger.org



Processed: Re: Bug#626842: pu: package kde4libs/4:4.4.5-2+squeeze2

2011-06-12 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

 tag 626842 + squeeze confirmed
Bug #626842 [release.debian.org] pu: package kde4libs/4:4.4.5-2+squeeze2
Added tag(s) squeeze and confirmed.
 thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
626842: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=626842
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems


-- 
Archive: 
http://lists.debian.org/handler.s.c.13078940763732.transcr...@bugs.debian.org



Bug#626842: pu: package kde4libs/4:4.4.5-2+squeeze2

2011-05-15 Thread Modestas Vainius
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: pu

Hello,

[ Disclaimer: I've already asked security team about this upload and they told
me to do it via s-p-u ]

The upload would fix 3 CVEs and bug #612675. Change-by-change details are below
while full diff is attached.

* Fix CVE-2011-1168 (Konqueror partially universal XSS in error pages) by
  cve_2011_1168_konqueror_xss.diff.

  http://git.debian.org/?p=pkg-kde/kde-sc/kde4libs.git;a=commit;h=20deb674

* Fix CVE-2010-3170 (browser wildcard certificate validation weakness) for
  Konqueror by cve_2010_3170_cn_wildcards.diff.

  http://git.debian.org/?p=pkg-kde/kde-sc/kde4libs.git;a=commit;h=ae934a0a

* Fix CVE-2011-1094 (kdelibs does not properly verify that the server hostname
  matches the Common Name of the Subject of an X.509 certificate if that CN is
  an IP address) by cve_2011_1094_ssl_verify_hostname.diff.

  http://git.debian.org/?p=pkg-kde/kde-sc/kde4libs.git;a=commit;h=2bfb1e47

  [ kde4libs non-security changes ]

* KTar: use unsigned arithmetic when calculating checksum of tar header record
  (as per ustar specification). However, when reading archive, verify
  checksum by calculating it both ways (unsigned and signed) and accept if
  either matches (partially solves #612675). Implemented in
  ktar_header_checksum_fix.diff patch.

  http://git.debian.org/?p=pkg-kde/kde-sc/kde4libs.git;a=commit;h=af9374ec

* Fix KTar longlink support when filenames are encoded in the UTF-8 (or other
  multibyte) locale. Implemented in ktar_longlink_length_in_bytes.diff patch
  (thanks to Ibragimov Rinat). Closes: #612675

  http://git.debian.org/?p=pkg-kde/kde-sc/kde4libs.git;a=commit;h=66efdda4

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (110, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.38-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=lt_LT.UTF-8, LC_CTYPE=lt_LT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff --git a/debian/changelog b/debian/changelog
index 7e056e6..aac9418 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,26 @@
+kde4libs (4:4.4.5-2+squeeze2) UNRELEASED; urgency=low
+
+  [ José Manuel Santamaría Lema ]
+  * Fix CVE-2011-1168 (Konqueror partially universal XSS in error pages) by
+cve_2011_1168_konqueror_xss.diff.
+  * Fix CVE-2010-3170 (browser wildcard cerficate validation weakness) for
+Konqueror by cve_2010_3170_cn_wildcards.diff.
+  * Fix CVE-2011-1094 (kdelibs does not properly verify that the server hostname
+matches the Common Name of the Subject of an X.509 certificate if that CN is
+an IP address) by cve_2011_1094_ssl_verify_hostname.diff.
+
+  [ Modestas Vainius ]
+  * KTar: use unsigned arithmetic when calculating checksum of tar header record
+(as per ustar specification). However, when reading archive, verify
+checksum by calculating it both ways (unsigned and signed) and accept if
+either matches (partially solves #612675). Implemented in
+ktar_header_checksum_fix.diff patch.
+  * Fix KTar longlink support when filenames are encoded in the UTF-8 (or other
+multibyte) locale. Implemented in ktar_longlink_length_in_bytes.diff patch
+(thanks to Ibragimov Rinat). Closes: #612675
+
+ -- José Manuel Santamaría Lema panfa...@gmail.com  Tue, 12 Apr 2011 21:16:20 +0200
+
 kde4libs (4:4.4.5-2+squeeze1) stable-proposed-updates; urgency=low
 
   * Add a kconf_update script (migrate_from_kde3_icon_theme) to migrate away
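Review bot: the new changelog stanza targets `UNRELEASED` while the previous `4:4.4.5-2+squeeze1` entry directly below it uses `stable-proposed-updates`; the distribution field should be switched to the intended suite before the upload, otherwise the package will be rejected or land in the wrong place. The second bullet also repeats the spelling error "cerficate" (should be "certificate"), which is worth fixing since the changelog is what ends up in the published advisory text.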
diff --git a/debian/patches/cve_2010_3170_cn_wildcards.diff b/debian/patches/cve_2010_3170_cn_wildcards.diff
new file mode 100644
index 000..640252b
--- /dev/null
+++ b/debian/patches/cve_2010_3170_cn_wildcards.diff
@@ -0,0 +1,84 @@
+Origin: https://projects.kde.org/projects/kde/kdelibs/repository/revisions/f2a059e6
+Description: Fix wildcard ssl handling.
+ We now correctly handle wildcards, rather than using shell globs. This removes
+ the same issue as QTBUG-4455. In addition, fixes CVE-2010-3170 for Konqueror.
+ References:
+ * http://www.westpoint.ltd.uk/advisories/wp-10-0001.txt
+--- a/kio/kio/tcpslavebase.cpp
 b/kio/kio/tcpslavebase.cpp
+@@ -4,6 +4,7 @@
+  * Copyright (C) 2001 Dawit Alemayehu ada...@kde.org
+  * Copyright (C) 2007,2008 Andreas Hartmetz ahartm...@gmail.com
+  * Copyright (C) 2008 Roland Harnau t...@gmx.eu
++ * Copyright (C) 2010 Richard Moore r...@kde.org
+  *
+  * This file is part of the KDE project
+  *
+@@ -436,6 +437,49 @@ bool TCPSlaveBase::startSsl()
+ return startTLSInternal(KTcpSocket::TlsV1)  ResultOk;
+ }
+ 
++// Find out if a hostname matches an SSL certificate's Common Name (including wildcards)
++static bool isMatchingHostname(const QString cnIn, const QString hostnameIn)
++{
++const QString cn = cnIn.toLower();
++const QString hostname = hostnameIn.toLower();
++
++const int wildcard = cn.indexOf(QLatin1Char('*'));
++
++// Check this is a wildcard
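Review bot: the visible part of `isMatchingHostname()` only lowercases both strings and locates the first `*` before the hunk breaks off at `// Check this is a wildcard`, so the label-boundary rules the Description claims (wildcard only as the left-most label, never matching across a `.`) cannot be confirmed from this excerpt; please check the remainder against the upstream revision f2a059e6 named in the Origin line and make sure a case such as CN `*.example.org` against host `a.b.example.org` is rejected. Also, as reproduced here, the nested file-header line `b/kio/kio/tcpslavebase.cpp` has lost its leading `+++` markers and the return statement `startTLSInternal(KTcpSocket::TlsV1)  ResultOk` is missing its comparison operator, so the attached patch should be re-verified to apply cleanly before it is uploaded.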
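The following is an added example, written for this page and not taken from kdelibs or from the attached patch, of the two certificate-name checks that the first and third bullets of the bug report describe: a shell-glob style wildcard match (the weak behaviour behind CVE-2010-3170, where `*` also swallows dots) placed beside a strict matcher that allows the wildcard only as the whole left-most label, and exact byte comparison whenever the Common Name is an IP literal (the situation CVE-2011-1094 is about). All function names (`globMatch`, `strictCnMatch`, `isIpLiteral`, `labels`) and the sample names are our own and use plain `std::string` instead of `QString`.

```cpp
#include <algorithm>
#include <cctype>
#include <cstdio>
#include <string>
#include <vector>

// Added illustration; not kdelibs' isMatchingHostname(). Names are ours.

static std::string lowerAscii(std::string s) {
    for (char &c : s) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    return s;
}

// Split "a.b.c" into {"a","b","c"}; an empty label signals a malformed name.
static std::vector<std::string> labels(const std::string &name) {
    std::vector<std::string> out;
    std::string cur;
    for (char c : name) {
        if (c == '.') { out.push_back(cur); cur.clear(); } else cur += c;
    }
    out.push_back(cur);
    return out;
}

// Rough test for an IPv4 dotted quad or an IPv6 literal (contains ':').
// An IP address in the CN must be compared byte for byte, never as a pattern.
static bool isIpLiteral(const std::string &s) {
    if (s.find(':') != std::string::npos) return true;
    const auto parts = labels(s);
    if (parts.size() != 4) return false;
    for (const auto &p : parts) {
        if (p.empty() || p.size() > 3) return false;
        for (char c : p) if (!std::isdigit(static_cast<unsigned char>(c))) return false;
        if (std::stoi(p) > 255) return false;
    }
    return true;
}

// Weak approach: the CN is treated as a shell glob, so '*' matches any run of
// characters including '.', which is why "*.com" would match "evil.com".
static bool globMatch(const std::string &pat, const std::string &str) {
    std::size_t p = 0, s = 0, star = std::string::npos, mark = 0;
    while (s < str.size()) {
        if (p < pat.size() && (pat[p] == '?' || pat[p] == str[s])) { ++p; ++s; }
        else if (p < pat.size() && pat[p] == '*') { star = p++; mark = s; }
        else if (star != std::string::npos) { p = star + 1; s = ++mark; }
        else return false;
    }
    while (p < pat.size() && pat[p] == '*') ++p;
    return p == pat.size();
}

// Strict matching: case-insensitive; IP literals must be identical; a single
// '*' may only be the entire left-most label, must leave at least two literal
// labels to its right, and matches exactly one host label (never across '.').
static bool strictCnMatch(const std::string &cnIn, const std::string &hostIn) {
    const std::string cn = lowerAscii(cnIn), host = lowerAscii(hostIn);
    if (cn.empty() || host.empty()) return false;
    if (isIpLiteral(cn) || isIpLiteral(host)) return cn == host;
    const std::size_t star = cn.find('*');
    if (star == std::string::npos) return cn == host;
    if (star != 0 || cn.size() < 2 || cn[1] != '.') return false;  // only "*.rest"
    if (cn.find('*', 1) != std::string::npos) return false;        // one wildcard only
    const auto cnLabels = labels(cn), hostLabels = labels(host);
    if (cnLabels.size() < 3) return false;                          // "*.com" is too broad
    if (hostLabels.size() != cnLabels.size()) return false;
    for (std::size_t i = 1; i < cnLabels.size(); ++i)
        if (cnLabels[i].empty() || cnLabels[i] != hostLabels[i]) return false;
    return !hostLabels[0].empty();
}

int main() {
    // Constructed sample names; the two matchers disagree on the second row.
    std::printf("glob   *.example.com vs www.example.com : %d\n", globMatch("*.example.com", "www.example.com"));
    std::printf("glob   *.example.com vs a.b.example.com : %d\n", globMatch("*.example.com", "a.b.example.com"));
    std::printf("strict *.example.com vs a.b.example.com : %d\n", strictCnMatch("*.example.com", "a.b.example.com"));
    std::printf("strict 10.0.0.*      vs 10.0.0.1        : %d\n", strictCnMatch("10.0.0.*", "10.0.0.1"));
    return 0;
}
```

The point of keeping `globMatch` next to `strictCnMatch` is that both accept the ordinary `*.example.com` against `www.example.com`, so a test suite that only covers the happy path never sees the difference; the divergence only shows up on multi-label hosts, bare top-level wildcards and IP-address Common Names.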
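As a second added example, again our own code and not the KTar implementation or the `ktar_header_checksum_fix.diff` patch, this shows the checksum rule from the KTar bullet of the bug report: the 512-byte ustar header is summed with the chksum field taken as spaces, unsigned arithmetic is used when writing (per the ustar specification), and on reading the stored value is accepted if it equals either the unsigned or the signed sum. The two sums only differ when the header contains bytes above 0x7F, which is exactly what a UTF-8 filename introduces, so the sample uses a constructed Lithuanian filename to make the divergence visible. `makeHeader`, `headerSum`, `storedChecksum` and `checksumOk` are names chosen here.

```cpp
#include <algorithm>
#include <array>
#include <cstdio>
#include <cstring>
#include <string>

// Added illustration of the "accept either checksum" rule; not kdelibs code.
using TarHeader = std::array<unsigned char, 512>;

// Sum of all 512 header bytes with the 8-byte chksum field (offset 148) taken
// as spaces. ustar says bytes are unsigned; some old writers summed them signed.
static long headerSum(const TarHeader &h, bool asSigned) {
    long sum = 0;
    for (std::size_t i = 0; i < h.size(); ++i) {
        const unsigned char b = (i >= 148 && i < 156) ? ' ' : h[i];
        sum += asSigned ? static_cast<long>(static_cast<signed char>(b)) : static_cast<long>(b);
    }
    return sum;
}

// Minimal ustar header for `name` with an empty file body. The checksum is
// stored as six octal digits, NUL, space; `signedWriter` mimics a legacy tool.
static TarHeader makeHeader(const std::string &name, bool signedWriter) {
    TarHeader h{};
    std::memcpy(h.data(), name.data(), std::min<std::size_t>(name.size(), 100));
    std::memcpy(h.data() + 100, "0000644", 8);       // mode
    std::memcpy(h.data() + 124, "00000000000", 12);  // size: 0 bytes
    std::memcpy(h.data() + 257, "ustar", 6);         // magic
    std::memcpy(h.data() + 263, "00", 2);            // version
    const long sum = headerSum(h, signedWriter);     // chksum bytes count as spaces
    char buf[8];
    std::snprintf(buf, sizeof buf, "%06lo", static_cast<unsigned long>(sum));
    std::memcpy(h.data() + 148, buf, 7);             // "dddddd\0"
    h[155] = ' ';
    return h;
}

// Parse the stored octal checksum; -1 if the field is not octal.
static long storedChecksum(const TarHeader &h) {
    long v = 0;
    bool any = false;
    for (std::size_t i = 148; i < 156; ++i) {
        const unsigned char c = h[i];
        if (c == ' ' || c == '\0') { if (any) break; else continue; }
        if (c < '0' || c > '7') return -1;
        v = v * 8 + (c - '0');
        any = true;
    }
    return any ? v : -1;
}

static bool checksumMatches(const TarHeader &h, bool asSigned) {
    const long stored = storedChecksum(h);
    return stored >= 0 && stored == headerSum(h, asSigned);
}

// Reader rule from the changelog: accept if the unsigned (spec) or the signed
// (legacy) computation matches the stored value; reject anything else.
static bool checksumOk(const TarHeader &h) {
    return checksumMatches(h, false) || checksumMatches(h, true);
}

// Constructed sample headers used by main() and the checks below.
static TarHeader asciiHeader() { return makeHeader("hello.txt", false); }
static TarHeader legacyUtf8Header() { return makeHeader("\xC5\xBE" "odis.txt", true); }  // "žodis.txt"
static TarHeader corruptedHeader() { TarHeader h = asciiHeader(); h[0] ^= 0x01; return h; }

int main() {
    const TarHeader legacy = legacyUtf8Header();
    std::printf("utf-8 header: unsigned sum %ld, signed sum %ld, stored %ld\n",
                headerSum(legacy, false), headerSum(legacy, true), storedChecksum(legacy));
    std::printf("accepted by unsigned-only check: %d, by either-way check: %d\n",
                checksumMatches(legacy, false), checksumOk(legacy));
    std::printf("corrupted ascii header accepted: %d\n", checksumOk(corruptedHeader()));
    return 0;
}
```

Accepting either sum is a compatibility concession, not a weakening of integrity: a single flipped byte still changes both sums by the same amount, so a corrupted header fails both comparisons, while an archive written by a signed-arithmetic tool is no longer rejected outright.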