
Bug#287201: [patch] KDE ftp kioslave applies to woody as well



Moritz Muehlenhoff wrote:
> Hi,
> this applies to woody as well. Attached you can find the backported upstream
> patch against 2.2.2. BTW, this is CAN-2004-1165.
> 
> Cheers,
>         Moritz

> diff -Naur kdelibs-2.2.2.orig/kio/ftp/ftp.cc kdelibs-2.2.2/kio/ftp/ftp.cc
> --- kdelibs-2.2.2.orig/kio/ftp/ftp.cc	Wed Jan  5 12:29:07 2005
> +++ kdelibs-2.2.2/kio/ftp/ftp.cc	Wed Jan  5 12:28:25 2005
> @@ -596,6 +596,14 @@
>  {
>    assert( sControl > 0 );
>  
> +  if ( cmd.find( '\r' ) != -1 || cmd.find( '\n' ) != -1)
> +  {
> +    kdWarning(7102) << "Invalid command received (contains CR or LF): "
> +                    << cmd.data() << endl;
> +    error( ERR_UNSUPPORTED_ACTION, m_host );
> +    return false;
> +  }
> +
>    QCString buf = cmd;
>    buf += "\r\n";
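
Review bot: the kdWarning call in the added CR/LF check writes cmd.data() to the log verbatim, so the CR or LF that the check has just detected ends up in the log and can split the entry across several lines. Log a fixed message, or the command with CR and LF escaped, instead of the raw string. The error() call reports ERR_UNSUPPORTED_ACTION with only m_host, which gives the user no hint that the request was rejected for embedded line breaks. A one-line comment above the check saying that the command is terminated with "\r\n" right below, and so must not contain either character itself, would make the reason for the check clear.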

Thanks, that was on my agenda as well.  Working on it now.

Please
 . update the package in sid
 . mention the CVE id from the subject in the changelog
 . tell me the version number of the fixed package
 . use priority=high
 . no need to upload into sarge directly, except the version in
   sid is not meant to go into testing

Regards,

	Joey

-- 
Let's call it an accidental feature.  -- Larry Wall


