
Bug#626844: pu: package kdenetwork/4:4.4.5-2+squeeze1



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: pu

Hello,

[ Disclaimer: I've already asked the security team about this upload and they
told me to do it via s-p-u ]

This upload would contain a patch that improves the fix for CVE-2010-1000.
Change-by-change details are below, while the full diff is attached.

* Add cve_2010_1000_directory_traversal.diff, note that CVE-2010-1000 was
  already fixed, but this patch performs a better protection against that
  vulnerability.

  http://git.debian.org/?p=pkg-kde/kde-sc/kdenetwork.git;a=commit;h=f18dc

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (110, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.38-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=lt_LT.UTF-8, LC_CTYPE=lt_LT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff --git a/debian/changelog b/debian/changelog
index 1dc6e8e..45a905d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+kdenetwork (4:4.4.5-2+squeeze1) UNRELEASED; urgency=low
+
+  * Add cve_2010_1000_directory_traversal.diff, note that CVE-2010-1000 was
+    already fixed, but this patch performs a better protection against that
+    vulnerability.
+
+ -- José Manuel Santamaría Lema <panfaust@gmail.com>  Sun, 17 Apr 2011 20:04:11 +0200
+
 kdenetwork (4:4.4.5-2) unstable; urgency=low
 
   * Point debian/control Vcs fields to the new Git repository.
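Review bot: the distribution field of the new entry is still UNRELEASED, which has to be set to the target suite before the package can be uploaded. The entry text also says only that the patch "performs a better protection"; one more line stating what the check now rejects (names ending in '/', names starting with '/', and any "." or ".." component, as in the metalinker.cpp change) would let the changelog stand on its own.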
diff --git a/debian/patches/cve_2010_1000_directory_traversal.diff b/debian/patches/cve_2010_1000_directory_traversal.diff
new file mode 100644
index 0000000..125f104
--- /dev/null
+++ b/debian/patches/cve_2010_1000_directory_traversal.diff
@@ -0,0 +1,21 @@
+Origin: http://websvn.kde.org/?view=revision&revision=1227468
+Description: Further addresses CVE-2010-1000.
+ The file name of Metalink File is checked a better way, making it work under
+ more conditions.
+--- a/kget/ui/metalinkcreator/metalinker.cpp
++++ b/kget/ui/metalinkcreator/metalinker.cpp
+@@ -583,7 +583,13 @@
+         return false;
+     }
+ 
+-    if (name.contains(QRegExp("$(\\.\\.?)?/")) || name.contains("/../") || name.endsWith("/..")) {
++    if (name.endsWith('/')) {
++        kError(5001) << "Name attribute of Metalink::File does not contain a file name:" << name;
++        return false;
++    }
++
++    const QStringList components = name.split('/');
++    if (name.startsWith('/') || components.contains("..") || components.contains(".")) {
+         kError(5001) << "Name attribute of Metalink::File contains directory traversal directives:" << name;
+         return false;
+     }
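Review bot: the Description in the patch header ("checked a better way, making it work under more conditions") does not say what the old check got wrong, although the removed line shows it: the pattern "$(\\.\\.?)?/" begins with the end-of-input anchor '$' where a start anchor would be expected, so that part of the test cannot match a leading "/", "./" or "../", and only the "/../" and trailing "/.." tests did any work. Please state that in the Description. In the new code the name is split on '/' only and empty components (as in "a//b") are accepted; a one-line comment saying both are intended would save the next reader from wondering.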
diff --git a/debian/patches/series b/debian/patches/series
index 899f203..b50afdb 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
 01_backport_use_system_libktorrent.diff
 02_debian_libktorrent_porting.diff
 03_kopete_icq_login_fix.diff
+cve_2010_1000_directory_traversal.diff
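Review bot: the three existing entries in series carry numeric prefixes (01_, 02_, 03_) and the added file name does not. Consider naming it with the next prefix, keeping the name in debian/changelog and the patch path in step if it is renamed.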
