diff options
author | Patrick J Volkerding <volkerdi@slackware.com> | 2019-08-08 05:25:56 +0000 |
---|---|---|
committer | Eric Hameleers <alien@slackware.com> | 2019-08-08 17:59:45 +0200 |
commit | 850107940f28c76e783f86fa9f6a9643e4b49ad1 (patch) | |
tree | db4ab552f75e57c501d08b6ec52b7b074260ad48 /source/kde/patch/kdelibs/kdelibs.2c3762feddf7e66cf6b64d9058f625a715694a00.patch | |
parent | 527faada86a6c302b1f9e72da1cb87b70d83141c (diff) | |
download | current-850107940f28c76e783f86fa9f6a9643e4b49ad1.tar.gz current-850107940f28c76e783f86fa9f6a9643e4b49ad1.tar.xz |
Thu Aug 8 05:25:56 UTC 201920190808052556
kde/kdelibs-4.14.38-x86_64-4.txz: Rebuilt.
kconfig: malicious .desktop files (and others) would execute code.
For more information, see:
https://mail.kde.org/pipermail/kde-announce/2019-August/000047.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14744
(* Security fix *)
Diffstat (limited to '')
-rw-r--r-- | source/kde/patch/kdelibs/kdelibs.2c3762feddf7e66cf6b64d9058f625a715694a00.patch | 112 |
1 files changed, 112 insertions, 0 deletions
diff --git a/source/kde/patch/kdelibs/kdelibs.2c3762feddf7e66cf6b64d9058f625a715694a00.patch b/source/kde/patch/kdelibs/kdelibs.2c3762feddf7e66cf6b64d9058f625a715694a00.patch new file mode 100644 index 000000000..58afcaaed --- /dev/null +++ b/source/kde/patch/kdelibs/kdelibs.2c3762feddf7e66cf6b64d9058f625a715694a00.patch @@ -0,0 +1,112 @@ +From 2c3762feddf7e66cf6b64d9058f625a715694a00 Mon Sep 17 00:00:00 2001 +From: Kai Uwe Broulik <kde@privat.broulik.de> +Date: Wed, 7 Aug 2019 09:47:46 +0200 +Subject: Security: remove support for $(...) in config keys with [$e] marker. + +It is very unclear at this point what a valid use case for this feature +would possibly be. The old documentation only mentions $(hostname) as +an example, which can be done with $HOSTNAME instead. + +Note that $(...) is still supported in Exec lines of desktop files, +this does not require [$e] anyway (and actually works better without it, +otherwise the $ signs need to be doubled to obey kconfig $e escaping rules...). + +Thanks to Fabian Vogt for testing. + +(This is a backport of KDE Frameworks 5 kconfig patch to kdelibs) + +Differential Revision: https://phabricator.kde.org/D22989 +--- + kdecore/config/kconfig.cpp | 32 +------------------------------- + kdecore/doc/README.kiosk | 12 ------------ + kdecore/tests/kconfigtest.cpp | 6 +----- + 3 files changed, 2 insertions(+), 48 deletions(-) + +diff --git a/kdecore/config/kconfig.cpp b/kdecore/config/kconfig.cpp +index 7ea26a5..b30584b 100644 +--- a/kdecore/config/kconfig.cpp ++++ b/kdecore/config/kconfig.cpp +@@ -160,37 +160,7 @@ QString KConfigPrivate::expandString(const QString& value) + int nDollarPos = aValue.indexOf( QLatin1Char('$') ); + while( nDollarPos != -1 && nDollarPos+1 < aValue.length()) { + // there is at least one $ +- if( aValue[nDollarPos+1] == QLatin1Char('(') ) { +- int nEndPos = nDollarPos+1; +- // the next character is not $ +- while ( (nEndPos <= aValue.length()) && (aValue[nEndPos]!=QLatin1Char(')')) ) +- nEndPos++; +- nEndPos++; +- QString cmd = aValue.mid( nDollarPos+2, nEndPos-nDollarPos-3 ); +- +- QString result; +- QByteArray oldpath = qgetenv( "PATH" ); +- QByteArray newpath; +- if (KGlobal::hasMainComponent()) { +- newpath = QFile::encodeName(KGlobal::dirs()->resourceDirs("exe").join(QChar::fromLatin1(KPATH_SEPARATOR))); +- if (!newpath.isEmpty() && !oldpath.isEmpty()) +- newpath += KPATH_SEPARATOR; +- } +- newpath += oldpath; +- setenv( "PATH", newpath, 1/*overwrite*/ ); +-// FIXME: wince does not have pipes +-#ifndef _WIN32_WCE +- FILE *fs = popen(QFile::encodeName(cmd).data(), "r"); +- if (fs) { +- QTextStream ts(fs, QIODevice::ReadOnly); +- result = ts.readAll().trimmed(); +- pclose(fs); +- } +-#endif +- setenv( "PATH", oldpath, 1/*overwrite*/ ); +- aValue.replace( nDollarPos, nEndPos-nDollarPos, result ); +- nDollarPos += result.length(); +- } else if( aValue[nDollarPos+1] != QLatin1Char('$') ) { ++ if( aValue[nDollarPos+1] != QLatin1Char('$') ) { + int nEndPos = nDollarPos+1; + // the next character is not $ + QString aVarName; +diff --git a/kdecore/doc/README.kiosk b/kdecore/doc/README.kiosk +index b95002d..d902c61 100644 +--- a/kdecore/doc/README.kiosk ++++ b/kdecore/doc/README.kiosk +@@ -640,18 +640,6 @@ The following syntax is also supported: + Name[$ei]=${USER} + + +-Shell Commands in KDE config files. +-=================================== +- +-Since KDE-3.1 arbitrary entries in configuration files can contain shell +-commands. This way the value of a configuration entry can be determined +-dynamically at runtime. In order to use this the entry must be marked +-with [$e]. +- +-Example: +-Host[$e]=$(hostname) +- +- + KDE Kiosk Application API + ========================== + +diff --git a/kdecore/tests/kconfigtest.cpp b/kdecore/tests/kconfigtest.cpp +index 78e6ad1..37ea3c2 100644 +--- a/kdecore/tests/kconfigtest.cpp ++++ b/kdecore/tests/kconfigtest.cpp +@@ -479,12 +479,8 @@ void KConfigTest::testPath() + QCOMPARE(group.readPathEntry("withBraces", QString()), QString("file://" + HOMEPATH) ); + QVERIFY(group.hasKey("URL")); + QCOMPARE(group.readEntry("URL", QString()), QString("file://" + HOMEPATH) ); +-#if !defined(Q_OS_WIN32) && !defined(Q_OS_MAC) +- // I don't know if this will work on windows +- // This test hangs on OS X + QVERIFY(group.hasKey("hostname")); +- QCOMPARE(group.readEntry("hostname", QString()), QHostInfo::localHostName()); +-#endif ++ QCOMPARE(group.readEntry("hostname", QString()), QString("(hostname)")); // the $ got removed because empty var name + QVERIFY(group.hasKey("noeol")); + QCOMPARE(group.readEntry("noeol", QString()), QString("foo")); + } +-- +cgit v1.1 + + |