Thu Aug 8 05:25:56 UTC 201920190808052556

kde/kdelibs-4.14.38-x86_64-4.txz: Rebuilt. kconfig: malicious .desktop files (and others) would execute code. For more information, see: https://mail.kde.org/pipermail/kde-announce/2019-August/000047.html https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14744 (* Security fix *)
author: Patrick J Volkerding <volkerdi@slackware.com> 2019-08-08 05:25:56 +0000
committer: Eric Hameleers <alien@slackware.com> 2019-08-08 17:59:45 +0200
commit: 850107940f28c76e783f86fa9f6a9643e4b49ad1 (patch)
tree: db4ab552f75e57c501d08b6ec52b7b074260ad48 /source/kde
parent: 527faada86a6c302b1f9e72da1cb87b70d83141c (diff)
download: current-850107940f28c76e783f86fa9f6a9643e4b49ad1.tar.gz
current-850107940f28c76e783f86fa9f6a9643e4b49ad1.tar.xz
3 files changed, 116 insertions, 1 deletions
diff --git a/source/kde/build/kdelibs b/source/kde/build/kdelibs
index 00750edc0..b8626c4cf 100644
--- a/source/kde/build/kdelibs
+++ b/source/kde/build/kdelibs
@@ -1 +1 @@
-3
+4
diff --git a/source/kde/patch/kdelibs.patch b/source/kde/patch/kdelibs.patch
index 7dea979f3..00b4ebc80 100644
--- a/source/kde/patch/kdelibs.patch
+++ b/source/kde/patch/kdelibs.patch
@@ -15,3 +15,6 @@ zcat $CWD/patch/kdelibs/return-application-icons-properly.patch.gz | patch -R -p
 # Support OpenSSL-1.1.x:
 zcat $CWD/patch/kdelibs/kdelibs-openssl-1.1.patch.gz | patch -p1 --verbose || { touch ${SLACK_KDE_BUILD_DIR}/${PKGNAME}.failed ; continue ; }
 
+# Security: remove support for $(...) in config keys with [$e] marker. (CVE-2019-14744)
+zcat $CWD/patch/kdelibs/kdelibs.2c3762feddf7e66cf6b64d9058f625a715694a00.patch.gz | patch -p1 --verbose || { touch ${SLACK_KDE_BUILD_DIR}/${PKGNAME}.failed ; continue ; }
+
diff --git a/source/kde/patch/kdelibs/kdelibs.2c3762feddf7e66cf6b64d9058f625a715694a00.patch b/source/kde/patch/kdelibs/kdelibs.2c3762feddf7e66cf6b64d9058f625a715694a00.patch
new file mode 100644
index 000000000..58afcaaed
--- /dev/null
+++ b/source/kde/patch/kdelibs/kdelibs.2c3762feddf7e66cf6b64d9058f625a715694a00.patch
@@ -0,0 +1,112 @@
+From 2c3762feddf7e66cf6b64d9058f625a715694a00 Mon Sep 17 00:00:00 2001
+From: Kai Uwe Broulik <kde@privat.broulik.de>
+Date: Wed, 7 Aug 2019 09:47:46 +0200
+Subject: Security: remove support for $(...) in config keys with [$e] marker.
+
+It is very unclear at this point what a valid use case for this feature
+would possibly be. The old documentation only mentions $(hostname) as
+an example, which can be done with $HOSTNAME instead.
+
+Note that $(...) is still supported in Exec lines of desktop files,
+this does not require [$e] anyway (and actually works better without it,
+otherwise the $ signs need to be doubled to obey kconfig $e escaping rules...).
+
+Thanks to Fabian Vogt for testing.
+
+(This is a backport of KDE Frameworks 5 kconfig patch to kdelibs)
+
+Differential Revision: https://phabricator.kde.org/D22989
+---
+ kdecore/config/kconfig.cpp    | 32 +-------------------------------
+ kdecore/doc/README.kiosk      | 12 ------------
+ kdecore/tests/kconfigtest.cpp |  6 +-----
+ 3 files changed, 2 insertions(+), 48 deletions(-)
+
+diff --git a/kdecore/config/kconfig.cpp b/kdecore/config/kconfig.cpp
+index 7ea26a5..b30584b 100644
+--- a/kdecore/config/kconfig.cpp
++++ b/kdecore/config/kconfig.cpp
+@@ -160,37 +160,7 @@ QString KConfigPrivate::expandString(const QString& value)
+     int nDollarPos = aValue.indexOf( QLatin1Char('$') );
+     while( nDollarPos != -1 && nDollarPos+1 < aValue.length()) {
+         // there is at least one $
+-        if( aValue[nDollarPos+1] == QLatin1Char('(') ) {
+-            int nEndPos = nDollarPos+1;
+-            // the next character is not $
+-            while ( (nEndPos <= aValue.length()) && (aValue[nEndPos]!=QLatin1Char(')')) )
+-                nEndPos++;
+-            nEndPos++;
+-            QString cmd = aValue.mid( nDollarPos+2, nEndPos-nDollarPos-3 );
+-
+-            QString result;
+-            QByteArray oldpath = qgetenv( "PATH" );
+-            QByteArray newpath;
+-            if (KGlobal::hasMainComponent()) {
+-                newpath = QFile::encodeName(KGlobal::dirs()->resourceDirs("exe").join(QChar::fromLatin1(KPATH_SEPARATOR)));
+-                if (!newpath.isEmpty() && !oldpath.isEmpty())
+-                    newpath += KPATH_SEPARATOR;
+-            }
+-            newpath += oldpath;
+-            setenv( "PATH", newpath, 1/*overwrite*/ );
+-// FIXME: wince does not have pipes
+-#ifndef _WIN32_WCE
+-            FILE *fs = popen(QFile::encodeName(cmd).data(), "r");
+-            if (fs) {
+-                QTextStream ts(fs, QIODevice::ReadOnly);
+-                result = ts.readAll().trimmed();
+-                pclose(fs);
+-            }
+-#endif
+-            setenv( "PATH", oldpath, 1/*overwrite*/ );
+-            aValue.replace( nDollarPos, nEndPos-nDollarPos, result );
+-            nDollarPos += result.length();
+-        } else if( aValue[nDollarPos+1] != QLatin1Char('$') ) {
++        if( aValue[nDollarPos+1] != QLatin1Char('$') ) {
+             int nEndPos = nDollarPos+1;
+             // the next character is not $
+             QString aVarName;
+diff --git a/kdecore/doc/README.kiosk b/kdecore/doc/README.kiosk
+index b95002d..d902c61 100644
+--- a/kdecore/doc/README.kiosk
++++ b/kdecore/doc/README.kiosk
+@@ -640,18 +640,6 @@ The following syntax is also supported:
+ Name[$ei]=${USER}
+ 
+ 
+-Shell Commands in KDE config files.
+-===================================
+-
+-Since KDE-3.1 arbitrary entries in configuration files can contain shell 
+-commands. This way the value of a configuration entry can be determined
+-dynamically at runtime. In order to use this the entry must be marked 
+-with [$e]. 
+-
+-Example:
+-Host[$e]=$(hostname)
+-
+-
+ KDE Kiosk Application API
+ ==========================
+ 
+diff --git a/kdecore/tests/kconfigtest.cpp b/kdecore/tests/kconfigtest.cpp
+index 78e6ad1..37ea3c2 100644
+--- a/kdecore/tests/kconfigtest.cpp
++++ b/kdecore/tests/kconfigtest.cpp
+@@ -479,12 +479,8 @@ void KConfigTest::testPath()
+   QCOMPARE(group.readPathEntry("withBraces", QString()), QString("file://" + HOMEPATH) );
+   QVERIFY(group.hasKey("URL"));
+   QCOMPARE(group.readEntry("URL", QString()), QString("file://" + HOMEPATH) );
+-#if !defined(Q_OS_WIN32) && !defined(Q_OS_MAC)
+-  // I don't know if this will work on windows
+-  // This test hangs on OS X
+   QVERIFY(group.hasKey("hostname"));
+-  QCOMPARE(group.readEntry("hostname", QString()), QHostInfo::localHostName());
+-#endif
++  QCOMPARE(group.readEntry("hostname", QString()), QString("(hostname)")); // the $ got removed because empty var name
+   QVERIFY(group.hasKey("noeol"));
+   QCOMPARE(group.readEntry("noeol", QString()), QString("foo"));
+ }
+-- 
+cgit v1.1
+
+
author	Patrick J Volkerding <volkerdi@slackware.com>	2019-08-08 05:25:56 +0000
committer	Eric Hameleers <alien@slackware.com>	2019-08-08 17:59:45 +0200
commit	850107940f28c76e783f86fa9f6a9643e4b49ad1 (patch)
tree	db4ab552f75e57c501d08b6ec52b7b074260ad48 /source/kde
parent	527faada86a6c302b1f9e72da1cb87b70d83141c (diff)
download	current-850107940f28c76e783f86fa9f6a9643e4b49ad1.tar.gz current-850107940f28c76e783f86fa9f6a9643e4b49ad1.tar.xz