Diffstat (limited to 'patches/source/kdelibs')
-rw-r--r-- | patches/source/kdelibs/KDE.options | 51 | ||||
-rw-r--r-- | patches/source/kdelibs/doinst.sh | 9 | ||||
-rw-r--r-- | patches/source/kdelibs/kdelibs.CVE-2017-8422.diff | 201 | ||||
-rwxr-xr-x | patches/source/kdelibs/kdelibs.SlackBuild | 105 | ||||
-rw-r--r-- | patches/source/kdelibs/kdelibs.docbook.patch | 11 | ||||
-rw-r--r-- | patches/source/kdelibs/kdelibs.khtml.CVE-2011-1168.diff | 14 | ||||
-rw-r--r-- | patches/source/kdelibs/kdesu-allow_NOPASS_in_suauth.patch | 61 | ||||
-rw-r--r-- | patches/source/kdelibs/local.options | 1 | ||||
-rw-r--r-- | patches/source/kdelibs/slack-desc | 19 |
9 files changed, 472 insertions, 0 deletions
diff --git a/patches/source/kdelibs/KDE.options b/patches/source/kdelibs/KDE.options
new file mode 100644
index 000000000..16ae672c7
--- /dev/null
+++ b/patches/source/kdelibs/KDE.options
@@ -0,0 +1,51 @@
+# Set default version/arch/build. You can override these settings
+# in the SlackBuild scripts for each package (koffice, for example,
+# usually has a different version number), or by setting your own
+# environment variables.
+
+[ -z $VERSION ] && export VERSION=4.5.5
+[ -z $BUILD ] && export BUILD=1
+
+# Automatically determine the architecture we're building on:
+if [ -z "$ARCH" ]; then
+ case "$( uname -m )" in
+ i?86) export ARCH=i486 ;;
+ arm*) export ARCH=arm ;;
+ # Unless $ARCH is already set, use uname -m for all other archs:
+ *) export ARCH=$( uname -m ) ;;
+ esac
+fi
+
+# Use this as CFLAGS and CXXFLAGS:
+if [ -z "$SLKCFLAGS" ]; then
+ if [ "$ARCH" = "i486" ]; then
+ export SLKCFLAGS="-O2 -march=i486 -mtune=i686"
+ export LIBDIRSUFFIX=""
+ elif [ "$ARCH" = "s390" ]; then
+ export SLKCFLAGS="-O2"
+ export LIBDIRSUFFIX=""
+ elif [ "$ARCH" = "x86_64" ]; then
+ export SLKCFLAGS="-O2 -fPIC"
+ export LIBDIRSUFFIX="64"
+ elif [ "$ARCH" = "arm" ]; then
+ export SLKCFLAGS="-O2 -march=armv4 -mtune=xscale"
+ export LIBDIRSUFFIX=""
+ elif [ "$ARCH" = "armel" ]; then
+ export SLKCFLAGS="-O2 -march=armv4t"
+ export LIBDIRSUFFIX=""
+ else
+ export SLKCFLAGS="-O2"
+ export LIBDIRSUFFIX=""
+ fi
+fi
+
+# Use this to set the number of parallel make jobs:
+if [ -z "$NUMJOBS" ]; then
+ export NUMJOBS="-j7"
+fi
+
+# Additional cmake flags that are spanned across the KDE modules
+# Do not use "final build" unless we build an actual release.
+#export KDE_OPT_ARGS=" -DKDE4_ENABLE_FINAL=\"ON\" -DSITE=\"slackware.com\" "
+export KDE_OPT_ARGS=" -DSITE=\"slackware.com\" "
+
diff --git a/patches/source/kdelibs/doinst.sh b/patches/source/kdelibs/doinst.sh
new file mode 100644
index 000000000..d7006c70a
--- /dev/null
+++ b/patches/source/kdelibs/doinst.sh
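Review bot: The two defaulting tests at the top, `[ -z $VERSION ]` and `[ -z $BUILD ]`, expand their variables unquoted, unlike the `[ -z "$ARCH" ]`, `[ -z "$SLKCFLAGS" ]` and `[ -z "$NUMJOBS" ]` tests further down in the same file. With an unset variable they work only because a bare `[ -z ]` happens to evaluate true, and a caller-supplied value containing whitespace or glob characters is word-split before `[` sees it. Quoting them, `[ -z "$VERSION" ] && export VERSION=4.5.5` and `[ -z "$BUILD" ] && export BUILD=1`, makes the file consistent and removes the dependence on that corner case.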
@@ -0,0 +1,9 @@
+
+if [ -x /usr/bin/update-desktop-database ]; then
+ /usr/bin/update-desktop-database /usr/share/applications >/dev/null 2>&1
+fi
+
+if [ -x usr/bin/update-mime-database ]; then
+ /usr/bin/update-mime-database /usr/share/mime >/dev/null 2>&1
+fi
+
diff --git a/patches/source/kdelibs/kdelibs.CVE-2017-8422.diff b/patches/source/kdelibs/kdelibs.CVE-2017-8422.diff
new file mode 100644
index 000000000..221dc8f98
--- /dev/null
+++ b/patches/source/kdelibs/kdelibs.CVE-2017-8422.diff
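Review bot: The second guard tests `usr/bin/update-mime-database` (relative, no leading slash) but then runs `/usr/bin/update-mime-database`, whereas the first block uses the absolute path for both the test and the command. The test and the command can therefore refer to different files depending on the directory the install script runs in, so the MIME database update may be skipped, or attempted when the absolute binary is absent. Use one path in both places, e.g. `if [ -x /usr/bin/update-mime-database ]; then`, matching the first block.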
@@ -0,0 +1,201 @@ +From 264e97625abe2e0334f97de17f6ffb52582888ab Mon Sep 17 00:00:00 2001 +From: Albert Astals Cid <aacid@kde.org> +Date: Wed, 10 May 2017 10:06:07 +0200 +Subject: Verify that whoever is calling us is actually who he says he is + +CVE-2017-8422 +--- + kdecore/auth/AuthBackend.cpp | 5 ++++ + kdecore/auth/AuthBackend.h | 7 ++++++ + kdecore/auth/backends/dbus/DBusHelperProxy.cpp | 27 ++++++++++++++++++++-- + kdecore/auth/backends/dbus/DBusHelperProxy.h | 6 ++++- + .../auth/backends/policykit/PolicyKitBackend.cpp | 5 ++++ + kdecore/auth/backends/policykit/PolicyKitBackend.h | 1 + + kdecore/auth/backends/polkit-1/Polkit1Backend.cpp | 5 ++++ + kdecore/auth/backends/polkit-1/Polkit1Backend.h | 1 + + 8 files changed, 54 insertions(+), 3 deletions(-) + +diff --git a/kdecore/auth/AuthBackend.cpp b/kdecore/auth/AuthBackend.cpp +index c953b81..0ba4650 100644 +--- a/kdecore/auth/AuthBackend.cpp ++++ b/kdecore/auth/AuthBackend.cpp +@@ -54,6 +54,11 @@ void AuthBackend::setCapabilities(AuthBackend::Capabilities capabilities) + d->capabilities = capabilities; + } + ++AuthBackend::ExtraCallerIDVerificationMethod AuthBackend::extraCallerIDVerificationMethod() const ++{ ++ return NoExtraCallerIDVerificationMethod; ++} ++ + bool AuthBackend::actionExists(const QString& action) + { + Q_UNUSED(action); +diff --git a/kdecore/auth/AuthBackend.h b/kdecore/auth/AuthBackend.h +index a86732e..6f4b1bc 100644 +--- a/kdecore/auth/AuthBackend.h ++++ b/kdecore/auth/AuthBackend.h +@@ -43,6 +43,12 @@ public: + }; + Q_DECLARE_FLAGS(Capabilities, Capability) + ++ enum ExtraCallerIDVerificationMethod { ++ NoExtraCallerIDVerificationMethod, ++ VerifyAgainstDBusServiceName, ++ VerifyAgainstDBusServicePid, ++ }; ++ + AuthBackend(); + virtual ~AuthBackend(); + virtual void setupAction(const QString &action) = 0; +@@ -50,6 +56,7 @@ public: + virtual Action::AuthStatus authorizeAction(const QString &action) = 0; + virtual Action::AuthStatus actionStatus(const QString &action) = 0; + virtual 
QByteArray callerID() const = 0; ++ virtual ExtraCallerIDVerificationMethod extraCallerIDVerificationMethod() const; + virtual bool isCallerAuthorized(const QString &action, QByteArray callerID) = 0; + virtual bool actionExists(const QString &action); + +diff --git a/kdecore/auth/backends/dbus/DBusHelperProxy.cpp b/kdecore/auth/backends/dbus/DBusHelperProxy.cpp +index 9557a0f..ca59f1c 100644 +--- a/kdecore/auth/backends/dbus/DBusHelperProxy.cpp ++++ b/kdecore/auth/backends/dbus/DBusHelperProxy.cpp +@@ -271,6 +271,29 @@ void DBusHelperProxy::performActions(QByteArray blob, const QByteArray &callerID + } + } + ++bool DBusHelperProxy::isCallerAuthorized(const QString &action, const QByteArray &callerID) ++{ ++ // Check the caller is really who it says it is ++ switch (BackendsManager::authBackend()->extraCallerIDVerificationMethod()) { ++ case AuthBackend::NoExtraCallerIDVerificationMethod: ++ break; ++ ++ case AuthBackend::VerifyAgainstDBusServiceName: ++ if (message().service().toUtf8() != callerID) { ++ return false; ++ } ++ break; ++ ++ case AuthBackend::VerifyAgainstDBusServicePid: ++ if (connection().interface()->servicePid(message().service()).value() != callerID.toUInt()) { ++ return false; ++ } ++ break; ++ } ++ ++ return BackendsManager::authBackend()->isCallerAuthorized(action, callerID); ++} ++ + QByteArray DBusHelperProxy::performAction(const QString &action, const QByteArray &callerID, QByteArray arguments) + { + if (!responder) { +@@ -295,7 +318,7 @@ QByteArray DBusHelperProxy::performAction(const QString &action, const QByteArra + QTimer *timer = responder->property("__KAuth_Helper_Shutdown_Timer").value<QTimer*>(); + timer->stop(); + +- if (BackendsManager::authBackend()->isCallerAuthorized(action, callerID)) { ++ if (isCallerAuthorized(action, callerID)) { + QString slotname = action; + if (slotname.startsWith(m_name + QLatin1Char('.'))) { + slotname = slotname.right(slotname.length() - m_name.length() - 1); +@@ -338,7 +361,7 @@ uint 
DBusHelperProxy::authorizeAction(const QString& action, const QByteArray& c + QTimer *timer = responder->property("__KAuth_Helper_Shutdown_Timer").value<QTimer*>(); + timer->stop(); + +- if (BackendsManager::authBackend()->isCallerAuthorized(action, callerID)) { ++ if (isCallerAuthorized(action, callerID)) { + retVal = static_cast<uint>(Action::Authorized); + } else { + retVal = static_cast<uint>(Action::Denied); +diff --git a/kdecore/auth/backends/dbus/DBusHelperProxy.h b/kdecore/auth/backends/dbus/DBusHelperProxy.h +index 455cf51..264f6cc 100644 +--- a/kdecore/auth/backends/dbus/DBusHelperProxy.h ++++ b/kdecore/auth/backends/dbus/DBusHelperProxy.h +@@ -21,6 +21,7 @@ + #ifndef DBUS_HELPER_PROXY_H + #define DBUS_HELPER_PROXY_H + ++#include <QDBusContext> + #include <QVariant> + #include "HelperProxy.h" + #include "kauthactionreply.h" +@@ -28,7 +29,7 @@ + namespace KAuth + { + +-class DBusHelperProxy : public HelperProxy ++class DBusHelperProxy : public HelperProxy, protected QDBusContext + { + Q_OBJECT + Q_INTERFACES(KAuth::HelperProxy) +@@ -73,6 +74,9 @@ signals: + + private slots: + void remoteSignalReceived(int type, const QString &action, QByteArray blob); ++ ++private: ++ bool isCallerAuthorized(const QString &action, const QByteArray &callerID); + }; + + } // namespace Auth +diff --git a/kdecore/auth/backends/policykit/PolicyKitBackend.cpp b/kdecore/auth/backends/policykit/PolicyKitBackend.cpp +index 3be97f2..9d041d1 100644 +--- a/kdecore/auth/backends/policykit/PolicyKitBackend.cpp ++++ b/kdecore/auth/backends/policykit/PolicyKitBackend.cpp +@@ -78,6 +78,11 @@ QByteArray PolicyKitBackend::callerID() const + return a; + } + ++AuthBackend::ExtraCallerIDVerificationMethod Polkit1Backend::extraCallerIDVerificationMethod() const ++{ ++ return VerifyAgainstDBusServicePid; ++} ++ + bool PolicyKitBackend::isCallerAuthorized(const QString &action, QByteArray callerID) + { + QDataStream s(&callerID, QIODevice::ReadOnly); +diff --git 
a/kdecore/auth/backends/policykit/PolicyKitBackend.h b/kdecore/auth/backends/policykit/PolicyKitBackend.h +index 7154e93..0d3d8f9 100644 +--- a/kdecore/auth/backends/policykit/PolicyKitBackend.h ++++ b/kdecore/auth/backends/policykit/PolicyKitBackend.h +@@ -40,6 +40,7 @@ public: + virtual Action::AuthStatus authorizeAction(const QString&); + virtual Action::AuthStatus actionStatus(const QString&); + virtual QByteArray callerID() const; ++ virtual ExtraCallerIDVerificationMethod extraCallerIDVerificationMethod() const; + virtual bool isCallerAuthorized(const QString &action, QByteArray callerID); + + private Q_SLOTS: +diff --git a/kdecore/auth/backends/polkit-1/Polkit1Backend.cpp b/kdecore/auth/backends/polkit-1/Polkit1Backend.cpp +index 732d2cb..63c0e1e 100644 +--- a/kdecore/auth/backends/polkit-1/Polkit1Backend.cpp ++++ b/kdecore/auth/backends/polkit-1/Polkit1Backend.cpp +@@ -163,6 +163,11 @@ QByteArray Polkit1Backend::callerID() const + return QDBusConnection::systemBus().baseService().toUtf8(); + } + ++AuthBackend::ExtraCallerIDVerificationMethod Polkit1Backend::extraCallerIDVerificationMethod() const ++{ ++ return VerifyAgainstDBusServiceName; ++} ++ + bool Polkit1Backend::isCallerAuthorized(const QString &action, QByteArray callerID) + { + PolkitQt1::SystemBusNameSubject subject(QString::fromUtf8(callerID)); +diff --git a/kdecore/auth/backends/polkit-1/Polkit1Backend.h b/kdecore/auth/backends/polkit-1/Polkit1Backend.h +index 18ed1a2..d579da2 100644 +--- a/kdecore/auth/backends/polkit-1/Polkit1Backend.h ++++ b/kdecore/auth/backends/polkit-1/Polkit1Backend.h +@@ -48,6 +48,7 @@ public: + virtual Action::AuthStatus authorizeAction(const QString&); + virtual Action::AuthStatus actionStatus(const QString&); + virtual QByteArray callerID() const; ++ virtual ExtraCallerIDVerificationMethod extraCallerIDVerificationMethod() const; + virtual bool isCallerAuthorized(const QString &action, QByteArray callerID); + virtual bool actionExists(const QString& action); + +-- 
+cgit v0.11.2 + + diff --git a/patches/source/kdelibs/kdelibs.SlackBuild b/patches/source/kdelibs/kdelibs.SlackBuild new file mode 100755 index 000000000..06a222dfe --- /dev/null +++ b/patches/source/kdelibs/kdelibs.SlackBuild 
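Review bot: In the `policykit/PolicyKitBackend.cpp` section the new definition is written as `AuthBackend::ExtraCallerIDVerificationMethod Polkit1Backend::extraCallerIDVerificationMethod() const`, but that file implements `PolicyKitBackend` and it is `PolicyKitBackend.h` that gains the declaration; the qualifier looks copy-pasted from the polkit-1 backend and should read `PolicyKitBackend::extraCallerIDVerificationMethod() const`. As written, the backend that is meant to return `VerifyAgainstDBusServicePid` has no definition for its declared override, so a build that enables the PolicyKit backend would presumably fail instead of shipping the check. Separately, in `DBusHelperProxy::isCallerAuthorized` the `VerifyAgainstDBusServicePid` case compares `servicePid(message().service()).value()` with `callerID.toUInt()` without checking that the D-Bus reply is valid or that the conversion succeeded; if both sides fall back to 0 the comparison passes, so an invalid reply and a failed parse (`toUInt(&ok)`) should each return false explicitly. The `switch` also has no `default:` branch that denies, so an enum value added later would skip verification silently.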
@@ -0,0 +1,105 @@
+#!/bin/sh
+
+# Copyright 2009, 2010 Patrick J. Volkerding, Sebeka, MN, USA
+# All rights reserved.
+#
+# Redistribution and use of this script, with or without modification, is
+# permitted provided that the following conditions are met:
+#
+# 1. Redistributions of this script must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
+# EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
+# OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+
+CWD=$(pwd)
+TMP=${TMP:-/tmp}
+PKG=$TMP/package-kdelibs
+
+# Set the config option variables if they are not already set:
+if [ -r ./KDE.options ]; then
+ . ./KDE.options
+fi
+
+# The global options may be overridden here (if needed):
+if [ -r ./local.options ]; then
+ . ./local.options
+fi
+
+# Avoid a version number in .la files:
+if [ -d /usr/lib${LIBDIRSUFFIX}/qt ]; then
+ QTDIR=/usr/lib${LIBDIRSUFFIX}/qt
+fi
+
+rm -rf $PKG
+mkdir -p $PKG/usr
+cd $TMP
+echo "Building kdelibs-$VERSION..."
+tar xvf $CWD/kdelibs-$VERSION.tar.?z* || exit 1
+cd kdelibs-$VERSION
+
+# Slackware ships a different version of XML DTDs:
+zcat $CWD/kdelibs.docbook.patch.gz | patch -p1 --verbose || exit 1
+
+# Security fix:
+zcat $CWD/kdelibs.khtml.CVE-2011-1168.diff.gz | patch -p1 --verbose || exit 1
+
+# KAuth security issue:
+zcat $CWD/kdelibs.CVE-2017-8422.diff.gz | patch -p1 --verbose || exit 1
+
+chown -R root:root .
+find . \
+ \( -perm 777 -o -perm 775 -o -perm 711 -o -perm 555 -o -perm 511 \) \
+ -exec chmod 755 {} \; -o \
+ \( -perm 666 -o -perm 664 -o -perm 600 -o -perm 444 -o -perm 440 -o -perm 400 \) \
+ -exec chmod 644 {} \;
+
+mkdir -p build
+cd build
+ cmake \
+ $KDE_OPT_ARGS \
+ -DCMAKE_C_FLAGS:STRING="$SLKCFLAGS" \
+ -DCMAKE_CXX_FLAGS:STRING="$SLKCFLAGS" \
+ -DCMAKE_BUILD_TYPE=Release \
+ -DCMAKE_INSTALL_PREFIX=/usr \
+ -DMAN_INSTALL_DIR=/usr/man \
+ -DSYSCONF_INSTALL_DIR=/etc/kde \
+ -DLIB_SUFFIX=${LIBDIRSUFFIX} \
+ -DKDE_DISTRIBUTION_TEXT="volkerdi@slackware.com" \
+ ..
+ make $NUMJOBS || make || exit 1
+ make install DESTDIR=$PKG || exit 1
+cd -
+
+# Move the polkit dbus configuration files to the proper place:
+mv $PKG/etc/kde/dbus-1 $PKG/etc/
+
+if [ -d $PKG/usr/man ]; then
+ gzip -9 $PKG/usr/man/man?/*
+fi
+
+mkdir -p $PKG/usr/doc/kdelibs-$VERSION
+cp -a AUTHORS COPYING* DEBUG INSTALL README TODO \
+ $PKG/usr/doc/kdelibs-$VERSION
+
+( cd $PKG
+ find . | xargs file | grep "executable" | grep ELF | cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null || true
+ find . | xargs file | grep "shared object" | grep ELF | cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null
+)
+
+mkdir -p $PKG/install
+cat $CWD/slack-desc > $PKG/install/slack-desc
+zcat $CWD/doinst.sh.gz > $PKG/install/doinst.sh
+
+cd $PKG
+/sbin/makepkg -l y -c n $TMP/kdelibs-$VERSION-$ARCH-$BUILD.txz
+
diff --git a/patches/source/kdelibs/kdelibs.docbook.patch b/patches/source/kdelibs/kdelibs.docbook.patch
new file mode 100644
index 000000000..6a20cd279
--- /dev/null
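Review bot: `cd kdelibs-$VERSION` has no `|| exit 1`, yet the commands that follow it are `chown -R root:root .` and a recursive `find . ... -exec chmod`; if the tarball unpacks under a different directory name, those run against `$TMP` itself, which defaults to `/tmp`. The neighbouring `tar` and `patch` steps are already guarded, so `cd kdelibs-$VERSION || exit 1` fits the script, and the same guard belongs on `cd build` and on the final `cd $PKG` before `/sbin/makepkg`. `$PKG` and `$TMP` are also expanded unquoted in `rm -rf $PKG`, so a `TMP` value containing whitespace would be split into several arguments; `rm -rf "$PKG"` avoids that. The three patches are piped from `zcat` into `patch` with no checksum or signature check visible in this script; if verification happens elsewhere in the build tree, a comment saying where would help.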
+++ b/patches/source/kdelibs/kdelibs.docbook.patch
@@ -0,0 +1,11 @@
+--- kdelibs-4.4.85/cmake/modules/FindDocBookXML.cmake.orig 2010-05-27 19:25:00.000000000 +0200
++++ kdelibs-4.4.85/cmake/modules/FindDocBookXML.cmake 2010-06-07 16:18:35.000000000 +0200
+@@ -12,7 +12,7 @@
+ # Redistribution and use is allowed according to the terms of the BSD license.
+ # For details see the accompanying COPYING-CMAKE-SCRIPTS file.
+
+-set (DOCBOOKXML_CURRENTDTD_VERSION "4.2"
++set (DOCBOOKXML_CURRENTDTD_VERSION "4.5"
+ CACHE INTERNAL "Required version of XML DTDs")
+
+ set (DTD_PATH_LIST
diff --git a/patches/source/kdelibs/kdelibs.khtml.CVE-2011-1168.diff b/patches/source/kdelibs/kdelibs.khtml.CVE-2011-1168.diff
new file mode 100644
index 000000000..356f30a61
--- /dev/null
+++ b/patches/source/kdelibs/kdelibs.khtml.CVE-2011-1168.diff
@@ -0,0 +1,14 @@
+--- a/khtml/khtml_part.cpp
++++ b/khtml/khtml_part.cpp
+@@ -1803,7 +1803,10 @@ void KHTMLPart::htmlError( int errorCode
+ stream >> errorName >> techName >> description >> causes >> solutions;
+
+ QString url, protocol, datetime;
+- url = Qt::escape( reqUrl.prettyUrl() );
++
++ // This is somewhat confusing, but we have to escape the externally-
++ // controlled URL twice: once for i18n, and once for HTML.
++ url = Qt::escape( Qt::escape( reqUrl.prettyUrl() ) );
+ protocol = reqUrl.protocol();
+ datetime = KGlobal::locale()->formatDateTime( QDateTime::currentDateTime(),
+ KLocale::LongDate );
diff --git a/patches/source/kdelibs/kdesu-allow_NOPASS_in_suauth.patch b/patches/source/kdelibs/kdesu-allow_NOPASS_in_suauth.patch
new file mode 100644
index 000000000..64b4d5af2
--- /dev/null
+++ b/patches/source/kdelibs/kdesu-allow_NOPASS_in_suauth.patch
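Review bot: Only `url` receives the double `Qt::escape` in the khtml patch, while `protocol = reqUrl.protocol();` two lines below is taken from the same externally controlled URL and is assigned unescaped within the hunk. `KHTMLPart::htmlError` continues past the hunk, so whether `protocol` is escaped before it is substituted into the error page cannot be seen here; if it is not, it needs the same treatment as `url`. The added comment would also be more useful if it named the two consumers, i.e. which call performs the i18n substitution and where the result is inserted as HTML, so the second escape is not removed later as an apparent duplicate.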
@@ -0,0 +1,61 @@
+diff -Naur kdesu/stub.cpp kdesu.new/stub.cpp
+--- kdesu/stub.cpp 2008-05-21 08:08:55.000000000 -0300
++++ kdesu.new/stub.cpp 2009-10-13 01:32:10.000000000 -0300
+@@ -105,6 +105,7 @@
+ int StubProcess::ConverseStub(int check)
+ {
+ QByteArray line, tmp;
++
+ while (1)
+ {
+ line = readLine();
+@@ -117,7 +118,17 @@
+ enableLocalEcho(false);
+ if (check) writeLine("stop");
+ else writeLine("ok");
+- } else if (line == "display") {
++ break;
++ }
++ }
++
++ while (1)
++ {
++ line = readLine();
++ if (line.isNull())
++ return -1;
++
++ if (line == "display") {
+ writeLine(display());
+ } else if (line == "display_auth") {
+ #ifdef Q_WS_X11
+diff -Naur kdesu/su.cpp kdesu.new/su.cpp
+--- kdesu/su.cpp 2008-05-21 08:08:55.000000000 -0300
++++ kdesu.new/su.cpp 2009-10-19 00:21:31.000000000 -0200
+@@ -258,13 +258,6 @@
+ //////////////////////////////////////////////////////////////////////////
+ case WaitForPrompt:
+ {
+- // In case no password is needed.
+- if (line == "kdesu_stub")
+- {
+- unreadLine(line);
+- return ok;
+- }
+-
+ while(waitMS(fd(),100)>0)
+ {
+ // There is more output available, so the previous line
+@@ -279,6 +272,13 @@
+ kDebug(900) << k_lineinfo << "Read line <" << more << ">";
+ }
+
++ // In case no password is needed.
++ if (line == "kdesu_stub")
++ {
++ unreadLine(line);
++ return ok;
++ }
++
+ // Match "Password: " with the regex ^[^:]+:[\w]*$.
+ const uint len = line.length();
+ for (i=0,j=0,colon=0; i<len; i++)
diff --git a/patches/source/kdelibs/local.options b/patches/source/kdelibs/local.options
new file mode 100644
index 000000000..b4b0045ba
--- /dev/null
+++ b/patches/source/kdelibs/local.options
@@ -0,0 +1 @@
+BUILD=3_slack13.37
diff --git a/patches/source/kdelibs/slack-desc b/patches/source/kdelibs/slack-desc
new file mode 100644
index 000000000..a89ea3c8a
--- /dev/null
+++ b/patches/source/kdelibs/slack-desc
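Review bot: After this patch the first `while (1)` in `StubProcess::ConverseStub` is left via `break` only once `line == "kdesu_stub"` has been read, and the `display`/`display_auth` handling moves into a second loop, but nothing documents what happens to other lines read before the marker. The lines between the two stub.cpp hunks are not shown, so this is inferred: if non-matching lines are simply dropped there, a comment above the first loop such as `// Discard any su output until the stub announces itself` would make that intent explicit. In su.cpp the `kdesu_stub` no-password test now runs after the `waitMS` drain loop, whose body is mostly outside the hunk, so it applies to whatever `line` holds once the drain finishes; a comment stating that the marker is expected to be the last line of pending output would record why the check was moved.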
@@ -0,0 +1,19 @@
+# HOW TO EDIT THIS FILE:
+# The "handy ruler" below makes it easier to edit a package description. Line
+# up the first '|' above the ':' following the base package name, and the '|' on
+# the right side marks the last column you can put a character in. You must make
+# exactly 11 lines for the formatting to be correct. It's also customary to
+# leave one space after the ':'.
+
+ |-----handy-ruler------------------------------------------------------|
+kdelibs: kdelibs (KDE libraries)
+kdelibs:
+kdelibs: System libraries and other resources required for the KDE Platform.
+kdelibs:
+kdelibs:
+kdelibs:
+kdelibs:
+kdelibs:
+kdelibs:
+kdelibs:
+kdelibs: |