Secuirty Update:

Ark input sanitization errors: The KDE archiving tool, Ark, performs insufficient validation which leads to specially crafted archive files, using unknown MIME types, to be rendered using a KHTML instance, this can trigger uncontrolled XMLHTTPRequests to remote sites. IO Slaves input sanitization errors: KDE protocol handlers perform insufficient input validation, an attacker can craft malicious URI that would trigger JavaScript execution. Additionally the 'help://' protocol handler suffer from directory traversal. It should be noted that the scope of this issue is limited as the malicious URIs cannot be embedded in Internet hosted content. KMail input sanitization errors: The KDE mail client, KMail, performs insufficient validation which leads to specially crafted email attachments, using unknown MIME types, to be rendered using a KHTML instance, this can trigger uncontrolled XMLHTTPRequests to remote sites. Submitted by: Eygene Ryabinkin <rea-fbsd@codelabs.ru> (based on) Approved by: secteam (myself), portmgr Security: http://www.vuxml.org/freebsd/6f358f5a-c7ea-11de-a9f3-0030843d3802.html
svn path=/head/; revision=243694
2024-12-28 05:29:48 +00:00 · 2009-11-03 09:45:47 +00:00 · 2009-11-03 09:45:47 +00:00 · 5cc7f243b6 · 2021-03-31 03:12:20 +00:00
commit 5cc7f243b6
parent cf9f01aab4
6 changed files with 152 additions and 3 deletions
--- a/x11/kde4-runtime/Makefile
+++ b/x11/kde4-runtime/Makefile
@ -8,7 +8,7 @@

 PORTNAME=	kdebase-runtime
 PORTVERSION=	${KDE4_VERSION}
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	x11 kde
 MASTER_SITES=	${MASTER_SITE_KDE}
 MASTER_SITE_SUBDIR=	${KDE4_BRANCH}/${PORTVERSION}/src
--- a/x11/kde4-runtime/files/patch-ocert-2009-015-kioslave
+++ b/x11/kde4-runtime/files/patch-ocert-2009-015-kioslave
@ -0,0 +1,16 @@
+--- ./kioslave/info/info.cc	2009/10/02 15:51:26	1030578
+++ ./kioslave/info/info.cc	2009/10/02 15:53:30	1030579
+@@ -89,6 +89,13 @@
+         return;
+     }
+ 
+    // '<' in the path looks suspicious, someone is trying info:/dir/<script>alert('xss')</script>
+    if (url.path().contains('<'))
+    {
+        error(KIO::ERR_DOES_NOT_EXIST, url.url());
+        return;
+    }
+
+     mimeType("text/html");
+     // extract the path and node from url
+     decodeURL( url );
--- a/x11/kdebase4-runtime/Makefile
+++ b/x11/kdebase4-runtime/Makefile
@ -8,7 +8,7 @@

 PORTNAME=	kdebase-runtime
 PORTVERSION=	${KDE4_VERSION}
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	x11 kde
 MASTER_SITES=	${MASTER_SITE_KDE}
 MASTER_SITE_SUBDIR=	${KDE4_BRANCH}/${PORTVERSION}/src
--- a/x11/kdebase4-runtime/files/patch-ocert-2009-015-kioslave
+++ b/x11/kdebase4-runtime/files/patch-ocert-2009-015-kioslave
@ -0,0 +1,16 @@
+--- ./kioslave/info/info.cc	2009/10/02 15:51:26	1030578
+++ ./kioslave/info/info.cc	2009/10/02 15:53:30	1030579
+@@ -89,6 +89,13 @@
+         return;
+     }
+ 
+    // '<' in the path looks suspicious, someone is trying info:/dir/<script>alert('xss')</script>
+    if (url.path().contains('<'))
+    {
+        error(KIO::ERR_DOES_NOT_EXIST, url.url());
+        return;
+    }
+
+     mimeType("text/html");
+     // extract the path and node from url
+     decodeURL( url );
--- a/x11/kdelibs4/Makefile
+++ b/x11/kdelibs4/Makefile
@ -8,7 +8,7 @@

 PORTNAME=	kdelibs
 PORTVERSION=	${KDE4_VERSION}
-PORTREVISION=	4
+PORTREVISION=	5
 CATEGORIES=	x11 kde ipv6
 MASTER_SITES=	${MASTER_SITE_KDE}
 MASTER_SITE_SUBDIR=	${KDE4_BRANCH}/${PORTVERSION}/src
--- a/x11/kdelibs4/files/patch-ocert-2009-015-khtml
+++ b/x11/kdelibs4/files/patch-ocert-2009-015-khtml
@ -0,0 +1,117 @@
+--- ./khtml/ecma/xmlhttprequest.cpp	2009/10/15 10:13:41	1035538
+++ ./khtml/ecma/xmlhttprequest.cpp	2009/10/15 10:14:38	1035539
+@@ -49,7 +49,7 @@
+ 
+ using namespace KJS;
+ using namespace DOM;
+-// 
+//
+ ////////////////////// XMLHttpRequest Object ////////////////////////
+ 
+ /* Source for XMLHttpRequestProtoTable.
+@@ -269,7 +269,7 @@
+ static bool canSetRequestHeader(const QString& name)
+ {
+     static QSet<CaseInsensitiveString> forbiddenHeaders;
+-    
+
+     if (forbiddenHeaders.isEmpty()) {
+ 	static const char* hdrs[] = {
+ 	    "accept-charset",
+@@ -298,12 +298,12 @@
+ 	    "transfer-encoding",
+ 	    "unlock",
+ 	    "upgrade",
+-	    "via" 
+	    "via"
+ 	};
+ 	for (size_t i = 0; i < sizeof(hdrs)/sizeof(char*); ++i)
+ 	    forbiddenHeaders.insert(CaseInsensitiveString(hdrs[i]));
+     }
+-    
+
+     return !forbiddenHeaders.contains(name);
+ }
+ 
+@@ -326,9 +326,9 @@
+ 
+ XMLHttpRequest::~XMLHttpRequest()
+ {
+-  if (onLoadListener) 
+  if (onLoadListener)
+       onLoadListener->deref();
+-  if (onReadyStateChangeListener) 
+  if (onReadyStateChangeListener)
+       onReadyStateChangeListener->deref();
+   delete qObject;
+   qObject = 0;
+@@ -412,17 +412,18 @@
+       return;
+   }
+ 
+-  if (method == "post") {
+-    QString protocol = url.protocol().toLower();
+  const QString protocol = url.protocol().toLower();
+  // Abandon the request when the protocol is other than "http",
+  // instead of blindly doing a KIO::get on other protocols like file:/.
+  if (!protocol.startsWith(QLatin1String("http")) &&
+      !protocol.startsWith(QLatin1String("webdav")))
+  {
+    ec = DOMException::INVALID_ACCESS_ERR;
+    abort();
+    return;
+  }
+ 
+-    // Abondon the request when the protocol is other than "http",
+-    // instead of blindly changing it to a "get" request.
+-    if (!protocol.startsWith(QLatin1String("http")) &&
+-        !protocol.startsWith(QLatin1String("webdav")))
+-    {
+-      abort();
+-      return;
+-    }
+  if (method == "post") {
+ 
+     // FIXME: determine post encoding correctly by looking in headers
+     // for charset.
+@@ -580,7 +581,7 @@
+       ec = DOMException::INVALID_STATE_ERR;
+       return jsString("");
+   }
+-  
+
+   // ### test error flag, return jsNull
+ 
+   if (responseHeaders.isEmpty()) {
+@@ -809,7 +810,7 @@
+       setDOMException(exec, ec);
+       return ret;
+     }
+-  case XMLHttpRequest::GetResponseHeader: 
+  case XMLHttpRequest::GetResponseHeader:
+     {
+       if (args.size() < 1)
+           return throwError(exec, SyntaxError, "Not enough arguments");
+@@ -852,11 +853,11 @@
+         DOM::NodeImpl* docNode = toNode(args[0]);
+         if (docNode && docNode->isDocumentNode()) {
+           DOM::DocumentImpl *doc = static_cast<DOM::DocumentImpl *>(docNode);
+-          
+
+           try {
+             body = doc->toString().string();
+             // FIXME: also need to set content type, including encoding!
+-  
+
+           } catch(DOM::DOMException&) {
+             return throwError(exec, GeneralError, "Exception serializing document");
+           }
+@@ -866,7 +867,7 @@
+       }
+ 
+       request->send(body, ec);
+-      setDOMException(exec, ec);  
+      setDOMException(exec, ec);
+       return jsUndefined();
+     }
+   case XMLHttpRequest::SetRequestHeader: