[arch-commits] Commit in kdeutils/trunk (CVE-2011-2725.patch PKGBUILD)
Andrea Scarpino
andrea at archlinux.org
Thu Oct 20 07:25:16 UTC 2011
Date: Thursday, October 20, 2011 @ 03:25:16
Author: andrea
Revision: 140970
upgpkg: kdeutils 4.7.2-2
Apply the fix for CVE-2011-2725; fix the build when python3 is installed
Added:
kdeutils/trunk/CVE-2011-2725.patch
Modified:
kdeutils/trunk/PKGBUILD
---------------------+
CVE-2011-2725.patch | 20 ++++++++++++++++++++
PKGBUILD | 27 +++++++++++++++++++--------
2 files changed, 39 insertions(+), 8 deletions(-)
Added: CVE-2011-2725.patch
===================================================================
--- CVE-2011-2725.patch (rev 0)
+++ CVE-2011-2725.patch 2011-10-20 07:25:16 UTC (rev 140970)
@@ -0,0 +1,20 @@
+--- a/part/part.cpp
++++ b/part/part.cpp
+@@ -558,8 +558,15 @@ void Part::slotPreviewExtracted(KJob *jo
+ if (!job->error()) {
+ const ArchiveEntry& entry =
+ m_model->entryForIndex(m_view->selectionModel()->currentIndex());
+- const QString fullName =
+- m_previewDir->name() + QLatin1Char( '/' ) + entry[ FileName ].toString();
++
++ QString fullName =
++ m_previewDir->name() + QLatin1Char('/') + entry[FileName].toString();
++
++ // Make sure a maliciously crafted archive with parent folders named ".." do
++ // not cause the previewed file path to be located outside the temporary
++ // directory, resulting in a directory traversal issue.
++ fullName.remove(QLatin1String("../"));
++
+ ArkViewer::view(fullName, widget());
+ } else {
+ KMessageBox::error(widget(), job->errorString());
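Review bot: The added `fullName.remove(QLatin1String("../"))` before `ArkViewer::view` is a single-pass substring strip rather than a containment check: QString::remove deletes each match once without rescanning the result, so the string it returns is not guaranteed to be free of parent-directory components, and nothing afterwards verifies that the path still lies under `m_previewDir`. A more robust guard normalizes the joined path with `QDir::cleanPath` and refuses to view it unless it starts with the normalized preview directory plus `/`; `QFileInfo::canonicalFilePath` would additionally resolve symlinks if the extraction step preserves them, which is not visible here. A sketch follows; it needs `QDir` in scope, and since this hunk is the body of the added CVE-2011-2725.patch file the change belongs in that patch. The enclosing `slotPreviewExtracted` starts and ends outside the hunk, so whether an early return skips cleanup that runs later in the function has to be checked there.
```cpp
            // … unchanged: entry lookup …
            const QString dir = QDir::cleanPath(m_previewDir->name());
            const QString fullName =
                QDir::cleanPath(dir + QLatin1Char('/') + entry[FileName].toString());

            // Reject any entry whose normalized path leaves the preview directory,
            // instead of trying to strip traversal sequences out of the string.
            if (!fullName.startsWith(dir + QLatin1Char('/'))) {
                // report the rejected entry here (message text left to the author)
                return;
            }
            ArkViewer::view(fullName, widget());
```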
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2011-10-20 06:58:10 UTC (rev 140969)
+++ PKGBUILD 2011-10-20 07:25:16 UTC (rev 140970)
@@ -17,7 +17,7 @@
'kdeutils-superkaramba'
'kdeutils-sweeper')
pkgver=4.7.2
-pkgrel=1
+pkgrel=2
arch=('i686' 'x86_64')
url='http://www.kde.org'
license=('GPL' 'LGPL' 'FDL')
@@ -25,17 +25,31 @@
makedepends=('pkgconfig' 'cmake' 'automoc4' 'kdebase-lib' 'kdebase-workspace'
'kdebindings-python' 'system-config-printer-common' 'libarchive' 'qimageblitz'
'qjson')
-source=("http://download.kde.org/stable/${pkgver}/src/${pkgbase}-${pkgver}.tar.bz2")
-sha1sums=('52ce9b6b5f2c20475f46b6f7378ca4c530df37b4')
+source=("http://download.kde.org/stable/${pkgver}/src/${pkgbase}-${pkgver}.tar.bz2"
+ 'CVE-2011-2725.patch')
+sha1sums=('52ce9b6b5f2c20475f46b6f7378ca4c530df37b4'
+ 'bc7428edb6851b4f3dc772bc88ace576379e93f2')
build() {
- cd ${srcdir}
+ cd "${srcdir}"/${pkgbase}-${pkgver}/ark
+ patch -p1 -i "${srcdir}"/CVE-2011-2725.patch
+
+ # Use Python2
+ cd "${srcdir}"/${pkgbase}-${pkgver}
+ sed -i 's|/usr/bin/python|/usr/bin/python2|' \
+ kcharselect/kcharselect-generate-datafile.py \
+ superkaramba/examples/richtext/rtext.py
+ sed -i 's|/usr/bin/env python|/usr/bin/env python2|' \
+ printer-applet/{authconn,debug,monitor,printer-applet,statereason}.py
+
+ cd "${srcdir}"
mkdir build
cd build
cmake ../${pkgbase}-${pkgver} \
-DCMAKE_BUILD_TYPE=Release \
-DCMAKE_SKIP_RPATH=ON \
- -DCMAKE_INSTALL_PREFIX=/usr
+ -DCMAKE_INSTALL_PREFIX=/usr \
+ -DPYTHON_EXECUTABLE=/usr/bin/python2
make
}
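Review bot: The two `sed -i` calls added to build() are unanchored, so `s|/usr/bin/python|/usr/bin/python2|` rewrites every occurrence of that string anywhere in the listed files, not only the interpreter line, and a line that already reads `/usr/bin/python2` would become `/usr/bin/python22` if the step were ever applied to an already-patched tree. Restricting each substitution to the shebang line makes the intent explicit, e.g. `sed -i '1s|^#!/usr/bin/python$|#!/usr/bin/python2|' …` and `sed -i '1s|^#!/usr/bin/env python$|#!/usr/bin/env python2|' …`, assuming those files carry exactly those shebang forms (the split into two patterns suggests so, but the files themselves are not visible here). Separately, `${pkgbase}-${pkgver}` is left unquoted in the `cd` and `cmake` lines while `"${srcdir}"` is quoted; quoting the whole path, `cd "${srcdir}/${pkgbase}-${pkgver}/ark"`, is the consistent form.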
@@ -159,9 +173,6 @@
make DESTDIR=$pkgdir install
cd $srcdir/build/printer-applet/doc
make DESTDIR=$pkgdir install
-
- # Use the python2 executable
- find "${pkgdir}" -name '*.py' | xargs sed -i 's|#!/usr/bin/env python|#!/usr/bin/env python2|'
}
package_kdeutils-superkaramba() {