From 9dc6a902017d4d75653802729100a4af9f6acc68 Mon Sep 17 00:00:00 2001 From: Michael Nottebrock Date: Thu, 29 Mar 2007 00:30:26 +0000 Subject: Security: http://www.kde.org/info/security/advisory-20070326-1.txt Security: CVE-2007-1564 --- x11/kdelibs4/Makefile | 1 + .../files/patch-CVE-2007-1564-kdelibs-3.5.6 | 81 ++++++++++++++++++++++ x11/kdelibs4/files/patch-khtml_ecma-kjs_html.cpp | 36 ---------- 3 files changed, 82 insertions(+), 36 deletions(-) create mode 100644 x11/kdelibs4/files/patch-CVE-2007-1564-kdelibs-3.5.6 delete mode 100644 x11/kdelibs4/files/patch-khtml_ecma-kjs_html.cpp (limited to 'x11/kdelibs4')
diff --git a/x11/kdelibs4/Makefile b/x11/kdelibs4/Makefile
index 9b19292a79d8..29e6ba4a6d11 100644
--- a/x11/kdelibs4/Makefile
+++ b/x11/kdelibs4/Makefile
@@ -8,6 +8,7 @@
 PORTNAME= kdelibs
 PORTVERSION= ${KDE_VERSION}
+PORTREVISION= 1
 CATEGORIES= x11 kde ipv6
 MASTER_SITES= ${MASTER_SITE_KDE}
 MASTER_SITE_SUBDIR= stable/${PORTVERSION:S/.0//}/src
diff --git a/x11/kdelibs4/files/patch-CVE-2007-1564-kdelibs-3.5.6 b/x11/kdelibs4/files/patch-CVE-2007-1564-kdelibs-3.5.6
new file mode 100644
index 000000000000..b026d67a3db0
--- /dev/null
+++ b/x11/kdelibs4/files/patch-CVE-2007-1564-kdelibs-3.5.6
@@ -0,0 +1,81 @@
+--- khtml/ecma/kjs_html.cpp
++++ khtml/ecma/kjs_html.cpp
+@@ -1866,9 +1866,11 @@ Value KJS::HTMLElement::getValueProperty
+ getDOMNode(exec, frameElement.contentDocument()) : Undefined();
+ case FrameContentWindow: {
+ KHTMLPart* part = static_cast(frameElement.handle())->contentPart();
+- if (part)
+- return Value(Window::retrieveWindow(part));
+- else
++ if (part) {
++ Window *w = Window::retrieveWindow(part);
++ if (w)
++ return Value(w);
++ }
+ return Undefined();
+ }
+ case FrameFrameBorder: return String(frameElement.frameBorder());
+@@ -1899,9 +1901,11 @@ Value KJS::HTMLElement::getValueProperty
+ getDOMNode(exec, iFrame.contentDocument()) : Undefined();
+ case IFrameContentWindow: {
+ KHTMLPart* part = static_cast(iFrame.handle())->contentPart();
+- if (part)
+- return Value(Window::retrieveWindow(part));
+- else
++ if (part) {
++ Window *w = Window::retrieveWindow(part);
++ if (w)
++ return Value(w);
++ }
+ return Undefined();
+ }
+ case IFrameFrameBorder: return String(iFrame.frameBorder());
+--- kioslave/ftp/ftp.cc
++++ kioslave/ftp/ftp.cc
+@@ -58,6 +58,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ #include
+ #include
+@@ -835,7 +836,6 @@ bool Ftp::ftpSendCmd( const QCString& cm
+ return true;
+ }
+
+-
+ /*
+ * ftpOpenPASVDataConnection - set up data connection, using PASV mode
+ *
+@@ -853,6 +853,8 @@ int Ftp::ftpOpenPASVDataConnection()
+ if (sa != NULL && sa->family() != PF_INET)
+ return ERR_INTERNAL; // no PASV for non-PF_INET connections
+
++ const KInetSocketAddress *sin = static_cast(sa);
++
+ if (m_extControl & pasvUnknown)
+ return ERR_INTERNAL; // already tried and got "unknown command"
+
+@@ -886,14 +888,17 @@ int Ftp::ftpOpenPASVDataConnection()
+ }
+
+ // Make hostname and port number ...
+- QString host;
+- host.sprintf("%d.%d.%d.%d", i[0], i[1], i[2], i[3]);
+ int port = i[4] << 8 | i[5];
+
++ // we ignore the host part on purpose for two reasons
++ // a) it might be wrong anyway
++ // b) it would make us being suceptible to a port scanning attack
++
+ // now connect the data socket ...
+ m_data = new FtpSocket("PASV");
+- m_data->setAddress(host, port);
+- kdDebug(7102) << "Connecting to " << host << " on port " << port << endl;
++ m_data->setAddress(sin->nodeName(), port);
++
++ kdDebug(7102) << "Connecting to " << sin->nodeName() << " on port " << port << endl;
+ return m_data->connectSocket(connectTimeout(), false);
+ }
+
diff --git a/x11/kdelibs4/files/patch-khtml_ecma-kjs_html.cpp b/x11/kdelibs4/files/patch-khtml_ecma-kjs_html.cpp
deleted file mode 100644
index 57e66a5b95f8..000000000000
--- a/x11/kdelibs4/files/patch-khtml_ecma-kjs_html.cpp
+++ /dev/null
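Review bot: In the ftp.cc part of the added patch, `sin` can still be null when it is dereferenced in `m_data->setAddress(sin->nodeName(), port)`. The guard kept as context, `if (sa != NULL && sa->family() != PF_INET)`, returns only for a non-null, non-INET address, so a null `sa` falls through to the new cast. Where `sa` is obtained lies outside the hunk, so whether it can really be null at this point is an assumption; the existing NULL test suggests it can. A check such as `if (!sin) return ERR_INTERNAL;` directly after the cast would close that path. With the host now taken from the control connection's peer, `int port = i[4] << 8 | i[5];` is the only value still taken from the PASV reply, and the parsing of `i[]` (not visible here) is worth confirming to bound each field to 0–255.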
@@ -1,36 +0,0 @@
---- khtml/ecma/kjs_html.cpp 2007/02/26 16:39:44 637497
-+++ khtml/ecma/kjs_html.cpp 2007/03/05 13:15:20 639609
-@@ -1866,10 +1866,12 @@
- getDOMNode(exec, frameElement.contentDocument()) : Undefined();
- case FrameContentWindow: {
- KHTMLPart* part = static_cast(frameElement.handle())->contentPart();
-- if (part)
-- return Value(Window::retrieveWindow(part));
-- else
-- return Undefined();
-+ if (part) {
-+ Window *w = Window::retrieveWindow(part);
-+ if (w)
-+ return Value(w);
-+ }
-+ return Undefined();
- }
- case FrameFrameBorder: return String(frameElement.frameBorder());
- case FrameLongDesc: return String(frameElement.longDesc());
-@@ -1899,10 +1901,12 @@
- getDOMNode(exec, iFrame.contentDocument()) : Undefined();
- case IFrameContentWindow: {
- KHTMLPart* part = static_cast(iFrame.handle())->contentPart();
-- if (part)
-- return Value(Window::retrieveWindow(part));
-- else
-- return Undefined();
-+ if (part) {
-+ Window *w = Window::retrieveWindow(part);
-+ if (w)
-+ return Value(w);
-+ }
-+ return Undefined();
- }
- case IFrameFrameBorder: return String(iFrame.frameBorder());
- case IFrameHeight: return String(iFrame.height());
--
cgit v1.2.3