From d8e5e6768983958138e20cecd1f00dd3a3c61f5d Mon Sep 17 00:00:00 2001 From: Kevin Kofler Date: May 18 2013 20:12:59 +0000 Subject: fix CVE-2013-2074 (passwords in HTTP URLs in error messages, #962001) * Sat May 18 2013 Kevin Kofler - 3.5.10-53 - fix CVE-2013-2074 (passwords in HTTP URLs in error messages, #962001)
---
diff --git a/kdelibs-3.5.10-CVE-2013-2074.patch b/kdelibs-3.5.10-CVE-2013-2074.patch
new file mode 100644
index 0000000..cad22ff
--- /dev/null
+++ b/kdelibs-3.5.10-CVE-2013-2074.patch
@@ -0,0 +1,166 @@
+diff -ur kdelibs-3.5.10/kioslave/http/http.cc kdelibs-3.5.10-CVE-2013-2074/kioslave/http/http.cc
+--- kdelibs-3.5.10/kioslave/http/http.cc 2008-02-13 10:41:06.000000000 +0100
++++ kdelibs-3.5.10-CVE-2013-2074/kioslave/http/http.cc 2013-05-14 17:54:42.000000000 +0200
+@@ -288,7 +288,7 @@
+ m_bUseProxy = m_proxyURL.isValid();
+
+ kdDebug(7113) << "(" << m_pid << ") Using proxy: " << m_bUseProxy <<
+- " URL: " << m_proxyURL.url() <<
++ " URL: " << m_proxyURL.prettyURL() <<
+ " Realm: " << m_strProxyRealm << endl;
+ }
+
+@@ -458,7 +458,7 @@
+
+bool HTTPProtocol::checkRequestURL( const KURL& u )
+{
+- kdDebug (7113) << "(" << m_pid << ") HTTPProtocol::checkRequestURL: " << u.url() << endl;
++ kdDebug (7113) << "(" << m_pid << ") HTTPProtocol::checkRequestURL: " << u.prettyURL() << endl;
+
+ m_request.url = u;
+
+@@ -640,7 +640,7 @@
+
+void HTTPProtocol::listDir( const KURL& url )
+{
+- kdDebug(7113) << "(" << m_pid << ") HTTPProtocol::listDir " << url.url()
++ kdDebug(7113) << "(" << m_pid << ") HTTPProtocol::listDir " << url.prettyURL()
+ << endl;
+
+ if ( !checkRequestURL( url ) )
+@@ -807,7 +807,7 @@
+
+void HTTPProtocol::davGeneric( const KURL& url, KIO::HTTP_METHOD method )
+{
+- kdDebug(7113) << "(" << m_pid << ") HTTPProtocol::davGeneric " << url.url()
++ kdDebug(7113) << "(" << m_pid << ") HTTPProtocol::davGeneric " << url.prettyURL()
+ << endl;
+
+ if ( !checkRequestURL( url ) )
+@@ -1206,7 +1206,7 @@
+
+void HTTPProtocol::mkdir( const KURL& url, int )
+{
+- kdDebug(7113) << "(" << m_pid << ") HTTPProtocol::mkdir " << url.url()
++ kdDebug(7113) << "(" << m_pid << ") HTTPProtocol::mkdir " << url.prettyURL()
+ << endl;
+
+ if ( !checkRequestURL( url ) )
+@@ -1228,7 +1228,7 @@
+
+void HTTPProtocol::get( const KURL& url )
+{
+- kdDebug(7113) << "(" << m_pid << ") HTTPProtocol::get " << url.url()
++ kdDebug(7113) << "(" << m_pid << ") HTTPProtocol::get " << url.prettyURL()
+ << endl;
+
+ if ( !checkRequestURL( url ) )
+@@ -1543,8 +1543,10 @@
+ callError = true;
+ }
+
++ // Huh? This looks like inverted logic to me (it doesn't make sense to me as
++ // written), but I'm only fixing the CVE now. -- Kevin Kofler
+ if ( !url.isNull() )
+- url = m_request.url.url();
++ url = m_request.url.prettyURL();
+
+ QString action, errorString;
+ KIO::Error kError;
+@@ -1840,7 +1842,7 @@
+ if ( !checkRequestURL( url ) )
+ continue;
+
+- kdDebug(7113) << "(" << m_pid << ") HTTPProtocol::multi_get " << url.url() << endl;
++ kdDebug(7113) << "(" << m_pid << ") HTTPProtocol::multi_get " << url.prettyURL() << endl;
+
+ m_request.method = HTTP_GET;
+ m_request.path = url.path();
+@@ -2212,12 +2214,12 @@
+
+ if (bCacheOnly)
+ {
+- error( ERR_DOES_NOT_EXIST, m_request.url.url() );
++ error( ERR_DOES_NOT_EXIST, m_request.url.prettyURL() );
+ return false;
+ }
+ if (bOffline)
+ {
+- error( ERR_COULD_NOT_CONNECT, m_request.url.url() );
++ error( ERR_COULD_NOT_CONNECT, m_request.url.prettyURL() );
+ return false;
+ }
+ }
+@@ -2891,7 +2893,7 @@
+ errorPage();
+ else
+ {
+- error(ERR_INTERNAL_SERVER, m_request.url.url());
++ error(ERR_INTERNAL_SERVER, m_request.url.prettyURL());
+ return false;
+ }
+ }
+@@ -2931,7 +2933,7 @@
+ errorPage();
+ else
+ {
+- error(ERR_DOES_NOT_EXIST, m_request.url.url());
++ error(ERR_DOES_NOT_EXIST, m_request.url.prettyURL());
+ return false;
+ }
+ m_request.bCachedWrite = false; // Don't put in cache
+@@ -3584,7 +3586,7 @@
+ KURL u(m_request.url, locationStr);
+ if(!u.isValid())
+ {
+- error(ERR_MALFORMED_URL, u.url());
++ error(ERR_MALFORMED_URL, u.prettyURL());
+ return false;
+ }
+ if ((u.protocol() != "http") && (u.protocol() != "https") &&
+@@ -3592,7 +3594,7 @@
+ (u.protocol() != "webdavs"))
+ {
+ redirection(u);
+- error(ERR_ACCESS_DENIED, u.url());
++ error(ERR_ACCESS_DENIED, u.prettyURL());
+ return false;
+ }
+
+@@ -3613,10 +3615,10 @@
+ sendMetaData();
+ }
+
+- kdDebug(7113) << "(" << m_pid << ") request.url: " << m_request.url.url()
++ kdDebug(7113) << "(" << m_pid << ") request.url: " << m_request.url.prettyURL()
+ << endl << "LocationStr: " << locationStr.data() << endl;
+
+- kdDebug(7113) << "(" << m_pid << ") Requesting redirection to: " << u.url()
++ kdDebug(7113) << "(" << m_pid << ") Requesting redirection to: " << u.prettyURL()
+ << endl;
+
+ // If we're redirected to a http:// url, remember that we're doing webdav...
+@@ -3832,7 +3834,7 @@
+ if (!m_request.fcache)
+ {
+ m_request.bCachedWrite = false; // Error creating cache entry.
+- kdDebug(7113) << "(" << m_pid << ") Error creating cache entry for " << m_request.url.url()<<"!\n";
++ kdDebug(7113) << "(" << m_pid << ") Error creating cache entry for " << m_request.url.prettyURL()<<"!\n";
+ }
+ m_request.expireDate = expireDate;
+ m_maxCacheSize = config()->readNumEntry("MaxCacheSize", DEFAULT_MAX_CACHE_SIZE) / 2;
+@@ -3840,11 +3842,11 @@
+ }
+
+ if (m_request.bCachedWrite && !m_strMimeType.isEmpty())
+- kdDebug(7113) << "(" << m_pid << ") Cache, adding \"" << m_request.url.url() << "\"" << endl;
++ kdDebug(7113) << "(" << m_pid << ") Cache, adding \"" << m_request.url.prettyURL() << "\"" << endl;
+ else if (m_request.bCachedWrite && m_strMimeType.isEmpty())
+- kdDebug(7113) << "(" << m_pid << ") Cache, pending \"" << m_request.url.url() << "\"" << endl;
++ kdDebug(7113) << "(" << m_pid << ") Cache, pending \"" << m_request.url.prettyURL() << "\"" << endl;
+ else
+- kdDebug(7113) << "(" << m_pid << ") Cache, not adding \"" << m_request.url.url() << "\"" << endl;
++ kdDebug(7113) << "(" << m_pid << ") Cache, not adding \"" << m_request.url.prettyURL() << "\"" << endl;
+ return true;
+ }
+
diff --git a/kdelibs3.spec b/kdelibs3.spec
index 2d28739..64bf846 100644
--- a/kdelibs3.spec
+++ b/kdelibs3.spec
@@ -15,7 +15,7 @@ Summary: KDE 3 Libraries
 Name: kdelibs3
 Version: 3.5.10
-Release: 52%{?dist}
+Release: 53%{?dist}
 License: LGPLv2
 Url: http://www.kde.org/
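Review bot: The unchanged continuation line in the inner `@@ -3613,10 +3615,10 @@` hunk still writes the raw Location header to the debug log (`<< endl << "LocationStr: " << locationStr.data() << endl;`), so a redirect target that embeds userinfo would presumably put its password in debug output even after this patch. Dropping that field, or relying on the `u.prettyURL()` that the next statement already logs, would close the gap. Separately, in the `@@ -3584,7 +3586,7 @@` hunk `error(ERR_MALFORMED_URL, u.prettyURL())` runs only when `u.isValid()` is false, so it is worth confirming that prettyURL() still omits the password for a URL that failed to parse. Both statements sit in functions whose bodies start and end outside the hunks shown.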
@@ -101,6 +101,8 @@ Patch206: kdelibs-3.5.10-oCERT-2009-015-xmlhttprequest.patch
 Patch207: libltdl-CVE-2009-3736.patch
 # CVE-2011-3365, input validation failure in KSSL
 Patch208: kdelibs-3.5.x-CVE-2011-3365.patch
+# CVE-2013-2074, prints passwords contained in HTTP URLs in error messages
+Patch209: kdelibs-3.5.10-CVE-2013-2074.patch
 ## fixes to common KDE 3 autotools machinery
 # tweak autoconfigury so that it builds with autoconf 2.64 or 2.65
@@ -261,6 +263,7 @@ format for easy browsing
 %patch206 -p0 -b .oCERT-2009-015-xmlhttprequest
 %patch207 -p1 -b .CVE-2009-3736
 %patch208 -p1 -b .CVE-2011-3365
+%patch209 -p1 -b .CVE-2013-2074
 %patch300 -p1 -b .acinclude
 %patch301 -p1 -b .automake-version
@@ -573,6 +576,9 @@ touch --no-create %{_datadir}/icons/crystalsvg 2> /dev/null || :
 %changelog
+* Sat May 18 2013 Kevin Kofler - 3.5.10-53
+- fix CVE-2013-2074 (passwords in HTTP URLs in error messages, #962001)
+
 * Mon Apr 01 2013 Kevin Kofler - 3.5.10-52
 - use automake --force-missing to get aarch64 support (#925029/#925627)
 - also use automake --copy (the default is symlinking)