mirror of git://slackware.nl/current.git synced 2025-01-27 07:59:56 +01:00

Thu Aug 8 05:25:56 UTC 2019

kde/kdelibs-4.14.38-x86_64-4.txz:  Rebuilt.
  kconfig: malicious .desktop files (and others) would execute code.
  For more information, see:
    https://mail.kde.org/pipermail/kde-announce/2019-August/000047.html
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14744
  (* Security fix *)
Patrick J Volkerding 2019-08-08 05:25:56 +00:00 committed by Eric Hameleers
parent 527faada86
commit 850107940f
7 changed files with 169 additions and 28 deletions

View file

@ -11,9 +11,25 @@
<description>Tracking Slackware development in git.</description>
<language>en-us</language>
<id xmlns="http://www.w3.org/2005/Atom">urn:uuid:c964f45e-6732-11e8-bbe5-107b4450212f</id>
<pubDate>Wed, 7 Aug 2019 05:27:04 GMT</pubDate>
<lastBuildDate>Wed, 7 Aug 2019 15:59:43 GMT</lastBuildDate>
<pubDate>Thu, 8 Aug 2019 05:25:56 GMT</pubDate>
<lastBuildDate>Thu, 8 Aug 2019 15:59:41 GMT</lastBuildDate>
<generator>maintain_current_git.sh v 1.11</generator>
<item>
<title>Thu, 8 Aug 2019 05:25:56 GMT</title>
<pubDate>Thu, 8 Aug 2019 05:25:56 GMT</pubDate>
<link>https://git.slackware.nl/current/tag/?h=20190808052556</link>
<guid isPermaLink="false">20190808052556</guid>
<description>
<![CDATA[<pre>
kde/kdelibs-4.14.38-x86_64-4.txz: Rebuilt.
kconfig: malicious .desktop files (and others) would execute code.
For more information, see:
https://mail.kde.org/pipermail/kde-announce/2019-August/000047.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14744
(* Security fix *)
</pre>]]>
</description>
</item>
<item>
<title>Wed, 7 Aug 2019 05:27:04 GMT</title>
<pubDate>Wed, 7 Aug 2019 05:27:04 GMT</pubDate>

View file

@ -1,3 +1,11 @@
Thu Aug 8 05:25:56 UTC 2019
kde/kdelibs-4.14.38-x86_64-4.txz: Rebuilt.
kconfig: malicious .desktop files (and others) would execute code.
For more information, see:
https://mail.kde.org/pipermail/kde-announce/2019-August/000047.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14744
(* Security fix *)
+--------------------------+
Wed Aug 7 05:27:04 UTC 2019
a/kernel-generic-4.19.65-x86_64-1.txz: Upgraded.
a/kernel-huge-4.19.65-x86_64-1.txz: Upgraded.

View file

@ -1,20 +1,20 @@
Wed Aug 7 05:40:43 UTC 2019
Thu Aug 8 05:41:25 UTC 2019
Here is the file list for this directory. If you are using a
mirror site and find missing or extra files in the disk
subdirectories, please have the archive administrator refresh
the mirror.
drwxr-xr-x 12 root root 4096 2019-08-07 05:39 .
drwxr-xr-x 12 root root 4096 2019-08-08 05:25 .
-rw-r--r-- 1 root root 10064 2016-06-30 18:39 ./ANNOUNCE.14_2
-rw-r--r-- 1 root root 14341 2018-11-29 05:40 ./CHANGES_AND_HINTS.TXT
-rw-r--r-- 1 root root 923361 2019-08-07 05:39 ./CHECKSUMS.md5
-rw-r--r-- 1 root root 163 2019-08-07 05:39 ./CHECKSUMS.md5.asc
-rw-r--r-- 1 root root 923361 2019-08-07 05:41 ./CHECKSUMS.md5
-rw-r--r-- 1 root root 163 2019-08-07 05:41 ./CHECKSUMS.md5.asc
-rw-r--r-- 1 root root 17976 1994-06-10 02:28 ./COPYING
-rw-r--r-- 1 root root 35147 2007-06-30 04:21 ./COPYING3
-rw-r--r-- 1 root root 19573 2016-06-23 20:08 ./COPYRIGHT.TXT
-rw-r--r-- 1 root root 616 2006-10-02 04:37 ./CRYPTO_NOTICE.TXT
-rw-r--r-- 1 root root 672944 2019-08-07 05:27 ./ChangeLog.txt
-rw-r--r-- 1 root root 673303 2019-08-08 05:25 ./ChangeLog.txt
drwxr-xr-x 3 root root 4096 2013-03-20 22:17 ./EFI
drwxr-xr-x 2 root root 4096 2019-08-07 05:40 ./EFI/BOOT
-rw-r--r-- 1 root root 1417216 2019-07-05 18:54 ./EFI/BOOT/bootx64.efi
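Review bot: the top-level ./CHECKSUMS.md5 and ./CHECKSUMS.md5.asc in this hunk only move from 05:39 to 05:41 on 2019-08-07, while every other regenerated index visible in this commit (./ChangeLog.txt, ./PACKAGES.TXT, and the slackware64/ and source/ checksum files in the later hunks) carries a 2019-08-08 timestamp; confirm that the root CHECKSUMS.md5 was regenerated and re-signed after kdelibs-4.14.38-x86_64-4 landed, because a mirror user verifying against a stale root checksum file would either reject the rebuilt package or still accept the vulnerable -3 build. The unchanged size (923361) is expected, since the -3 and -4 filenames are the same length, so it does not by itself prove the file was refreshed.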
@ -27,7 +27,7 @@ drwxr-xr-x 2 root root 4096 2019-08-07 05:40 ./EFI/BOOT
-rw-r--r-- 1 root root 1273 2013-08-12 21:08 ./EFI/BOOT/tools.cfg
-rw-r--r-- 1 root root 1213861 2019-08-07 05:40 ./FILELIST.TXT
-rw-r--r-- 1 root root 1572 2012-08-29 18:27 ./GPG-KEY
-rw-r--r-- 1 root root 733428 2019-08-07 05:37 ./PACKAGES.TXT
-rw-r--r-- 1 root root 733428 2019-08-08 05:39 ./PACKAGES.TXT
-rw-r--r-- 1 root root 8564 2016-06-28 21:33 ./README.TXT
-rw-r--r-- 1 root root 3635 2019-08-07 04:40 ./README.initrd
-rw-r--r-- 1 root root 34412 2017-12-01 17:44 ./README_CRYPT.TXT
@ -786,11 +786,11 @@ drwxr-xr-x 2 root root 4096 2012-09-20 18:06 ./patches
-rw-r--r-- 1 root root 575 2012-09-20 18:06 ./patches/FILE_LIST
-rw-r--r-- 1 root root 14 2012-09-20 18:06 ./patches/MANIFEST.bz2
-rw-r--r-- 1 root root 224 2012-09-20 18:06 ./patches/PACKAGES.TXT
drwxr-xr-x 18 root root 4096 2019-08-07 05:37 ./slackware64
-rw-r--r-- 1 root root 290991 2019-08-07 05:37 ./slackware64/CHECKSUMS.md5
-rw-r--r-- 1 root root 163 2019-08-07 05:37 ./slackware64/CHECKSUMS.md5.asc
-rw-r--r-- 1 root root 362456 2019-08-07 05:34 ./slackware64/FILE_LIST
-rw-r--r-- 1 root root 3693078 2019-08-07 05:35 ./slackware64/MANIFEST.bz2
drwxr-xr-x 18 root root 4096 2019-08-08 05:40 ./slackware64
-rw-r--r-- 1 root root 290991 2019-08-08 05:40 ./slackware64/CHECKSUMS.md5
-rw-r--r-- 1 root root 163 2019-08-08 05:40 ./slackware64/CHECKSUMS.md5.asc
-rw-r--r-- 1 root root 362456 2019-08-08 05:37 ./slackware64/FILE_LIST
-rw-r--r-- 1 root root 3693011 2019-08-08 05:38 ./slackware64/MANIFEST.bz2
lrwxrwxrwx 1 root root 15 2009-08-23 23:34 ./slackware64/PACKAGES.TXT -> ../PACKAGES.TXT
drwxr-xr-x 2 root root 28672 2019-08-07 05:34 ./slackware64/a
-rw-r--r-- 1 root root 327 2018-06-24 18:44 ./slackware64/a/aaa_base-14.2-x86_64-5.txt
@ -1617,7 +1617,7 @@ drwxr-xr-x 2 root root 4096 2019-08-07 05:34 ./slackware64/k
-rw-r--r-- 1 root root 1171 2019-08-07 04:40 ./slackware64/k/maketag
-rw-r--r-- 1 root root 1171 2019-08-07 04:40 ./slackware64/k/maketag.ez
-rw-r--r-- 1 root root 18 2019-08-07 04:40 ./slackware64/k/tagfile
drwxr-xr-x 2 root root 45056 2019-08-01 21:37 ./slackware64/kde
drwxr-xr-x 2 root root 45056 2019-08-08 05:37 ./slackware64/kde
-rw-r--r-- 1 root root 319 2018-06-02 22:05 ./slackware64/kde/amarok-2.9.0-x86_64-3.txt
-rw-r--r-- 1 root root 47003780 2018-06-02 22:05 ./slackware64/kde/amarok-2.9.0-x86_64-3.txz
-rw-r--r-- 1 root root 163 2018-06-02 22:05 ./slackware64/kde/amarok-2.9.0-x86_64-3.txz.asc
@ -1788,9 +1788,9 @@ drwxr-xr-x 2 root root 45056 2019-08-01 21:37 ./slackware64/kde
-rw-r--r-- 1 root root 452 2018-04-17 10:20 ./slackware64/kde/kdegraphics-thumbnailers-4.14.3-x86_64-3.txt
-rw-r--r-- 1 root root 38232 2018-04-17 10:20 ./slackware64/kde/kdegraphics-thumbnailers-4.14.3-x86_64-3.txz
-rw-r--r-- 1 root root 163 2018-04-17 10:20 ./slackware64/kde/kdegraphics-thumbnailers-4.14.3-x86_64-3.txz.asc
-rw-r--r-- 1 root root 191 2018-06-18 02:55 ./slackware64/kde/kdelibs-4.14.38-x86_64-3.txt
-rw-r--r-- 1 root root 12813280 2018-06-18 02:55 ./slackware64/kde/kdelibs-4.14.38-x86_64-3.txz
-rw-r--r-- 1 root root 163 2018-06-18 02:55 ./slackware64/kde/kdelibs-4.14.38-x86_64-3.txz.asc
-rw-r--r-- 1 root root 191 2019-08-08 04:08 ./slackware64/kde/kdelibs-4.14.38-x86_64-4.txt
-rw-r--r-- 1 root root 12970056 2019-08-08 04:08 ./slackware64/kde/kdelibs-4.14.38-x86_64-4.txz
-rw-r--r-- 1 root root 163 2019-08-08 04:08 ./slackware64/kde/kdelibs-4.14.38-x86_64-4.txz.asc
-rw-r--r-- 1 root root 410 2018-04-17 10:57 ./slackware64/kde/kdenetwork-filesharing-4.14.3-x86_64-3.txt
-rw-r--r-- 1 root root 38376 2018-04-17 10:57 ./slackware64/kde/kdenetwork-filesharing-4.14.3-x86_64-3.txz
-rw-r--r-- 1 root root 163 2018-04-17 10:57 ./slackware64/kde/kdenetwork-filesharing-4.14.3-x86_64-3.txz.asc
@ -5007,11 +5007,11 @@ drwxr-xr-x 2 root root 4096 2019-02-17 23:51 ./slackware64/y
-rw-r--r-- 1 root root 1147 2018-03-01 07:55 ./slackware64/y/maketag
-rw-r--r-- 1 root root 1147 2018-03-01 07:55 ./slackware64/y/maketag.ez
-rw-r--r-- 1 root root 14 2018-03-01 07:55 ./slackware64/y/tagfile
drwxr-xr-x 19 root root 4096 2019-08-07 05:38 ./source
-rw-r--r-- 1 root root 469883 2019-08-07 05:38 ./source/CHECKSUMS.md5
-rw-r--r-- 1 root root 163 2019-08-07 05:38 ./source/CHECKSUMS.md5.asc
-rw-r--r-- 1 root root 662845 2019-08-07 05:38 ./source/FILE_LIST
-rw-r--r-- 1 root root 17319210 2019-08-07 05:38 ./source/MANIFEST.bz2
drwxr-xr-x 19 root root 4096 2019-08-08 05:41 ./source
-rw-r--r-- 1 root root 469995 2019-08-08 05:41 ./source/CHECKSUMS.md5
-rw-r--r-- 1 root root 163 2019-08-08 05:41 ./source/CHECKSUMS.md5.asc
-rw-r--r-- 1 root root 662975 2019-08-08 05:40 ./source/FILE_LIST
-rw-r--r-- 1 root root 17314467 2019-08-08 05:40 ./source/MANIFEST.bz2
-rw-r--r-- 1 root root 1314 2006-10-02 04:40 ./source/README.TXT
drwxr-xr-x 111 root root 4096 2019-07-29 23:10 ./source/a
-rw-r--r-- 1 root root 1034 2019-05-04 17:56 ./source/a/FTBFSlog
@ -6998,7 +6998,7 @@ drwxr-xr-x 2 root root 4096 2019-06-14 18:50 ./source/kde/build
-rw-r--r-- 1 root root 2 2018-04-13 02:43 ./source/kde/build/kdegraphics-mobipocket
-rw-r--r-- 1 root root 2 2018-04-13 02:43 ./source/kde/build/kdegraphics-strigi-analyzer
-rw-r--r-- 1 root root 2 2018-04-13 02:43 ./source/kde/build/kdegraphics-thumbnailers
-rw-r--r-- 1 root root 2 2018-06-17 17:32 ./source/kde/build/kdelibs
-rw-r--r-- 1 root root 2 2019-08-08 03:56 ./source/kde/build/kdelibs
-rw-r--r-- 1 root root 2 2018-04-13 02:43 ./source/kde/build/kdenetwork-filesharing
-rw-r--r-- 1 root root 2 2018-04-13 02:43 ./source/kde/build/kdenetwork-strigi-analyzers
-rw-r--r-- 1 root root 2 2018-04-19 23:13 ./source/kde/build/kdepim
@ -7315,10 +7315,11 @@ drwxr-xr-x 2 root root 4096 2018-01-30 20:00 ./source/kde/patch/kdeartwor
drwxr-xr-x 2 root root 4096 2015-11-19 23:23 ./source/kde/patch/kdeconnect-kde
-rw-r--r-- 1 root root 153 2015-11-19 23:19 ./source/kde/patch/kdeconnect-kde.patch
-rw-r--r-- 1 root root 470 2015-11-19 23:23 ./source/kde/patch/kdeconnect-kde/kdeconnect-kde.openssh7.diff.gz
drwxr-xr-x 2 root root 4096 2018-06-17 17:32 ./source/kde/patch/kdelibs
-rw-r--r-- 1 root root 1250 2018-06-17 17:33 ./source/kde/patch/kdelibs.patch
drwxr-xr-x 2 root root 4096 2019-08-08 03:53 ./source/kde/patch/kdelibs
-rw-r--r-- 1 root root 1510 2019-08-08 03:56 ./source/kde/patch/kdelibs.patch
-rw-r--r-- 1 root root 916 2013-10-20 23:21 ./source/kde/patch/kdelibs/coding-style-fixes.patch.gz
-rw-r--r-- 1 root root 22009 2018-06-17 17:31 ./source/kde/patch/kdelibs/kdelibs-openssl-1.1.patch.gz
-rw-r--r-- 1 root root 2041 2019-08-08 03:52 ./source/kde/patch/kdelibs/kdelibs.2c3762feddf7e66cf6b64d9058f625a715694a00.patch.gz
-rw-r--r-- 1 root root 361 2010-06-07 15:19 ./source/kde/patch/kdelibs/kdelibs.docbook.patch.gz
-rw-r--r-- 1 root root 347 2012-01-26 08:18 ./source/kde/patch/kdelibs/kdelibs.upnp_conditional.patch.gz
-rw-r--r-- 1 root root 955 2013-10-20 23:22 ./source/kde/patch/kdelibs/return-application-icons-properly.patch.gz
@ -12420,8 +12421,8 @@ drwxr-xr-x 2 root root 4096 2019-04-03 20:41 ./source/xap/gnuchess
-rw-r--r-- 1 root root 224 2004-10-27 06:07 ./source/xap/gnuchess/eboard.desktop
-rw-r--r-- 1 root root 221 2013-03-20 01:49 ./source/xap/gnuchess/eboard.ldl.diff.gz
-rw-r--r-- 1 root root 336 2015-03-23 16:11 ./source/xap/gnuchess/eboard.png16.diff.gz
-rw-r--r-- 1 root root 518760 2017-07-24 23:16 ./source/xap/gnuchess/gnuchess-6.2.5.tar.xz
-rwxr-xr-x 1 root root 6366 2019-04-03 20:41 ./source/xap/gnuchess/gnuchess.SlackBuild
-rw-r--r-- 1 root root 518760 2017-07-24 23:16 ./source/xap/gnuchess/gnuchess-6.2.5.tar.xz
-rwxr-xr-x 1 root root 6366 2019-04-03 20:41 ./source/xap/gnuchess/gnuchess.SlackBuild
-rw-r--r-- 1 root root 792 2018-02-27 06:13 ./source/xap/gnuchess/slack-desc
-rw-r--r-- 1 root root 2731760 2016-08-01 03:55 ./source/xap/gnuchess/xboard-4.9.1.tar.xz
-rw-r--r-- 1 root root 269 2015-03-20 18:35 ./source/xap/gnuchess/xboard.conf.diff.gz
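Review bot: the two gnuchess entries removed and re-added here (gnuchess-6.2.5.tar.xz and gnuchess.SlackBuild) are identical in every visible field, so this is whitespace-only churn in FILELIST.TXT (column realignment by the generator) rather than a content change; harmless, but worth noting so nobody reads it as a modification to the gnuchess sources.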

View file

@ -324,6 +324,7 @@ gzip ./source/kde/patch/kdelibs/coding-style-fixes.patch
gzip ./source/kde/patch/kdelibs/kdelibs.docbook.patch
gzip ./source/kde/patch/kdelibs/kdelibs-openssl-1.1.patch
gzip ./source/kde/patch/kdelibs/kdelibs.upnp_conditional.patch
gzip ./source/kde/patch/kdelibs/kdelibs.2c3762feddf7e66cf6b64d9058f625a715694a00.patch
gzip ./source/kde/patch/ktouch/ktouch.performance.diff
gzip ./source/kde/patch/krdc/krdc_freerdp-1.1.0.patch
gzip ./source/kde/patch/kdevelop-pg-qt/0011-fix-some-warnings.patch

View file

@ -1 +1 @@
3
4

View file

@ -15,3 +15,6 @@ zcat $CWD/patch/kdelibs/return-application-icons-properly.patch.gz | patch -R -p
# Support OpenSSL-1.1.x:
zcat $CWD/patch/kdelibs/kdelibs-openssl-1.1.patch.gz | patch -p1 --verbose || { touch ${SLACK_KDE_BUILD_DIR}/${PKGNAME}.failed ; continue ; }
# Security: remove support for $(...) in config keys with [$e] marker. (CVE-2019-14744)
zcat $CWD/patch/kdelibs/kdelibs.2c3762feddf7e66cf6b64d9058f625a715694a00.patch.gz | patch -p1 --verbose || { touch ${SLACK_KDE_BUILD_DIR}/${PKGNAME}.failed ; continue ; }
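Review bot: the new `zcat ... | patch -p1 --verbose || { touch ${SLACK_KDE_BUILD_DIR}/${PKGNAME}.failed ; continue ; }` line mirrors the OpenSSL line directly above it, which keeps the failure marker consistent; the one gap, shared with the existing lines, is that the `||` only sees patch's exit status, not zcat's, so a missing or truncated kdelibs.2c3762feddf7e66cf6b64d9058f625a715694a00.patch.gz would not be caught by this guard and the CVE-2019-14744 fix could go unapplied without the build being marked failed. Consider testing that the .gz exists before piping, or running this block under `set -o pipefail`, since this particular patch is the whole reason for the rebuild.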

View file

@ -0,0 +1,112 @@
From 2c3762feddf7e66cf6b64d9058f625a715694a00 Mon Sep 17 00:00:00 2001
From: Kai Uwe Broulik <kde@privat.broulik.de>
Date: Wed, 7 Aug 2019 09:47:46 +0200
Subject: Security: remove support for $(...) in config keys with [$e] marker.
It is very unclear at this point what a valid use case for this feature
would possibly be. The old documentation only mentions $(hostname) as
an example, which can be done with $HOSTNAME instead.
Note that $(...) is still supported in Exec lines of desktop files,
this does not require [$e] anyway (and actually works better without it,
otherwise the $ signs need to be doubled to obey kconfig $e escaping rules...).
Thanks to Fabian Vogt for testing.
(This is a backport of KDE Frameworks 5 kconfig patch to kdelibs)
Differential Revision: https://phabricator.kde.org/D22989
---
kdecore/config/kconfig.cpp | 32 +-------------------------------
kdecore/doc/README.kiosk | 12 ------------
kdecore/tests/kconfigtest.cpp | 6 +-----
3 files changed, 2 insertions(+), 48 deletions(-)
diff --git a/kdecore/config/kconfig.cpp b/kdecore/config/kconfig.cpp
index 7ea26a5..b30584b 100644
--- a/kdecore/config/kconfig.cpp
+++ b/kdecore/config/kconfig.cpp
@@ -160,37 +160,7 @@ QString KConfigPrivate::expandString(const QString& value)
int nDollarPos = aValue.indexOf( QLatin1Char('$') );
while( nDollarPos != -1 && nDollarPos+1 < aValue.length()) {
// there is at least one $
- if( aValue[nDollarPos+1] == QLatin1Char('(') ) {
- int nEndPos = nDollarPos+1;
- // the next character is not $
- while ( (nEndPos <= aValue.length()) && (aValue[nEndPos]!=QLatin1Char(')')) )
- nEndPos++;
- nEndPos++;
- QString cmd = aValue.mid( nDollarPos+2, nEndPos-nDollarPos-3 );
-
- QString result;
- QByteArray oldpath = qgetenv( "PATH" );
- QByteArray newpath;
- if (KGlobal::hasMainComponent()) {
- newpath = QFile::encodeName(KGlobal::dirs()->resourceDirs("exe").join(QChar::fromLatin1(KPATH_SEPARATOR)));
- if (!newpath.isEmpty() && !oldpath.isEmpty())
- newpath += KPATH_SEPARATOR;
- }
- newpath += oldpath;
- setenv( "PATH", newpath, 1/*overwrite*/ );
-// FIXME: wince does not have pipes
-#ifndef _WIN32_WCE
- FILE *fs = popen(QFile::encodeName(cmd).data(), "r");
- if (fs) {
- QTextStream ts(fs, QIODevice::ReadOnly);
- result = ts.readAll().trimmed();
- pclose(fs);
- }
-#endif
- setenv( "PATH", oldpath, 1/*overwrite*/ );
- aValue.replace( nDollarPos, nEndPos-nDollarPos, result );
- nDollarPos += result.length();
- } else if( aValue[nDollarPos+1] != QLatin1Char('$') ) {
+ if( aValue[nDollarPos+1] != QLatin1Char('$') ) {
int nEndPos = nDollarPos+1;
// the next character is not $
QString aVarName;
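Review bot: the removed branch is the CVE-2019-14744 sink: `popen(QFile::encodeName(cmd).data(), "r")` executed whatever text sat between `$(` and `)` in any `[$e]`-marked entry, after prepending the "exe" resource dirs to PATH, so a config or .desktop file supplied by a third party ran commands as the user reading it. After this change `$(` falls into the surviving `!= QLatin1Char('$')` branch and is parsed as a variable reference with an empty name, which is the intended outcome; since the PATH save/restore and the `#ifndef _WIN32_WCE` scaffolding go with it, check whether any includes that only served `popen`/`setenv` in kconfig.cpp are now unused.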
diff --git a/kdecore/doc/README.kiosk b/kdecore/doc/README.kiosk
index b95002d..d902c61 100644
--- a/kdecore/doc/README.kiosk
+++ b/kdecore/doc/README.kiosk
@@ -640,18 +640,6 @@ The following syntax is also supported:
Name[$ei]=${USER}
-Shell Commands in KDE config files.
-===================================
-
-Since KDE-3.1 arbitrary entries in configuration files can contain shell
-commands. This way the value of a configuration entry can be determined
-dynamically at runtime. In order to use this the entry must be marked
-with [$e].
-
-Example:
-Host[$e]=$(hostname)
-
-
KDE Kiosk Application API
==========================
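Review bot: deleting the section leaves README.kiosk with no statement that `$(...)` is no longer honoured in `[$e]` entries; a one-line replacement under the retained `Name[$ei]=${USER}` example, saying that `[$e]` now only expands environment variables and that `$(hostname)` should become `${HOSTNAME}`, would tell kiosk administrators why an existing `Host[$e]=$(hostname)` entry now yields the literal text `(hostname)` instead of the host name.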
diff --git a/kdecore/tests/kconfigtest.cpp b/kdecore/tests/kconfigtest.cpp
index 78e6ad1..37ea3c2 100644
--- a/kdecore/tests/kconfigtest.cpp
+++ b/kdecore/tests/kconfigtest.cpp
@@ -479,12 +479,8 @@ void KConfigTest::testPath()
QCOMPARE(group.readPathEntry("withBraces", QString()), QString("file://" + HOMEPATH) );
QVERIFY(group.hasKey("URL"));
QCOMPARE(group.readEntry("URL", QString()), QString("file://" + HOMEPATH) );
-#if !defined(Q_OS_WIN32) && !defined(Q_OS_MAC)
- // I don't know if this will work on windows
- // This test hangs on OS X
QVERIFY(group.hasKey("hostname"));
- QCOMPARE(group.readEntry("hostname", QString()), QHostInfo::localHostName());
-#endif
+ QCOMPARE(group.readEntry("hostname", QString()), QString("(hostname)")); // the $ got removed because empty var name
QVERIFY(group.hasKey("noeol"));
QCOMPARE(group.readEntry("noeol", QString()), QString("foo"));
}
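Review bot: the new expectation `QString("(hostname)")` pins the fixed behaviour, and dropping the `Q_OS_WIN32`/`Q_OS_MAC` guard is right now that no process is spawned, so the test runs on every platform. The trailing comment `// the $ got removed because empty var name` would read better as a full sentence explaining that `$(` is now treated as a reference to an empty variable; and if `QHostInfo::localHostName()` was the only user of QHostInfo in this file, its include can be dropped too.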
--
cgit v1.1