Thu Aug 8 05:25:56 UTC 2019

kde/kdelibs-4.14.38-x86_64-4.txz: Rebuilt. kconfig: malicious .desktop files (and others) would execute code. For more information, see: https://mail.kde.org/pipermail/kde-announce/2019-August/000047.html https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14744 (* Security fix *)
2025-01-28 08:02:25 +01:00 · 2019-08-08 05:25:56 +00:00 · 2019-08-08 05:25:56 +00:00 · 850107940f
commit 850107940f
parent 527faada86
7 changed files with 169 additions and 28 deletions
--- a/ChangeLog.rss
+++ b/ChangeLog.rss
@ -11,9 +11,25 @@
      <description>Tracking Slackware development in git.</description>
      <language>en-us</language>
      <id xmlns="http://www.w3.org/2005/Atom">urn:uuid:c964f45e-6732-11e8-bbe5-107b4450212f</id>
-      <pubDate>Wed,  7 Aug 2019 05:27:04 GMT</pubDate>
+      <pubDate>Thu,  8 Aug 2019 05:25:56 GMT</pubDate>
-      <lastBuildDate>Wed,  7 Aug 2019 15:59:43 GMT</lastBuildDate>
+      <lastBuildDate>Thu,  8 Aug 2019 15:59:41 GMT</lastBuildDate>
      <generator>maintain_current_git.sh v 1.11</generator>
      <item>
         <title>Thu,  8 Aug 2019 05:25:56 GMT</title>
         <pubDate>Thu,  8 Aug 2019 05:25:56 GMT</pubDate>
         <link>https://git.slackware.nl/current/tag/?h=20190808052556</link>
         <guid isPermaLink="false">20190808052556</guid>
         <description>
           <![CDATA[<pre>
 kde/kdelibs-4.14.38-x86_64-4.txz:  Rebuilt.
  kconfig: malicious .desktop files (and others) would execute code.
  For more information, see:
    https://mail.kde.org/pipermail/kde-announce/2019-August/000047.html
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14744
  (* Security fix *)
           </pre>]]>
         </description>
      </item>
      <item>
         <title>Wed,  7 Aug 2019 05:27:04 GMT</title>
         <pubDate>Wed,  7 Aug 2019 05:27:04 GMT</pubDate>
--- a/ChangeLog.txt
+++ b/ChangeLog.txt
@ -1,3 +1,11 @@
 Thu Aug  8 05:25:56 UTC 2019
 kde/kdelibs-4.14.38-x86_64-4.txz:  Rebuilt.
  kconfig: malicious .desktop files (and others) would execute code.
  For more information, see:
    https://mail.kde.org/pipermail/kde-announce/2019-August/000047.html
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14744
  (* Security fix *)
 +--------------------------+
 Wed Aug  7 05:27:04 UTC 2019
 a/kernel-generic-4.19.65-x86_64-1.txz:  Upgraded.
 a/kernel-huge-4.19.65-x86_64-1.txz:  Upgraded.
--- a/FILELIST.TXT
+++ b/FILELIST.TXT
@ -1,20 +1,20 @@
-Wed Aug  7 05:40:43 UTC 2019
+Thu Aug  8 05:41:25 UTC 2019
 Here is the file list for this directory.  If you are using a 
 mirror site and find missing or extra files in the disk 
 subdirectories, please have the archive administrator refresh
 the mirror.
-drwxr-xr-x 12 root root      4096 2019-08-07 05:39 .
+drwxr-xr-x 12 root root      4096 2019-08-08 05:25 .
 -rw-r--r--  1 root root     10064 2016-06-30 18:39 ./ANNOUNCE.14_2
 -rw-r--r--  1 root root     14341 2018-11-29 05:40 ./CHANGES_AND_HINTS.TXT
-rw-r--r--  1 root root    923361 2019-08-07 05:39 ./CHECKSUMS.md5
+-rw-r--r--  1 root root    923361 2019-08-07 05:41 ./CHECKSUMS.md5
-rw-r--r--  1 root root       163 2019-08-07 05:39 ./CHECKSUMS.md5.asc
+-rw-r--r--  1 root root       163 2019-08-07 05:41 ./CHECKSUMS.md5.asc
 -rw-r--r--  1 root root     17976 1994-06-10 02:28 ./COPYING
 -rw-r--r--  1 root root     35147 2007-06-30 04:21 ./COPYING3
 -rw-r--r--  1 root root     19573 2016-06-23 20:08 ./COPYRIGHT.TXT
 -rw-r--r--  1 root root       616 2006-10-02 04:37 ./CRYPTO_NOTICE.TXT
-rw-r--r--  1 root root    672944 2019-08-07 05:27 ./ChangeLog.txt
+-rw-r--r--  1 root root    673303 2019-08-08 05:25 ./ChangeLog.txt
 drwxr-xr-x  3 root root      4096 2013-03-20 22:17 ./EFI
 drwxr-xr-x  2 root root      4096 2019-08-07 05:40 ./EFI/BOOT
 -rw-r--r--  1 root root   1417216 2019-07-05 18:54 ./EFI/BOOT/bootx64.efi
@ -27,7 +27,7 @@ drwxr-xr-x  2 root root      4096 2019-08-07 05:40 ./EFI/BOOT
 -rw-r--r--  1 root root      1273 2013-08-12 21:08 ./EFI/BOOT/tools.cfg
 -rw-r--r--  1 root root   1213861 2019-08-07 05:40 ./FILELIST.TXT
 -rw-r--r--  1 root root      1572 2012-08-29 18:27 ./GPG-KEY
-rw-r--r--  1 root root    733428 2019-08-07 05:37 ./PACKAGES.TXT
+-rw-r--r--  1 root root    733428 2019-08-08 05:39 ./PACKAGES.TXT
 -rw-r--r--  1 root root      8564 2016-06-28 21:33 ./README.TXT
 -rw-r--r--  1 root root      3635 2019-08-07 04:40 ./README.initrd
 -rw-r--r--  1 root root     34412 2017-12-01 17:44 ./README_CRYPT.TXT
@ -786,11 +786,11 @@ drwxr-xr-x  2 root root      4096 2012-09-20 18:06 ./patches
 -rw-r--r--  1 root root       575 2012-09-20 18:06 ./patches/FILE_LIST
 -rw-r--r--  1 root root        14 2012-09-20 18:06 ./patches/MANIFEST.bz2
 -rw-r--r--  1 root root       224 2012-09-20 18:06 ./patches/PACKAGES.TXT
-drwxr-xr-x 18 root root      4096 2019-08-07 05:37 ./slackware64
+drwxr-xr-x 18 root root      4096 2019-08-08 05:40 ./slackware64
-rw-r--r--  1 root root    290991 2019-08-07 05:37 ./slackware64/CHECKSUMS.md5
+-rw-r--r--  1 root root    290991 2019-08-08 05:40 ./slackware64/CHECKSUMS.md5
-rw-r--r--  1 root root       163 2019-08-07 05:37 ./slackware64/CHECKSUMS.md5.asc
+-rw-r--r--  1 root root       163 2019-08-08 05:40 ./slackware64/CHECKSUMS.md5.asc
-rw-r--r--  1 root root    362456 2019-08-07 05:34 ./slackware64/FILE_LIST
+-rw-r--r--  1 root root    362456 2019-08-08 05:37 ./slackware64/FILE_LIST
-rw-r--r--  1 root root   3693078 2019-08-07 05:35 ./slackware64/MANIFEST.bz2
+-rw-r--r--  1 root root   3693011 2019-08-08 05:38 ./slackware64/MANIFEST.bz2
 lrwxrwxrwx  1 root root        15 2009-08-23 23:34 ./slackware64/PACKAGES.TXT -> ../PACKAGES.TXT
 drwxr-xr-x  2 root root     28672 2019-08-07 05:34 ./slackware64/a
 -rw-r--r--  1 root root       327 2018-06-24 18:44 ./slackware64/a/aaa_base-14.2-x86_64-5.txt
@ -1617,7 +1617,7 @@ drwxr-xr-x  2 root root      4096 2019-08-07 05:34 ./slackware64/k
 -rw-r--r--  1 root root      1171 2019-08-07 04:40 ./slackware64/k/maketag
 -rw-r--r--  1 root root      1171 2019-08-07 04:40 ./slackware64/k/maketag.ez
 -rw-r--r--  1 root root        18 2019-08-07 04:40 ./slackware64/k/tagfile
-drwxr-xr-x  2 root root     45056 2019-08-01 21:37 ./slackware64/kde
+drwxr-xr-x  2 root root     45056 2019-08-08 05:37 ./slackware64/kde
 -rw-r--r--  1 root root       319 2018-06-02 22:05 ./slackware64/kde/amarok-2.9.0-x86_64-3.txt
 -rw-r--r--  1 root root  47003780 2018-06-02 22:05 ./slackware64/kde/amarok-2.9.0-x86_64-3.txz
 -rw-r--r--  1 root root       163 2018-06-02 22:05 ./slackware64/kde/amarok-2.9.0-x86_64-3.txz.asc
@ -1788,9 +1788,9 @@ drwxr-xr-x  2 root root     45056 2019-08-01 21:37 ./slackware64/kde
 -rw-r--r--  1 root root       452 2018-04-17 10:20 ./slackware64/kde/kdegraphics-thumbnailers-4.14.3-x86_64-3.txt
 -rw-r--r--  1 root root     38232 2018-04-17 10:20 ./slackware64/kde/kdegraphics-thumbnailers-4.14.3-x86_64-3.txz
 -rw-r--r--  1 root root       163 2018-04-17 10:20 ./slackware64/kde/kdegraphics-thumbnailers-4.14.3-x86_64-3.txz.asc
-rw-r--r--  1 root root       191 2018-06-18 02:55 ./slackware64/kde/kdelibs-4.14.38-x86_64-3.txt
+-rw-r--r--  1 root root       191 2019-08-08 04:08 ./slackware64/kde/kdelibs-4.14.38-x86_64-4.txt
-rw-r--r--  1 root root  12813280 2018-06-18 02:55 ./slackware64/kde/kdelibs-4.14.38-x86_64-3.txz
+-rw-r--r--  1 root root  12970056 2019-08-08 04:08 ./slackware64/kde/kdelibs-4.14.38-x86_64-4.txz
-rw-r--r--  1 root root       163 2018-06-18 02:55 ./slackware64/kde/kdelibs-4.14.38-x86_64-3.txz.asc
+-rw-r--r--  1 root root       163 2019-08-08 04:08 ./slackware64/kde/kdelibs-4.14.38-x86_64-4.txz.asc
 -rw-r--r--  1 root root       410 2018-04-17 10:57 ./slackware64/kde/kdenetwork-filesharing-4.14.3-x86_64-3.txt
 -rw-r--r--  1 root root     38376 2018-04-17 10:57 ./slackware64/kde/kdenetwork-filesharing-4.14.3-x86_64-3.txz
 -rw-r--r--  1 root root       163 2018-04-17 10:57 ./slackware64/kde/kdenetwork-filesharing-4.14.3-x86_64-3.txz.asc
@ -5007,11 +5007,11 @@ drwxr-xr-x   2 root root     4096 2019-02-17 23:51 ./slackware64/y
 -rw-r--r--   1 root root     1147 2018-03-01 07:55 ./slackware64/y/maketag
 -rw-r--r--   1 root root     1147 2018-03-01 07:55 ./slackware64/y/maketag.ez
 -rw-r--r--   1 root root       14 2018-03-01 07:55 ./slackware64/y/tagfile
-drwxr-xr-x  19 root root     4096 2019-08-07 05:38 ./source
+drwxr-xr-x  19 root root     4096 2019-08-08 05:41 ./source
-rw-r--r--   1 root root   469883 2019-08-07 05:38 ./source/CHECKSUMS.md5
+-rw-r--r--   1 root root   469995 2019-08-08 05:41 ./source/CHECKSUMS.md5
-rw-r--r--   1 root root      163 2019-08-07 05:38 ./source/CHECKSUMS.md5.asc
+-rw-r--r--   1 root root      163 2019-08-08 05:41 ./source/CHECKSUMS.md5.asc
-rw-r--r--   1 root root   662845 2019-08-07 05:38 ./source/FILE_LIST
+-rw-r--r--   1 root root   662975 2019-08-08 05:40 ./source/FILE_LIST
-rw-r--r--   1 root root 17319210 2019-08-07 05:38 ./source/MANIFEST.bz2
+-rw-r--r--   1 root root 17314467 2019-08-08 05:40 ./source/MANIFEST.bz2
 -rw-r--r--   1 root root     1314 2006-10-02 04:40 ./source/README.TXT
 drwxr-xr-x 111 root root     4096 2019-07-29 23:10 ./source/a
 -rw-r--r--   1 root root     1034 2019-05-04 17:56 ./source/a/FTBFSlog
@ -6998,7 +6998,7 @@ drwxr-xr-x   2 root root      4096 2019-06-14 18:50 ./source/kde/build
 -rw-r--r--   1 root root         2 2018-04-13 02:43 ./source/kde/build/kdegraphics-mobipocket
 -rw-r--r--   1 root root         2 2018-04-13 02:43 ./source/kde/build/kdegraphics-strigi-analyzer
 -rw-r--r--   1 root root         2 2018-04-13 02:43 ./source/kde/build/kdegraphics-thumbnailers
-rw-r--r--   1 root root         2 2018-06-17 17:32 ./source/kde/build/kdelibs
+-rw-r--r--   1 root root         2 2019-08-08 03:56 ./source/kde/build/kdelibs
 -rw-r--r--   1 root root         2 2018-04-13 02:43 ./source/kde/build/kdenetwork-filesharing
 -rw-r--r--   1 root root         2 2018-04-13 02:43 ./source/kde/build/kdenetwork-strigi-analyzers
 -rw-r--r--   1 root root         2 2018-04-19 23:13 ./source/kde/build/kdepim
@ -7315,10 +7315,11 @@ drwxr-xr-x   2 root root      4096 2018-01-30 20:00 ./source/kde/patch/kdeartwor
 drwxr-xr-x   2 root root      4096 2015-11-19 23:23 ./source/kde/patch/kdeconnect-kde
 -rw-r--r--   1 root root       153 2015-11-19 23:19 ./source/kde/patch/kdeconnect-kde.patch
 -rw-r--r--   1 root root       470 2015-11-19 23:23 ./source/kde/patch/kdeconnect-kde/kdeconnect-kde.openssh7.diff.gz
-drwxr-xr-x   2 root root      4096 2018-06-17 17:32 ./source/kde/patch/kdelibs
+drwxr-xr-x   2 root root      4096 2019-08-08 03:53 ./source/kde/patch/kdelibs
-rw-r--r--   1 root root      1250 2018-06-17 17:33 ./source/kde/patch/kdelibs.patch
+-rw-r--r--   1 root root      1510 2019-08-08 03:56 ./source/kde/patch/kdelibs.patch
 -rw-r--r--   1 root root       916 2013-10-20 23:21 ./source/kde/patch/kdelibs/coding-style-fixes.patch.gz
 -rw-r--r--   1 root root     22009 2018-06-17 17:31 ./source/kde/patch/kdelibs/kdelibs-openssl-1.1.patch.gz
 -rw-r--r--   1 root root      2041 2019-08-08 03:52 ./source/kde/patch/kdelibs/kdelibs.2c3762feddf7e66cf6b64d9058f625a715694a00.patch.gz
 -rw-r--r--   1 root root       361 2010-06-07 15:19 ./source/kde/patch/kdelibs/kdelibs.docbook.patch.gz
 -rw-r--r--   1 root root       347 2012-01-26 08:18 ./source/kde/patch/kdelibs/kdelibs.upnp_conditional.patch.gz
 -rw-r--r--   1 root root       955 2013-10-20 23:22 ./source/kde/patch/kdelibs/return-application-icons-properly.patch.gz
@ -12420,8 +12421,8 @@ drwxr-xr-x   2 root root      4096 2019-04-03 20:41 ./source/xap/gnuchess
 -rw-r--r--   1 root root       224 2004-10-27 06:07 ./source/xap/gnuchess/eboard.desktop
 -rw-r--r--   1 root root       221 2013-03-20 01:49 ./source/xap/gnuchess/eboard.ldl.diff.gz
 -rw-r--r--   1 root root       336 2015-03-23 16:11 ./source/xap/gnuchess/eboard.png16.diff.gz
-rw-r--r--   1 root root    518760 2017-07-24 23:16 ./source/xap/gnuchess/gnuchess-6.2.5.tar.xz
+-rw-r--r--  1 root root    518760 2017-07-24 23:16 ./source/xap/gnuchess/gnuchess-6.2.5.tar.xz
-rwxr-xr-x   1 root root      6366 2019-04-03 20:41 ./source/xap/gnuchess/gnuchess.SlackBuild
+-rwxr-xr-x  1 root root      6366 2019-04-03 20:41 ./source/xap/gnuchess/gnuchess.SlackBuild
 -rw-r--r--  1 root root       792 2018-02-27 06:13 ./source/xap/gnuchess/slack-desc
 -rw-r--r--  1 root root   2731760 2016-08-01 03:55 ./source/xap/gnuchess/xboard-4.9.1.tar.xz
 -rw-r--r--  1 root root       269 2015-03-20 18:35 ./source/xap/gnuchess/xboard.conf.diff.gz
--- a/recompress.sh
+++ b/recompress.sh
@ -324,6 +324,7 @@ gzip ./source/kde/patch/kdelibs/coding-style-fixes.patch
 gzip ./source/kde/patch/kdelibs/kdelibs.docbook.patch
 gzip ./source/kde/patch/kdelibs/kdelibs-openssl-1.1.patch
 gzip ./source/kde/patch/kdelibs/kdelibs.upnp_conditional.patch
 gzip ./source/kde/patch/kdelibs/kdelibs.2c3762feddf7e66cf6b64d9058f625a715694a00.patch
 gzip ./source/kde/patch/ktouch/ktouch.performance.diff
 gzip ./source/kde/patch/krdc/krdc_freerdp-1.1.0.patch
 gzip ./source/kde/patch/kdevelop-pg-qt/0011-fix-some-warnings.patch
--- a/source/kde/build/kdelibs
+++ b/source/kde/build/kdelibs
@ -1 +1 @@
-3
+4
--- a/source/kde/patch/kdelibs.patch
+++ b/source/kde/patch/kdelibs.patch
@ -15,3 +15,6 @@ zcat $CWD/patch/kdelibs/return-application-icons-properly.patch.gz | patch -R -p
 # Support OpenSSL-1.1.x:
 zcat $CWD/patch/kdelibs/kdelibs-openssl-1.1.patch.gz | patch -p1 --verbose || { touch ${SLACK_KDE_BUILD_DIR}/${PKGNAME}.failed ; continue ; }
 # Security: remove support for $(...) in config keys with [$e] marker. (CVE-2019-14744)
 zcat $CWD/patch/kdelibs/kdelibs.2c3762feddf7e66cf6b64d9058f625a715694a00.patch.gz | patch -p1 --verbose || { touch ${SLACK_KDE_BUILD_DIR}/${PKGNAME}.failed ; continue ; }
--- a/source/kde/patch/kdelibs/kdelibs.2c3762feddf7e66cf6b64d9058f625a715694a00.patch
+++ b/source/kde/patch/kdelibs/kdelibs.2c3762feddf7e66cf6b64d9058f625a715694a00.patch
@ -0,0 +1,112 @@
 From 2c3762feddf7e66cf6b64d9058f625a715694a00 Mon Sep 17 00:00:00 2001
 From: Kai Uwe Broulik <kde@privat.broulik.de>
 Date: Wed, 7 Aug 2019 09:47:46 +0200
 Subject: Security: remove support for $(...) in config keys with [$e] marker.
 It is very unclear at this point what a valid use case for this feature
 would possibly be. The old documentation only mentions $(hostname) as
 an example, which can be done with $HOSTNAME instead.
 Note that $(...) is still supported in Exec lines of desktop files,
 this does not require [$e] anyway (and actually works better without it,
 otherwise the $ signs need to be doubled to obey kconfig $e escaping rules...).
 Thanks to Fabian Vogt for testing.
 (This is a backport of KDE Frameworks 5 kconfig patch to kdelibs)
 Differential Revision: https://phabricator.kde.org/D22989
 ---
 kdecore/config/kconfig.cpp    | 32 +-------------------------------
 kdecore/doc/README.kiosk      | 12 ------------
 kdecore/tests/kconfigtest.cpp |  6 +-----
 3 files changed, 2 insertions(+), 48 deletions(-)
 diff --git a/kdecore/config/kconfig.cpp b/kdecore/config/kconfig.cpp
 index 7ea26a5..b30584b 100644
 --- a/kdecore/config/kconfig.cpp
 +++ b/kdecore/config/kconfig.cpp
@@ -160,37 +160,7 @@ QString KConfigPrivate::expandString(const QString& value)
     int nDollarPos = aValue.indexOf( QLatin1Char('$') );
     while( nDollarPos != -1 && nDollarPos+1 < aValue.length()) {
         // there is at least one $
 -        if( aValue[nDollarPos+1] == QLatin1Char('(') ) {
 -            int nEndPos = nDollarPos+1;
 -            // the next character is not $
 -            while ( (nEndPos <= aValue.length()) && (aValue[nEndPos]!=QLatin1Char(')')) )
 -                nEndPos++;
 -            nEndPos++;
 -            QString cmd = aValue.mid( nDollarPos+2, nEndPos-nDollarPos-3 );
 -
 -            QString result;
 -            QByteArray oldpath = qgetenv( "PATH" );
 -            QByteArray newpath;
 -            if (KGlobal::hasMainComponent()) {
 -                newpath = QFile::encodeName(KGlobal::dirs()->resourceDirs("exe").join(QChar::fromLatin1(KPATH_SEPARATOR)));
 -                if (!newpath.isEmpty() && !oldpath.isEmpty())
 -                    newpath += KPATH_SEPARATOR;
 -            }
 -            newpath += oldpath;
 -            setenv( "PATH", newpath, 1/*overwrite*/ );
 -// FIXME: wince does not have pipes
 -#ifndef _WIN32_WCE
 -            FILE *fs = popen(QFile::encodeName(cmd).data(), "r");
 -            if (fs) {
 -                QTextStream ts(fs, QIODevice::ReadOnly);
 -                result = ts.readAll().trimmed();
 -                pclose(fs);
 -            }
 -#endif
 -            setenv( "PATH", oldpath, 1/*overwrite*/ );
 -            aValue.replace( nDollarPos, nEndPos-nDollarPos, result );
 -            nDollarPos += result.length();
 -        } else if( aValue[nDollarPos+1] != QLatin1Char('$') ) {
 +        if( aValue[nDollarPos+1] != QLatin1Char('$') ) {
             int nEndPos = nDollarPos+1;
             // the next character is not $
             QString aVarName;
 diff --git a/kdecore/doc/README.kiosk b/kdecore/doc/README.kiosk
 index b95002d..d902c61 100644
 --- a/kdecore/doc/README.kiosk
 +++ b/kdecore/doc/README.kiosk
@@ -640,18 +640,6 @@ The following syntax is also supported:
 Name[$ei]=${USER}
 -Shell Commands in KDE config files.
 -===================================
 -
 -Since KDE-3.1 arbitrary entries in configuration files can contain shell 
 -commands. This way the value of a configuration entry can be determined
 -dynamically at runtime. In order to use this the entry must be marked 
 -with [$e]. 
 -
 -Example:
 -Host[$e]=$(hostname)
 -
 -
 KDE Kiosk Application API
 ==========================
 diff --git a/kdecore/tests/kconfigtest.cpp b/kdecore/tests/kconfigtest.cpp
 index 78e6ad1..37ea3c2 100644
 --- a/kdecore/tests/kconfigtest.cpp
 +++ b/kdecore/tests/kconfigtest.cpp
@@ -479,12 +479,8 @@ void KConfigTest::testPath()
   QCOMPARE(group.readPathEntry("withBraces", QString()), QString("file://" + HOMEPATH) );
   QVERIFY(group.hasKey("URL"));
   QCOMPARE(group.readEntry("URL", QString()), QString("file://" + HOMEPATH) );
 -#if !defined(Q_OS_WIN32) && !defined(Q_OS_MAC)
 -  // I don't know if this will work on windows
 -  // This test hangs on OS X
   QVERIFY(group.hasKey("hostname"));
 -  QCOMPARE(group.readEntry("hostname", QString()), QHostInfo::localHostName());
 -#endif
 +  QCOMPARE(group.readEntry("hostname", QString()), QString("(hostname)")); // the $ got removed because empty var name
   QVERIFY(group.hasKey("noeol"));
   QCOMPARE(group.readEntry("noeol", QString()), QString("foo"));
 }
 -- 
 cgit v1.1