Sat May 7 22:25:09 2011 UTC ()
KGet does not properly sanitise the "name" attribute of the "file" element
of metalink files before using it to download files.
http://secunia.com/advisories/44124/


(markd)
diff -r1.22 -r1.23 pkgsrc/net/kdenetwork4/Makefile
diff -r1.16 -r1.17 pkgsrc/net/kdenetwork4/distinfo
diff -r0 -r1.1 pkgsrc/net/kdenetwork4/patches/patch-kget_ui_metalinkcreator_metalinker.cpp
cvs diff -r1.22 -r1.23 pkgsrc/net/kdenetwork4/Attic/Makefile (expand / switch to unified diff)

--- pkgsrc/net/kdenetwork4/Attic/Makefile 2011/04/22 13:44:23 1.22
+++ pkgsrc/net/kdenetwork4/Attic/Makefile 2011/05/07 22:25:08 1.23
@@ -1,17 +1,17 @@ @@ -1,17 +1,17 @@
1# $NetBSD: Makefile,v 1.22 2011/04/22 13:44:23 obache Exp $ 1# $NetBSD: Makefile,v 1.23 2011/05/07 22:25:08 markd Exp $
2 2
3DISTNAME= kdenetwork-${_KDE_VERSION} 3DISTNAME= kdenetwork-${_KDE_VERSION}
4PKGREVISION= 2 4PKGREVISION= 3
5CATEGORIES= net 5CATEGORIES= net
6COMMENT= Network modules for the KDE integrated X11 desktop 6COMMENT= Network modules for the KDE integrated X11 desktop
7 7
8CONFLICTS= kopete-[0-9]* 8CONFLICTS= kopete-[0-9]*
9 9
10.include "../../meta-pkgs/kde4/Makefile.kde4" 10.include "../../meta-pkgs/kde4/Makefile.kde4"
11 11
12# BUILD_MAKE_FLAGS+= VERBOSE=1 12# BUILD_MAKE_FLAGS+= VERBOSE=1
13 13
14# for kded_dnssdwatcher 14# for kded_dnssdwatcher
15UNLIMIT_RESOURCES+= datasize memorysize stacksize 15UNLIMIT_RESOURCES+= datasize memorysize stacksize
16 16
17CMAKE_ARGS+= -DWITH_Xmms:BOOL=OFF 17CMAKE_ARGS+= -DWITH_Xmms:BOOL=OFF
cvs diff -r1.16 -r1.17 pkgsrc/net/kdenetwork4/Attic/distinfo (expand / switch to unified diff)

--- pkgsrc/net/kdenetwork4/Attic/distinfo 2011/01/23 07:55:15 1.16
+++ pkgsrc/net/kdenetwork4/Attic/distinfo 2011/05/07 22:25:08 1.17
@@ -1,9 +1,10 @@ @@ -1,9 +1,10 @@
1$NetBSD: distinfo,v 1.16 2011/01/23 07:55:15 markd Exp $ 1$NetBSD: distinfo,v 1.17 2011/05/07 22:25:08 markd Exp $
2 2
3SHA1 (kdenetwork-4.5.5.tar.bz2) = 2c7dd0bc1809ac477f46ddb966f232ca3f60bc0a 3SHA1 (kdenetwork-4.5.5.tar.bz2) = 2c7dd0bc1809ac477f46ddb966f232ca3f60bc0a
4RMD160 (kdenetwork-4.5.5.tar.bz2) = 769829e255830bf360d9796c0ea9dcb12faeac0b 4RMD160 (kdenetwork-4.5.5.tar.bz2) = 769829e255830bf360d9796c0ea9dcb12faeac0b
5Size (kdenetwork-4.5.5.tar.bz2) = 8148708 bytes 5Size (kdenetwork-4.5.5.tar.bz2) = 8148708 bytes
6SHA1 (patch-aa) = 0359cd86501c57197242c398d63c1fc77c60a4d0 6SHA1 (patch-aa) = 0359cd86501c57197242c398d63c1fc77c60a4d0
7SHA1 (patch-ab) = 0743b3b6c994623c507b8bcd52ee01dad31cf56f 7SHA1 (patch-ab) = 0743b3b6c994623c507b8bcd52ee01dad31cf56f
8SHA1 (patch-ae) = 765d48550d2d8b7a59a1593a669b0909fef3bd96 8SHA1 (patch-ae) = 765d48550d2d8b7a59a1593a669b0909fef3bd96
9SHA1 (patch-af) = 5afe11d2691c0f3e9510d2cd1df5b4f736abafbe 9SHA1 (patch-af) = 5afe11d2691c0f3e9510d2cd1df5b4f736abafbe
 10SHA1 (patch-kget_ui_metalinkcreator_metalinker.cpp) = 1c3aaf24097c25120ff95b329e0995bc91843214
File Added: pkgsrc/net/kdenetwork4/patches/Attic/patch-kget_ui_metalinkcreator_metalinker.cpp
$NetBSD: patch-kget_ui_metalinkcreator_metalinker.cpp,v 1.1 2011/05/07 22:25:09 markd Exp $

http://secunia.com/advisories/44124/

--- kget/ui/metalinkcreator/metalinker.cpp	2011/04/09 09:24:33	1227468
+++ kget/ui/metalinkcreator/metalinker.cpp	2011/04/09 09:25:23	1227469
@@ -583,7 +583,13 @@
         return false;
     }
 
-    if (name.contains(QRegExp("$(\\.\\.?)?/")) || name.contains("/../") || name.endsWith("/..")) {
+    if (name.endsWith('/')) {
+        kError(5001) << "Name attribute of Metalink::File does not contain a file name:" << name;
+        return false;
+    }
+
+    const QStringList components = name.split('/');
+    if (name.startsWith('/') || components.contains("..") || components.contains(".")) {
         kError(5001) << "Name attribute of Metalink::File contains directory traversal directives:" << name;
         return false;
     }