pkgsrc-Changes-HG archive


[pkgsrc/trunk]: pkgsrc/x11/kdelibs3 The FTP kioslave can be misused to execut...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/82a727eefe4b
branches:  trunk
changeset: 486915:82a727eefe4b
user:      markd <markd%pkgsrc.org@localhost>
date:      Wed Jan 05 10:36:23 2005 +0000

description:
The FTP kioslave can be misused to execute any ftp command on the
server or be a vector for sending out unsolicited email.
http://www.kde.org/info/security/advisory-20050101-1.txt
Bump PKGREVISION.

diffstat:

 x11/kdelibs3/Makefile         |   4 ++--
 x11/kdelibs3/distinfo         |   3 ++-
 x11/kdelibs3/patches/patch-aq |  19 +++++++++++++++++++
 3 files changed, 23 insertions(+), 3 deletions(-)

diffs (53 lines):

diff -r 2c7a20d53640 -r 82a727eefe4b x11/kdelibs3/Makefile
--- a/x11/kdelibs3/Makefile     Wed Jan 05 10:30:44 2005 +0000
+++ b/x11/kdelibs3/Makefile     Wed Jan 05 10:36:23 2005 +0000
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.74 2005/01/05 10:27:43 markd Exp $
+# $NetBSD: Makefile,v 1.75 2005/01/05 10:36:23 markd Exp $
 
 DISTNAME=      kdelibs-${_KDE_VERSION}
-PKGREVISION=   5
+PKGREVISION=   6
 CATEGORIES=    x11
 COMMENT=       Support libraries for the KDE integrated X11 desktop
 
diff -r 2c7a20d53640 -r 82a727eefe4b x11/kdelibs3/distinfo
--- a/x11/kdelibs3/distinfo     Wed Jan 05 10:30:44 2005 +0000
+++ b/x11/kdelibs3/distinfo     Wed Jan 05 10:36:23 2005 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.47 2005/01/05 10:27:43 markd Exp $
+$NetBSD: distinfo,v 1.48 2005/01/05 10:36:23 markd Exp $
 
 SHA1 (kdelibs-3.3.2.tar.bz2) = 69325b603375d31d4d537955383f4893e4a7945f
 Size (kdelibs-3.3.2.tar.bz2) = 15623180 bytes
@@ -10,6 +10,7 @@
 SHA1 (patch-an) = 0fccfa014212073f235945732ef3a3329756f9b5
 SHA1 (patch-ao) = 5cc9be57db26a2615ae9c982eb2b894c2c193e6b
 SHA1 (patch-ap) = bd0aa3b4a4b56cd74b674ce191b48268adecc8b9
+SHA1 (patch-aq) = 0cbe989b24378a2f0218f6a32328ce56aa812de4
 SHA1 (patch-bc) = 434a48d290aa9716b8c6e372419460ebd33cf8ea
 SHA1 (patch-bd) = 172e1146d4e1e49a1a61d7ddc415dbfa4e5c4088
 SHA1 (patch-bu) = 65aca46f30be04c0d8177498eac149437b21ba56
diff -r 2c7a20d53640 -r 82a727eefe4b x11/kdelibs3/patches/patch-aq
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/x11/kdelibs3/patches/patch-aq     Wed Jan 05 10:36:23 2005 +0000
@@ -0,0 +1,19 @@
+$NetBSD: patch-aq,v 1.7 2005/01/05 10:36:23 markd Exp $
+
+--- kioslave/ftp/ftp.cc.orig   2004-10-03 20:40:52.000000000 +1300
++++ kioslave/ftp/ftp.cc
+@@ -751,6 +751,14 @@ bool Ftp::ftpSendCmd( const QCString& cm
+ {
+   assert(m_control != NULL);    // must have control connection socket
+ 
++  if ( cmd.find( '\r' ) != -1 || cmd.find( '\n' ) != -1)
++  {
++    kdWarning(7102) << "Invalid command received (contains CR or LF): "
++                    << cmd.data() << endl;
++    error( ERR_UNSUPPORTED_ACTION, m_host );
++    return false;
++  }
++
+   // Don't print out the password...
+   bool isPassCmd = (cmd.left(4).lower() == "pass");
+   if ( !isPassCmd )
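
Review bot: The kdWarning in the new CR/LF check writes cmd.data() to the log before the isPassCmd test that follows it, so a rejected command beginning with "pass" would have its argument logged despite the "Don't print out the password" handling just below. The embedded CR or LF is also written raw into the log, where it can split the entry across lines. Suggest moving the isPassCmd computation above this check and logging either a fixed message or an escaped form of the command, for example `kdWarning(7102) << "Invalid command received (contains CR or LF)" << endl;`. A smaller point: error( ERR_UNSUPPORTED_ACTION, m_host ) passes only the host name, so the caller gets no indication that the request was refused because of a line break in the command.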


