Patch ftp kioslave command injection vulnerability.

References: http://www.securityfocus.com/bid/11827 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1165 Approved by: portmgr
2005-01-01 13:36:18 +00:00
parent 29751cfd81
commit 18e5ca604b
4 changed files with 38 additions and 2 deletions
--- a/x11/kdelibs3/Makefile
+++ b/x11/kdelibs3/Makefile
@@ -8,7 +8,7 @@

 PORTNAME=	kdelibs
 PORTVERSION=	${KDE_VERSION}
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	x11 kde
 MASTER_SITES=	${MASTER_SITE_KDE}
 MASTER_SITE_SUBDIR=	stable/${PORTVERSION:S/.0//}/src
--- a/x11/kdelibs3/files/patch-post-3.3.2-kdelibs-kioslave
+++ b/x11/kdelibs3/files/patch-post-3.3.2-kdelibs-kioslave
@@ -0,0 +1,18 @@
+diff -b -p -u -r1.213.2.1 -r1.213.2.2
+--- kioslave/ftp/ftp.cc	21 Sep 2004 16:17:56 -0000	1.213.2.1
+++ kioslave/ftp/ftp.cc	26 Dec 2004 00:29:54 -0000	1.213.2.2
+@@ -751,6 +751,14 @@ bool Ftp::ftpSendCmd( const QCString& cm
+ {
+   assert(m_control != NULL);    // must have control connection socket
+ 
+  if ( cmd.find( '\r' ) != -1 || cmd.find( '\n' ) != -1)
+  {
+    kdWarning(7102) << "Invalid command received (contains CR or LF): "
+                    << cmd.data() << endl;
+    error( ERR_UNSUPPORTED_ACTION, m_host );
+    return false;
+  }
+
+   // Don't print out the password...
+   bool isPassCmd = (cmd.left(4).lower() == "pass");
+   if ( !isPassCmd )
--- a/x11/kdelibs4/Makefile
+++ b/x11/kdelibs4/Makefile
@@ -8,7 +8,7 @@

 PORTNAME=	kdelibs
 PORTVERSION=	${KDE_VERSION}
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	x11 kde
 MASTER_SITES=	${MASTER_SITE_KDE}
 MASTER_SITE_SUBDIR=	stable/${PORTVERSION:S/.0//}/src
--- a/x11/kdelibs4/files/patch-post-3.3.2-kdelibs-kioslave
+++ b/x11/kdelibs4/files/patch-post-3.3.2-kdelibs-kioslave
@@ -0,0 +1,18 @@
+diff -b -p -u -r1.213.2.1 -r1.213.2.2
+--- kioslave/ftp/ftp.cc	21 Sep 2004 16:17:56 -0000	1.213.2.1
+++ kioslave/ftp/ftp.cc	26 Dec 2004 00:29:54 -0000	1.213.2.2
+@@ -751,6 +751,14 @@ bool Ftp::ftpSendCmd( const QCString& cm
+ {
+   assert(m_control != NULL);    // must have control connection socket
+ 
+  if ( cmd.find( '\r' ) != -1 || cmd.find( '\n' ) != -1)
+  {
+    kdWarning(7102) << "Invalid command received (contains CR or LF): "
+                    << cmd.data() << endl;
+    error( ERR_UNSUPPORTED_ACTION, m_host );
+    return false;
+  }
+
+   // Don't print out the password...
+   bool isPassCmd = (cmd.left(4).lower() == "pass");
+   if ( !isPassCmd )