rpms/konversation/devel konversation-1.0.1-dcop-newline-removal.patch, NONE, 1.1 konversation.spec, 1.14, 1.15

Dennis Gilmore (ausil) fedora-extras-commits at redhat.com
Wed Apr 9 17:02:54 UTC 2008


Author: ausil

Update of /cvs/extras/rpms/konversation/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv12114

Modified Files:
	konversation.spec 
Added Files:
	konversation-1.0.1-dcop-newline-removal.patch 
Log Message:
apply patch from upstream for CVE


konversation-1.0.1-dcop-newline-removal.patch:

--- NEW FILE konversation-1.0.1-dcop-newline-removal.patch ---
diff -ru konversation-old/konversation/src/konvdcop.cpp konversation-new/konversation/src/konvdcop.cpp
--- konversation-old/konversation/src/konvdcop.cpp	2006-10-06 18:43:29.000000000 +0200
+++ konversation-new/konversation/src/konvdcop.cpp	2008-04-09 17:36:38.000000000 +0200
@@ -82,15 +82,23 @@
     emit dcopMultiServerRaw("me " + message);
 }
 
-void KonvDCOP::say(const QString& server,const QString& target,const QString& command)
+void KonvDCOP::say(const QString& _server,const QString& _target,const QString& _command)
 {
+    //Sadly, copy on write doesn't exist with QString::replace
+    QString server(_server), target(_target), command(_command);
+
     // TODO: this just masks a greater problem - Server::addQuery will return a query for '' --argonel
     // TODO: other DCOP calls need argument checking too --argonel
     if (server.isEmpty() || target.isEmpty() || command.isEmpty())
         kdDebug() <<  "KonvDCOP::say() requires 3 arguments." << endl;
     else
     {
-        kdDebug() << "KonvDCOP::say()" << endl;
+        command.replace('\n',"\\n");
+        command.replace('\r',"\\r");
+        target.remove('\n');
+        target.remove('\r');
+        server.remove('\n');
+        server.remove('\r');
         // Act as if the user typed it
         emit dcopSay(server,target,command);
     }
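Review bot: The emptiness check in say() runs before the CR/LF stripping, so a `target` or `server` consisting only of line-break characters passes `isEmpty()` and is then reduced to an empty string before `emit dcopSay(server,target,command)`, which is the case the TODO about `Server::addQuery` returning a query for '' warns about. Moving the four `remove()` calls and the two `replace()` calls above the `if (server.isEmpty() || target.isEmpty() || command.isEmpty())` line closes that gap. The filter also covers only say(): the context line `emit dcopMultiServerRaw("me " + message);` at the top of the hunk forwards its argument unchanged as far as the hunk shows, and the spec change in this same commit stops deleting the media script, so the other DCOP entry points probably need the same treatment. The comment `//Sadly, copy on write doesn't exist with QString::replace` would be clearer as `// local copies: the parameters are const references and are modified below`. say()'s closing brace lies outside the hunk.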


Index: konversation.spec
===================================================================
RCS file: /cvs/extras/rpms/konversation/devel/konversation.spec,v
retrieving revision 1.14
retrieving revision 1.15
diff -u -r1.14 -r1.15
--- konversation.spec	10 Mar 2008 12:41:52 -0000	1.14
+++ konversation.spec	9 Apr 2008 17:01:56 -0000	1.15
@@ -1,6 +1,6 @@
 Name:           konversation
 Version:        1.0.1
-Release:        5%{?dist}
+Release:        6%{?dist}
 Summary:        Konversation is a user friendly IRC client for KDE
 
 Group:          Applications/Internet
@@ -8,6 +8,7 @@
 URL:            http://konversation.kde.org
 Source0:        http://download.berlios.de/konversation/konversation-%{version}.tar.bz2
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
+Patch0:         konversation-1.0.1-dcop-newline-removal.patch
 
 
 BuildRequires:  desktop-file-utils
@@ -31,6 +32,7 @@
 
 %prep
 %setup -q
+%patch0 -p1 -b .dcop
 
 %build
 unset QTDIR || : ; . /etc/profile.d/qt.sh
@@ -54,9 +56,6 @@
 --delete-original \
 $RPM_BUILD_ROOT%{_datadir}/applications/kde/konversation.desktop
 
-# CVE-2007-4400
-rm -f $RPM_BUILD_ROOT%{_datadir}/apps/konversation/scripts/media
-
 ## File lists
 # locale's
 %find_lang %{name} || touch %{name}.lang
@@ -99,6 +98,10 @@
 
 
 %changelog
+* Wed Apr 09 2008 Dennis Gilmore <dennis at ausil.us> - 1.0.1-6
+- apply patch from upstream handling CVE-2007-4400 correctly
+- reenable media script
+
 * Mon Mar 10 2008 Rex Dieter <rdieter at fedoraproject.org> - 1.0.1-5
 - drop Requires: kdebase3 (#435873)
 - f9+: dfi vendor fedora -> kde



