Add upstream security patch, CVE-2010-1000

(Portage version: 2.1.9.49/cvs/Linux x86_64)

3 files changed, 75 insertions, 1 deletions

diff --git a/kde-base/kget/ChangeLog b/kde-base/kget/ChangeLog
index 1b77d8902c5e..d0665bbac23b 100644
--- a/kde-base/kget/ChangeLog
+++ b/kde-base/kget/ChangeLog
@@ -1,6 +1,12 @@
 # ChangeLog for kde-base/kget
 # Copyright 1999-2011 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/kde-base/kget/ChangeLog,v 1.185 2011/05/09 22:55:10 hwoarang Exp $
+# $Header: /var/cvsroot/gentoo-x86/kde-base/kget/ChangeLog,v 1.186 2011/05/14 13:43:34 dilfridge Exp $
+
+*kget-4.6.2-r1 (14 May 2011)
+
+  14 May 2011; Andreas K. Huettel <dilfridge@gentoo.org> +kget-4.6.2-r1.ebuild,
+  +files/kget-4.6.2-metalinker.patch:
+  Add upstream security patch, CVE-2010-1000
 
   09 May 2011; Markos Chandras <hwoarang@gentoo.org> kget-4.6.2.ebuild:
   Stable on amd64 wrt bug #354033
diff --git a/kde-base/kget/files/kget-4.6.2-metalinker.patch b/kde-base/kget/files/kget-4.6.2-metalinker.patch
new file mode 100644
index 000000000000..872d9650479b
--- /dev/null
+++ b/kde-base/kget/files/kget-4.6.2-metalinker.patch
@@ -0,0 +1,17 @@
+--- branches/KDE/4.6/kdenetwork/kget/ui/metalinkcreator/metalinker.cpp	2010/12/22 13:31:19	1208598
++++ branches/KDE/4.6/kdenetwork/kget/ui/metalinkcreator/metalinker.cpp	2011/04/09 09:26:37	1227471
+@@ -583,7 +583,13 @@
+         return false;
+     }
+ 
+-    if (name.contains(QRegExp("$(\\.\\.?)?/")) || name.contains("/../") || name.endsWith("/..")) {
++    if (name.endsWith('/')) {
++        kError(5001) << "Name attribute of Metalink::File does not contain a file name:" << name;
++        return false;
++    }
++
++    const QStringList components = name.split('/');
++    if (name.startsWith('/') || components.contains("..") || components.contains(".")) {
+         kError(5001) << "Name attribute of Metalink::File contains directory traversal directives:" << name;
+         return false;
+     }
diff --git a/kde-base/kget/kget-4.6.2-r1.ebuild b/kde-base/kget/kget-4.6.2-r1.ebuild
new file mode 100644
index 000000000000..cf77f9b08969
--- /dev/null
+++ b/kde-base/kget/kget-4.6.2-r1.ebuild
@@ -0,0 +1,51 @@
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/kde-base/kget/kget-4.6.2-r1.ebuild,v 1.1 2011/05/14 13:43:34 dilfridge Exp $
+
+EAPI=3
+
+KDE_HANDBOOK="optional"
+KMNAME="kdenetwork"
+WEBKIT_REQUIRED="optional"
+inherit kde4-meta
+
+DESCRIPTION="An advanced download manager for KDE"
+KEYWORDS="~amd64 ~ppc ~ppc64 ~x86 ~amd64-linux ~x86-linux"
+IUSE="debug bittorrent semantic-desktop sqlite"
+
+RDEPEND="
+	app-crypt/qca:2
+	$(add_kdebase_dep kdelibs 'semantic-desktop?')
+	$(add_kdebase_dep kdepimlibs)
+	$(add_kdebase_dep libkonq)
+	$(add_kdebase_dep libkworkspace)
+	$(add_kdebase_dep solid)
+	bittorrent? ( >=net-libs/libktorrent-1.0.3 )
+	sqlite? ( dev-db/sqlite:3 )
+	webkit? ( >=kde-misc/kwebkitpart-0.9.6 )
+"
+DEPEND="${RDEPEND}
+	dev-libs/boost
+"
+
+PATCHES=( "${FILESDIR}/${PN}-4.6.2-metalinker.patch" )
+
+src_prepare() {
+	kde4-meta_src_prepare
+	# Disable bittorrent as supported mimetype
+	if ! use bittorrent; then
+		sed -e '/MimeType=/s|application/x-bittorrent;||' \
+			-i kget/desktop/kget.desktop || die
+	fi
+}
+
+src_configure() {
+	mycmakeargs=(
+		$(cmake-utils_use_with bittorrent KTorrent)
+		$(cmake-utils_use_with semantic-desktop Nepomuk)
+		$(cmake-utils_use_with semantic-desktop Soprano)
+		$(cmake-utils_use_with sqlite)
+		$(cmake-utils_use_with webkit KWebKitPart)
+	)
+	kde4-meta_src_configure
+}