From owner-cvs-ports@FreeBSD.ORG Tue Nov 3 09:45:47 2009 Return-Path: Delivered-To: cvs-ports@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id D0CBE106566B; Tue, 3 Nov 2009 09:45:47 +0000 (UTC) (envelope-from miwi@FreeBSD.org) Received: from repoman.freebsd.org (repoman.freebsd.org [IPv6:2001:4f8:fff6::29]) by mx1.freebsd.org (Postfix) with ESMTP id BEF728FC0C; Tue, 3 Nov 2009 09:45:47 +0000 (UTC) Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.14.3/8.14.3) with ESMTP id nA39jlDn011999; Tue, 3 Nov 2009 09:45:47 GMT (envelope-from miwi@repoman.freebsd.org) Received: (from miwi@localhost) by repoman.freebsd.org (8.14.3/8.14.3/Submit) id nA39jlB5011998; Tue, 3 Nov 2009 09:45:47 GMT (envelope-from miwi) Message-Id: <200911030945.nA39jlB5011998@repoman.freebsd.org> From: Martin Wilke Date: Tue, 3 Nov 2009 09:45:47 +0000 (UTC) To: ports-committers@FreeBSD.org, cvs-ports@FreeBSD.org, cvs-all@FreeBSD.org X-FreeBSD-CVS-Branch: HEAD Cc: Subject: cvs commit: ports/x11/kdelibs4 Makefile ports/x11/kdelibs4/files patch-ocert-2009-015-khtml ports/x11/kdebase4-runtime Makefile ports/x11/kdebase4-runtime/files patch-ocert-2009-015-kioslave X-BeenThere: cvs-ports@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: CVS commit messages for the ports tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 03 Nov 2009 09:45:47 -0000 miwi 2009-11-03 09:45:47 UTC FreeBSD ports repository Modified files: x11/kdelibs4 Makefile x11/kdebase4-runtime Makefile Added files: x11/kdelibs4/files patch-ocert-2009-015-khtml x11/kdebase4-runtime/files patch-ocert-2009-015-kioslave Log: Secuirty Update: Ark input sanitization errors: The KDE archiving tool, Ark, performs insufficient validation which leads to specially crafted archive files, using unknown MIME types, to be rendered using a KHTML instance, this can trigger uncontrolled XMLHTTPRequests to remote sites. IO Slaves input sanitization errors: KDE protocol handlers perform insufficient input validation, an attacker can craft malicious URI that would trigger JavaScript execution. Additionally the 'help://' protocol handler suffer from directory traversal. It should be noted that the scope of this issue is limited as the malicious URIs cannot be embedded in Internet hosted content. KMail input sanitization errors: The KDE mail client, KMail, performs insufficient validation which leads to specially crafted email attachments, using unknown MIME types, to be rendered using a KHTML instance, this can trigger uncontrolled XMLHTTPRequests to remote sites. Submitted by: Eygene Ryabinkin (based on) Approved by: secteam (myself), portmgr Security: http://www.vuxml.org/freebsd/6f358f5a-c7ea-11de-a9f3-0030843d3802.html Revision Changes Path 1.227 +1 -1 ports/x11/kdebase4-runtime/Makefile 1.1 +16 -0 ports/x11/kdebase4-runtime/files/patch-ocert-2009-015-kioslave (new) 1.244 +1 -1 ports/x11/kdelibs4/Makefile 1.1 +117 -0 ports/x11/kdelibs4/files/patch-ocert-2009-015-khtml (new)