authorlofi <lofi@FreeBSD.org>2005-01-01 21:36:18 +0800
committerlofi <lofi@FreeBSD.org>2005-01-01 21:36:18 +0800
commit003c16512c24816d4b8a70207881a9c8755e09d3 (patch)
treed81a89ab855483c09f396a9de647f8280ba511c6 /x11/kdelibs4
parent4d547de067896377ec64df7783938c4238e49233 (diff)
Patch ftp kioslave command injection vulnerability.
References:
http://www.securityfocus.com/bid/11827
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1165

Approved by: portmgr
Diffstat (limited to 'x11/kdelibs4')
-rw-r--r--x11/kdelibs4/Makefile2
-rw-r--r--x11/kdelibs4/files/patch-post-3.3.2-kdelibs-kioslave18
2 files changed, 19 insertions, 1 deletions
diff --git a/x11/kdelibs4/Makefile b/x11/kdelibs4/Makefile
index d648e6186e23..ac1cd5c03b6b 100644
--- a/x11/kdelibs4/Makefile
+++ b/x11/kdelibs4/Makefile
@@ -8,7 +8,7 @@
PORTNAME= kdelibs
PORTVERSION= ${KDE_VERSION}
-PORTREVISION= 1
+PORTREVISION= 2
CATEGORIES= x11 kde
MASTER_SITES= ${MASTER_SITE_KDE}
MASTER_SITE_SUBDIR= stable/${PORTVERSION:S/.0//}/src
diff --git a/x11/kdelibs4/files/patch-post-3.3.2-kdelibs-kioslave b/x11/kdelibs4/files/patch-post-3.3.2-kdelibs-kioslave
new file mode 100644
index 000000000000..18dc66b03367
--- /dev/null
+++ b/x11/kdelibs4/files/patch-post-3.3.2-kdelibs-kioslave
@@ -0,0 +1,18 @@
+diff -b -p -u -r1.213.2.1 -r1.213.2.2
+--- kioslave/ftp/ftp.cc 21 Sep 2004 16:17:56 -0000 1.213.2.1
++++ kioslave/ftp/ftp.cc 26 Dec 2004 00:29:54 -0000 1.213.2.2
+@@ -751,6 +751,14 @@ bool Ftp::ftpSendCmd( const QCString& cm
+ {
+ assert(m_control != NULL); // must have control connection socket
+
++ if ( cmd.find( '\r' ) != -1 || cmd.find( '\n' ) != -1)
++ {
++ kdWarning(7102) << "Invalid command received (contains CR or LF): "
++ << cmd.data() << endl;
++ error( ERR_UNSUPPORTED_ACTION, m_host );
++ return false;
++ }
++
+ // Don't print out the password...
+ bool isPassCmd = (cmd.left(4).lower() == "pass");
+ if ( !isPassCmd )
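Review bot: The added warning `kdWarning(7102) << "Invalid command received (contains CR or LF): " << cmd.data() << endl;` writes the rejected command verbatim, and it runs before the `isPassCmd` masking a few lines below. If a PASS command is what gets rejected, the password ends up in the debug output, and the raw CR/LF bytes are written into the log as well, which can split or forge log lines. Logging only the fact of the rejection, e.g. `kdWarning(7102) << "Invalid command received (contains CR or LF)" << endl;`, keeps the diagnostic without echoing attacker-influenced or secret text. Placing the check at the single send point in ftpSendCmd is the right choke point. The function's body continues past the end of this hunk, so how `isPassCmd` is used afterwards is not visible here.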