mrueg 14/11/06 18:29:06 Added: systemsettings-4.11.13-kcm-dateandtime.patch Log: Fix security vulnerability. (Portage version: 2.2.14/cvs/Linux x86_64, signed Manifest commit with key )
Revision Changes Path 1.1 kde-base/systemsettings/files/systemsettings-4.11.13-kcm-dateandtime.patch file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/kde-base/systemsettings/files/systemsettings-4.11.13-kcm-dateandtime.patch?rev=1.1&view=markup plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/kde-base/systemsettings/files/systemsettings-4.11.13-kcm-dateandtime.patch?rev=1.1&content-type=text/plain Index: systemsettings-4.11.13-kcm-dateandtime.patch =================================================================== diff --git a/kcontrol/dateandtime/dtime.cpp b/kcontrol/dateandtime/dtime.cpp index 518afe5..68485bb 100644 --- a/kcontrol/dateandtime/dtime.cpp +++ b/kcontrol/dateandtime/dtime.cpp @@ -142,27 +142,15 @@ void Dtime::serverTimeCheck() { //kclock->setEnabled(enabled); } -void Dtime::findNTPutility(){ - QByteArray envpath = qgetenv("PATH"); - if (!envpath.isEmpty() && envpath[0] == ':') { - envpath = envpath.mid(1); - } - - QString path = "/sbin:/usr/sbin:"; - if (!envpath.isEmpty()) { - path += QString::fromLocal8Bit(envpath); - } else { - path += QLatin1String("/bin:/usr/bin"); - } - - foreach(const QString &possible_ntputility, QStringList() << "ntpdate" << "rdate" ) { - if( !((ntpUtility = KStandardDirs::findExe(possible_ntputility, path)).isEmpty()) ) { - kDebug() << "ntpUtility = " << ntpUtility; - return; +void Dtime::findNTPutility() +{ + const QString exePath = QLatin1String("/usr/sbin:/usr/bin:/sbin:/bin"); + foreach(const QString &possible_ntputility, QStringList() << "ntpdate" << "rdate" ) { + ntpUtility = KStandardDirs::findExe(possible_ntputility, exePath); + if (!ntpUtility.isEmpty()) { + return; + } } - } - - kDebug() << "ntpUtility not found!"; } void Dtime::set_time() 
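Review bot: The search path literal in the new `findNTPutility()` duplicates the `exePath` constant that helper.cpp defines, and nothing ties the two together, so if one string is edited later the GUI can offer NTP for a binary the helper will not find, or the reverse. A comment at the definition would record the coupling: `// Keep in sync with exePath in helper.cpp: the helper repeats this lookup itself and ignores whatever the GUI resolved.` The removed `kDebug()` calls also leave no trace when neither `ntpdate` nor `rdate` is installed; keeping `kDebug() << "ntpUtility not found!";` after the loop would preserve that diagnostic.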
@@ -238,7 +226,6 @@ void Dtime::save( QVariantMap& helperargs ) helperargs["ntp"] = true; helperargs["ntpServers"] = list; helperargs["ntpEnabled"] = setDateTimeAuto->isChecked(); - helperargs["ntpUtility"] = ntpUtility; if(setDateTimeAuto->isChecked() && !ntpUtility.isEmpty()){ // NTP Time setting - done in helper diff --git a/kcontrol/dateandtime/helper.cpp b/kcontrol/dateandtime/helper.cpp index 9168db3..21fc51a 100644 --- a/kcontrol/dateandtime/helper.cpp +++ b/kcontrol/dateandtime/helper.cpp @@ -52,8 +52,18 @@ // clears it. So we have to use a reasonable default. static const QString exePath = QLatin1String("/usr/sbin:/usr/bin:/sbin:/bin"); -int ClockHelper::ntp( const QStringList& ntpServers, bool ntpEnabled, - const QString& ntpUtility ) +static QString findNtpUtility() +{ + foreach(const QString &possible_ntputility, QStringList() << "ntpdate" << "rdate" ) { + const QString ntpUtility = KStandardDirs::findExe(possible_ntputility, exePath); + if (!ntpUtility.isEmpty()) { + return ntpUtility; + } + } + return QString(); +} + +int ClockHelper::ntp( const QStringList& ntpServers, bool ntpEnabled ) { int ret = 0; @@ -69,6 +79,8 @@ int ClockHelper::ntp( const QStringList& ntpServers, bool ntpEnabled, config.writeEntry("servers", ntpServers ); config.writeEntry("enabled", ntpEnabled ); + QString ntpUtility(findNtpUtility()); + if ( ntpEnabled && !ntpUtility.isEmpty() ) { // NTP Time setting QString timeServer = ntpServers.first(); @@ -111,6 +123,13 @@ int ClockHelper::date( const QString& newdate, const QString& olddate ) int ClockHelper::tz( const QString& selectedzone ) { int ret = 0; + + //only allow letters, numbers hyphen underscore plus and forward slash + //allowed pattern taken from time-util.c in systemd + if (!QRegExp("[a-zA-Z0-9-_+/]*").exactMatch(selectedzone)) { + return ret; + } + #if defined(USE_SOLARIS) // MARCO KTemporaryFile tf; 
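Review bot: `findNtpUtility()` carries no comment saying why the helper resolves the binary itself, which is the reason for this part of the change. The helper is a KAuth action (`save()` returns `ActionReply`), so it presumably runs with more rights than the caller that fills `args`. I would add above the function `// Resolve the NTP binary here, from the fixed exePath only; never accept an executable path from the caller's arguments.` so that a later refactor does not bring back an `ntpUtility` parameter.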
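Review bot: `ntpServers.first()` on the context line right after the new lookup runs on whatever list the caller sent, and the guard tests only `ntpEnabled` and `ntpUtility`; on an empty list `first()` is undefined in Qt. The condition should become `if ( ntpEnabled && !ntpUtility.isEmpty() && !ntpServers.isEmpty() ) {`. `ntpUtility` is not reassigned in the visible lines, so `const QString ntpUtility = findNtpUtility();` states that intent. How `timeServer` is handed to the utility lies outside this hunk; it is caller-supplied as well, so it is worth confirming that it is passed as a separate process argument and validated in the same way as the time zone name.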
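Review bot: The rejection path in `tz()` does `return ret;` while `ret` is still 0, so a zone name that fails the pattern appears to be reported to `save()` as success, and the caller never learns the request was refused. It should return the helper's time zone error code instead, e.g. `return TimezoneError;` if that is the name used in the class enum (not visible in this hunk). The pattern also accepts the empty string and names that begin with `/`, because of the `*` quantifier and the unrestricted `/`. Whether either matters depends on how `selectedzone` is joined to the zoneinfo directory further down in `tz()`, which continues past the hunk.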
@@ -227,7 +246,7 @@ ActionReply ClockHelper::save(const QVariantMap &args) int ret = 0; // error code // The order here is important if( _ntp ) - ret |= ntp( args.value("ntpServers").toStringList(), args.value("ntpEnabled").toBool(), args.value("ntpUtility").toString() ); + ret |= ntp( args.value("ntpServers").toStringList(), args.value("ntpEnabled").toBool()); if( _date ) ret |= date( args.value("newdate").toString(), args.value("olddate").toString() ); if( _tz ) diff --git a/kcontrol/dateandtime/helper.h b/kcontrol/dateandtime/helper.h index 1cbf103..fea71ba 100644 --- a/kcontrol/dateandtime/helper.h +++ b/kcontrol/dateandtime/helper.h @@ -42,8 +42,7 @@ class ClockHelper : public QObject ActionReply save(const QVariantMap &map); private: - int ntp(const QStringList& ntpServers, bool ntpEnabled, - const QString& ntpUtility); + int ntp(const QStringList& ntpServers, bool ntpEnabled); int date(const QString& newdate, const QString& olddate); int tz(const QString& selectedzone); int tzreset();
