Secuirty Update:

Ark input sanitization errors:
The KDE archiving tool, Ark, performs insufficient validation
which leads to specially crafted archive files, using unknown
MIME types, to be rendered using a KHTML instance, this can
trigger uncontrolled XMLHTTPRequests to remote sites.

IO Slaves input sanitization errors:
KDE protocol handlers perform insufficient input validation, an
attacker can craft malicious URI that would trigger JavaScript
execution. Additionally the 'help://' protocol handler suffer
from directory traversal. It should be noted that the scope of
this issue is limited as the malicious URIs cannot be embedded
in Internet hosted content.

KMail input sanitization errors:
The KDE mail client, KMail, performs insufficient validation which
leads to specially crafted email attachments, using unknown MIME
types, to be rendered using a KHTML instance, this can trigger
uncontrolled XMLHTTPRequests to remote sites.

Submitted by:	Eygene Ryabinkin <rea-fbsd@codelabs.ru> (based on)
Approved by:	secteam (myself), portmgr
Security:	http://www.vuxml.org/freebsd/6f358f5a-c7ea-11de-a9f3-0030843d3802.html

6 files changed, 152 insertions, 3 deletions

diff --git a/x11/kde4-runtime/Makefile b/x11/kde4-runtime/Makefile
index fd89157e1731..1a7c749095dc 100644
--- a/x11/kde4-runtime/Makefile
+++ b/x11/kde4-runtime/Makefile
@@ -8,7 +8,7 @@
 
 PORTNAME=	kdebase-runtime
 PORTVERSION=	${KDE4_VERSION}
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	x11 kde
 MASTER_SITES=	${MASTER_SITE_KDE}
 MASTER_SITE_SUBDIR=	${KDE4_BRANCH}/${PORTVERSION}/src
diff --git a/x11/kde4-runtime/files/patch-ocert-2009-015-kioslave b/x11/kde4-runtime/files/patch-ocert-2009-015-kioslave
new file mode 100644
index 000000000000..0024b941e34d
--- /dev/null
+++ b/x11/kde4-runtime/files/patch-ocert-2009-015-kioslave
@@ -0,0 +1,16 @@
+--- ./kioslave/info/info.cc	2009/10/02 15:51:26	1030578
++++ ./kioslave/info/info.cc	2009/10/02 15:53:30	1030579
+@@ -89,6 +89,13 @@
+         return;
+     }
+ 
++    // '<' in the path looks suspicious, someone is trying info:/dir/<script>alert('xss')</script>
++    if (url.path().contains('<'))
++    {
++        error(KIO::ERR_DOES_NOT_EXIST, url.url());
++        return;
++    }
++
+     mimeType("text/html");
+     // extract the path and node from url
+     decodeURL( url );
diff --git a/x11/kdebase4-runtime/Makefile b/x11/kdebase4-runtime/Makefile
index fd89157e1731..1a7c749095dc 100644
--- a/x11/kdebase4-runtime/Makefile
+++ b/x11/kdebase4-runtime/Makefile
@@ -8,7 +8,7 @@
 
 PORTNAME=	kdebase-runtime
 PORTVERSION=	${KDE4_VERSION}
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	x11 kde
 MASTER_SITES=	${MASTER_SITE_KDE}
 MASTER_SITE_SUBDIR=	${KDE4_BRANCH}/${PORTVERSION}/src
diff --git a/x11/kdebase4-runtime/files/patch-ocert-2009-015-kioslave b/x11/kdebase4-runtime/files/patch-ocert-2009-015-kioslave
new file mode 100644
index 000000000000..0024b941e34d
--- /dev/null
+++ b/x11/kdebase4-runtime/files/patch-ocert-2009-015-kioslave
@@ -0,0 +1,16 @@
+--- ./kioslave/info/info.cc	2009/10/02 15:51:26	1030578
++++ ./kioslave/info/info.cc	2009/10/02 15:53:30	1030579
+@@ -89,6 +89,13 @@
+         return;
+     }
+ 
++    // '<' in the path looks suspicious, someone is trying info:/dir/<script>alert('xss')</script>
++    if (url.path().contains('<'))
++    {
++        error(KIO::ERR_DOES_NOT_EXIST, url.url());
++        return;
++    }
++
+     mimeType("text/html");
+     // extract the path and node from url
+     decodeURL( url );
diff --git a/x11/kdelibs4/Makefile b/x11/kdelibs4/Makefile
index 61a57b3a91bd..5a07de5f6bcc 100644
--- a/x11/kdelibs4/Makefile
+++ b/x11/kdelibs4/Makefile
@@ -8,7 +8,7 @@
 
 PORTNAME=	kdelibs
 PORTVERSION=	${KDE4_VERSION}
-PORTREVISION=	4
+PORTREVISION=	5
 CATEGORIES=	x11 kde ipv6
 MASTER_SITES=	${MASTER_SITE_KDE}
 MASTER_SITE_SUBDIR=	${KDE4_BRANCH}/${PORTVERSION}/src
diff --git a/x11/kdelibs4/files/patch-ocert-2009-015-khtml b/x11/kdelibs4/files/patch-ocert-2009-015-khtml
new file mode 100644
index 000000000000..8e0e82c3534c
--- /dev/null
+++ b/x11/kdelibs4/files/patch-ocert-2009-015-khtml
@@ -0,0 +1,117 @@
+--- ./khtml/ecma/xmlhttprequest.cpp	2009/10/15 10:13:41	1035538
++++ ./khtml/ecma/xmlhttprequest.cpp	2009/10/15 10:14:38	1035539
+@@ -49,7 +49,7 @@
+ 
+ using namespace KJS;
+ using namespace DOM;
+-// 
++//
+ ////////////////////// XMLHttpRequest Object ////////////////////////
+ 
+ /* Source for XMLHttpRequestProtoTable.
+@@ -269,7 +269,7 @@
+ static bool canSetRequestHeader(const QString& name)
+ {
+     static QSet<CaseInsensitiveString> forbiddenHeaders;
+-    
++
+     if (forbiddenHeaders.isEmpty()) {
+ 	static const char* hdrs[] = {
+ 	    "accept-charset",
+@@ -298,12 +298,12 @@
+ 	    "transfer-encoding",
+ 	    "unlock",
+ 	    "upgrade",
+-	    "via" 
++	    "via"
+ 	};
+ 	for (size_t i = 0; i < sizeof(hdrs)/sizeof(char*); ++i)
+ 	    forbiddenHeaders.insert(CaseInsensitiveString(hdrs[i]));
+     }
+-    
++
+     return !forbiddenHeaders.contains(name);
+ }
+ 
+@@ -326,9 +326,9 @@
+ 
+ XMLHttpRequest::~XMLHttpRequest()
+ {
+-  if (onLoadListener) 
++  if (onLoadListener)
+       onLoadListener->deref();
+-  if (onReadyStateChangeListener) 
++  if (onReadyStateChangeListener)
+       onReadyStateChangeListener->deref();
+   delete qObject;
+   qObject = 0;
+@@ -412,17 +412,18 @@
+       return;
+   }
+ 
+-  if (method == "post") {
+-    QString protocol = url.protocol().toLower();
++  const QString protocol = url.protocol().toLower();
++  // Abandon the request when the protocol is other than "http",
++  // instead of blindly doing a KIO::get on other protocols like file:/.
++  if (!protocol.startsWith(QLatin1String("http")) &&
++      !protocol.startsWith(QLatin1String("webdav")))
++  {
++    ec = DOMException::INVALID_ACCESS_ERR;
++    abort();
++    return;
++  }
+ 
+-    // Abondon the request when the protocol is other than "http",
+-    // instead of blindly changing it to a "get" request.
+-    if (!protocol.startsWith(QLatin1String("http")) &&
+-        !protocol.startsWith(QLatin1String("webdav")))
+-    {
+-      abort();
+-      return;
+-    }
++  if (method == "post") {
+ 
+     // FIXME: determine post encoding correctly by looking in headers
+     // for charset.
+@@ -580,7 +581,7 @@
+       ec = DOMException::INVALID_STATE_ERR;
+       return jsString("");
+   }
+-  
++
+   // ### test error flag, return jsNull
+ 
+   if (responseHeaders.isEmpty()) {
+@@ -809,7 +810,7 @@
+       setDOMException(exec, ec);
+       return ret;
+     }
+-  case XMLHttpRequest::GetResponseHeader: 
++  case XMLHttpRequest::GetResponseHeader:
+     {
+       if (args.size() < 1)
+           return throwError(exec, SyntaxError, "Not enough arguments");
+@@ -852,11 +853,11 @@
+         DOM::NodeImpl* docNode = toNode(args[0]);
+         if (docNode && docNode->isDocumentNode()) {
+           DOM::DocumentImpl *doc = static_cast<DOM::DocumentImpl *>(docNode);
+-          
++
+           try {
+             body = doc->toString().string();
+             // FIXME: also need to set content type, including encoding!
+-  
++
+           } catch(DOM::DOMException&) {
+             return throwError(exec, GeneralError, "Exception serializing document");
+           }
+@@ -866,7 +867,7 @@
+       }
+ 
+       request->send(body, ec);
+-      setDOMException(exec, ec);  
++      setDOMException(exec, ec);
+       return jsUndefined();
+     }
+   case XMLHttpRequest::SetRequestHeader: