1 |
commit: acad49edefd0e0f7b5cb5272806875749441a303 |
2 |
Author: Michael Palimaka <kensington <AT> gentoo <DOT> org> |
3 |
AuthorDate: Wed Nov 2 12:04:57 2016 +0000 |
4 |
Commit: Michael Palimaka <kensington <AT> gentoo <DOT> org> |
5 |
CommitDate: Wed Nov 2 12:05:18 2016 +0000 |
6 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=acad49ed |
7 |
|
8 |
kde-apps/kdepimlibs: backport additional commits from upstream to resolve CVE-2016-7966 |
9 |
|
10 |
Gentoo-bug: 596224 |
11 |
|
12 |
Package-Manager: portage-2.3.2 |
13 |
|
14 |
.../files/kdepimlibs-CVE-2016-7966-r1.patch | 135 +++++++++++++++++++++ |
15 |
kde-apps/kdepimlibs/kdepimlibs-4.14.10-r2.ebuild | 62 ++++++++++ |
16 |
.../kdepimlibs-4.14.11_pre20160211-r2.ebuild | 66 ++++++++++ |
17 |
3 files changed, 263 insertions(+) |
18 |
|
19 |
diff --git a/kde-apps/kdepimlibs/files/kdepimlibs-CVE-2016-7966-r1.patch b/kde-apps/kdepimlibs/files/kdepimlibs-CVE-2016-7966-r1.patch |
20 |
new file mode 100644 |
21 |
index 00000000..9bea572 |
22 |
--- /dev/null |
23 |
+++ b/kde-apps/kdepimlibs/files/kdepimlibs-CVE-2016-7966-r1.patch |
24 |
@@ -0,0 +1,135 @@ |
25 |
+From 176fee25ca79145ab5c8e2275d248f1a46a8d8cf Mon Sep 17 00:00:00 2001 |
26 |
+From: Montel Laurent <montel@×××.org> |
27 |
+Date: Fri, 30 Sep 2016 15:55:35 +0200 |
28 |
+Subject: [PATCH] Backport avoid to transform as a url when we have a quote |
29 |
+ |
30 |
+--- |
31 |
+ kpimutils/linklocator.cpp | 30 +++++++++++++++++++++++++++--- |
32 |
+ kpimutils/linklocator.h | 3 ++- |
33 |
+ 2 files changed, 29 insertions(+), 4 deletions(-) |
34 |
+ |
35 |
+diff --git a/kpimutils/linklocator.cpp b/kpimutils/linklocator.cpp |
36 |
+index f5d9afd..f30e8fc 100644 |
37 |
+--- a/kpimutils/linklocator.cpp |
38 |
++++ b/kpimutils/linklocator.cpp |
39 |
+@@ -95,6 +95,12 @@ int LinkLocator::maxAddressLen() const |
40 |
+ |
41 |
+ QString LinkLocator::getUrl() |
42 |
+ { |
43 |
++ return getUrlAndCheckValidHref(); |
44 |
++} |
45 |
++ |
46 |
++ |
47 |
++QString LinkLocator::getUrlAndCheckValidHref(bool *badurl) |
48 |
++{ |
49 |
+ QString url; |
50 |
+ if ( atUrl() ) { |
51 |
+ // NOTE: see http://tools.ietf.org/html/rfc3986#appendix-A and especially appendix-C |
52 |
+@@ -129,13 +135,26 @@ QString LinkLocator::getUrl() |
53 |
+ |
54 |
+ url.reserve( maxUrlLen() ); // avoid allocs |
55 |
+ int start = mPos; |
56 |
++ bool previousCharIsADoubleQuote = false; |
57 |
+ while ( ( mPos < (int)mText.length() ) && |
58 |
+ ( mText[mPos].isPrint() || mText[mPos].isSpace() ) && |
59 |
+ ( ( afterUrl.isNull() && !mText[mPos].isSpace() ) || |
60 |
+ ( !afterUrl.isNull() && mText[mPos] != afterUrl ) ) ) { |
61 |
+ if ( !mText[mPos].isSpace() ) { // skip whitespace |
62 |
+- url.append( mText[mPos] ); |
63 |
+- if ( url.length() > maxUrlLen() ) { |
64 |
++ if (mText[mPos] == QLatin1Char('>') && previousCharIsADoubleQuote) { |
65 |
++ //it's an invalid url |
66 |
++ if (badurl) { |
67 |
++ *badurl = true; |
68 |
++ } |
69 |
++ return QString(); |
70 |
++ } |
71 |
++ if (mText[mPos] == QLatin1Char('"')) { |
72 |
++ previousCharIsADoubleQuote = true; |
73 |
++ } else { |
74 |
++ previousCharIsADoubleQuote = false; |
75 |
++ } |
76 |
++ url.append( mText[mPos] ); |
77 |
++ if ( url.length() > maxUrlLen() ) { |
78 |
+ break; |
79 |
+ } |
80 |
+ } |
81 |
+@@ -367,7 +386,12 @@ QString LinkLocator::convertToHtml( const QString &plainText, int flags, |
82 |
+ } else { |
83 |
+ const int start = locator.mPos; |
84 |
+ if ( !( flags & IgnoreUrls ) ) { |
85 |
+- str = locator.getUrl(); |
86 |
++ bool badUrl = false; |
87 |
++ str = locator.getUrlAndCheckValidHref(&badUrl); |
88 |
++ if (badUrl) { |
89 |
++ return locator.mText; |
90 |
++ } |
91 |
++ |
92 |
+ if ( !str.isEmpty() ) { |
93 |
+ QString hyperlink; |
94 |
+ if ( str.left( 4 ) == QLatin1String("www.") ) { |
95 |
+diff --git a/kpimutils/linklocator.h b/kpimutils/linklocator.h |
96 |
+index 3049397..375498d 100644 |
97 |
+--- a/kpimutils/linklocator.h |
98 |
++++ b/kpimutils/linklocator.h |
99 |
+@@ -107,6 +107,7 @@ class KPIMUTILS_EXPORT LinkLocator |
100 |
+ @return The URL at the current scan position, or an empty string. |
101 |
+ */ |
102 |
+ QString getUrl(); |
103 |
++ QString getUrlAndCheckValidHref(bool *badurl = 0); |
104 |
+ |
105 |
+ /** |
106 |
+ Attempts to grab an email address. If there is an @ symbol at the |
107 |
+@@ -155,7 +156,7 @@ class KPIMUTILS_EXPORT LinkLocator |
108 |
+ */ |
109 |
+ static QString pngToDataUrl( const QString & iconPath ); |
110 |
+ |
111 |
+- protected: |
112 |
++protected: |
113 |
+ /** |
114 |
+ The plaintext string being scanned for URLs and email addresses. |
115 |
+ */ |
116 |
+-- |
117 |
+2.7.3 |
118 |
+ |
119 |
+From 8bbe1bd3fdc55f609340edc667ff154b3d2aaab1 Mon Sep 17 00:00:00 2001 |
120 |
+From: Montel Laurent <montel@×××.org> |
121 |
+Date: Tue, 11 Oct 2016 11:47:41 +0200 |
122 |
+Subject: [PATCH] Backport show bad url text |
123 |
+ |
124 |
+--- |
125 |
+ kpimutils/linklocator.cpp | 18 +++++++++++++++++- |
126 |
+ 1 file changed, 17 insertions(+), 1 deletion(-) |
127 |
+ |
128 |
+diff --git a/kpimutils/linklocator.cpp b/kpimutils/linklocator.cpp |
129 |
+index f30e8fc..4abe968 100644 |
130 |
+--- a/kpimutils/linklocator.cpp |
131 |
++++ b/kpimutils/linklocator.cpp |
132 |
+@@ -389,7 +389,23 @@ QString LinkLocator::convertToHtml( const QString &plainText, int flags, |
133 |
+ bool badUrl = false; |
134 |
+ str = locator.getUrlAndCheckValidHref(&badUrl); |
135 |
+ if (badUrl) { |
136 |
+- return locator.mText; |
137 |
++ QString resultBadUrl; |
138 |
++ const int helperTextSize(locator.mText.count()); |
139 |
++ for (int i = 0; i < helperTextSize; ++i) { |
140 |
++ const QChar chBadUrl = locator.mText[i]; |
141 |
++ if (chBadUrl == QLatin1Char('&')) { |
142 |
++ resultBadUrl += QLatin1String("&"); |
143 |
++ } else if (chBadUrl == QLatin1Char('"')) { |
144 |
++ resultBadUrl += QLatin1String("""); |
145 |
++ } else if (chBadUrl == QLatin1Char('<')) { |
146 |
++ resultBadUrl += QLatin1String("<"); |
147 |
++ } else if (chBadUrl == QLatin1Char('>')) { |
148 |
++ resultBadUrl += QLatin1String(">"); |
149 |
++ } else { |
150 |
++ resultBadUrl += chBadUrl; |
151 |
++ } |
152 |
++ } |
153 |
++ return resultBadUrl; |
154 |
+ } |
155 |
+ |
156 |
+ if ( !str.isEmpty() ) { |
157 |
+-- |
158 |
+2.7.3 |
159 |
+ |
160 |
|
161 |
diff --git a/kde-apps/kdepimlibs/kdepimlibs-4.14.10-r2.ebuild b/kde-apps/kdepimlibs/kdepimlibs-4.14.10-r2.ebuild |
162 |
new file mode 100644 |
163 |
index 00000000..b9355e7 |
164 |
--- /dev/null |
165 |
+++ b/kde-apps/kdepimlibs/kdepimlibs-4.14.10-r2.ebuild |
166 |
@@ -0,0 +1,62 @@ |
167 |
+# Copyright 1999-2016 Gentoo Foundation |
168 |
+# Distributed under the terms of the GNU General Public License v2 |
169 |
+# $Id$ |
170 |
+ |
171 |
+EAPI=6 |
172 |
+ |
173 |
+KDE_HANDBOOK="optional" |
174 |
+CPPUNIT_REQUIRED="optional" |
175 |
+EGIT_BRANCH="KDE/4.14" |
176 |
+inherit kde4-base |
177 |
+ |
178 |
+DESCRIPTION="Common library for KDE PIM apps" |
179 |
+KEYWORDS="~amd64 ~arm ~x86 ~amd64-linux ~x86-linux" |
180 |
+LICENSE="LGPL-2.1" |
181 |
+IUSE="debug ldap prison" |
182 |
+ |
183 |
+# some akonadi tests timeout, that probaly needs more work as its ~700 tests |
184 |
+RESTRICT="test" |
185 |
+ |
186 |
+DEPEND=" |
187 |
+ >=app-crypt/gpgme-1.1.6 |
188 |
+ >=dev-libs/boost-1.35.0-r5:= |
189 |
+ dev-libs/libgpg-error |
190 |
+ >=dev-libs/libical-0.48-r2:= |
191 |
+ dev-libs/cyrus-sasl |
192 |
+ >=dev-libs/qjson-0.8.1 |
193 |
+ kde-apps/akonadi:4 |
194 |
+ media-libs/phonon[qt4] |
195 |
+ x11-misc/shared-mime-info |
196 |
+ prison? ( media-libs/prison:4 ) |
197 |
+ ldap? ( net-nds/openldap ) |
198 |
+" |
199 |
+# boost is not linked to, but headers which include it are installed |
200 |
+# bug #418071 |
201 |
+RDEPEND="${DEPEND} |
202 |
+ !=kde-apps/kdepim-runtime-4.10* |
203 |
+ !=kde-apps/kdepim-runtime-4.11* |
204 |
+ !<kde-apps/kdepim-runtime-4.4.11.1-r2:4 |
205 |
+" |
206 |
+ |
207 |
+PATCHES=( |
208 |
+ "${FILESDIR}/${PN}-4.14.11-boostincludes.patch" |
209 |
+ "${FILESDIR}/${PN}-CVE-2016-7966-r1.patch" |
210 |
+) |
211 |
+ |
212 |
+src_configure() { |
213 |
+ local mycmakeargs=( |
214 |
+ -DBUILD_doc=$(usex handbook) |
215 |
+ $(cmake-utils_use_find_package ldap) |
216 |
+ $(cmake-utils_use_find_package prison) |
217 |
+ ) |
218 |
+ |
219 |
+ kde4-base_src_configure |
220 |
+} |
221 |
+ |
222 |
+src_install() { |
223 |
+ kde4-base_src_install |
224 |
+ rm "${ED}"/usr/share/apps/cmake/modules/FindQtOAuth.cmake #Collides with net-im/choqok |
225 |
+ |
226 |
+ # contains constants/defines only |
227 |
+ QA_DT_NEEDED="$(find "${ED}" -type f -name 'libakonadi-kabc.so.*' -printf '/%P\n')" |
228 |
+} |
229 |
|
230 |
diff --git a/kde-apps/kdepimlibs/kdepimlibs-4.14.11_pre20160211-r2.ebuild b/kde-apps/kdepimlibs/kdepimlibs-4.14.11_pre20160211-r2.ebuild |
231 |
new file mode 100644 |
232 |
index 00000000..222a8be |
233 |
--- /dev/null |
234 |
+++ b/kde-apps/kdepimlibs/kdepimlibs-4.14.11_pre20160211-r2.ebuild |
235 |
@@ -0,0 +1,66 @@ |
236 |
+# Copyright 1999-2016 Gentoo Foundation |
237 |
+# Distributed under the terms of the GNU General Public License v2 |
238 |
+# $Id$ |
239 |
+ |
240 |
+EAPI=6 |
241 |
+ |
242 |
+KDE_HANDBOOK="optional" |
243 |
+CPPUNIT_REQUIRED="optional" |
244 |
+EGIT_BRANCH="KDE/4.14" |
245 |
+inherit kde4-base |
246 |
+ |
247 |
+DESCRIPTION="Common library for KDE PIM apps" |
248 |
+COMMIT_ID="a791b69599c3571ff2f4b1cc9033d8fb30f1bc33" |
249 |
+SRC_URI="https://quickgit.kde.org/?p=kdepimlibs.git&a=snapshot&h=${COMMIT_ID}&fmt=tgz -> ${P}.tar.gz" |
250 |
+S=${WORKDIR}/${PN} |
251 |
+ |
252 |
+KEYWORDS="~amd64 ~arm ~x86 ~amd64-linux ~x86-linux" |
253 |
+LICENSE="LGPL-2.1" |
254 |
+IUSE="debug ldap prison" |
255 |
+ |
256 |
+# some akonadi tests timeout, that probaly needs more work as its ~700 tests |
257 |
+RESTRICT="test" |
258 |
+ |
259 |
+DEPEND=" |
260 |
+ >=app-crypt/gpgme-1.1.6 |
261 |
+ >=dev-libs/boost-1.35.0-r5:= |
262 |
+ dev-libs/libgpg-error |
263 |
+ >=dev-libs/libical-0.48-r2:= |
264 |
+ dev-libs/cyrus-sasl |
265 |
+ >=dev-libs/qjson-0.8.1 |
266 |
+ kde-apps/akonadi:4 |
267 |
+ media-libs/phonon[qt4] |
268 |
+ x11-misc/shared-mime-info |
269 |
+ prison? ( media-libs/prison:4 ) |
270 |
+ ldap? ( net-nds/openldap ) |
271 |
+" |
272 |
+# boost is not linked to, but headers which include it are installed |
273 |
+# bug #418071 |
274 |
+RDEPEND="${DEPEND} |
275 |
+ !<kde-apps/kdepim-runtime-4.4.11.1-r2:4 |
276 |
+" |
277 |
+ |
278 |
+PATCHES=( |
279 |
+ "${FILESDIR}/${PN}-4.14.11-boostincludes.patch" |
280 |
+ "${FILESDIR}/${PN}-CVE-2016-7966-r1.patch" |
281 |
+) |
282 |
+ |
283 |
+src_configure() { |
284 |
+ local mycmakeargs=( |
285 |
+ -DBUILD_doc=$(usex handbook) |
286 |
+ $(cmake-utils_use_find_package ldap Ldap) |
287 |
+ $(cmake-utils_use_find_package prison Prison) |
288 |
+ ) |
289 |
+ |
290 |
+ kde4-base_src_configure |
291 |
+} |
292 |
+ |
293 |
+src_install() { |
294 |
+ kde4-base_src_install |
295 |
+ |
296 |
+ # Collides with net-im/choqok |
297 |
+ rm "${ED}"usr/share/apps/cmake/modules/FindQtOAuth.cmake || die |
298 |
+ |
299 |
+ # contains constants/defines only |
300 |
+ QA_DT_NEEDED="$(find "${ED}" -type f -name 'libakonadi-kabc.so.*' -printf '/%P\n')" |
301 |
+} |