commit: d370ca0f6eb6fe7fcbe2978fd1b0cc9036c1c651 |
Author: Michael Palimaka <kensington <AT> gentoo <DOT> org> |
AuthorDate: Fri Oct 7 15:51:13 2016 +0000 |
Commit: Michael Palimaka <kensington <AT> gentoo <DOT> org> |
CommitDate: Fri Oct 7 15:53:48 2016 +0000 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d370ca0f |
|
kde-frameworks/kcoreaddons: backport patch from upstream to resolve CVE-2016-7966 |
|
This also backports an unrelated bugfix patch (1be7272) as it is required for |
the CVE patch (96e562d) to apply cleanly. |
|
Gentoo-bug: 596224 |
|
Package-Manager: portage-2.3.1 |
|
.../files/kcoreaddons-5.26.0-CVE-2016-7966.patch | 225 +++++++++++++++++++++ |
...-5.26.0.ebuild => kcoreaddons-5.26.0-r1.ebuild} | 2 + |
2 files changed, 227 insertions(+) |
|
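--- /dev/null
+++ b/kde-frameworks/kcoreaddons/files/kcoreaddons-5.26.0-CVE-2016-7966.patch
@@ -0,0 +1,225 @@
+From 2a5142fecf8615ccfa3e7c1f9c088fa6ae5cc2a1 Mon Sep 17 00:00:00 2001
+From: Montel Laurent <montel@×××.org>
+Date: Wed, 21 Sep 2016 07:24:30 +0200
+Subject: [PATCH 1/2] Fix very old bug when we remove space in url as "foo
+ <<url> <url>>"
+
+---
+ autotests/ktexttohtmltest.cpp | 14 ++++++++++++++
+ src/lib/text/ktexttohtml.cpp | 14 ++++++++++++--
+ 2 files changed, 26 insertions(+), 2 deletions(-)
+
+diff --git a/autotests/ktexttohtmltest.cpp b/autotests/ktexttohtmltest.cpp
+index 474f0ca..8fc0c56 100644
+--- a/autotests/ktexttohtmltest.cpp
++++ b/autotests/ktexttohtmltest.cpp
+@@ -30,6 +30,15 @@ QTEST_MAIN(KTextToHTMLTest)
+
+ Q_DECLARE_METATYPE(KTextToHTML::Options)
+
++#ifndef Q_OS_WIN
++void initLocale()
++{
++ setenv("LC_ALL", "en_US.utf-8", 1);
++}
++Q_CONSTRUCTOR_FUNCTION(initLocale)
++#endif
++
++
+ void KTextToHTMLTest::testGetEmailAddress()
+ {
+ // empty input
+@@ -372,6 +381,11 @@ void KTextToHTMLTest::testHtmlConvert_data()
+ QTest::newRow("url-in-parenthesis-3") << "bla (http://www.kde.org - section 5.2)"
+ << KTextToHTML::Options(KTextToHTML::PreserveSpaces)
+ << "bla (<a href=\"http://www.kde.org\">http://www.kde.org</a> - section 5.2)";
++
++ // Fix url as foo <<url> <url>> when we concatened them.
++ QTest::newRow("url-with-url") << "foo <http://www.kde.org/ <http://www.kde.org/>>"
++ << KTextToHTML::Options(KTextToHTML::PreserveSpaces)
++ << "foo <<a href=\"http://www.kde.org/ \">http://www.kde.org/ </a><<a href=\"http://www.kde.org/\">http://www.kde.org/</a>>>";
+ }
+
+
+diff --git a/src/lib/text/ktexttohtml.cpp b/src/lib/text/ktexttohtml.cpp
+index 8ed923d..b181f56 100644
+--- a/src/lib/text/ktexttohtml.cpp
++++ b/src/lib/text/ktexttohtml.cpp
+@@ -228,11 +228,19 @@ QString KTextToHTMLHelper::getUrl()
+
+ url.reserve(mMaxUrlLen); // avoid allocs
+ int start = mPos;
++ bool previousCharIsSpace = false;
+ while ((mPos < mText.length()) &&
+ (mText[mPos].isPrint() || mText[mPos].isSpace()) &&
+ ((afterUrl.isNull() && !mText[mPos].isSpace()) ||
+ (!afterUrl.isNull() && mText[mPos] != afterUrl))) {
+- if (!mText[mPos].isSpace()) { // skip whitespace
++ if (mText[mPos].isSpace()) {
++ previousCharIsSpace = true;
++ } else { // skip whitespace
++ if (previousCharIsSpace && mText[mPos] == QLatin1Char('<')) {
++ url.append(QLatin1Char(' '));
++ break;
++ }
++ previousCharIsSpace = false;
+ url.append(mText[mPos]);
+ if (url.length() > mMaxUrlLen) {
+ break;
+@@ -267,7 +275,6 @@ QString KTextToHTMLHelper::getUrl()
+ }
+ } while (url.length() > 1);
+ }
+-
+ return url;
+ }
+
+@@ -334,6 +341,7 @@ QString KTextToHTML::convertToHtml(const QString &plainText, const KTextToHTML::
+ QChar ch;
+ int x;
+ bool startOfLine = true;
++ //qDebug()<<" plainText"<<plainText;
+
+ for (helper.mPos = 0, x = 0; helper.mPos < helper.mText.length();
+ ++helper.mPos, ++x) {
+@@ -402,6 +410,7 @@ QString KTextToHTML::convertToHtml(const QString &plainText, const KTextToHTML::
+ const int start = helper.mPos;
+ if (!(flags & IgnoreUrls)) {
+ str = helper.getUrl();
++ //qDebug()<<" str"<<str;
+ if (!str.isEmpty()) {
+ QString hyperlink;
+ if (str.left(4) == QLatin1String("www.")) {
+@@ -455,6 +464,7 @@ QString KTextToHTML::convertToHtml(const QString &plainText, const KTextToHTML::
+
+ result = helper.emoticonsInterface()->parseEmoticons(result, true, exclude);
+ }
++ //qDebug()<<" result "<<result;
+
+ return result;
+ }
+--
+2.7.3
+
+From aa9281b7f95ce970603645d79f6f275d1ae7d2ed Mon Sep 17 00:00:00 2001
+From: Montel Laurent <montel@×××.org>
+Date: Fri, 30 Sep 2016 13:21:45 +0200
+Subject: [PATCH 2/2] Don't convert as url an url which has a "
+
+---
+ autotests/ktexttohtmltest.cpp | 6 ++++++
+ src/lib/text/ktexttohtml.cpp | 25 +++++++++++++++++++------
+ src/lib/text/ktexttohtml_p.h | 2 +-
+ 3 files changed, 26 insertions(+), 7 deletions(-)
+
+diff --git a/autotests/ktexttohtmltest.cpp b/autotests/ktexttohtmltest.cpp
+index 8fc0c56..c5690e8 100644
+--- a/autotests/ktexttohtmltest.cpp
++++ b/autotests/ktexttohtmltest.cpp
+@@ -386,6 +386,12 @@ void KTextToHTMLTest::testHtmlConvert_data()
+ QTest::newRow("url-with-url") << "foo <http://www.kde.org/ <http://www.kde.org/>>"
+ << KTextToHTML::Options(KTextToHTML::PreserveSpaces)
+ << "foo <<a href=\"http://www.kde.org/ \">http://www.kde.org/ </a><<a href=\"http://www.kde.org/\">http://www.kde.org/</a>>>";
++
++ //Fix url exploit
++ QTest::newRow("url-exec-html") << "https://\"><!--"
++ << KTextToHTML::Options(KTextToHTML::PreserveSpaces)
++ << "https://\"><!--";
++
+ }
+
+
+diff --git a/src/lib/text/ktexttohtml.cpp b/src/lib/text/ktexttohtml.cpp
+index b181f56..09b2483 100644
+--- a/src/lib/text/ktexttohtml.cpp
++++ b/src/lib/text/ktexttohtml.cpp
+@@ -156,7 +156,6 @@ bool KTextToHTMLHelper::atUrl()
+ (allowedSpecialChars.indexOf(mText[mPos - 1]) != -1))) {
+ return false;
+ }
+-
+ QChar ch = mText[mPos];
+ return
+ (ch == QLatin1Char('h') && (mText.mid(mPos, 7) == QLatin1String("http://") ||
+@@ -192,7 +191,7 @@ bool KTextToHTMLHelper::isEmptyUrl(const QString &url)
+ url == QLatin1String("news://");
+ }
+
+-QString KTextToHTMLHelper::getUrl()
++QString KTextToHTMLHelper::getUrl(bool *badurl)
+ {
+ QString url;
+ if (atUrl()) {
+@@ -229,6 +228,7 @@ QString KTextToHTMLHelper::getUrl()
+ url.reserve(mMaxUrlLen); // avoid allocs
+ int start = mPos;
+ bool previousCharIsSpace = false;
++ bool previousCharIsADoubleQuote = false;
+ while ((mPos < mText.length()) &&
+ (mText[mPos].isPrint() || mText[mPos].isSpace()) &&
+ ((afterUrl.isNull() && !mText[mPos].isSpace()) ||
+@@ -241,6 +241,18 @@ QString KTextToHTMLHelper::getUrl()
+ break;
+ }
+ previousCharIsSpace = false;
++ if (mText[mPos] == QLatin1Char('>') && previousCharIsADoubleQuote) {
++ //it's an invalid url
++ if (badurl) {
++ *badurl = true;
++ }
++ return QString();
++ }
++ if (mText[mPos] == QLatin1Char('"')) {
++ previousCharIsADoubleQuote = true;
++ } else {
++ previousCharIsADoubleQuote = false;
++ }
+ url.append(mText[mPos]);
+ if (url.length() > mMaxUrlLen) {
+ break;
+@@ -341,7 +353,6 @@ QString KTextToHTML::convertToHtml(const QString &plainText, const KTextToHTML::
+ QChar ch;
+ int x;
+ bool startOfLine = true;
+- //qDebug()<<" plainText"<<plainText;
+
+ for (helper.mPos = 0, x = 0; helper.mPos < helper.mText.length();
+ ++helper.mPos, ++x) {
+@@ -409,8 +420,11 @@ QString KTextToHTML::convertToHtml(const QString &plainText, const KTextToHTML::
+ } else {
+ const int start = helper.mPos;
+ if (!(flags & IgnoreUrls)) {
+- str = helper.getUrl();
+- //qDebug()<<" str"<<str;
++ bool badUrl = false;
++ str = helper.getUrl(&badUrl);
++ if (badUrl) {
++ return helper.mText;
++ }
+ if (!str.isEmpty()) {
+ QString hyperlink;
+ if (str.left(4) == QLatin1String("www.")) {
+@@ -464,7 +478,6 @@ QString KTextToHTML::convertToHtml(const QString &plainText, const KTextToHTML::
+
+ result = helper.emoticonsInterface()->parseEmoticons(result, true, exclude);
+ }
+- //qDebug()<<" result "<<result;
+
+ return result;
+ }
+diff --git a/src/lib/text/ktexttohtml_p.h b/src/lib/text/ktexttohtml_p.h
+index 74ad7a0..fc43613 100644
+--- a/src/lib/text/ktexttohtml_p.h
++++ b/src/lib/text/ktexttohtml_p.h
+@@ -49,7 +49,7 @@ public:
+ QString getEmailAddress();
+ bool atUrl();
+ bool isEmptyUrl(const QString &url);
+- QString getUrl();
++ QString getUrl(bool *badurl = Q_NULLPTR);
+ QString pngToDataUrl(const QString &pngPath);
+ QString highlightedText();
+
+--
+2.7.3
+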
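Review bot: In the second backported patch, the new `badUrl` branch of `KTextToHTML::convertToHtml` does `return helper.mText;`, which abandons the `result` built so far and hands the caller what appears to be the untouched input. The added `url-exec-html` row expects `https://\"><!--` to come back byte-for-byte, so the quote and angle brackets leave an HTML-producing function unescaped. I would escape on that path, e.g. `return helper.mText.toHtmlEscaped();`, and change the expected value in the test to the escaped form. The check in `getUrl()` also fires only when `>` directly follows `"`, so a double quote elsewhere in the URL is still appended to `url`; whether the later `href` construction escapes it is outside the visible hunks and worth confirming. Both functions begin and end outside the hunks shown.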
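--- a/kde-frameworks/kcoreaddons/kcoreaddons-5.26.0.ebuild
+++ b/kde-frameworks/kcoreaddons/kcoreaddons-5.26.0-r1.ebuild
@@ -21,6 +21,8 @@ DEPEND="${RDEPEND}
 nls? ( $(add_qt_dep linguist-tools) )
 "
 
+PATCHES=( "${FILESDIR}/${P}-CVE-2016-7966.patch" )
+
 src_configure() {
 local mycmakeargs=(
 -D_KDE4_DEFAULT_HOME_POSTFIX=4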