commit: 9805f9685e3de42755d769ab31e73e30416cc1ef |
Author: Johannes Huber <johu <AT> gentoo <DOT> org> |
AuthorDate: Fri Nov 4 08:41:49 2016 +0000 |
Commit: Johannes Huber <johu <AT> gentoo <DOT> org> |
CommitDate: Fri Nov 4 08:43:02 2016 +0000 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9805f968 |
|
kde-frameworks/kcoreaddons: Remove vulnerable version |
|
Gentoo-bug: 596224 |
|
Package-Manager: portage-2.3.2 |
|
.../files/kcoreaddons-5.26.0-CVE-2016-7966.patch | 225 --------------------- |
.../kcoreaddons/kcoreaddons-5.26.0-r1.ebuild | 33 --- |
2 files changed, 258 deletions(-) |
|
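diff --git a/kde-frameworks/kcoreaddons/files/kcoreaddons-5.26.0-CVE-2016-7966.patch b/kde-frameworks/kcoreaddons/files/kcoreaddons-5.26.0-CVE-2016-7966.patch
deleted file mode 100644
index 71dc769..00000000
--- a/kde-frameworks/kcoreaddons/files/kcoreaddons-5.26.0-CVE-2016-7966.patch
+++ /dev/null
@@ -1,225 +0,0 @@
-From 2a5142fecf8615ccfa3e7c1f9c088fa6ae5cc2a1 Mon Sep 17 00:00:00 2001
-From: Montel Laurent <montel@×××.org>
-Date: Wed, 21 Sep 2016 07:24:30 +0200
-Subject: [PATCH 1/2] Fix very old bug when we remove space in url as "foo
- <<url> <url>>"
-
----
- autotests/ktexttohtmltest.cpp | 14 ++++++++++++++
- src/lib/text/ktexttohtml.cpp | 14 ++++++++++++--
- 2 files changed, 26 insertions(+), 2 deletions(-)
-
-diff --git a/autotests/ktexttohtmltest.cpp b/autotests/ktexttohtmltest.cpp
-index 474f0ca..8fc0c56 100644
---- a/autotests/ktexttohtmltest.cpp
-+++ b/autotests/ktexttohtmltest.cpp
-@@ -30,6 +30,15 @@ QTEST_MAIN(KTextToHTMLTest)
-
- Q_DECLARE_METATYPE(KTextToHTML::Options)
-
-+#ifndef Q_OS_WIN
-+void initLocale()
-+{
-+ setenv("LC_ALL", "en_US.utf-8", 1);
-+}
-+Q_CONSTRUCTOR_FUNCTION(initLocale)
-+#endif
-+
-+
- void KTextToHTMLTest::testGetEmailAddress()
- {
- // empty input
-@@ -372,6 +381,11 @@ void KTextToHTMLTest::testHtmlConvert_data()
- QTest::newRow("url-in-parenthesis-3") << "bla (http://www.kde.org - section 5.2)"
- << KTextToHTML::Options(KTextToHTML::PreserveSpaces)
- << "bla (<a href=\"http://www.kde.org\">http://www.kde.org</a> - section 5.2)";
-+
-+ // Fix url as foo <<url> <url>> when we concatened them.
-+ QTest::newRow("url-with-url") << "foo <http://www.kde.org/ <http://www.kde.org/>>"
-+ << KTextToHTML::Options(KTextToHTML::PreserveSpaces)
-+ << "foo <<a href=\"http://www.kde.org/ \">http://www.kde.org/ </a><<a href=\"http://www.kde.org/\">http://www.kde.org/</a>>>";
- }
-
-
-diff --git a/src/lib/text/ktexttohtml.cpp b/src/lib/text/ktexttohtml.cpp
-index 8ed923d..b181f56 100644
---- a/src/lib/text/ktexttohtml.cpp
-+++ b/src/lib/text/ktexttohtml.cpp
-@@ -228,11 +228,19 @@ QString KTextToHTMLHelper::getUrl()
-
- url.reserve(mMaxUrlLen); // avoid allocs
- int start = mPos;
-+ bool previousCharIsSpace = false;
- while ((mPos < mText.length()) &&
- (mText[mPos].isPrint() || mText[mPos].isSpace()) &&
- ((afterUrl.isNull() && !mText[mPos].isSpace()) ||
- (!afterUrl.isNull() && mText[mPos] != afterUrl))) {
-- if (!mText[mPos].isSpace()) { // skip whitespace
-+ if (mText[mPos].isSpace()) {
-+ previousCharIsSpace = true;
-+ } else { // skip whitespace
-+ if (previousCharIsSpace && mText[mPos] == QLatin1Char('<')) {
-+ url.append(QLatin1Char(' '));
-+ break;
-+ }
-+ previousCharIsSpace = false;
- url.append(mText[mPos]);
- if (url.length() > mMaxUrlLen) {
- break;
-@@ -267,7 +275,6 @@ QString KTextToHTMLHelper::getUrl()
- }
- } while (url.length() > 1);
- }
--
- return url;
- }
-
-@@ -334,6 +341,7 @@ QString KTextToHTML::convertToHtml(const QString &plainText, const KTextToHTML::
- QChar ch;
- int x;
- bool startOfLine = true;
-+ //qDebug()<<" plainText"<<plainText;
-
- for (helper.mPos = 0, x = 0; helper.mPos < helper.mText.length();
- ++helper.mPos, ++x) {
-@@ -402,6 +410,7 @@ QString KTextToHTML::convertToHtml(const QString &plainText, const KTextToHTML::
- const int start = helper.mPos;
- if (!(flags & IgnoreUrls)) {
- str = helper.getUrl();
-+ //qDebug()<<" str"<<str;
- if (!str.isEmpty()) {
- QString hyperlink;
- if (str.left(4) == QLatin1String("www.")) {
-@@ -455,6 +464,7 @@ QString KTextToHTML::convertToHtml(const QString &plainText, const KTextToHTML::
-
- result = helper.emoticonsInterface()->parseEmoticons(result, true, exclude);
- }
-+ //qDebug()<<" result "<<result;
-
- return result;
- }
---
-2.7.3
-
-From aa9281b7f95ce970603645d79f6f275d1ae7d2ed Mon Sep 17 00:00:00 2001
-From: Montel Laurent <montel@×××.org>
-Date: Fri, 30 Sep 2016 13:21:45 +0200
-Subject: [PATCH 2/2] Don't convert as url an url which has a "
-
----
- autotests/ktexttohtmltest.cpp | 6 ++++++
- src/lib/text/ktexttohtml.cpp | 25 +++++++++++++++++++------
- src/lib/text/ktexttohtml_p.h | 2 +-
- 3 files changed, 26 insertions(+), 7 deletions(-)
-
-diff --git a/autotests/ktexttohtmltest.cpp b/autotests/ktexttohtmltest.cpp
-index 8fc0c56..c5690e8 100644
---- a/autotests/ktexttohtmltest.cpp
-+++ b/autotests/ktexttohtmltest.cpp
-@@ -386,6 +386,12 @@ void KTextToHTMLTest::testHtmlConvert_data()
- QTest::newRow("url-with-url") << "foo <http://www.kde.org/ <http://www.kde.org/>>"
- << KTextToHTML::Options(KTextToHTML::PreserveSpaces)
- << "foo <<a href=\"http://www.kde.org/ \">http://www.kde.org/ </a><<a href=\"http://www.kde.org/\">http://www.kde.org/</a>>>";
-+
-+ //Fix url exploit
-+ QTest::newRow("url-exec-html") << "https://\"><!--"
-+ << KTextToHTML::Options(KTextToHTML::PreserveSpaces)
-+ << "https://\"><!--";
-+
- }
-
-
-diff --git a/src/lib/text/ktexttohtml.cpp b/src/lib/text/ktexttohtml.cpp
-index b181f56..09b2483 100644
---- a/src/lib/text/ktexttohtml.cpp
-+++ b/src/lib/text/ktexttohtml.cpp
-@@ -156,7 +156,6 @@ bool KTextToHTMLHelper::atUrl()
- (allowedSpecialChars.indexOf(mText[mPos - 1]) != -1))) {
- return false;
- }
--
- QChar ch = mText[mPos];
- return
- (ch == QLatin1Char('h') && (mText.mid(mPos, 7) == QLatin1String("http://") ||
-@@ -192,7 +191,7 @@ bool KTextToHTMLHelper::isEmptyUrl(const QString &url)
- url == QLatin1String("news://");
- }
-
--QString KTextToHTMLHelper::getUrl()
-+QString KTextToHTMLHelper::getUrl(bool *badurl)
- {
- QString url;
- if (atUrl()) {
-@@ -229,6 +228,7 @@ QString KTextToHTMLHelper::getUrl()
- url.reserve(mMaxUrlLen); // avoid allocs
- int start = mPos;
- bool previousCharIsSpace = false;
-+ bool previousCharIsADoubleQuote = false;
- while ((mPos < mText.length()) &&
- (mText[mPos].isPrint() || mText[mPos].isSpace()) &&
- ((afterUrl.isNull() && !mText[mPos].isSpace()) ||
-@@ -241,6 +241,18 @@ QString KTextToHTMLHelper::getUrl()
- break;
- }
- previousCharIsSpace = false;
-+ if (mText[mPos] == QLatin1Char('>') && previousCharIsADoubleQuote) {
-+ //it's an invalid url
-+ if (badurl) {
-+ *badurl = true;
-+ }
-+ return QString();
-+ }
-+ if (mText[mPos] == QLatin1Char('"')) {
-+ previousCharIsADoubleQuote = true;
-+ } else {
-+ previousCharIsADoubleQuote = false;
-+ }
- url.append(mText[mPos]);
- if (url.length() > mMaxUrlLen) {
- break;
-@@ -341,7 +353,6 @@ QString KTextToHTML::convertToHtml(const QString &plainText, const KTextToHTML::
- QChar ch;
- int x;
- bool startOfLine = true;
-- //qDebug()<<" plainText"<<plainText;
-
- for (helper.mPos = 0, x = 0; helper.mPos < helper.mText.length();
- ++helper.mPos, ++x) {
-@@ -409,8 +420,11 @@ QString KTextToHTML::convertToHtml(const QString &plainText, const KTextToHTML::
- } else {
- const int start = helper.mPos;
- if (!(flags & IgnoreUrls)) {
-- str = helper.getUrl();
-- //qDebug()<<" str"<<str;
-+ bool badUrl = false;
-+ str = helper.getUrl(&badUrl);
-+ if (badUrl) {
-+ return helper.mText;
-+ }
- if (!str.isEmpty()) {
- QString hyperlink;
- if (str.left(4) == QLatin1String("www.")) {
-@@ -464,7 +478,6 @@ QString KTextToHTML::convertToHtml(const QString &plainText, const KTextToHTML::
-
- result = helper.emoticonsInterface()->parseEmoticons(result, true, exclude);
- }
-- //qDebug()<<" result "<<result;
-
- return result;
- }
-diff --git a/src/lib/text/ktexttohtml_p.h b/src/lib/text/ktexttohtml_p.h
-index 74ad7a0..fc43613 100644
---- a/src/lib/text/ktexttohtml_p.h
-+++ b/src/lib/text/ktexttohtml_p.h
-@@ -49,7 +49,7 @@ public:
- QString getEmailAddress();
- bool atUrl();
- bool isEmptyUrl(const QString &url);
-- QString getUrl();
-+ QString getUrl(bool *badurl = Q_NULLPTR);
- QString pngToDataUrl(const QString &pngPath);
- QString highlightedText();
-
---
-2.7.3
-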
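diff --git a/kde-frameworks/kcoreaddons/kcoreaddons-5.26.0-r1.ebuild b/kde-frameworks/kcoreaddons/kcoreaddons-5.26.0-r1.ebuild
deleted file mode 100644
index 17a05b0..00000000
--- a/kde-frameworks/kcoreaddons/kcoreaddons-5.26.0-r1.ebuild
+++ /dev/null
@@ -1,33 +0,0 @@
-# Copyright 1999-2016 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Id$
-
-EAPI=6
-
-inherit kde5
-
-DESCRIPTION="Framework for solving common problems such as caching, randomisation, and more"
-LICENSE="LGPL-2+"
-KEYWORDS="amd64 ~arm x86"
-IUSE="fam nls"
-
-RDEPEND="
- $(add_qt_dep qtcore 'icu')
- fam? ( virtual/fam )
- !<kde-frameworks/kservice-5.2.0:5
-"
-DEPEND="${RDEPEND}
- x11-misc/shared-mime-info
- nls? ( $(add_qt_dep linguist-tools) )
-"
-
-PATCHES=( "${FILESDIR}/${P}-CVE-2016-7966.patch" )
-
-src_configure() {
- local mycmakeargs=(
- -D_KDE4_DEFAULT_HOME_POSTFIX=4
- $(cmake-utils_use_find_package fam FAM)
- )
-
- kde5_src_configure
-}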