Gentoo Archives: gentoo-commits

From: Andreas Sturmlechner <asturm@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] repo/gentoo:master commit in: kde-frameworks/ktexteditor/, kde-frameworks/ktexteditor/files/
Date: Mon, 31 Jan 2022 20:06:17
Message-Id: 1643659343.e4477d2d7f49b2c48ae89e34e860b103e215d748.asturm@gentoo
1 commit: e4477d2d7f49b2c48ae89e34e860b103e215d748
2 Author: Andreas Sturmlechner <asturm <AT> gentoo <DOT> org>
3 AuthorDate: Mon Jan 31 20:00:06 2022 +0000
4 Commit: Andreas Sturmlechner <asturm <AT> gentoo <DOT> org>
5 CommitDate: Mon Jan 31 20:02:23 2022 +0000
6 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e4477d2d
7
8 kde-frameworks/ktexteditor: Fix CVE-2022-23853
9
10 See also:
11 https://kde.org/info/security/advisory-20220131-1.txt
12 https://mail.kde.org/pipermail/kde-devel/2022-January/000943.html
13
14 Package-Manager: Portage-3.0.30, Repoman-3.0.3
15 Signed-off-by: Andreas Sturmlechner <asturm <AT> gentoo.org>
16
17 .../ktexteditor-5.90.0-CVE-2022-23853-1.patch | 104 +++++++++++++++++++++
18 .../ktexteditor-5.90.0-CVE-2022-23853-2.patch | 55 +++++++++++
19 .../ktexteditor/ktexteditor-5.90.0-r2.ebuild | 61 ++++++++++++
20 3 files changed, 220 insertions(+)
21
22 diff --git a/kde-frameworks/ktexteditor/files/ktexteditor-5.90.0-CVE-2022-23853-1.patch b/kde-frameworks/ktexteditor/files/ktexteditor-5.90.0-CVE-2022-23853-1.patch
23 new file mode 100644
24 index 000000000000..854cf0da4b2e
25 --- /dev/null
26 +++ b/kde-frameworks/ktexteditor/files/ktexteditor-5.90.0-CVE-2022-23853-1.patch
27 @@ -0,0 +1,104 @@
28 +From 804e49444c093fe58ec0df2ab436565e50dc147e Mon Sep 17 00:00:00 2001
29 +From: Christoph Cullmann <cullmann@×××.org>
30 +Date: Thu, 20 Jan 2022 09:46:34 +0100
31 +Subject: [PATCH] only start programs in user's path
32 +
33 +don't use QProcess with just program name
34 +first search the right program in the user's path
35 +---
36 + src/document/katedocument.cpp | 29 ++++++++++++++++------------
37 + src/swapfile/kateswapdiffcreator.cpp | 17 ++++++++++++----
38 + 2 files changed, 30 insertions(+), 16 deletions(-)
39 +
40 +diff --git a/src/document/katedocument.cpp b/src/document/katedocument.cpp
41 +index 01f74da1..05d0e91b 100644
42 +--- a/src/document/katedocument.cpp
43 ++++ b/src/document/katedocument.cpp
44 +@@ -72,6 +72,7 @@
45 + #include <QMimeDatabase>
46 + #include <QProcess>
47 + #include <QRegularExpression>
48 ++#include <QStandardPaths>
49 + #include <QTemporaryFile>
50 + #include <QTextCodec>
51 + #include <QTextStream>
52 +@@ -5054,18 +5055,22 @@ void KTextEditor::DocumentPrivate::slotDelayedHandleModOnHd()
53 + // skip that, if document is modified!
54 + // only do that, if the file is still there, else reload makes no sense!
55 + if (m_modOnHd && !isModified() && QFile::exists(url().toLocalFile())) {
56 +- QProcess git;
57 +- const QStringList args{QStringLiteral("cat-file"), QStringLiteral("-e"), QString::fromUtf8(oldDigest)};
58 +- git.start(QStringLiteral("git"), args);
59 +- if (git.waitForStarted()) {
60 +- git.closeWriteChannel();
61 +- if (git.waitForFinished()) {
62 +- if (git.exitCode() == 0) {
63 +- // this hash exists still in git => just reload
64 +- m_modOnHd = false;
65 +- m_modOnHdReason = OnDiskUnmodified;
66 +- m_prevModOnHdReason = OnDiskUnmodified;
67 +- documentReload();
68 ++ // we only want to use git from PATH, cache this
69 ++ static const QString fullGitPath = QStandardPaths::findExecutable(QStringLiteral("git"));
70 ++ if (!fullGitPath.isEmpty()) {
71 ++ QProcess git;
72 ++ const QStringList args{QStringLiteral("cat-file"), QStringLiteral("-e"), QString::fromUtf8(oldDigest)};
73 ++ git.start(fullGitPath, args);
74 ++ if (git.waitForStarted()) {
75 ++ git.closeWriteChannel();
76 ++ if (git.waitForFinished()) {
77 ++ if (git.exitCode() == 0) {
78 ++ // this hash exists still in git => just reload
79 ++ m_modOnHd = false;
80 ++ m_modOnHdReason = OnDiskUnmodified;
81 ++ m_prevModOnHdReason = OnDiskUnmodified;
82 ++ documentReload();
83 ++ }
84 + }
85 + }
86 + }
87 +diff --git a/src/swapfile/kateswapdiffcreator.cpp b/src/swapfile/kateswapdiffcreator.cpp
88 +index 5c515c45..a185123a 100644
89 +--- a/src/swapfile/kateswapdiffcreator.cpp
90 ++++ b/src/swapfile/kateswapdiffcreator.cpp
91 +@@ -14,6 +14,7 @@
92 + #include <KMessageBox>
93 +
94 + #include <QDir>
95 ++#include <QStandardPaths>
96 + #include <QTextCodec>
97 +
98 + // BEGIN SwapDiffCreator
99 +@@ -85,17 +86,25 @@ void SwapDiffCreator::viewDiff()
100 + connect(&m_proc, &QProcess::readyRead, this, &SwapDiffCreator::slotDataAvailable, Qt::UniqueConnection);
101 + connect(&m_proc, &QProcess::finished, this, &SwapDiffCreator::slotDiffFinished, Qt::UniqueConnection);
102 +
103 +- // try to start diff process, if we can't be started be done with error
104 +- m_proc.start(QStringLiteral("diff"), QStringList() << QStringLiteral("-u") << m_originalFile.fileName() << m_recoveredFile.fileName());
105 +- if (!m_proc.waitForStarted()) {
106 ++ // use diff from PATH only => inform if not found at all
107 ++ const QString fullDiffPath = QStandardPaths::findExecutable(QStringLiteral("diff"));
108 ++ if (fullDiffPath.isEmpty()) {
109 + KMessageBox::sorry(nullptr,
110 +- i18n("The diff command could not be started. Please make sure that "
111 ++ i18n("The diff command could not be found. Please make sure that "
112 + "diff(1) is installed and in your PATH."),
113 + i18n("Error Creating Diff"));
114 + deleteLater();
115 + return;
116 + }
117 +
118 ++ // try to start the diff program, might fail, too
119 ++ m_proc.start(fullDiffPath, QStringList() << QStringLiteral("-u") << m_originalFile.fileName() << m_recoveredFile.fileName());
120 ++ if (!m_proc.waitForStarted()) {
121 ++ KMessageBox::sorry(nullptr, i18n("The diff command '%1' could not be started.").arg(fullDiffPath), i18n("Error Creating Diff"));
122 ++ deleteLater();
123 ++ return;
124 ++ }
125 ++
126 + // process is up and running, we can write data to it
127 + QTextStream ts(&m_proc);
128 + int lineCount = recoverDoc.lines();
129 +--
130 +GitLab
131 +
132
133 diff --git a/kde-frameworks/ktexteditor/files/ktexteditor-5.90.0-CVE-2022-23853-2.patch b/kde-frameworks/ktexteditor/files/ktexteditor-5.90.0-CVE-2022-23853-2.patch
134 new file mode 100644
135 index 000000000000..8cccfe3a95b0
136 --- /dev/null
137 +++ b/kde-frameworks/ktexteditor/files/ktexteditor-5.90.0-CVE-2022-23853-2.patch
138 @@ -0,0 +1,55 @@
139 +From c80f935c345de2e2fb10635202800839ca9697bf Mon Sep 17 00:00:00 2001
140 +From: Christoph Cullmann <cullmann@×××.org>
141 +Date: Thu, 20 Jan 2022 10:30:20 +0100
142 +Subject: [PATCH] only execute diff in path
143 +
144 +---
145 + src/dialogs/katedialogs.cpp | 5 +++--
146 + src/dialogs/katedialogs.h | 1 +
147 + 2 files changed, 4 insertions(+), 2 deletions(-)
148 +
149 +diff --git a/src/dialogs/katedialogs.cpp b/src/dialogs/katedialogs.cpp
150 +index 5b949f36..63a58aee 100644
151 +--- a/src/dialogs/katedialogs.cpp
152 ++++ b/src/dialogs/katedialogs.cpp
153 +@@ -1317,6 +1317,7 @@ KateModOnHdPrompt::KateModOnHdPrompt(KTextEditor::DocumentPrivate *doc, KTextEdi
154 + : QObject(doc)
155 + , m_doc(doc)
156 + , m_modtype(modtype)
157 ++ , m_fullDiffPath(QStandardPaths::findExecutable(QStringLiteral("diff")))
158 + , m_proc(nullptr)
159 + , m_diffFile(nullptr)
160 + , m_diffAction(nullptr)
161 +@@ -1334,7 +1335,7 @@ KateModOnHdPrompt::KateModOnHdPrompt(KTextEditor::DocumentPrivate *doc, KTextEdi
162 + m_message->addAction(aAutoReload, false);
163 + connect(aAutoReload, &QAction::triggered, this, &KateModOnHdPrompt::autoReloadTriggered);
164 +
165 +- if (!QStandardPaths::findExecutable(QStringLiteral("diff")).isEmpty()) {
166 ++ if (!m_fullDiffPath.isEmpty()) {
167 + m_diffAction = new QAction(i18n("View &Difference"), this);
168 + m_diffAction->setIcon(QIcon::fromTheme(QStringLiteral("document-multiple")));
169 + m_diffAction->setToolTip(i18n("Shows a diff of the changes"));
170 +@@ -1394,7 +1395,7 @@ void KateModOnHdPrompt::slotDiff()
171 + // Start a KProcess that creates a diff
172 + m_proc = new KProcess(this);
173 + m_proc->setOutputChannelMode(KProcess::MergedChannels);
174 +- *m_proc << QStringLiteral("diff") << QStringLiteral("-u") << QStringLiteral("-") << m_doc->url().toLocalFile();
175 ++ *m_proc << m_fullDiffPath << QStringLiteral("-u") << QStringLiteral("-") << m_doc->url().toLocalFile();
176 + connect(m_proc, &KProcess::readyRead, this, &KateModOnHdPrompt::slotDataAvailable);
177 + connect(m_proc, &KProcess::finished, this, &KateModOnHdPrompt::slotPDone);
178 +
179 +diff --git a/src/dialogs/katedialogs.h b/src/dialogs/katedialogs.h
180 +index 80b611d9..e5574023 100644
181 +--- a/src/dialogs/katedialogs.h
182 ++++ b/src/dialogs/katedialogs.h
183 +@@ -376,6 +376,7 @@ private:
184 + KTextEditor::DocumentPrivate *m_doc;
185 + QPointer<KTextEditor::Message> m_message;
186 + KTextEditor::ModificationInterface::ModifiedOnDiskReason m_modtype;
187 ++ QString m_fullDiffPath;
188 + KProcess *m_proc;
189 + QTemporaryFile *m_diffFile;
190 + QAction *m_diffAction;
191 +--
192 +GitLab
193 +
194
195 diff --git a/kde-frameworks/ktexteditor/ktexteditor-5.90.0-r2.ebuild b/kde-frameworks/ktexteditor/ktexteditor-5.90.0-r2.ebuild
196 new file mode 100644
197 index 000000000000..4b7520cf0d9f
198 --- /dev/null
199 +++ b/kde-frameworks/ktexteditor/ktexteditor-5.90.0-r2.ebuild
200 @@ -0,0 +1,61 @@
201 +# Copyright 1999-2022 Gentoo Authors
202 +# Distributed under the terms of the GNU General Public License v2
203 +
204 +EAPI=8
205 +
206 +PVCUT=$(ver_cut 1-2)
207 +QTMIN=5.15.2
208 +VIRTUALX_REQUIRED="test"
209 +inherit ecm kde.org
210 +
211 +DESCRIPTION="Framework providing a full text editor component"
212 +
213 +LICENSE="LGPL-2+"
214 +KEYWORDS="~amd64 ~arm ~arm64 ~ppc64 ~riscv ~x86"
215 +IUSE="+editorconfig"
216 +
217 +RESTRICT="test"
218 +
219 +DEPEND="
220 + >=dev-qt/qtdeclarative-${QTMIN}:5
221 + >=dev-qt/qtgui-${QTMIN}:5
222 + >=dev-qt/qtprintsupport-${QTMIN}:5
223 + >=dev-qt/qtwidgets-${QTMIN}:5
224 + >=dev-qt/qtxml-${QTMIN}:5
225 + =kde-frameworks/karchive-${PVCUT}*:5
226 + =kde-frameworks/kauth-${PVCUT}*:5
227 + =kde-frameworks/kcodecs-${PVCUT}*:5
228 + =kde-frameworks/kcompletion-${PVCUT}*:5
229 + =kde-frameworks/kconfig-${PVCUT}*:5
230 + =kde-frameworks/kconfigwidgets-${PVCUT}*:5
231 + =kde-frameworks/kcoreaddons-${PVCUT}*:5
232 + =kde-frameworks/kguiaddons-${PVCUT}*:5
233 + =kde-frameworks/ki18n-${PVCUT}*:5
234 + =kde-frameworks/kiconthemes-${PVCUT}*:5
235 + =kde-frameworks/kio-${PVCUT}*:5
236 + =kde-frameworks/kitemviews-${PVCUT}*:5
237 + =kde-frameworks/kjobwidgets-${PVCUT}*:5
238 + =kde-frameworks/kparts-${PVCUT}*:5
239 + =kde-frameworks/ktextwidgets-${PVCUT}*:5
240 + =kde-frameworks/kwidgetsaddons-${PVCUT}*:5
241 + =kde-frameworks/kxmlgui-${PVCUT}*:5
242 + =kde-frameworks/sonnet-${PVCUT}*:5
243 + =kde-frameworks/syntax-highlighting-${PVCUT}*:5
244 + editorconfig? ( app-text/editorconfig-core-c )
245 +"
246 +RDEPEND="${DEPEND}"
247 +BDEPEND="test? ( >=kde-frameworks/kservice-${PVCUT}:5 )"
248 +
249 +PATCHES=(
250 + "${FILESDIR}"/${P}-revert-5dce70a9.patch # KDE-bugs 446189, 447525
251 + "${FILESDIR}"/${P}-KDEBUG-447972.patch
252 + "${FILESDIR}"/${P}-CVE-2022-23853-{1,2}.patch
253 +)
254 +
255 +src_configure() {
256 + local mycmakeargs=(
257 + $(cmake_use_find_package editorconfig EditorConfig)
258 + )
259 +
260 + ecm_src_configure
261 +}