commit: bc4885e20e781ccef65f90991090df7d79545078 |
Author: Michael Palimaka <kensington <AT> gentoo <DOT> org> |
AuthorDate: Thu Oct 6 18:20:46 2016 +0000 |
Commit: Michael Palimaka <kensington <AT> gentoo <DOT> org> |
CommitDate: Thu Oct 6 18:33:27 2016 +0000 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bc4885e2 |
|
kde-apps/kdepimlibs: backport patch from upstream for CVE-2016-7966 |
|
Gentoo-bug: 596224 |
|
Package-Manager: portage-2.3.1 |
|
.../files/kdepimlibs-CVE-2016-7966.patch | 94 ++++++++++++++++++++++ |
kde-apps/kdepimlibs/kdepimlibs-4.14.10-r1.ebuild | 63 +++++++++++++++ |
.../kdepimlibs-4.14.11_pre20160211-r1.ebuild | 67 +++++++++++++++ |
3 files changed, 224 insertions(+) |
|
diff --git a/kde-apps/kdepimlibs/files/kdepimlibs-CVE-2016-7966.patch b/kde-apps/kdepimlibs/files/kdepimlibs-CVE-2016-7966.patch |
20 |
new file mode 100644 |
21 |
index 00000000..b6f278a |
22 |
--- /dev/null |
23 |
+++ b/kde-apps/kdepimlibs/files/kdepimlibs-CVE-2016-7966.patch |
24 |
@@ -0,0 +1,94 @@ |
25 |
+From 176fee25ca79145ab5c8e2275d248f1a46a8d8cf Mon Sep 17 00:00:00 2001 |
26 |
+From: Montel Laurent <montel@×××.org> |
27 |
+Date: Fri, 30 Sep 2016 15:55:35 +0200 |
28 |
+Subject: [PATCH] Backport avoid to transform as a url when we have a quote |
29 |
+ |
30 |
+--- |
31 |
+ kpimutils/linklocator.cpp | 30 +++++++++++++++++++++++++++--- |
32 |
+ kpimutils/linklocator.h | 3 ++- |
33 |
+ 2 files changed, 29 insertions(+), 4 deletions(-) |
34 |
+ |
35 |
+diff --git a/kpimutils/linklocator.cpp b/kpimutils/linklocator.cpp |
36 |
+index f5d9afd..f30e8fc 100644 |
37 |
+--- a/kpimutils/linklocator.cpp |
38 |
++++ b/kpimutils/linklocator.cpp |
39 |
+@@ -95,6 +95,12 @@ int LinkLocator::maxAddressLen() const |
40 |
+ |
41 |
+ QString LinkLocator::getUrl() |
42 |
+ { |
43 |
++ return getUrlAndCheckValidHref(); |
44 |
++} |
45 |
++ |
46 |
++ |
47 |
++QString LinkLocator::getUrlAndCheckValidHref(bool *badurl) |
48 |
++{ |
49 |
+ QString url; |
50 |
+ if ( atUrl() ) { |
51 |
+ // NOTE: see http://tools.ietf.org/html/rfc3986#appendix-A and especially appendix-C |
52 |
+@@ -129,13 +135,26 @@ QString LinkLocator::getUrl() |
53 |
+ |
54 |
+ url.reserve( maxUrlLen() ); // avoid allocs |
55 |
+ int start = mPos; |
56 |
++ bool previousCharIsADoubleQuote = false; |
57 |
+ while ( ( mPos < (int)mText.length() ) && |
58 |
+ ( mText[mPos].isPrint() || mText[mPos].isSpace() ) && |
59 |
+ ( ( afterUrl.isNull() && !mText[mPos].isSpace() ) || |
60 |
+ ( !afterUrl.isNull() && mText[mPos] != afterUrl ) ) ) { |
61 |
+ if ( !mText[mPos].isSpace() ) { // skip whitespace |
62 |
+- url.append( mText[mPos] ); |
63 |
+- if ( url.length() > maxUrlLen() ) { |
64 |
++ if (mText[mPos] == QLatin1Char('>') && previousCharIsADoubleQuote) { |
65 |
++ //it's an invalid url |
66 |
++ if (badurl) { |
67 |
++ *badurl = true; |
68 |
++ } |
69 |
++ return QString(); |
70 |
++ } |
71 |
++ if (mText[mPos] == QLatin1Char('"')) { |
72 |
++ previousCharIsADoubleQuote = true; |
73 |
++ } else { |
74 |
++ previousCharIsADoubleQuote = false; |
75 |
++ } |
76 |
++ url.append( mText[mPos] ); |
77 |
++ if ( url.length() > maxUrlLen() ) { |
78 |
+ break; |
79 |
+ } |
80 |
+ } |
81 |
+@@ -367,7 +386,12 @@ QString LinkLocator::convertToHtml( const QString &plainText, int flags, |
82 |
+ } else { |
83 |
+ const int start = locator.mPos; |
84 |
+ if ( !( flags & IgnoreUrls ) ) { |
85 |
+- str = locator.getUrl(); |
86 |
++ bool badUrl = false; |
87 |
++ str = locator.getUrlAndCheckValidHref(&badUrl); |
88 |
++ if (badUrl) { |
89 |
++ return locator.mText; |
90 |
++ } |
91 |
++ |
92 |
+ if ( !str.isEmpty() ) { |
93 |
+ QString hyperlink; |
94 |
+ if ( str.left( 4 ) == QLatin1String("www.") ) { |
95 |
+diff --git a/kpimutils/linklocator.h b/kpimutils/linklocator.h |
96 |
+index 3049397..375498d 100644 |
97 |
+--- a/kpimutils/linklocator.h |
98 |
++++ b/kpimutils/linklocator.h |
99 |
+@@ -107,6 +107,7 @@ class KPIMUTILS_EXPORT LinkLocator |
100 |
+ @return The URL at the current scan position, or an empty string. |
101 |
+ */ |
102 |
+ QString getUrl(); |
103 |
++ QString getUrlAndCheckValidHref(bool *badurl = 0); |
104 |
+ |
105 |
+ /** |
106 |
+ Attempts to grab an email address. If there is an @ symbol at the |
107 |
+@@ -155,7 +156,7 @@ class KPIMUTILS_EXPORT LinkLocator |
108 |
+ */ |
109 |
+ static QString pngToDataUrl( const QString & iconPath ); |
110 |
+ |
111 |
+- protected: |
112 |
++protected: |
113 |
+ /** |
114 |
+ The plaintext string being scanned for URLs and email addresses. |
115 |
+ */ |
116 |
+-- |
117 |
+2.7.3 |
118 |
+ |
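Review bot: The bad-URL test added at the top of the scan loop in getUrlAndCheckValidHref fires only when a `"` is followed (skipped whitespace aside) by `>`; a quote followed by anything else is still appended to `url` and reaches the hyperlink construction further down, so if that href is built by plain concatenation a payload such as `http://x"onmouseover=...` would still break out of the attribute. Since an unencoded `"` is never valid in a URL under the RFC 3986 grammar the comment above already cites, rejecting the quote itself is both simpler and stricter than tracking `previousCharIsADoubleQuote`: `if (mText[mPos] == QLatin1Char('"')) { if (badurl) { *badurl = true; } return QString(); }`. In convertToHtml the `badUrl` branch returns `locator.mText`, which the header describes as the plaintext being scanned, so it bypasses whatever escaping of `<`, `>` and `&` the rest of the conversion performs (not visible in this hunk); a caller that renders the return value as HTML would then receive the unescaped input, so the fallback should keep going through the normal escaping path (or return an HTML-escaped copy) rather than the raw string. This is the upstream backport 176fee25 taken verbatim; both enclosing functions, getUrlAndCheckValidHref and convertToHtml, begin and end outside the hunk.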
119 |
|
120 |
diff --git a/kde-apps/kdepimlibs/kdepimlibs-4.14.10-r1.ebuild b/kde-apps/kdepimlibs/kdepimlibs-4.14.10-r1.ebuild |
121 |
new file mode 100644 |
122 |
index 00000000..4275aaa |
123 |
--- /dev/null |
124 |
+++ b/kde-apps/kdepimlibs/kdepimlibs-4.14.10-r1.ebuild |
125 |
@@ -0,0 +1,63 @@ |
126 |
+# Copyright 1999-2016 Gentoo Foundation |
127 |
+# Distributed under the terms of the GNU General Public License v2 |
128 |
+# $Id$ |
129 |
+ |
130 |
+EAPI=5 |
131 |
+ |
132 |
+KDE_HANDBOOK="optional" |
133 |
+CPPUNIT_REQUIRED="optional" |
134 |
+EGIT_BRANCH="KDE/4.14" |
135 |
+inherit kde4-base |
136 |
+ |
137 |
+DESCRIPTION="Common library for KDE PIM apps" |
138 |
+KEYWORDS="~amd64 ~arm ~x86 ~amd64-linux ~x86-linux" |
139 |
+LICENSE="LGPL-2.1" |
140 |
+IUSE="debug ldap prison" |
141 |
+ |
142 |
+# some akonadi tests timeout, that probaly needs more work as its ~700 tests |
143 |
+RESTRICT="test" |
144 |
+ |
145 |
+DEPEND=" |
146 |
+ !kde-misc/akonadi-social-utils |
147 |
+ >=app-crypt/gpgme-1.1.6 |
148 |
+ >=app-office/akonadi-server-1.12.90[qt4(+)] |
149 |
+ >=dev-libs/boost-1.35.0-r5:= |
150 |
+ dev-libs/libgpg-error |
151 |
+ >=dev-libs/libical-0.48-r2:= |
152 |
+ dev-libs/cyrus-sasl |
153 |
+ >=dev-libs/qjson-0.8.1 |
154 |
+ media-libs/phonon[qt4] |
155 |
+ x11-misc/shared-mime-info |
156 |
+ prison? ( media-libs/prison:4 ) |
157 |
+ ldap? ( net-nds/openldap ) |
158 |
+" |
159 |
+# boost is not linked to, but headers which include it are installed |
160 |
+# bug #418071 |
161 |
+RDEPEND="${DEPEND} |
162 |
+ !=kde-apps/kdepim-runtime-4.10* |
163 |
+ !=kde-apps/kdepim-runtime-4.11* |
164 |
+ !<kde-apps/kdepim-runtime-4.4.11.1-r2:4 |
165 |
+" |
166 |
+ |
167 |
+PATCHES=( |
168 |
+ "${FILESDIR}/${PN}-4.9.1-boostincludes.patch" |
169 |
+ "${FILESDIR}/${PN}-CVE-2016-7966.patch" |
170 |
+) |
171 |
+ |
172 |
+src_configure() { |
173 |
+ local mycmakeargs=( |
174 |
+ $(cmake-utils_use_build handbook doc) |
175 |
+ $(cmake-utils_use_find_package ldap) |
176 |
+ $(cmake-utils_use_find_package prison) |
177 |
+ ) |
178 |
+ |
179 |
+ kde4-base_src_configure |
180 |
+} |
181 |
+ |
182 |
+src_install() { |
183 |
+ kde4-base_src_install |
184 |
+ rm "${ED}"/usr/share/apps/cmake/modules/FindQtOAuth.cmake #Collides with net-im/choqok |
185 |
+ |
186 |
+ # contains constants/defines only |
187 |
+ QA_DT_NEEDED="$(find "${ED}" -type f -name 'libakonadi-kabc.so.*' -printf '/%P\n')" |
188 |
+} |
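Review bot: In src_install the `rm` of FindQtOAuth.cmake carries no `|| die`, so under EAPI=5 a failed removal (path moved, file already absent) is silently ignored and the merge proceeds, reintroducing the collision with net-im/choqok that the trailing comment warns about. The sibling kdepimlibs-4.14.11_pre20160211-r1.ebuild added in this same commit already writes `rm "${ED}"usr/share/apps/cmake/modules/FindQtOAuth.cmake || die`; the same form belongs here: `rm "${ED}"/usr/share/apps/cmake/modules/FindQtOAuth.cmake || die # collides with net-im/choqok`. Apart from the new PATCHES entry the ebuild appears to be a copy of the previous revision, so this is pre-existing, but a revision bump for a security fix is the natural place to carry it.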
189 |
|
190 |
diff --git a/kde-apps/kdepimlibs/kdepimlibs-4.14.11_pre20160211-r1.ebuild b/kde-apps/kdepimlibs/kdepimlibs-4.14.11_pre20160211-r1.ebuild |
191 |
new file mode 100644 |
192 |
index 00000000..15b49c9 |
193 |
--- /dev/null |
194 |
+++ b/kde-apps/kdepimlibs/kdepimlibs-4.14.11_pre20160211-r1.ebuild |
195 |
@@ -0,0 +1,67 @@ |
196 |
+# Copyright 1999-2016 Gentoo Foundation |
197 |
+# Distributed under the terms of the GNU General Public License v2 |
198 |
+# $Id$ |
199 |
+ |
200 |
+EAPI=6 |
201 |
+ |
202 |
+KDE_HANDBOOK="optional" |
203 |
+CPPUNIT_REQUIRED="optional" |
204 |
+EGIT_BRANCH="KDE/4.14" |
205 |
+inherit kde4-base |
206 |
+ |
207 |
+DESCRIPTION="Common library for KDE PIM apps" |
208 |
+COMMIT_ID="a791b69599c3571ff2f4b1cc9033d8fb30f1bc33" |
209 |
+SRC_URI="https://quickgit.kde.org/?p=kdepimlibs.git&a=snapshot&h=${COMMIT_ID}&fmt=tgz -> ${P}.tar.gz" |
210 |
+S=${WORKDIR}/${PN} |
211 |
+ |
212 |
+KEYWORDS="~amd64 ~arm ~x86 ~amd64-linux ~x86-linux" |
213 |
+LICENSE="LGPL-2.1" |
214 |
+IUSE="debug ldap prison" |
215 |
+ |
216 |
+# some akonadi tests timeout, that probaly needs more work as its ~700 tests |
217 |
+RESTRICT="test" |
218 |
+ |
219 |
+DEPEND=" |
220 |
+ >=app-crypt/gpgme-1.1.6 |
221 |
+ >=app-office/akonadi-server-1.12.90[qt4(+)] |
222 |
+ >=dev-libs/boost-1.35.0-r5:= |
223 |
+ dev-libs/libgpg-error |
224 |
+ >=dev-libs/libical-0.48-r2:= |
225 |
+ dev-libs/cyrus-sasl |
226 |
+ >=dev-libs/qjson-0.8.1 |
227 |
+ media-libs/phonon[qt4] |
228 |
+ x11-misc/shared-mime-info |
229 |
+ prison? ( media-libs/prison:4 ) |
230 |
+ ldap? ( net-nds/openldap ) |
231 |
+" |
232 |
+# boost is not linked to, but headers which include it are installed |
233 |
+# bug #418071 |
234 |
+RDEPEND="${DEPEND} |
235 |
+ !<kde-apps/kdepim-runtime-4.4.11.1-r2:4 |
236 |
+ !kde-misc/akonadi-social-utils |
237 |
+" |
238 |
+ |
239 |
+PATCHES=( |
240 |
+ "${FILESDIR}/${PN}-4.14.11-boostincludes.patch" |
241 |
+ "${FILESDIR}/${PN}-CVE-2016-7966.patch" |
242 |
+) |
243 |
+ |
244 |
+src_configure() { |
245 |
+ local mycmakeargs=( |
246 |
+ -DBUILD_doc=$(usex handbook) |
247 |
+ $(cmake-utils_use_find_package ldap Ldap) |
248 |
+ $(cmake-utils_use_find_package prison Prison) |
249 |
+ ) |
250 |
+ |
251 |
+ kde4-base_src_configure |
252 |
+} |
253 |
+ |
254 |
+src_install() { |
255 |
+ kde4-base_src_install |
256 |
+ |
257 |
+ # Collides with net-im/choqok |
258 |
+ rm "${ED}"usr/share/apps/cmake/modules/FindQtOAuth.cmake || die |
259 |
+ |
260 |
+ # contains constants/defines only |
261 |
+ QA_DT_NEEDED="$(find "${ED}" -type f -name 'libakonadi-kabc.so.*' -printf '/%P\n')" |
262 |
+} |