authorMichael Palimaka <kensington@gentoo.org>2016-10-08 02:51:13 +1100
committerMichael Palimaka <kensington@gentoo.org>2016-10-08 02:53:48 +1100
commitd370ca0f6eb6fe7fcbe2978fd1b0cc9036c1c651 (patch)
tree11778386e6e865fed0953803b06dfca181957a92
parentx11-misc/xscreensaver: Remove unused patch. (diff)
kde-frameworks/kcoreaddons: backport patch from upstream to resolve CVE-2016-7966
This also backports an unrelated bugfix patch (1be7272) as it is required for the CVE patch (96e562d) to apply cleanly. Gentoo-bug: 596224 Package-Manager: portage-2.3.1
-rw-r--r--kde-frameworks/kcoreaddons/files/kcoreaddons-5.26.0-CVE-2016-7966.patch225
-rw-r--r--kde-frameworks/kcoreaddons/kcoreaddons-5.26.0-r1.ebuild (renamed from kde-frameworks/kcoreaddons/kcoreaddons-5.26.0.ebuild)2
2 files changed, 227 insertions, 0 deletions
diff --git a/kde-frameworks/kcoreaddons/files/kcoreaddons-5.26.0-CVE-2016-7966.patch b/kde-frameworks/kcoreaddons/files/kcoreaddons-5.26.0-CVE-2016-7966.patch
new file mode 100644
index 000000000000..71dc769c7a81
--- /dev/null
+++ b/kde-frameworks/kcoreaddons/files/kcoreaddons-5.26.0-CVE-2016-7966.patch
@@ -0,0 +1,225 @@
+From 2a5142fecf8615ccfa3e7c1f9c088fa6ae5cc2a1 Mon Sep 17 00:00:00 2001
+From: Montel Laurent <montel@kde.org>
+Date: Wed, 21 Sep 2016 07:24:30 +0200
+Subject: [PATCH 1/2] Fix very old bug when we remove space in url as "foo
+ <<url> <url>>"
+
+---
+ autotests/ktexttohtmltest.cpp | 14 ++++++++++++++
+ src/lib/text/ktexttohtml.cpp | 14 ++++++++++++--
+ 2 files changed, 26 insertions(+), 2 deletions(-)
+
+diff --git a/autotests/ktexttohtmltest.cpp b/autotests/ktexttohtmltest.cpp
+index 474f0ca..8fc0c56 100644
+--- a/autotests/ktexttohtmltest.cpp
++++ b/autotests/ktexttohtmltest.cpp
+@@ -30,6 +30,15 @@ QTEST_MAIN(KTextToHTMLTest)
+
+ Q_DECLARE_METATYPE(KTextToHTML::Options)
+
++#ifndef Q_OS_WIN
++void initLocale()
++{
++ setenv("LC_ALL", "en_US.utf-8", 1);
++}
++Q_CONSTRUCTOR_FUNCTION(initLocale)
++#endif
++
++
+ void KTextToHTMLTest::testGetEmailAddress()
+ {
+ // empty input
+@@ -372,6 +381,11 @@ void KTextToHTMLTest::testHtmlConvert_data()
+ QTest::newRow("url-in-parenthesis-3") << "bla (http://www.kde.org - section 5.2)"
+ << KTextToHTML::Options(KTextToHTML::PreserveSpaces)
+ << "bla (<a href=\"http://www.kde.org\">http://www.kde.org</a> - section 5.2)";
++
++ // Fix url as foo <<url> <url>> when we concatened them.
++ QTest::newRow("url-with-url") << "foo <http://www.kde.org/ <http://www.kde.org/>>"
++ << KTextToHTML::Options(KTextToHTML::PreserveSpaces)
++ << "foo &lt;<a href=\"http://www.kde.org/ \">http://www.kde.org/ </a>&lt;<a href=\"http://www.kde.org/\">http://www.kde.org/</a>&gt;&gt;";
+ }
+
+
+diff --git a/src/lib/text/ktexttohtml.cpp b/src/lib/text/ktexttohtml.cpp
+index 8ed923d..b181f56 100644
+--- a/src/lib/text/ktexttohtml.cpp
++++ b/src/lib/text/ktexttohtml.cpp
+@@ -228,11 +228,19 @@ QString KTextToHTMLHelper::getUrl()
+
+ url.reserve(mMaxUrlLen); // avoid allocs
+ int start = mPos;
++ bool previousCharIsSpace = false;
+ while ((mPos < mText.length()) &&
+ (mText[mPos].isPrint() || mText[mPos].isSpace()) &&
+ ((afterUrl.isNull() && !mText[mPos].isSpace()) ||
+ (!afterUrl.isNull() && mText[mPos] != afterUrl))) {
+- if (!mText[mPos].isSpace()) { // skip whitespace
++ if (mText[mPos].isSpace()) {
++ previousCharIsSpace = true;
++ } else { // skip whitespace
++ if (previousCharIsSpace && mText[mPos] == QLatin1Char('<')) {
++ url.append(QLatin1Char(' '));
++ break;
++ }
++ previousCharIsSpace = false;
+ url.append(mText[mPos]);
+ if (url.length() > mMaxUrlLen) {
+ break;
+@@ -267,7 +275,6 @@ QString KTextToHTMLHelper::getUrl()
+ }
+ } while (url.length() > 1);
+ }
+-
+ return url;
+ }
+
+@@ -334,6 +341,7 @@ QString KTextToHTML::convertToHtml(const QString &plainText, const KTextToHTML::
+ QChar ch;
+ int x;
+ bool startOfLine = true;
++ //qDebug()<<" plainText"<<plainText;
+
+ for (helper.mPos = 0, x = 0; helper.mPos < helper.mText.length();
+ ++helper.mPos, ++x) {
+@@ -402,6 +410,7 @@ QString KTextToHTML::convertToHtml(const QString &plainText, const KTextToHTML::
+ const int start = helper.mPos;
+ if (!(flags & IgnoreUrls)) {
+ str = helper.getUrl();
++ //qDebug()<<" str"<<str;
+ if (!str.isEmpty()) {
+ QString hyperlink;
+ if (str.left(4) == QLatin1String("www.")) {
+@@ -455,6 +464,7 @@ QString KTextToHTML::convertToHtml(const QString &plainText, const KTextToHTML::
+
+ result = helper.emoticonsInterface()->parseEmoticons(result, true, exclude);
+ }
++ //qDebug()<<" result "<<result;
+
+ return result;
+ }
+--
+2.7.3
+
+From aa9281b7f95ce970603645d79f6f275d1ae7d2ed Mon Sep 17 00:00:00 2001
+From: Montel Laurent <montel@kde.org>
+Date: Fri, 30 Sep 2016 13:21:45 +0200
+Subject: [PATCH 2/2] Don't convert as url an url which has a "
+
+---
+ autotests/ktexttohtmltest.cpp | 6 ++++++
+ src/lib/text/ktexttohtml.cpp | 25 +++++++++++++++++++------
+ src/lib/text/ktexttohtml_p.h | 2 +-
+ 3 files changed, 26 insertions(+), 7 deletions(-)
+
+diff --git a/autotests/ktexttohtmltest.cpp b/autotests/ktexttohtmltest.cpp
+index 8fc0c56..c5690e8 100644
+--- a/autotests/ktexttohtmltest.cpp
++++ b/autotests/ktexttohtmltest.cpp
+@@ -386,6 +386,12 @@ void KTextToHTMLTest::testHtmlConvert_data()
+ QTest::newRow("url-with-url") << "foo <http://www.kde.org/ <http://www.kde.org/>>"
+ << KTextToHTML::Options(KTextToHTML::PreserveSpaces)
+ << "foo &lt;<a href=\"http://www.kde.org/ \">http://www.kde.org/ </a>&lt;<a href=\"http://www.kde.org/\">http://www.kde.org/</a>&gt;&gt;";
++
++ //Fix url exploit
++ QTest::newRow("url-exec-html") << "https://\"><!--"
++ << KTextToHTML::Options(KTextToHTML::PreserveSpaces)
++ << "https://\"><!--";
++
+ }
+
+
+diff --git a/src/lib/text/ktexttohtml.cpp b/src/lib/text/ktexttohtml.cpp
+index b181f56..09b2483 100644
+--- a/src/lib/text/ktexttohtml.cpp
++++ b/src/lib/text/ktexttohtml.cpp
+@@ -156,7 +156,6 @@ bool KTextToHTMLHelper::atUrl()
+ (allowedSpecialChars.indexOf(mText[mPos - 1]) != -1))) {
+ return false;
+ }
+-
+ QChar ch = mText[mPos];
+ return
+ (ch == QLatin1Char('h') && (mText.mid(mPos, 7) == QLatin1String("http://") ||
+@@ -192,7 +191,7 @@ bool KTextToHTMLHelper::isEmptyUrl(const QString &url)
+ url == QLatin1String("news://");
+ }
+
+-QString KTextToHTMLHelper::getUrl()
++QString KTextToHTMLHelper::getUrl(bool *badurl)
+ {
+ QString url;
+ if (atUrl()) {
+@@ -229,6 +228,7 @@ QString KTextToHTMLHelper::getUrl()
+ url.reserve(mMaxUrlLen); // avoid allocs
+ int start = mPos;
+ bool previousCharIsSpace = false;
++ bool previousCharIsADoubleQuote = false;
+ while ((mPos < mText.length()) &&
+ (mText[mPos].isPrint() || mText[mPos].isSpace()) &&
+ ((afterUrl.isNull() && !mText[mPos].isSpace()) ||
+@@ -241,6 +241,18 @@ QString KTextToHTMLHelper::getUrl()
+ break;
+ }
+ previousCharIsSpace = false;
++ if (mText[mPos] == QLatin1Char('>') && previousCharIsADoubleQuote) {
++ //it's an invalid url
++ if (badurl) {
++ *badurl = true;
++ }
++ return QString();
++ }
++ if (mText[mPos] == QLatin1Char('"')) {
++ previousCharIsADoubleQuote = true;
++ } else {
++ previousCharIsADoubleQuote = false;
++ }
+ url.append(mText[mPos]);
+ if (url.length() > mMaxUrlLen) {
+ break;
+@@ -341,7 +353,6 @@ QString KTextToHTML::convertToHtml(const QString &plainText, const KTextToHTML::
+ QChar ch;
+ int x;
+ bool startOfLine = true;
+- //qDebug()<<" plainText"<<plainText;
+
+ for (helper.mPos = 0, x = 0; helper.mPos < helper.mText.length();
+ ++helper.mPos, ++x) {
+@@ -409,8 +420,11 @@ QString KTextToHTML::convertToHtml(const QString &plainText, const KTextToHTML::
+ } else {
+ const int start = helper.mPos;
+ if (!(flags & IgnoreUrls)) {
+- str = helper.getUrl();
+- //qDebug()<<" str"<<str;
++ bool badUrl = false;
++ str = helper.getUrl(&badUrl);
++ if (badUrl) {
++ return helper.mText;
++ }
+ if (!str.isEmpty()) {
+ QString hyperlink;
+ if (str.left(4) == QLatin1String("www.")) {
+@@ -464,7 +478,6 @@ QString KTextToHTML::convertToHtml(const QString &plainText, const KTextToHTML::
+
+ result = helper.emoticonsInterface()->parseEmoticons(result, true, exclude);
+ }
+- //qDebug()<<" result "<<result;
+
+ return result;
+ }
+diff --git a/src/lib/text/ktexttohtml_p.h b/src/lib/text/ktexttohtml_p.h
+index 74ad7a0..fc43613 100644
+--- a/src/lib/text/ktexttohtml_p.h
++++ b/src/lib/text/ktexttohtml_p.h
+@@ -49,7 +49,7 @@ public:
+ QString getEmailAddress();
+ bool atUrl();
+ bool isEmptyUrl(const QString &url);
+- QString getUrl();
++ QString getUrl(bool *badurl = Q_NULLPTR);
+ QString pngToDataUrl(const QString &pngPath);
+ QString highlightedText();
+
+--
+2.7.3
+
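Review bot: In the second backported patch, the bad-URL path in `convertToHtml` (`if (badUrl) { return helper.mText; }`) returns the helper's text with no HTML escaping, and the new `url-exec-html` test row pins that behaviour: its expected output is the input with `"`, `>` and `<!--` intact, whereas the `url-with-url` row shows the normal path turning `<` into `&lt;`. The result of this function is presumably rendered as HTML, so the early return should still yield escaped text, for example `return helper.mText.toHtmlEscaped();` with the test's expected value changed to the escaped form. That one-liner drops the other formatting options for such input, so letting the loop fall through and escape the characters one by one may be the better shape. Separately, `getUrl` rejects only a `"` immediately followed by `>`; a lone `"` is still appended to `url`, and whether the href value is escaped afterwards is not visible in these hunks, so that should be confirmed. Both `convertToHtml` and `getUrl` start and end outside the quoted hunks.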
diff --git a/kde-frameworks/kcoreaddons/kcoreaddons-5.26.0.ebuild b/kde-frameworks/kcoreaddons/kcoreaddons-5.26.0-r1.ebuild
index 037dde3f7feb..ebb5cd8d7bf5 100644
--- a/kde-frameworks/kcoreaddons/kcoreaddons-5.26.0.ebuild
+++ b/kde-frameworks/kcoreaddons/kcoreaddons-5.26.0-r1.ebuild
@@ -21,6 +21,8 @@ DEPEND="${RDEPEND}
nls? ( $(add_qt_dep linguist-tools) )
"
+PATCHES=( "${FILESDIR}/${P}-CVE-2016-7966.patch" )
+
src_configure() {
local mycmakeargs=(
-D_KDE4_DEFAULT_HOME_POSTFIX=4