diff options
author | Michael Palimaka <kensington@gentoo.org> | 2016-11-02 23:04:57 +1100 |
---|---|---|
committer | Michael Palimaka <kensington@gentoo.org> | 2016-11-02 23:05:18 +1100 |
commit | acad49edefd0e0f7b5cb5272806875749441a303 (patch) | |
tree | 23d761b515f8ccb813fc778ac2262988f3dc6fa3 /kde-apps | |
parent | app-doc/zeal: revert 20b8d7f21a2f3de30013699bd88be4bc48911121. (diff) | |
download | gentoo-acad49edefd0e0f7b5cb5272806875749441a303.tar.gz gentoo-acad49edefd0e0f7b5cb5272806875749441a303.tar.bz2 gentoo-acad49edefd0e0f7b5cb5272806875749441a303.zip |
kde-apps/kdepimlibs: backport additional commits from upstream to resolve CVE-2016-7966
Gentoo-bug: 596224
Package-Manager: portage-2.3.2
Diffstat (limited to 'kde-apps')
3 files changed, 263 insertions, 0 deletions
diff --git a/kde-apps/kdepimlibs/files/kdepimlibs-CVE-2016-7966-r1.patch b/kde-apps/kdepimlibs/files/kdepimlibs-CVE-2016-7966-r1.patch new file mode 100644 index 000000000000..9bea5726d037 --- /dev/null +++ b/kde-apps/kdepimlibs/files/kdepimlibs-CVE-2016-7966-r1.patch @@ -0,0 +1,135 @@ +From 176fee25ca79145ab5c8e2275d248f1a46a8d8cf Mon Sep 17 00:00:00 2001 +From: Montel Laurent <montel@kde.org> +Date: Fri, 30 Sep 2016 15:55:35 +0200 +Subject: [PATCH] Backport avoid to transform as a url when we have a quote + +--- + kpimutils/linklocator.cpp | 30 +++++++++++++++++++++++++++--- + kpimutils/linklocator.h | 3 ++- + 2 files changed, 29 insertions(+), 4 deletions(-) + +diff --git a/kpimutils/linklocator.cpp b/kpimutils/linklocator.cpp +index f5d9afd..f30e8fc 100644 +--- a/kpimutils/linklocator.cpp ++++ b/kpimutils/linklocator.cpp +@@ -95,6 +95,12 @@ int LinkLocator::maxAddressLen() const + + QString LinkLocator::getUrl() + { ++ return getUrlAndCheckValidHref(); ++} ++ ++ ++QString LinkLocator::getUrlAndCheckValidHref(bool *badurl) ++{ + QString url; + if ( atUrl() ) { + // NOTE: see http://tools.ietf.org/html/rfc3986#appendix-A and especially appendix-C +@@ -129,13 +135,26 @@ QString LinkLocator::getUrl() + + url.reserve( maxUrlLen() ); // avoid allocs + int start = mPos; ++ bool previousCharIsADoubleQuote = false; + while ( ( mPos < (int)mText.length() ) && + ( mText[mPos].isPrint() || mText[mPos].isSpace() ) && + ( ( afterUrl.isNull() && !mText[mPos].isSpace() ) || + ( !afterUrl.isNull() && mText[mPos] != afterUrl ) ) ) { + if ( !mText[mPos].isSpace() ) { // skip whitespace +- url.append( mText[mPos] ); +- if ( url.length() > maxUrlLen() ) { ++ if (mText[mPos] == QLatin1Char('>') && previousCharIsADoubleQuote) { ++ //it's an invalid url ++ if (badurl) { ++ *badurl = true; ++ } ++ return QString(); ++ } ++ if (mText[mPos] == QLatin1Char('"')) { ++ previousCharIsADoubleQuote = true; ++ } else { ++ previousCharIsADoubleQuote = false; ++ } ++ url.append( mText[mPos] ); ++ if ( url.length() > maxUrlLen() ) { + break; + } + } +@@ -367,7 +386,12 @@ QString LinkLocator::convertToHtml( const QString &plainText, int flags, + } else { + const int start = locator.mPos; + if ( !( flags & IgnoreUrls ) ) { +- str = locator.getUrl(); ++ bool badUrl = false; ++ str = locator.getUrlAndCheckValidHref(&badUrl); ++ if (badUrl) { ++ return locator.mText; ++ } ++ + if ( !str.isEmpty() ) { + QString hyperlink; + if ( str.left( 4 ) == QLatin1String("www.") ) { +diff --git a/kpimutils/linklocator.h b/kpimutils/linklocator.h +index 3049397..375498d 100644 +--- a/kpimutils/linklocator.h ++++ b/kpimutils/linklocator.h +@@ -107,6 +107,7 @@ class KPIMUTILS_EXPORT LinkLocator + @return The URL at the current scan position, or an empty string. + */ + QString getUrl(); ++ QString getUrlAndCheckValidHref(bool *badurl = 0); + + /** + Attempts to grab an email address. If there is an @ symbol at the +@@ -155,7 +156,7 @@ class KPIMUTILS_EXPORT LinkLocator + */ + static QString pngToDataUrl( const QString & iconPath ); + +- protected: ++protected: + /** + The plaintext string being scanned for URLs and email addresses. + */ +-- +2.7.3 + +From 8bbe1bd3fdc55f609340edc667ff154b3d2aaab1 Mon Sep 17 00:00:00 2001 +From: Montel Laurent <montel@kde.org> +Date: Tue, 11 Oct 2016 11:47:41 +0200 +Subject: [PATCH] Backport show bad url text + +--- + kpimutils/linklocator.cpp | 18 +++++++++++++++++- + 1 file changed, 17 insertions(+), 1 deletion(-) + +diff --git a/kpimutils/linklocator.cpp b/kpimutils/linklocator.cpp +index f30e8fc..4abe968 100644 +--- a/kpimutils/linklocator.cpp ++++ b/kpimutils/linklocator.cpp +@@ -389,7 +389,23 @@ QString LinkLocator::convertToHtml( const QString &plainText, int flags, + bool badUrl = false; + str = locator.getUrlAndCheckValidHref(&badUrl); + if (badUrl) { +- return locator.mText; ++ QString resultBadUrl; ++ const int helperTextSize(locator.mText.count()); ++ for (int i = 0; i < helperTextSize; ++i) { ++ const QChar chBadUrl = locator.mText[i]; ++ if (chBadUrl == QLatin1Char('&')) { ++ resultBadUrl += QLatin1String("&"); ++ } else if (chBadUrl == QLatin1Char('"')) { ++ resultBadUrl += QLatin1String("""); ++ } else if (chBadUrl == QLatin1Char('<')) { ++ resultBadUrl += QLatin1String("<"); ++ } else if (chBadUrl == QLatin1Char('>')) { ++ resultBadUrl += QLatin1String(">"); ++ } else { ++ resultBadUrl += chBadUrl; ++ } ++ } ++ return resultBadUrl; + } + + if ( !str.isEmpty() ) { +-- +2.7.3 + diff --git a/kde-apps/kdepimlibs/kdepimlibs-4.14.10-r2.ebuild b/kde-apps/kdepimlibs/kdepimlibs-4.14.10-r2.ebuild new file mode 100644 index 000000000000..b9355e7c55e1 --- /dev/null +++ b/kde-apps/kdepimlibs/kdepimlibs-4.14.10-r2.ebuild @@ -0,0 +1,62 @@ +# Copyright 1999-2016 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Id$ + +EAPI=6 + +KDE_HANDBOOK="optional" +CPPUNIT_REQUIRED="optional" +EGIT_BRANCH="KDE/4.14" +inherit kde4-base + +DESCRIPTION="Common library for KDE PIM apps" +KEYWORDS="~amd64 ~arm ~x86 ~amd64-linux ~x86-linux" +LICENSE="LGPL-2.1" +IUSE="debug ldap prison" + +# some akonadi tests timeout, that probaly needs more work as its ~700 tests +RESTRICT="test" + +DEPEND=" + >=app-crypt/gpgme-1.1.6 + >=dev-libs/boost-1.35.0-r5:= + dev-libs/libgpg-error + >=dev-libs/libical-0.48-r2:= + dev-libs/cyrus-sasl + >=dev-libs/qjson-0.8.1 + kde-apps/akonadi:4 + media-libs/phonon[qt4] + x11-misc/shared-mime-info + prison? ( media-libs/prison:4 ) + ldap? ( net-nds/openldap ) +" +# boost is not linked to, but headers which include it are installed +# bug #418071 +RDEPEND="${DEPEND} + !=kde-apps/kdepim-runtime-4.10* + !=kde-apps/kdepim-runtime-4.11* + !<kde-apps/kdepim-runtime-4.4.11.1-r2:4 +" + +PATCHES=( + "${FILESDIR}/${PN}-4.14.11-boostincludes.patch" + "${FILESDIR}/${PN}-CVE-2016-7966-r1.patch" +) + +src_configure() { + local mycmakeargs=( + -DBUILD_doc=$(usex handbook) + $(cmake-utils_use_find_package ldap) + $(cmake-utils_use_find_package prison) + ) + + kde4-base_src_configure +} + +src_install() { + kde4-base_src_install + rm "${ED}"/usr/share/apps/cmake/modules/FindQtOAuth.cmake #Collides with net-im/choqok + + # contains constants/defines only + QA_DT_NEEDED="$(find "${ED}" -type f -name 'libakonadi-kabc.so.*' -printf '/%P\n')" +} diff --git a/kde-apps/kdepimlibs/kdepimlibs-4.14.11_pre20160211-r2.ebuild b/kde-apps/kdepimlibs/kdepimlibs-4.14.11_pre20160211-r2.ebuild new file mode 100644 index 000000000000..222a8be31fad --- /dev/null +++ b/kde-apps/kdepimlibs/kdepimlibs-4.14.11_pre20160211-r2.ebuild @@ -0,0 +1,66 @@ +# Copyright 1999-2016 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Id$ + +EAPI=6 + +KDE_HANDBOOK="optional" +CPPUNIT_REQUIRED="optional" +EGIT_BRANCH="KDE/4.14" +inherit kde4-base + +DESCRIPTION="Common library for KDE PIM apps" +COMMIT_ID="a791b69599c3571ff2f4b1cc9033d8fb30f1bc33" +SRC_URI="https://quickgit.kde.org/?p=kdepimlibs.git&a=snapshot&h=${COMMIT_ID}&fmt=tgz -> ${P}.tar.gz" +S=${WORKDIR}/${PN} + +KEYWORDS="~amd64 ~arm ~x86 ~amd64-linux ~x86-linux" +LICENSE="LGPL-2.1" +IUSE="debug ldap prison" + +# some akonadi tests timeout, that probaly needs more work as its ~700 tests +RESTRICT="test" + +DEPEND=" + >=app-crypt/gpgme-1.1.6 + >=dev-libs/boost-1.35.0-r5:= + dev-libs/libgpg-error + >=dev-libs/libical-0.48-r2:= + dev-libs/cyrus-sasl + >=dev-libs/qjson-0.8.1 + kde-apps/akonadi:4 + media-libs/phonon[qt4] + x11-misc/shared-mime-info + prison? ( media-libs/prison:4 ) + ldap? ( net-nds/openldap ) +" +# boost is not linked to, but headers which include it are installed +# bug #418071 +RDEPEND="${DEPEND} + !<kde-apps/kdepim-runtime-4.4.11.1-r2:4 +" + +PATCHES=( + "${FILESDIR}/${PN}-4.14.11-boostincludes.patch" + "${FILESDIR}/${PN}-CVE-2016-7966-r1.patch" +) + +src_configure() { + local mycmakeargs=( + -DBUILD_doc=$(usex handbook) + $(cmake-utils_use_find_package ldap Ldap) + $(cmake-utils_use_find_package prison Prison) + ) + + kde4-base_src_configure +} + +src_install() { + kde4-base_src_install + + # Collides with net-im/choqok + rm "${ED}"usr/share/apps/cmake/modules/FindQtOAuth.cmake || die + + # contains constants/defines only + QA_DT_NEEDED="$(find "${ED}" -type f -name 'libakonadi-kabc.so.*' -printf '/%P\n')" +} |