Hey,

I have now backported the second part of the fix for the CVE. I updated the
deb8u1 version from Scott. Should I create a deb8u2 for the additional patch?

I attached the up-to-date debdiff.

Regards,

sandro

On Thursday, 13 October 2016, 18:19:35 CEST, Moritz Mühlenhoff wrote:
> On Thu, Oct 13, 2016 at 12:15:01PM +0200, Sandro Knauß wrote:
> > Hey,
> > 
> > The description
> > https://www.kde.org/info/security/advisory-20161006-1.txt does not describe
> > all patches that are needed to fix the CVE (at the moment).
> > 
> > The additional patches are not part of KDE Frameworks 5.27, so they need
> > to be applied for KF 5.27:
> > 5e13d2439dbf540fdc840f0b0ab5b3ebf6642c6a (0004-Display-bad-url.patch)
> > a06cef31cc4c908bc9b76bd9d103fe9c60e0953f (0003-Add-more-autotests.patch)
> > 
> > (the first two will be included in KF 5.27).
> > 
> > The fixed version is 5.26.0-3 (sid only - already uploaded). I'll test if
> > we need these patches also for stable inside kdepimlibs.
> 
> Ok, please let us know once you know more. Scott Kitterman has already sent
> an update for kdepimlibs (attached).
> 
> Cheers,
>         Moritz

diff -Nru kdepimlibs-4.14.2/debian/changelog kdepimlibs-4.14.2/debian/changelog
--- kdepimlibs-4.14.2/debian/changelog	2014-11-17 04:38:20.000000000 +0100
+++ kdepimlibs-4.14.2/debian/changelog	2016-10-14 18:09:02.000000000 +0200
@@ -1,3 +1,21 @@
+kdepimlibs (4:4.14.2-2+deb8u1) jessie-security; urgency=high
+
+  * Team upload.
+  [ Scott Kitterman ]
+  * CVE-2016-7966 KMail: HTML injection in plain text viewer (Closes: #840546)
+    - Avoid transforming as a url in plain text mode when there is a quote
+    - Add debian/patches/CVE-2016-7966.diff from upstream
+
+  [ Sandro Knauß ]
+  * Additional patch to complete the fix for CVE-2016-7966
+    - Replace all scary charactars (", <, > and &) with safe HTML
+      replacements.
+    - Backport commit kcoreaddons 5e13d2439dbf540fdc840f0b0ab5b3ebf6642c6a
+      in debian/patches/CVE-2016-7966_part2.diff
+  * Update symbols files.
+
+ -- Sandro Knauß <he...@debian.org>  Fri, 14 Oct 2016 18:09:02 +0200
+
 kdepimlibs (4:4.14.2-2) unstable; urgency=medium
 
   * Team upload.
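Review bot: the changelog line "Replace all scary charactars (", <, > and &)" has a typo, "characters". The stanza also folds Sandro's part2 patch into Scott's 4:4.14.2-2+deb8u1 entry; that is only right if deb8u1 has not been released yet, otherwise the second patch needs its own deb8u2 stanza, which is exactly the question raised in the mail above.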
diff -Nru kdepimlibs-4.14.2/debian/libkpimutils4.symbols kdepimlibs-4.14.2/debian/libkpimutils4.symbols
--- kdepimlibs-4.14.2/debian/libkpimutils4.symbols	2014-10-20 17:13:26.000000000 +0200
+++ kdepimlibs-4.14.2/debian/libkpimutils4.symbols	2016-10-14 18:09:02.000000000 +0200
@@ -7,6 +7,7 @@
  _ZN9KPIMUtils11LinkLocator15getEmailAddressEv@Base 4:4.3.4
  _ZN9KPIMUtils11LinkLocator15highlightedTextEv@Base 4:4.3.4
  _ZN9KPIMUtils11LinkLocator16setMaxAddressLenEi@Base 4:4.3.4
+ _ZN9KPIMUtils11LinkLocator23getUrlAndCheckValidHrefEPb@Base 4:4.14.2-2+deb8u1
  _ZN9KPIMUtils11LinkLocator6getUrlEv@Base 4:4.3.4
  _ZN9KPIMUtils11LinkLocatorC1ERK7QStringi@Base 4:4.3.4
  _ZN9KPIMUtils11LinkLocatorC2ERK7QStringi@Base 4:4.3.4
diff -Nru kdepimlibs-4.14.2/debian/patches/CVE-2016-7966.diff kdepimlibs-4.14.2/debian/patches/CVE-2016-7966.diff
--- kdepimlibs-4.14.2/debian/patches/CVE-2016-7966.diff	1970-01-01 01:00:00.000000000 +0100
+++ kdepimlibs-4.14.2/debian/patches/CVE-2016-7966.diff	2016-10-14 16:59:11.000000000 +0200
@@ -0,0 +1,89 @@
+From: Montel Laurent <mon...@kde.org>
+Date: Fri, 30 Sep 2016 13:55:35 +0000
+Subject: Backport avoid to transform as a url when we have a quote
+X-Git-Url: http://quickgit.kde.org/?p=kdepimlibs.git&a=commitdiff&h=176fee25ca79145ab5c8e2275d248f1a46a8d8cf
+---
+Backport avoid to transform as a url when we have a quote
+---
+
+
+--- a/kpimutils/linklocator.cpp
++++ b/kpimutils/linklocator.cpp
+@@ -94,6 +94,12 @@
+ }
+ 
+ QString LinkLocator::getUrl()
++{
++    return getUrlAndCheckValidHref();
++}
++
++
++QString LinkLocator::getUrlAndCheckValidHref(bool *badurl)
+ {
+   QString url;
+   if ( atUrl() ) {
+@@ -129,13 +135,26 @@
+ 
+     url.reserve( maxUrlLen() );  // avoid allocs
+     int start = mPos;
++    bool previousCharIsADoubleQuote = false;
+     while ( ( mPos < (int)mText.length() ) &&
+             ( mText[mPos].isPrint() || mText[mPos].isSpace() ) &&
+             ( ( afterUrl.isNull() && !mText[mPos].isSpace() ) ||
+               ( !afterUrl.isNull() && mText[mPos] != afterUrl ) ) ) {
+       if ( !mText[mPos].isSpace() ) {   // skip whitespace
+-        url.append( mText[mPos] );
+-        if ( url.length() > maxUrlLen() ) {
++          if (mText[mPos] == QLatin1Char('>') && previousCharIsADoubleQuote) {
++              //it's an invalid url
++              if (badurl) {
++                  *badurl = true;
++              }
++              return QString();
++          }
++          if (mText[mPos] == QLatin1Char('"')) {
++              previousCharIsADoubleQuote = true;
++          } else {
++              previousCharIsADoubleQuote = false;
++          }
++          url.append( mText[mPos] );
++          if ( url.length() > maxUrlLen() ) {
+           break;
+         }
+       }
+@@ -367,7 +386,12 @@
+     } else {
+       const int start = locator.mPos;
+       if ( !( flags & IgnoreUrls ) ) {
+-        str = locator.getUrl();
++        bool badUrl = false;
++        str = locator.getUrlAndCheckValidHref(&badUrl);
++        if (badUrl) {
++            return locator.mText;
++        }
++
+         if ( !str.isEmpty() ) {
+           QString hyperlink;
+           if ( str.left( 4 ) == QLatin1String("www.") ) {
+
+--- a/kpimutils/linklocator.h
++++ b/kpimutils/linklocator.h
+@@ -107,6 +107,7 @@
+       @return The URL at the current scan position, or an empty string.
+     */
+     QString getUrl();
++    QString getUrlAndCheckValidHref(bool *badurl = 0);
+ 
+     /**
+       Attempts to grab an email address. If there is an @ symbol at the
+@@ -155,7 +156,7 @@
+     */
+     static QString pngToDataUrl( const QString & iconPath );
+ 
+-  protected:
++protected:
+     /**
+       The plaintext string being scanned for URLs and email addresses.
+     */
+
+
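Review bot: the `return locator.mText;` added in the convertToHtml hunk hands the whole plaintext back as the HTML result without any escaping, so on a "bad URL" every `<`, `>` or `&` in the message is still interpreted as markup by the viewer; CVE-2016-7966_part2.diff in this same debdiff replaces exactly that line, so the two patches must only ever ship together (series lists both, good). Two smaller points: the `-  protected:` / `+protected:` change in linklocator.h is an unrelated whitespace edit that widens the backport for no gain, and the new block inside the scan loop uses four-space indentation while the surrounding code uses two, which makes the hunk harder to compare against upstream.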
diff -Nru kdepimlibs-4.14.2/debian/patches/CVE-2016-7966_part2.diff kdepimlibs-4.14.2/debian/patches/CVE-2016-7966_part2.diff
--- kdepimlibs-4.14.2/debian/patches/CVE-2016-7966_part2.diff	1970-01-01 01:00:00.000000000 +0100
+++ kdepimlibs-4.14.2/debian/patches/CVE-2016-7966_part2.diff	2016-10-14 17:11:34.000000000 +0200
@@ -0,0 +1,27 @@
+--- a/kpimutils/linklocator.cpp
++++ b/kpimutils/linklocator.cpp
+@@ -389,7 +389,23 @@ QString LinkLocator::convertToHtml( cons
+         bool badUrl = false;
+         str = locator.getUrlAndCheckValidHref(&badUrl);
+         if (badUrl) {
+-            return locator.mText;
++            QString resultBadUrl;
++            const int helperTextSize(locator.mText.count());
++            for (int i = 0; i < helperTextSize; ++i) {
++                const QChar chBadUrl = locator.mText[i];
++                if (chBadUrl == QLatin1Char('&')) {
++                    resultBadUrl += QLatin1String("&amp;");
++                } else if (chBadUrl == QLatin1Char('"')) {
++                    resultBadUrl += QLatin1String("&quot;");
++                } else if (chBadUrl == QLatin1Char('<')) {
++                    resultBadUrl += QLatin1String("&lt;");
++                } else if (chBadUrl == QLatin1Char('>')) {
++                    resultBadUrl += QLatin1String("&gt;");
++                } else {
++                    resultBadUrl += chBadUrl;
++                }
++            }
++            return resultBadUrl;
+         }
+ 
+         if ( !str.isEmpty() ) {
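Review bot: this patch file carries no DEP-3 header (From/Subject/Origin), unlike CVE-2016-7966.diff; since the changelog says it backports kcoreaddons commit 5e13d2439dbf540fdc840f0b0ab5b3ebf6642c6a, add at least an `Origin:` line naming that commit and a `Bug-Debian: https://bugs.debian.org/840546` line so the provenance survives in the source package. On the code itself, the hand-written loop escapes exactly `&`, `"`, `<` and `>`, which is the right set for text placed in an HTML body; it is equivalent to Qt 4's `Qt::escape(locator.mText)`, which would be shorter if the backport is allowed to diverge from the upstream commit. `locator.mText.count()` works, but `length()` is the conventional accessor for the string size.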
diff -Nru kdepimlibs-4.14.2/debian/patches/series kdepimlibs-4.14.2/debian/patches/series
--- kdepimlibs-4.14.2/debian/patches/series	2014-11-17 04:40:13.000000000 +0100
+++ kdepimlibs-4.14.2/debian/patches/series	2016-10-14 17:08:07.000000000 +0200
@@ -1,3 +1,5 @@
 add_soname_to_xsd_file
 sslv2_disabled.patch
 tlscancelled.patch
+CVE-2016-7966.diff
+CVE-2016-7966_part2.diff
