Bug#984977: marked as done (unblock: plasma-discover/5.20.5-3)

Thu, 11 Mar 2021 06:57:25 -0800 

Your message dated Thu, 11 Mar 2021 14:55:28 +0000
with message-id <[email protected]>
and subject line unblock plasma-discover
has caused the Debian Bug report #984977,
regarding unblock: plasma-discover/5.20.5-3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
984977: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984977
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
X-Debbugs-Cc: [email protected]

Please unblock package plasma-discover

[ Reason ]
It fixes CVE-2021-28117 affecting bullseye.
See Security Tracker at [1].

[ Impact ]
URLs other than HTTP like smb:// or nfs:// can be opened from package
descriptions in Discover, which could be used to chain to other attack
vectors.
See KDE security advisory at [2].

[ Tests ]
Manual tests of basic Discover functionality, checking that package
descriptions are not broken by the change.

[ Risks ]
The upstream commit is a one-liner fixing the regexp pattern used to
transform URL text into clickable links in package descriptions in
Discover. I’d qualify it as very low risk.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]
KDE Security Advisory:
  [1] https://kde.org/info/security/advisory-20210310-1.txt
Security Tracker:
  [2] https://security-tracker.debian.org/tracker/CVE-2021-28117

unblock plasma-discover/5.20.5-3

diff -Nru plasma-discover-5.20.5/debian/changelog 
plasma-discover-5.20.5/debian/changelog
--- plasma-discover-5.20.5/debian/changelog     2021-01-21 09:02:53.000000000 
+0100
+++ plasma-discover-5.20.5/debian/changelog     2021-03-10 23:53:46.000000000 
+0100
@@ -1,3 +1,10 @@
+plasma-discover (5.20.5-3) unstable; urgency=medium
+
+  [ Patrick Franz ]
+  * Add patch to validate URI scheme (Fixes: CVE-2021-28117).
+
+ -- Patrick Franz <[email protected]>  Wed, 10 Mar 2021 23:53:46 +0100
+
 plasma-discover (5.20.5-2) unstable; urgency=medium
 
   * Add jcat, libjcat-dev, and any of the libcurl*-dev variants to B-D to work
diff -Nru plasma-discover-5.20.5/debian/patches/https_only_links.patch 
plasma-discover-5.20.5/debian/patches/https_only_links.patch
--- plasma-discover-5.20.5/debian/patches/https_only_links.patch        
1970-01-01 01:00:00.000000000 +0100
+++ plasma-discover-5.20.5/debian/patches/https_only_links.patch        
2021-03-10 23:53:46.000000000 +0100
@@ -0,0 +1,23 @@
+Description: Missing URI scheme validation (CVE-2021-28117)
+ Validate to only turn https(s)-links into clickable links.
+Author: upstream
+Forwarded: not-needed
+
+---
+ libdiscover/backends/KNSBackend/KNSResource.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libdiscover/backends/KNSBackend/KNSResource.cpp 
b/libdiscover/backends/KNSBackend/KNSResource.cpp
+index e43b2e48..0ba88032 100644
+--- a/libdiscover/backends/KNSBackend/KNSResource.cpp
++++ b/libdiscover/backends/KNSBackend/KNSResource.cpp
+@@ -87,7 +87,7 @@ QString KNSResource::longDescription()
+     ret.remove(QRegularExpression(QStringLiteral("\\[\\/?[a-z]*\\]")));
+     // Find anything that looks like a link (but which also is not some html
+     // tag value or another already) and make it a link
+-    static const QRegularExpression 
urlRegExp(QStringLiteral("(^|\\s)([-a-zA-Z0-9@:%_\\+.~#?&//=]{2,256}\\.[a-z]{2,4}\\b(\\/[-a-zA-Z0-9@:;%_\\+.~#?&//=]*)?)"),
 QRegularExpression::CaseInsensitiveOption);
++    static const QRegularExpression 
urlRegExp(QStringLiteral("(^|\\s)(http[-a-zA-Z0-9@:%_\\+.~#?&//=]{2,256}\\.[a-z]{2,4}\\b(\\/[-a-zA-Z0-9@:;%_\\+.~#?&//=]*)?)"),
 QRegularExpression::CaseInsensitiveOption);
+     ret.replace(urlRegExp, QStringLiteral("<a href=\"\\2\">\\2</a>"));
+     return ret;
+ }
+
diff -Nru plasma-discover-5.20.5/debian/patches/series 
plasma-discover-5.20.5/debian/patches/series
--- plasma-discover-5.20.5/debian/patches/series        1970-01-01 
01:00:00.000000000 +0100
+++ plasma-discover-5.20.5/debian/patches/series        2021-03-10 
23:53:46.000000000 +0100
@@ -0,0 +1 @@
+https_only_links.patch

--- End Message ---
--- Begin Message --- 
Unblocked.

--- End Message ---

Reply via email to