[gentoo-commits] repo/gentoo:master commit in: kde-frameworks/kcoreaddons/, kde-frameworks/kcoreaddons/files/

Michael Palimaka Wed, 02 Nov 2016 04:29:35 -0700

commit:     b77bfbf1331d5dfcce3cf6ebe084a76197238767
Author:     Michael Palimaka <kensington <AT> gentoo <DOT> org>
AuthorDate: Wed Nov  2 11:25:46 2016 +0000
Commit:     Michael Palimaka <kensington <AT> gentoo <DOT> org>
CommitDate: Wed Nov  2 11:28:38 2016 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b77bfbf1


kde-frameworks/kcoreaddons: backport additional commits from upstream to 
resolve CVE-2016-7966

Gentoo-bug: 596224

Package-Manager: portage-2.3.2

 .../kcoreaddons-5.26.0-CVE-2016-7966-r1.patch      | 342 +++++++++++++++++++++
 .../files/kcoreaddons-5.27.0-CVE-2016-7966.patch   | 117 +++++++
 ...-5.27.0.ebuild => kcoreaddons-5.26.0-r2.ebuild} |   2 +
 ...-5.27.0.ebuild => kcoreaddons-5.27.0-r1.ebuild} |   2 +
 4 files changed, 463 insertions(+)

diff --git 
a/kde-frameworks/kcoreaddons/files/kcoreaddons-5.26.0-CVE-2016-7966-r1.patch 
b/kde-frameworks/kcoreaddons/files/kcoreaddons-5.26.0-CVE-2016-7966-r1.patch
new file mode 100644
index 00000000..92e255a
--- /dev/null
+++ b/kde-frameworks/kcoreaddons/files/kcoreaddons-5.26.0-CVE-2016-7966-r1.patch
@@ -0,0 +1,342 @@
+From 2a5142fecf8615ccfa3e7c1f9c088fa6ae5cc2a1 Mon Sep 17 00:00:00 2001
+From: Montel Laurent <mon...@kde.org>
+Date: Wed, 21 Sep 2016 07:24:30 +0200
+Subject: [PATCH 1/2] Fix very old bug when we remove space in url as "foo
+ <<url> <url>>"
+
+---
+ autotests/ktexttohtmltest.cpp | 14 ++++++++++++++
+ src/lib/text/ktexttohtml.cpp  | 14 ++++++++++++--
+ 2 files changed, 26 insertions(+), 2 deletions(-)
+
+diff --git a/autotests/ktexttohtmltest.cpp b/autotests/ktexttohtmltest.cpp
+index 474f0ca..8fc0c56 100644
+--- a/autotests/ktexttohtmltest.cpp
++++ b/autotests/ktexttohtmltest.cpp
+@@ -30,6 +30,15 @@ QTEST_MAIN(KTextToHTMLTest)
+ 
+ Q_DECLARE_METATYPE(KTextToHTML::Options)
+ 
++#ifndef Q_OS_WIN
++void initLocale()
++{
++    setenv("LC_ALL", "en_US.utf-8", 1);
++}
++Q_CONSTRUCTOR_FUNCTION(initLocale)
++#endif
++
++
+ void KTextToHTMLTest::testGetEmailAddress()
+ {
+     // empty input
+@@ -372,6 +381,11 @@ void KTextToHTMLTest::testHtmlConvert_data()
+     QTest::newRow("url-in-parenthesis-3") << "bla (http://www.kde.org - 
section 5.2)"
+                                           << 
KTextToHTML::Options(KTextToHTML::PreserveSpaces)
+                                           << "bla (<a 
href=\"http://www.kde.org\";>http://www.kde.org</a> - section 5.2)";
++    
++   // Fix url as foo <<url> <url>> when we concatened them.
++   QTest::newRow("url-with-url") << "foo <http://www.kde.org/ 
<http://www.kde.org/>>"
++                               << 
KTextToHTML::Options(KTextToHTML::PreserveSpaces)
++                               << "foo &lt;<a href=\"http://www.kde.org/ 
\">http://www.kde.org/ </a>&lt;<a 
href=\"http://www.kde.org/\";>http://www.kde.org/</a>&gt;&gt;";
+ }
+ 
+ 
+diff --git a/src/lib/text/ktexttohtml.cpp b/src/lib/text/ktexttohtml.cpp
+index 8ed923d..b181f56 100644
+--- a/src/lib/text/ktexttohtml.cpp
++++ b/src/lib/text/ktexttohtml.cpp
+@@ -228,11 +228,19 @@ QString KTextToHTMLHelper::getUrl()
+ 
+         url.reserve(mMaxUrlLen);    // avoid allocs
+         int start = mPos;
++        bool previousCharIsSpace = false;
+         while ((mPos < mText.length()) &&
+                 (mText[mPos].isPrint() || mText[mPos].isSpace()) &&
+                 ((afterUrl.isNull() && !mText[mPos].isSpace()) ||
+                  (!afterUrl.isNull() && mText[mPos] != afterUrl))) {
+-            if (!mText[mPos].isSpace()) {     // skip whitespace
++            if (mText[mPos].isSpace()) {
++                previousCharIsSpace = true;
++            } else { // skip whitespace
++                if (previousCharIsSpace && mText[mPos] == QLatin1Char('<')) {
++                    url.append(QLatin1Char(' '));
++                    break;
++                }
++                previousCharIsSpace = false;
+                 url.append(mText[mPos]);
+                 if (url.length() > mMaxUrlLen) {
+                     break;
+@@ -267,7 +275,6 @@ QString KTextToHTMLHelper::getUrl()
+             }
+         } while (url.length() > 1);
+     }
+-
+     return url;
+ }
+ 
+@@ -334,6 +341,7 @@ QString KTextToHTML::convertToHtml(const QString 
&plainText, const KTextToHTML::
+     QChar ch;
+     int x;
+     bool startOfLine = true;
++    //qDebug()<<" plainText"<<plainText;
+ 
+     for (helper.mPos = 0, x = 0; helper.mPos < helper.mText.length();
+             ++helper.mPos, ++x) {
+@@ -402,6 +410,7 @@ QString KTextToHTML::convertToHtml(const QString 
&plainText, const KTextToHTML::
+             const int start = helper.mPos;
+             if (!(flags & IgnoreUrls)) {
+                 str = helper.getUrl();
++                //qDebug()<<" str"<<str;
+                 if (!str.isEmpty()) {
+                     QString hyperlink;
+                     if (str.left(4) == QLatin1String("www.")) {
+@@ -455,6 +464,7 @@ QString KTextToHTML::convertToHtml(const QString 
&plainText, const KTextToHTML::
+ 
+         result = helper.emoticonsInterface()->parseEmoticons(result, true, 
exclude);
+     }
++    //qDebug()<<" result "<<result;
+ 
+     return result;
+ }
+-- 
+2.7.3
+
+From aa9281b7f95ce970603645d79f6f275d1ae7d2ed Mon Sep 17 00:00:00 2001
+From: Montel Laurent <mon...@kde.org>
+Date: Fri, 30 Sep 2016 13:21:45 +0200
+Subject: [PATCH 2/2] Don't convert as url an url which has a "
+
+---
+ autotests/ktexttohtmltest.cpp |  6 ++++++
+ src/lib/text/ktexttohtml.cpp  | 25 +++++++++++++++++++------
+ src/lib/text/ktexttohtml_p.h  |  2 +-
+ 3 files changed, 26 insertions(+), 7 deletions(-)
+
+diff --git a/autotests/ktexttohtmltest.cpp b/autotests/ktexttohtmltest.cpp
+index 8fc0c56..c5690e8 100644
+--- a/autotests/ktexttohtmltest.cpp
++++ b/autotests/ktexttohtmltest.cpp
+@@ -386,6 +386,12 @@ void KTextToHTMLTest::testHtmlConvert_data()
+    QTest::newRow("url-with-url") << "foo <http://www.kde.org/ 
<http://www.kde.org/>>"
+                                << 
KTextToHTML::Options(KTextToHTML::PreserveSpaces)
+                                << "foo &lt;<a href=\"http://www.kde.org/ 
\">http://www.kde.org/ </a>&lt;<a 
href=\"http://www.kde.org/\";>http://www.kde.org/</a>&gt;&gt;";
++
++   //Fix url exploit
++   QTest::newRow("url-exec-html") << "https://\";><!--"
++                               << 
KTextToHTML::Options(KTextToHTML::PreserveSpaces)
++                               << "https://\";><!--";
++
+ }
+ 
+ 
+diff --git a/src/lib/text/ktexttohtml.cpp b/src/lib/text/ktexttohtml.cpp
+index b181f56..09b2483 100644
+--- a/src/lib/text/ktexttohtml.cpp
++++ b/src/lib/text/ktexttohtml.cpp
+@@ -156,7 +156,6 @@ bool KTextToHTMLHelper::atUrl()
+              (allowedSpecialChars.indexOf(mText[mPos - 1]) != -1))) {
+         return false;
+     }
+-
+     QChar ch = mText[mPos];
+     return
+         (ch == QLatin1Char('h') && (mText.mid(mPos, 7) == 
QLatin1String("http://";) ||
+@@ -192,7 +191,7 @@ bool KTextToHTMLHelper::isEmptyUrl(const QString &url)
+            url == QLatin1String("news://";);
+ }
+ 
+-QString KTextToHTMLHelper::getUrl()
++QString KTextToHTMLHelper::getUrl(bool *badurl)
+ {
+     QString url;
+     if (atUrl()) {
+@@ -229,6 +228,7 @@ QString KTextToHTMLHelper::getUrl()
+         url.reserve(mMaxUrlLen);    // avoid allocs
+         int start = mPos;
+         bool previousCharIsSpace = false;
++        bool previousCharIsADoubleQuote = false;
+         while ((mPos < mText.length()) &&
+                 (mText[mPos].isPrint() || mText[mPos].isSpace()) &&
+                 ((afterUrl.isNull() && !mText[mPos].isSpace()) ||
+@@ -241,6 +241,18 @@ QString KTextToHTMLHelper::getUrl()
+                     break;
+                 }
+                 previousCharIsSpace = false;
++                if (mText[mPos] == QLatin1Char('>') && 
previousCharIsADoubleQuote) {
++                    //it's an invalid url
++                    if (badurl) {
++                        *badurl = true;
++                    }
++                    return QString();
++                }
++                if (mText[mPos] == QLatin1Char('"')) {
++                    previousCharIsADoubleQuote = true;
++                } else {
++                    previousCharIsADoubleQuote = false;
++                }
+                 url.append(mText[mPos]);
+                 if (url.length() > mMaxUrlLen) {
+                     break;
+@@ -341,7 +353,6 @@ QString KTextToHTML::convertToHtml(const QString 
&plainText, const KTextToHTML::
+     QChar ch;
+     int x;
+     bool startOfLine = true;
+-    //qDebug()<<" plainText"<<plainText;
+ 
+     for (helper.mPos = 0, x = 0; helper.mPos < helper.mText.length();
+             ++helper.mPos, ++x) {
+@@ -409,8 +420,11 @@ QString KTextToHTML::convertToHtml(const QString 
&plainText, const KTextToHTML::
+         } else {
+             const int start = helper.mPos;
+             if (!(flags & IgnoreUrls)) {
+-                str = helper.getUrl();
+-                //qDebug()<<" str"<<str;
++                bool badUrl = false;
++                str = helper.getUrl(&badUrl);
++                if (badUrl) {
++                    return helper.mText;
++                }
+                 if (!str.isEmpty()) {
+                     QString hyperlink;
+                     if (str.left(4) == QLatin1String("www.")) {
+@@ -464,7 +478,6 @@ QString KTextToHTML::convertToHtml(const QString 
&plainText, const KTextToHTML::
+ 
+         result = helper.emoticonsInterface()->parseEmoticons(result, true, 
exclude);
+     }
+-    //qDebug()<<" result "<<result;
+ 
+     return result;
+ }
+diff --git a/src/lib/text/ktexttohtml_p.h b/src/lib/text/ktexttohtml_p.h
+index 74ad7a0..fc43613 100644
+--- a/src/lib/text/ktexttohtml_p.h
++++ b/src/lib/text/ktexttohtml_p.h
+@@ -49,7 +49,7 @@ public:
+     QString getEmailAddress();
+     bool atUrl();
+     bool isEmptyUrl(const QString &url);
+-    QString getUrl();
++    QString getUrl(bool *badurl = Q_NULLPTR);
+     QString pngToDataUrl(const QString &pngPath);
+     QString highlightedText();
+ 
+-- 
+2.7.3
+
+From a06cef31cc4c908bc9b76bd9d103fe9c60e0953f Mon Sep 17 00:00:00 2001
+From: Montel Laurent <mon...@kde.org>
+Date: Tue, 11 Oct 2016 11:11:08 +0200
+Subject: [PATCH] Add more autotests
+
+---
+ autotests/ktexttohtmltest.cpp | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/autotests/ktexttohtmltest.cpp b/autotests/ktexttohtmltest.cpp
+index c5690e8..0179a00 100644
+--- a/autotests/ktexttohtmltest.cpp
++++ b/autotests/ktexttohtmltest.cpp
+@@ -392,6 +392,21 @@ void KTextToHTMLTest::testHtmlConvert_data()
+                                << 
KTextToHTML::Options(KTextToHTML::PreserveSpaces)
+                                << "https://\";><!--";
+ 
++   QTest::newRow("url-exec-html-2") << "https://192.168.1.1:\";><!--"
++                               << 
KTextToHTML::Options(KTextToHTML::PreserveSpaces)
++                               << "https://192.168.1.1:\";><!--";
++
++   QTest::newRow("url-exec-html-3") << "https://<IP>:\"><!--"
++                               << 
KTextToHTML::Options(KTextToHTML::PreserveSpaces)
++                               << "https://<IP>:\"><!--";
++
++   QTest::newRow("url-exec-html-4") << "https://<IP>:/\"><!--"
++                               << 
KTextToHTML::Options(KTextToHTML::PreserveSpaces)
++                               << "https://<IP>:/\"><!--";
++
++   QTest::newRow("url-exec-html-5") << 
"https://<IP>:/\"><script>alert(1);</script><!--"
++                               << 
KTextToHTML::Options(KTextToHTML::PreserveSpaces)
++                               << 
"https://<IP>:/\"><script>alert(1);</script><!--";
+ }
+ 
+ 
+-- 
+2.7.3
+
+From 5e13d2439dbf540fdc840f0b0ab5b3ebf6642c6a Mon Sep 17 00:00:00 2001
+From: Montel Laurent <mon...@kde.org>
+Date: Tue, 11 Oct 2016 11:40:10 +0200
+Subject: [PATCH] Display bad url
+
+---
+ autotests/ktexttohtmltest.cpp | 14 +++++++++-----
+ src/lib/text/ktexttohtml.cpp  | 18 +++++++++++++++++-
+ 2 files changed, 26 insertions(+), 6 deletions(-)
+
+diff --git a/autotests/ktexttohtmltest.cpp b/autotests/ktexttohtmltest.cpp
+index 0179a00..ccac29a 100644
+--- a/autotests/ktexttohtmltest.cpp
++++ b/autotests/ktexttohtmltest.cpp
+@@ -390,23 +390,27 @@ void KTextToHTMLTest::testHtmlConvert_data()
+    //Fix url exploit
+    QTest::newRow("url-exec-html") << "https://\";><!--"
+                                << 
KTextToHTML::Options(KTextToHTML::PreserveSpaces)
+-                               << "https://\";><!--";
++                               << "https://&quot;&gt;&lt;!--";;
+ 
+    QTest::newRow("url-exec-html-2") << "https://192.168.1.1:\";><!--"
+                                << 
KTextToHTML::Options(KTextToHTML::PreserveSpaces)
+-                               << "https://192.168.1.1:\";><!--";
++                               << "https://192.168.1.1:&quot;&gt;&lt;!--";;
+ 
+    QTest::newRow("url-exec-html-3") << "https://<IP>:\"><!--"
+                                << 
KTextToHTML::Options(KTextToHTML::PreserveSpaces)
+-                               << "https://<IP>:\"><!--";
++                               << "https://&lt;IP&gt;:&quot;&gt;&lt;!--";;
+ 
+    QTest::newRow("url-exec-html-4") << "https://<IP>:/\"><!--"
+                                << 
KTextToHTML::Options(KTextToHTML::PreserveSpaces)
+-                               << "https://<IP>:/\"><!--";
++                               << "https://&lt;IP&gt;:/&quot;&gt;&lt;!--";;
+ 
+    QTest::newRow("url-exec-html-5") << 
"https://<IP>:/\"><script>alert(1);</script><!--"
+                                << 
KTextToHTML::Options(KTextToHTML::PreserveSpaces)
+-                               << 
"https://<IP>:/\"><script>alert(1);</script><!--";
++                               << 
"https://&lt;IP&gt;:/&quot;&gt;&lt;script&gt;alert(1);&lt;/script&gt;&lt;!--";
++
++   QTest::newRow("url-exec-html-6") << 
"https://<IP>:/\"><script>alert(1);</script><!--\nTest2"
++                               << 
KTextToHTML::Options(KTextToHTML::PreserveSpaces)
++                               << 
"https://&lt;IP&gt;:/&quot;&gt;&lt;script&gt;alert(1);&lt;/script&gt;&lt;!--\nTest2";
+ }
+ 
+ 
+diff --git a/src/lib/text/ktexttohtml.cpp b/src/lib/text/ktexttohtml.cpp
+index 97c5eab..30e0b5d 100644
+--- a/src/lib/text/ktexttohtml.cpp
++++ b/src/lib/text/ktexttohtml.cpp
+@@ -423,7 +423,23 @@ QString KTextToHTML::convertToHtml(const QString 
&plainText, const KTextToHTML::
+                 bool badUrl = false;
+                 str = helper.getUrl(&badUrl);
+                 if (badUrl) {
+-                    return helper.mText;
++                    QString resultBadUrl;
++                    const int helperTextSize(helper.mText.count());
++                    for (int i = 0; i < helperTextSize; ++i) {
++                        const QChar chBadUrl = helper.mText[i];
++                        if (chBadUrl == QLatin1Char('&')) {
++                            resultBadUrl += QLatin1String("&amp;");
++                        } else if (chBadUrl == QLatin1Char('"')) {
++                            resultBadUrl += QLatin1String("&quot;");
++                        } else if (chBadUrl == QLatin1Char('<')) {
++                            resultBadUrl += QLatin1String("&lt;");
++                        } else if (chBadUrl == QLatin1Char('>')) {
++                            resultBadUrl += QLatin1String("&gt;");
++                        } else {
++                            resultBadUrl += chBadUrl;
++                        }
++                    }
++                    return resultBadUrl;
+                 }
+                 if (!str.isEmpty()) {
+                     QString hyperlink;
+-- 
+2.7.3
+

diff --git 
a/kde-frameworks/kcoreaddons/files/kcoreaddons-5.27.0-CVE-2016-7966.patch 
b/kde-frameworks/kcoreaddons/files/kcoreaddons-5.27.0-CVE-2016-7966.patch
new file mode 100644
index 00000000..4fbd5e3
--- /dev/null
+++ b/kde-frameworks/kcoreaddons/files/kcoreaddons-5.27.0-CVE-2016-7966.patch
@@ -0,0 +1,117 @@
+From a06cef31cc4c908bc9b76bd9d103fe9c60e0953f Mon Sep 17 00:00:00 2001
+From: Montel Laurent <mon...@kde.org>
+Date: Tue, 11 Oct 2016 11:11:08 +0200
+Subject: [PATCH] Add more autotests
+
+---
+ autotests/ktexttohtmltest.cpp | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/autotests/ktexttohtmltest.cpp b/autotests/ktexttohtmltest.cpp
+index c5690e8..0179a00 100644
+--- a/autotests/ktexttohtmltest.cpp
++++ b/autotests/ktexttohtmltest.cpp
+@@ -392,6 +392,21 @@ void KTextToHTMLTest::testHtmlConvert_data()
+                                << 
KTextToHTML::Options(KTextToHTML::PreserveSpaces)
+                                << "https://\";><!--";
+ 
++   QTest::newRow("url-exec-html-2") << "https://192.168.1.1:\";><!--"
++                               << 
KTextToHTML::Options(KTextToHTML::PreserveSpaces)
++                               << "https://192.168.1.1:\";><!--";
++
++   QTest::newRow("url-exec-html-3") << "https://<IP>:\"><!--"
++                               << 
KTextToHTML::Options(KTextToHTML::PreserveSpaces)
++                               << "https://<IP>:\"><!--";
++
++   QTest::newRow("url-exec-html-4") << "https://<IP>:/\"><!--"
++                               << 
KTextToHTML::Options(KTextToHTML::PreserveSpaces)
++                               << "https://<IP>:/\"><!--";
++
++   QTest::newRow("url-exec-html-5") << 
"https://<IP>:/\"><script>alert(1);</script><!--"
++                               << 
KTextToHTML::Options(KTextToHTML::PreserveSpaces)
++                               << 
"https://<IP>:/\"><script>alert(1);</script><!--";
+ }
+ 
+ 
+-- 
+2.7.3
+
+From 5e13d2439dbf540fdc840f0b0ab5b3ebf6642c6a Mon Sep 17 00:00:00 2001
+From: Montel Laurent <mon...@kde.org>
+Date: Tue, 11 Oct 2016 11:40:10 +0200
+Subject: [PATCH] Display bad url
+
+---
+ autotests/ktexttohtmltest.cpp | 14 +++++++++-----
+ src/lib/text/ktexttohtml.cpp  | 18 +++++++++++++++++-
+ 2 files changed, 26 insertions(+), 6 deletions(-)
+
+diff --git a/autotests/ktexttohtmltest.cpp b/autotests/ktexttohtmltest.cpp
+index 0179a00..ccac29a 100644
+--- a/autotests/ktexttohtmltest.cpp
++++ b/autotests/ktexttohtmltest.cpp
+@@ -390,23 +390,27 @@ void KTextToHTMLTest::testHtmlConvert_data()
+    //Fix url exploit
+    QTest::newRow("url-exec-html") << "https://\";><!--"
+                                << 
KTextToHTML::Options(KTextToHTML::PreserveSpaces)
+-                               << "https://\";><!--";
++                               << "https://&quot;&gt;&lt;!--";;
+ 
+    QTest::newRow("url-exec-html-2") << "https://192.168.1.1:\";><!--"
+                                << 
KTextToHTML::Options(KTextToHTML::PreserveSpaces)
+-                               << "https://192.168.1.1:\";><!--";
++                               << "https://192.168.1.1:&quot;&gt;&lt;!--";;
+ 
+    QTest::newRow("url-exec-html-3") << "https://<IP>:\"><!--"
+                                << 
KTextToHTML::Options(KTextToHTML::PreserveSpaces)
+-                               << "https://<IP>:\"><!--";
++                               << "https://&lt;IP&gt;:&quot;&gt;&lt;!--";;
+ 
+    QTest::newRow("url-exec-html-4") << "https://<IP>:/\"><!--"
+                                << 
KTextToHTML::Options(KTextToHTML::PreserveSpaces)
+-                               << "https://<IP>:/\"><!--";
++                               << "https://&lt;IP&gt;:/&quot;&gt;&lt;!--";;
+ 
+    QTest::newRow("url-exec-html-5") << 
"https://<IP>:/\"><script>alert(1);</script><!--"
+                                << 
KTextToHTML::Options(KTextToHTML::PreserveSpaces)
+-                               << 
"https://<IP>:/\"><script>alert(1);</script><!--";
++                               << 
"https://&lt;IP&gt;:/&quot;&gt;&lt;script&gt;alert(1);&lt;/script&gt;&lt;!--";
++
++   QTest::newRow("url-exec-html-6") << 
"https://<IP>:/\"><script>alert(1);</script><!--\nTest2"
++                               << 
KTextToHTML::Options(KTextToHTML::PreserveSpaces)
++                               << 
"https://&lt;IP&gt;:/&quot;&gt;&lt;script&gt;alert(1);&lt;/script&gt;&lt;!--\nTest2";
+ }
+ 
+ 
+diff --git a/src/lib/text/ktexttohtml.cpp b/src/lib/text/ktexttohtml.cpp
+index 97c5eab..30e0b5d 100644
+--- a/src/lib/text/ktexttohtml.cpp
++++ b/src/lib/text/ktexttohtml.cpp
+@@ -423,7 +423,23 @@ QString KTextToHTML::convertToHtml(const QString 
&plainText, const KTextToHTML::
+                 bool badUrl = false;
+                 str = helper.getUrl(&badUrl);
+                 if (badUrl) {
+-                    return helper.mText;
++                    QString resultBadUrl;
++                    const int helperTextSize(helper.mText.count());
++                    for (int i = 0; i < helperTextSize; ++i) {
++                        const QChar chBadUrl = helper.mText[i];
++                        if (chBadUrl == QLatin1Char('&')) {
++                            resultBadUrl += QLatin1String("&amp;");
++                        } else if (chBadUrl == QLatin1Char('"')) {
++                            resultBadUrl += QLatin1String("&quot;");
++                        } else if (chBadUrl == QLatin1Char('<')) {
++                            resultBadUrl += QLatin1String("&lt;");
++                        } else if (chBadUrl == QLatin1Char('>')) {
++                            resultBadUrl += QLatin1String("&gt;");
++                        } else {
++                            resultBadUrl += chBadUrl;
++                        }
++                    }
++                    return resultBadUrl;
+                 }
+                 if (!str.isEmpty()) {
+                     QString hyperlink;
+-- 
+2.7.3
+

diff --git a/kde-frameworks/kcoreaddons/kcoreaddons-5.27.0.ebuild 
b/kde-frameworks/kcoreaddons/kcoreaddons-5.26.0-r2.ebuild
similarity index 91%
copy from kde-frameworks/kcoreaddons/kcoreaddons-5.27.0.ebuild
copy to kde-frameworks/kcoreaddons/kcoreaddons-5.26.0-r2.ebuild
index 037dde3..9db44a0 100644
--- a/kde-frameworks/kcoreaddons/kcoreaddons-5.27.0.ebuild
+++ b/kde-frameworks/kcoreaddons/kcoreaddons-5.26.0-r2.ebuild
@@ -21,6 +21,8 @@ DEPEND="${RDEPEND}
        nls? ( $(add_qt_dep linguist-tools) )
 "
 
+PATCHES=( "${FILESDIR}/${P}-CVE-2016-7966-r1.patch" )
+
 src_configure() {
        local mycmakeargs=(
                -D_KDE4_DEFAULT_HOME_POSTFIX=4

diff --git a/kde-frameworks/kcoreaddons/kcoreaddons-5.27.0.ebuild 
b/kde-frameworks/kcoreaddons/kcoreaddons-5.27.0-r1.ebuild
similarity index 92%
rename from kde-frameworks/kcoreaddons/kcoreaddons-5.27.0.ebuild
rename to kde-frameworks/kcoreaddons/kcoreaddons-5.27.0-r1.ebuild
index 037dde3..ebb5cd8 100644
--- a/kde-frameworks/kcoreaddons/kcoreaddons-5.27.0.ebuild
+++ b/kde-frameworks/kcoreaddons/kcoreaddons-5.27.0-r1.ebuild
@@ -21,6 +21,8 @@ DEPEND="${RDEPEND}
        nls? ( $(add_qt_dep linguist-tools) )
 "
 
+PATCHES=( "${FILESDIR}/${P}-CVE-2016-7966.patch" )
+
 src_configure() {
        local mycmakeargs=(
                -D_KDE4_DEFAULT_HOME_POSTFIX=4

[gentoo-commits] repo/gentoo:master commit in: kde-frameworks/kcoreaddons/, kde-frameworks/kcoreaddons/files/

Reply via email to