commit:     ee5b2b3f04e3e3ee919334c251ae26dce7e761d2
Author:     Andreas Sturmlechner <asturm <AT> gentoo <DOT> org>
AuthorDate: Sun Apr  4 12:09:16 2021 +0000
Commit:     Andreas Sturmlechner <asturm <AT> gentoo <DOT> org>
CommitDate: Sun Apr  4 13:19:36 2021 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ee5b2b3f

kde-plasma/discover: Fix CVE-2021-28117

See also: https://kde.org/info/security/advisory-20210310-1.txt

Bug: https://bugs.gentoo.org/777777
Package-Manager: Portage-3.0.18, Repoman-3.0.3
Signed-off-by: Andreas Sturmlechner <asturm <AT> gentoo.org>

 kde-plasma/discover/discover-5.20.5-r1.ebuild      | 84 ++++++++++++++++++++++
 .../files/discover-5.20.5-CVE-2021-28117.patch     | 28 ++++++++
 2 files changed, 112 insertions(+)

diff --git a/kde-plasma/discover/discover-5.20.5-r1.ebuild 
b/kde-plasma/discover/discover-5.20.5-r1.ebuild
new file mode 100644
index 00000000000..a6b37d443f8
--- /dev/null
+++ b/kde-plasma/discover/discover-5.20.5-r1.ebuild
@@ -0,0 +1,84 @@
+# Copyright 1999-2021 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+ECM_TEST="forceoptional"
+KFMIN=5.74.0
+QTMIN=5.15.1
+VIRTUALX_REQUIRED="test"
+inherit ecm kde.org
+
+DESCRIPTION="KDE Plasma resources management GUI"
+HOMEPAGE="https://userbase.kde.org/Discover";
+
+LICENSE="GPL-2" # TODO: CHECK
+SLOT="5"
+KEYWORDS="~amd64 ~arm ~arm64 ~ppc64 ~x86"
+IUSE="+firmware flatpak telemetry"
+
+# libmarkdown (app-text/discount) only used in PackageKitBackend
+DEPEND="
+       >=dev-qt/qtconcurrent-${QTMIN}:5
+       >=dev-qt/qtdbus-${QTMIN}:5
+       >=dev-qt/qtdeclarative-${QTMIN}:5
+       >=dev-qt/qtgui-${QTMIN}:5
+       >=dev-qt/qtnetwork-${QTMIN}:5
+       >=dev-qt/qtwidgets-${QTMIN}:5
+       >=dev-qt/qtxml-${QTMIN}:5
+       >=kde-frameworks/attica-${KFMIN}:5
+       >=kde-frameworks/kconfig-${KFMIN}:5
+       >=kde-frameworks/kconfigwidgets-${KFMIN}:5
+       >=kde-frameworks/kcoreaddons-${KFMIN}:5
+       >=kde-frameworks/kcrash-${KFMIN}:5
+       >=kde-frameworks/kdbusaddons-${KFMIN}:5
+       >=kde-frameworks/kdeclarative-${KFMIN}:5
+       >=kde-frameworks/ki18n-${KFMIN}:5
+       >=kde-frameworks/kio-${KFMIN}:5
+       >=kde-frameworks/kirigami-${KFMIN}:5
+       >=kde-frameworks/kitemmodels-${KFMIN}:5
+       >=kde-frameworks/knewstuff-${KFMIN}:5
+       >=kde-frameworks/knotifications-${KFMIN}:5
+       >=kde-frameworks/kwidgetsaddons-${KFMIN}:5
+       >=kde-frameworks/kxmlgui-${KFMIN}:5
+       firmware? ( sys-apps/fwupd )
+       flatpak? (
+               dev-libs/appstream:=
+               sys-apps/flatpak
+       )
+       telemetry? ( dev-libs/kuserfeedback:5 )
+"
+RDEPEND="${DEPEND}
+       >=dev-qt/qtquickcontrols2-${QTMIN}:5
+       >=kde-frameworks/kirigami-${KFMIN}:5
+"
+
+PATCHES=( "${FILESDIR}/${P}-CVE-2021-28117.patch" ) # bug 777777
+
+src_prepare() {
+       ecm_src_prepare
+       # we don't need it with PackageKitBackend off
+       ecm_punt_bogus_dep KF5 Archive
+}
+
+src_configure() {
+       local mycmakeargs=(
+               -DCMAKE_DISABLE_FIND_PACKAGE_packagekitqt5=ON
+               -DCMAKE_DISABLE_FIND_PACKAGE_Snapd=ON
+               -DBUILD_FlatpakBackend=$(usex flatpak)
+               $(cmake_use_find_package flatpak AppStreamQt)
+               -DBUILD_FwupdBackend=$(usex firmware)
+               $(cmake_use_find_package telemetry KUserFeedback)
+       )
+
+       ecm_src_configure
+}
+
+src_test() {
+       # bug 686392: needs network connection
+       local myctestargs=(
+               -E "(knsbackendtest)"
+       )
+
+       ecm_src_test
+}
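Review bot: `>=kde-frameworks/kirigami-${KFMIN}:5` appears both in DEPEND and in the RDEPEND block that already expands `${DEPEND}`, so the second entry is redundant and can be dropped; the duplicate is presumably carried over from the previous revision. `HOMEPAGE="https://userbase.kde.org/Discover";` ends in a stray `;` that bash tolerates but ebuild style does not — if it is not an artifact of the list-archive rendering, remove it. The `# TODO: CHECK` beside `LICENSE="GPL-2"` has survived into a security revbump; confirming the licence set against the tarball would let that marker go.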

diff --git a/kde-plasma/discover/files/discover-5.20.5-CVE-2021-28117.patch 
b/kde-plasma/discover/files/discover-5.20.5-CVE-2021-28117.patch
new file mode 100644
index 00000000000..1a2685dbc8d
--- /dev/null
+++ b/kde-plasma/discover/files/discover-5.20.5-CVE-2021-28117.patch
@@ -0,0 +1,28 @@
+From 94478827aab63d2e2321f0ca9ec5553718798e60 Mon Sep 17 00:00:00 2001
+From: Aleix Pol <aleix...@kde.org>
+Date: Wed, 10 Mar 2021 21:48:53 +0100
+Subject: [PATCH] Only turn http[s] links into clickable links
+
+CVE-2021-28117
+
+(cherry picked from commit d375031ff0262cedac7d6ee2b26d6a164ddebb67)
+---
+ libdiscover/backends/KNSBackend/KNSResource.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libdiscover/backends/KNSBackend/KNSResource.cpp 
b/libdiscover/backends/KNSBackend/KNSResource.cpp
+index 4394d5df..f7670c55 100644
+--- a/libdiscover/backends/KNSBackend/KNSResource.cpp
++++ b/libdiscover/backends/KNSBackend/KNSResource.cpp
+@@ -87,7 +87,7 @@ QString KNSResource::longDescription()
+     ret.remove(QRegularExpression(QStringLiteral("\\[\\/?[a-z]*\\]")));
+     // Find anything that looks like a link (but which also is not some html
+     // tag value or another already) and make it a link
+-    static const QRegularExpression 
urlRegExp(QStringLiteral("(^|\\s)([-a-zA-Z0-9@:%_\\+.~#?&//=]{2,256}\\.[a-z]{2,4}\\b(\\/[-a-zA-Z0-9@:;%_\\+.~#?&//=]*)?)"),
 QRegularExpression::CaseInsensitiveOption);
++    static const QRegularExpression 
urlRegExp(QStringLiteral("(^|\\s)(http[-a-zA-Z0-9@:%_\\+.~#?&//=]{2,256}\\.[a-z]{2,4}\\b(\\/[-a-zA-Z0-9@:;%_\\+.~#?&//=]*)?)"),
 QRegularExpression::CaseInsensitiveOption);
+     ret.replace(urlRegExp, QStringLiteral("<a href=\"\\2\">\\2</a>"));
+     return ret;
+ }
+-- 
+GitLab
+
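Review bot: The tightened expression on the `+` line still requires no scheme delimiter: `http` is followed directly by the `[-a-zA-Z0-9@:%_\\+.~#?&//=]{2,256}` class, so the scheme separator is optional and the subject's "http[s]" intent is only approximated; `https?://` in place of `http` would pin both scheme and separator. Since this file is a verbatim cherry-pick of upstream 94478827, that refinement belongs upstream rather than as a local divergence of the vendored patch. `\\2` is substituted into the href unescaped, which is only safe because the character class admits none of `"`, `<` or `>`; a one-line comment such as `// the character class excludes quote and angle brackets, so \\2 is safe inside the attribute` would spare the next reader re-deriving that. `longDescription()` begins before the hunk.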
