Package: release.debian.org
Severity: important
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: delta...@debian.org, debian-qt-...@lists.debian.org
[ Reason ]
A bug in plasma-discover causes a denial-of-service attack
against the KDE servers. Three packages need to be patched to
mitigate the attack: knewstuff, plasma-desktop and
plasma-discover.
This update fixes bug #1006125 for bullseye; the bug has already
been fixed in unstable.
[ Impact ]
Running the old version causes considerable load for the KDE
servers.
[ Tests ]
No manual tests have been performed.
[ Risks ]
The risks are rather low as the update is a single patch.
The patch has been created by KDE upstream specifically for the
version in bullseye.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
The update contains a single patch to help ease the load on
KDE servers.
[ Other info ]
It would be good if users of KDE Plasma could receive the update
as quickly as possible.
diffstat for plasma-desktop-5.20.5 plasma-desktop-5.20.5
 changelog                        |  8
 patches/plasma-desktop-dns.patch | 39 +++
 patches/series                   |  1 +
3 files changed, 48 insertions(+)
diff -Nru plasma-desktop-5.20.5/debian/changelog
plasma-desktop-5.20.5/debian/changelog
--- plasma-desktop-5.20.5/debian/changelog 2021-02-24 13:35:04.0
+0100
+++ plasma-desktop-5.20.5/debian/changelog 2022-02-20 18:50:03.0
+0100
@@ -1,3 +1,11 @@
+plasma-desktop (4:5.20.5-4+deb11u1) bullseye; urgency=medium
+
+ * Team upload.
+ * Cherry-pick commit to fix the Denial of Service bug in Discover
+(Closes: #1006125).
+
+ -- Patrick Franz Sun, 20 Feb 2022 18:50:03 +0100
+
plasma-desktop (4:5.20.5-4) unstable; urgency=medium
* Team upload.
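Review bot: the new entry says "Cherry-pick commit to fix the Denial of Service bug in Discover" without identifying which upstream commit is cherry-picked; naming the commit hash (or the upstream merge request) on that changelog line makes the provenance of the fix checkable without opening the patch. Also, the trailer as rendered here reads `-- Patrick Franz Sun, 20 Feb 2022 18:50:03 +0100` with no `<email>` between the name and the date; dpkg-parsechangelog requires `Name <email>  date`, so confirm the actual file carries the address and that this is only a rendering artefact.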
diff -Nru plasma-desktop-5.20.5/debian/patches/plasma-desktop-dns.patch
plasma-desktop-5.20.5/debian/patches/plasma-desktop-dns.patch
--- plasma-desktop-5.20.5/debian/patches/plasma-desktop-dns.patch
1970-01-01 01:00:00.0 +0100
+++ plasma-desktop-5.20.5/debian/patches/plasma-desktop-dns.patch
2022-02-20 18:40:00.0 +0100
@@ -0,0 +1,39 @@
+Author: Dan Leinir Turthra Jensen
+Description: Fix Denial of Service bug in Discover.
+Forwarded: not-needed
+
+---
+ attica-kde/kdeplugin/kdeplatformdependent.cpp | 19 +++
+ 1 file changed, 19 insertions(+)
+
+diff --git a/attica-kde/kdeplugin/kdeplatformdependent.cpp
b/attica-kde/kdeplugin/kdeplatformdependent.cpp
+index fbc15ec4e..2c21fe7e6 100644
+--- a/attica-kde/kdeplugin/kdeplatformdependent.cpp
b/attica-kde/kdeplugin/kdeplatformdependent.cpp
+@@ -125,6 +125,25 @@ QNetworkRequest
KdePlatformDependent::addOAuthToRequest(const QNetworkRequest &r
+ const QString bearer = bearer_format.arg(token);
+ notConstReq.setRawHeader("Authorization", bearer.toUtf8());
+ }
++
++// Add cache preference in a granular fashion (we will almost certainly
want more of these, but...)
++static const QStringList
preferCacheEndpoints{QLatin1String{"/content/categories"}};
++for (const QString &endpoint : preferCacheEndpoints) {
++if (notConstReq.url().toString().endsWith(endpoint)) {
++QNetworkCacheMetaData
cacheMeta{m_accessManager->cache()->metaData(notConstReq.url())};
++if (cacheMeta.isValid()) {
++// If the expiration date is valid, but longer than 24 hours,
don't trust that things
++// haven't changed and check first, otherwise just use the
cached version to relieve
++// server strain and reduce network traffic.
++const QDateTime
tomorrow{QDateTime::currentDateTime().addDays(1)};
++if (cacheMeta.expirationDate().isValid() &&
cacheMeta.expirationDate() < tomorrow) {
++
notConstReq.setAttribute(QNetworkRequest::CacheLoadControlAttribute,
QNetworkRequest::PreferCache);
++}
++}
++break;
++}
++}
++
+ return notConstReq;
+ }
+
+--
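Review bot: `m_accessManager->cache()->metaData(notConstReq.url())` dereferences the cache pointer without checking it; QNetworkAccessManager::cache() returns nullptr when no cache has been set on the manager, so unless a cache is guaranteed to be installed elsewhere (not visible in this hunk) a request ending in `/content/categories` would crash here instead of simply skipping the cache preference. Guard it, e.g. `if (QAbstractNetworkCache *cache = m_accessManager->cache()) { QNetworkCacheMetaData cacheMeta{cache->metaData(notConstReq.url())}; ... }`. The DEP-3 header also has `Forwarded: not-needed` but no `Origin:` line; since this is a cherry-pick of an upstream commit, `Origin: upstream, <commit URL>` (and `Applied-Upstream:`) records where it came from.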
diff -Nru plasma-desktop-5.20.5/debian/patches/series
plasma-desktop-5.20.5/debian/patches/series
--- plasma-desktop-5.20.5/debian/patches/series 2021-02-24 13:33:20.0
+0100
+++ plasma-desktop-5.20.5/debian/patches/series 2022-02-20 18:44:56.0
+0100
@@ -3,3 +3,4 @@
upstream_5.21+lts_folder_view_de-duplicate_switch_width_height_logic.patch
upstream_5.21+lts_folder_view_Fix_display_on_not-skinny_vertical_panels.patch
upstream-1be25dec-fix-crash-deleting-from-activity-manager.patch
+plasma-desktop-dns.patch
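Review bot: the new patch is named `plasma-desktop-dns.patch`, but it adds a cache-control preference to relieve server load and has nothing to do with DNS; the other entries in this series follow an `upstream-<hash>-<summary>.patch` or `upstream_5.21+lts_<summary>.patch` naming, so a name such as `upstream-<hash>-prefer-cache-for-content-categories.patch` would be both accurate and consistent with the existing entries.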