Bug#1006293: bullseye-pu: package plasma-desktop/4:5.20.5-4

2023-08-02 Thread Patrick Franz
Hi,

On Sun, 30 Jul 2023 14:51:03 +0100 Jonathan Wiltshire  
wrote:
[...]
> Please go ahead.

Package has been uploaded.


-- 
Med vänliga hälsningar

Patrick Franz



Bug#1006293: bullseye-pu: package plasma-desktop/4:5.20.5-4

2023-07-30 Thread Jonathan Wiltshire
Control: tag -1 confirmed

On Mon, Mar 21, 2022 at 10:37:50PM +0100, Patrick Franz wrote:
> On Fri, 18 Mar 2022 16:22:56 +0100 Julien Cristau  
> wrote:
> [...]
> > Can you clarify the issue and how the 3 affected packages interact?  The
> > mailing list links seem to talk about plasma-discover's KNS backend so I guess
> > I understand that part, how are plasma-desktop and knewstuff involved?
> 
> knewstuff is the framework that actually downloads the data. The patch 
> for that package changes the URL from which updates are downloaded as 
> updates were fetched from the "wrong" URL.
> 
> plasma-desktop triggers the process to check for updates.

Please go ahead.

Thanks,

-- 
Jonathan Wiltshire  j...@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1



Bug#1006293: bullseye-pu: package plasma-desktop/4:5.20.5-4

2022-03-21 Thread Patrick Franz
Hi,

On Fri, 18 Mar 2022 16:22:56 +0100 Julien Cristau  
wrote:
[...]
> Can you clarify the issue and how the 3 affected packages interact?  The
> mailing list links seem to talk about plasma-discover's KNS backend so I guess
> I understand that part, how are plasma-desktop and knewstuff involved?

knewstuff is the framework that actually downloads the data. The patch 
for that package changes the URL from which updates are downloaded as 
updates were fetched from the "wrong" URL.

plasma-desktop triggers the process to check for updates.


-- 
Med vänliga hälsningar

Patrick Franz



Bug#1006293: bullseye-pu: package plasma-desktop/4:5.20.5-4

2022-03-18 Thread Julien Cristau
Control: tag -1 moreinfo

On Tue, Feb 22, 2022 at 10:45:21PM +0100, Patrick Franz wrote:
> A bug in plasma-discover causes a Denial of Service attack
> against the KDE servers. 3 packages need to be patched to
> mitigate the attack: knewstuff, plasma-desktop and
> plasma-discover.
> This update fixes bug #1006125 for bullseye and has been 
> fixed in unstable.
> 
Can you clarify the issue and how the 3 affected packages interact?  The
mailing list links seem to talk about plasma-discover's KNS backend so I guess
I understand that part, how are plasma-desktop and knewstuff involved?



Bug#1006293: bullseye-pu: package plasma-desktop/4:5.20.5-4

2022-02-22 Thread Patrick Franz
Package: release.debian.org
Severity: important
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: delta...@debian.org, debian-qt-...@lists.debian.org

[ Reason ]
A bug in plasma-discover causes a Denial of Service attack
against the KDE servers. 3 packages need to be patched to
mitigate the attack: knewstuff, plasma-desktop and
plasma-discover.
This update fixes bug #1006125 for bullseye and has been 
fixed in unstable.

[ Impact ]
Running the old version causes considerable load for the KDE
servers.

[ Tests ]
No manual tests have been performed.

[ Risks ]
The risks are rather low as the update is a single patch.
The patch has been created by KDE upstream specifically for the
version in bullseye.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
The update contains a single patch to help ease the load on
KDE servers.

[ Other info ]
It would be good if users of KDE plasma could receive the update
as quickly as possible.
diffstat for plasma-desktop-5.20.5 plasma-desktop-5.20.5

 changelog|8 
 patches/plasma-desktop-dns.patch |   39 +++
 patches/series   |1 +
 3 files changed, 48 insertions(+)

diff -Nru plasma-desktop-5.20.5/debian/changelog 
plasma-desktop-5.20.5/debian/changelog
--- plasma-desktop-5.20.5/debian/changelog  2021-02-24 13:35:04.0 
+0100
+++ plasma-desktop-5.20.5/debian/changelog  2022-02-20 18:50:03.0 
+0100
@@ -1,3 +1,11 @@
+plasma-desktop (4:5.20.5-4+deb11u1) bullseye; urgency=medium
+
+  * Team upload.
+  * Cherry-pick commit to fix the Denial of Service bug in Discover
+(Closes: #1006125).
+
+ -- Patrick Franz   Sun, 20 Feb 2022 18:50:03 +0100
+
 plasma-desktop (4:5.20.5-4) unstable; urgency=medium
 
   * Team upload.
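Review bot: the changelog entry `* Cherry-pick commit to fix the Denial of Service bug in Discover` does not say which upstream commit was cherry-picked; naming the commit hash or URL here (and as an `Origin:` field in the patch header, which currently only carries `Forwarded: not-needed`) would let reviewers verify the backport against upstream instead of trusting the description.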
diff -Nru plasma-desktop-5.20.5/debian/patches/plasma-desktop-dns.patch 
plasma-desktop-5.20.5/debian/patches/plasma-desktop-dns.patch
--- plasma-desktop-5.20.5/debian/patches/plasma-desktop-dns.patch   
1970-01-01 01:00:00.0 +0100
+++ plasma-desktop-5.20.5/debian/patches/plasma-desktop-dns.patch   
2022-02-20 18:40:00.0 +0100
@@ -0,0 +1,39 @@
+Author: Dan Leinir Turthra Jensen 
+Description: Fix Denial of Service bug in Discover.
+Forwarded: not-needed
+
+---
+ attica-kde/kdeplugin/kdeplatformdependent.cpp | 19 +++
+ 1 file changed, 19 insertions(+)
+
+diff --git a/attica-kde/kdeplugin/kdeplatformdependent.cpp 
b/attica-kde/kdeplugin/kdeplatformdependent.cpp
+index fbc15ec4e..2c21fe7e6 100644
+--- a/attica-kde/kdeplugin/kdeplatformdependent.cpp
 b/attica-kde/kdeplugin/kdeplatformdependent.cpp
+@@ -125,6 +125,25 @@ QNetworkRequest 
KdePlatformDependent::addOAuthToRequest(const QNetworkRequest 
+ const QString bearer = bearer_format.arg(token);
+ notConstReq.setRawHeader("Authorization", bearer.toUtf8());
+ }
++
++// Add cache preference in a granular fashion (we will almost certainly 
want more of these, but...)
++static const QStringList 
preferCacheEndpoints{QLatin1String{"/content/categories"}};
++for (const QString  : preferCacheEndpoints) {
++if (notConstReq.url().toString().endsWith(endpoint)) {
++QNetworkCacheMetaData 
cacheMeta{m_accessManager->cache()->metaData(notConstReq.url())};
++if (cacheMeta.isValid()) {
++// If the expiration date is valid, but longer than 24 hours, 
don't trust that things
++// haven't changed and check first, otherwise just use the 
cached version to relieve
++// server strain and reduce network traffic.
++const QDateTime 
tomorrow{QDateTime::currentDateTime().addDays(1)};
++if (cacheMeta.expirationDate().isValid() && 
cacheMeta.expirationDate() < tomorrow) {
++
notConstReq.setAttribute(QNetworkRequest::CacheLoadControlAttribute, 
QNetworkRequest::PreferCache);
++}
++}
++break;
++}
++}
++
+ return notConstReq;
+ }
+ 
+-- 
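Review bot: `m_accessManager->cache()->metaData(notConstReq.url())` dereferences the access manager's cache without a null check; `QNetworkAccessManager::cache()` returns null when no cache has been installed, so unless attica-kde guarantees one is always set, guard the lookup with something like `if (auto *cache = m_accessManager->cache())` before reading metadata, otherwise the crash would replace the load problem this backport is meant to fix. Separately, as displayed here the loop header reads `for (const QString  : preferCacheEndpoints)` with the loop variable missing and the `+++ b/attica-kde/...` file header has lost its prefix, which looks like mail-client mangling of the debdiff rather than the patch as uploaded; the 39-line count in the diffstat matches the hunk header, but it is worth confirming the uploaded file applies cleanly.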
diff -Nru plasma-desktop-5.20.5/debian/patches/series 
plasma-desktop-5.20.5/debian/patches/series
--- plasma-desktop-5.20.5/debian/patches/series 2021-02-24 13:33:20.0 
+0100
+++ plasma-desktop-5.20.5/debian/patches/series 2022-02-20 18:44:56.0 
+0100
@@ -3,3 +3,4 @@
 upstream_5.21+lts_folder_view_de-duplicate_switch_width_height_logic.patch
 upstream_5.21+lts_folder_view_Fix_display_on_not-skinny_vertical_panels.patch
 upstream-1be25dec-fix-crash-deleting-from-activity-manager.patch
+plasma-desktop-dns.patch
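Review bot: the new entry `plasma-desktop-dns.patch` follows none of the naming used by the neighbouring upstream backports (`upstream-<commit>-<description>.patch`), and "dns" does not describe what the patch does (it sets an HTTP cache preference for the `/content/categories` endpoint); a name such as `upstream-<commit>-prefer-cache-for-content-categories.patch`, with `<commit>` replaced by the cherry-picked commit id, would be consistent with the series and self-describing.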