Bug#840546: CVE-2016-7966 kdepimlibs jessie

2016-10-20 Thread Sandro Knauß
Hey Moritz,

ping. 

Is there anything missing before rolling out the patch inside jessie-security? Can I help somehow / do you need input from my side?

Regards,

sandro

--
On Friday, 14 October 2016, 21:23:45 CEST, Moritz Muehlenhoff wrote:
> On Fri, Oct 14, 2016 at 08:23:04PM +0200, Sandro Knauß wrote:
> > Hey,
> > 
> > I have now backported the second part of the fix of the CVE. I updated the
> > version deb8u1 from Scott. Should I create a deb8u2 for the additional
> > patch?
> > 
> > I attached the up-to-date debdiff.
> 
> Thanks, please upload.
> 
> Cheers,
> Moritz





Bug#840546: CVE-2016-7966 kdepimlibs jessie

2016-10-14 Thread Salvatore Bonaccorso
Hi Sandro,

On Fri, Oct 14, 2016 at 10:56:00PM +0200, Sandro Knauß wrote:
> Hi,
> 
> now I'm fully confused - you said on IRC that I had better create a deb8u2 
> on top.  Well, I have now created the debdiff for a deb8u2.
> 
> So you can decide what is the best way for the sec team and what version 
> should be uploaded where.

Sorry then if some confusion was present. I looked at the debdiff you
sent previously and it was a +deb8u1 with all changes. That would not
have worked, since +deb8u1 is already on security-master and it would
have been rejected by dak.

> diff -Nru kdepimlibs-4.14.2/debian/changelog 
> kdepimlibs-4.14.2/debian/changelog
> --- kdepimlibs-4.14.2/debian/changelog2016-10-12 18:20:26.0 
> +0200
> +++ kdepimlibs-4.14.2/debian/changelog2016-10-14 21:33:53.0 
> +0200
> @@ -1,3 +1,14 @@
> +kdepimlibs (4:4.14.2-2+deb8u2) jessie-security; urgency=high
> +
> +  * Team upload.
> +  * Additional patch to complete the fix for CVE-2016-7966
> +- Replace all scary charactars (", <, > and &) with safe HTML
> +  replacements.
> +- Backport commit kcoreaddons 5e13d2439dbf540fdc840f0b0ab5b3ebf6642c6a
> +  in debian/patches/CVE-2016-7966_part2.diff
> +
> + -- Sandro Knauß   Fri, 14 Oct 2016 21:33:53 +0200
> +

Thanks, that is exactly what I meant. Create a +deb8u2 with your
additional needed fixes on top of the deb8u1 previously already
uploaded by Scott.

It's perfect now as you attached above.

I will now not interfere further, since Moritz will take care of the
DSA.

Regards,
Salvatore



Bug#840546: CVE-2016-7966 kdepimlibs jessie

2016-10-14 Thread Sandro Knauß
Hi,

now I'm fully confused - you said on IRC that I had better create a deb8u2 
on top.  Well, I have now created the debdiff for a deb8u2.

So you can decide what is the best way for the sec team and what version 
should be uploaded where.

Best Regards,

sandro

--
On Friday, 14 October 2016, 21:50:18 CEST, Salvatore Bonaccorso wrote:
> Hi,
> 
> Just an additional comment on the debdiff:
> 
> On Fri, Oct 14, 2016 at 08:23:04PM +0200, Sandro Knauß wrote:
> > Hey,
> > 
> > I have now backported the second part of the fix of the CVE. I updated the
> > version deb8u1 from Scott. Should I create a deb8u2 for the additional
> > patch?
> Please note: build the attached debdiff instead as +deb8u2 on top
> of the +deb8u1 already present on security-master and just
> incorporate the additional changes needed.
> 
> Regards and thanks for your work!
> 
> Salvatore

diff -Nru kdepimlibs-4.14.2/debian/changelog kdepimlibs-4.14.2/debian/changelog
--- kdepimlibs-4.14.2/debian/changelog	2016-10-12 18:20:26.0 +0200
+++ kdepimlibs-4.14.2/debian/changelog	2016-10-14 21:33:53.0 +0200
@@ -1,3 +1,14 @@
+kdepimlibs (4:4.14.2-2+deb8u2) jessie-security; urgency=high
+
+  * Team upload.
+  * Additional patch to complete the fix for CVE-2016-7966
+- Replace all scary charactars (", <, > and &) with safe HTML
+  replacements.
+- Backport commit kcoreaddons 5e13d2439dbf540fdc840f0b0ab5b3ebf6642c6a
+  in debian/patches/CVE-2016-7966_part2.diff
+
+ -- Sandro Knauß   Fri, 14 Oct 2016 21:33:53 +0200
+
 kdepimlibs (4:4.14.2-2+deb8u1) jessie-security; urgency=high
 
   * Team upload.
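Review bot: the bullet "Replace all scary charactars" in the new changelog entry has a typo ("characters"); this text ends up in the published package changelog and is what the DSA will point at, so fix it before upload. The entry otherwise records what a later reader needs to trace the fix: the upstream source of the backport (kcoreaddons 5e13d2439dbf540fdc840f0b0ab5b3ebf6642c6a) and the patch file name debian/patches/CVE-2016-7966_part2.diff.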
diff -Nru kdepimlibs-4.14.2/debian/patches/CVE-2016-7966_part2.diff kdepimlibs-4.14.2/debian/patches/CVE-2016-7966_part2.diff
--- kdepimlibs-4.14.2/debian/patches/CVE-2016-7966_part2.diff	1970-01-01 01:00:00.0 +0100
+++ kdepimlibs-4.14.2/debian/patches/CVE-2016-7966_part2.diff	2016-10-14 21:33:14.0 +0200
@@ -0,0 +1,27 @@
+--- a/kpimutils/linklocator.cpp
 b/kpimutils/linklocator.cpp
+@@ -389,7 +389,23 @@ QString LinkLocator::convertToHtml( cons
+ bool badUrl = false;
+ str = locator.getUrlAndCheckValidHref();
+ if (badUrl) {
+-return locator.mText;
++QString resultBadUrl;
++const int helperTextSize(locator.mText.count());
++for (int i = 0; i < helperTextSize; ++i) {
++const QChar chBadUrl = locator.mText[i];
++if (chBadUrl == QLatin1Char('&')) {
++resultBadUrl += QLatin1String("");
++} else if (chBadUrl == QLatin1Char('"')) {
++resultBadUrl += QLatin1String("");
++} else if (chBadUrl == QLatin1Char('<')) {
++resultBadUrl += QLatin1String("");
++} else if (chBadUrl == QLatin1Char('>')) {
++resultBadUrl += QLatin1String("");
++} else {
++resultBadUrl += chBadUrl;
++}
++}
++return resultBadUrl;
+ }
+ 
+ if ( !str.isEmpty() ) {
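Review bot: as the hunk appears here, all four replacement literals in the `badUrl` branch are empty (`resultBadUrl += QLatin1String("");` for `&`, `"`, `<` and `>`), which would silently strip those characters rather than replace them with the "safe HTML replacements" the changelog promises; this is most likely the HTML entities (`&amp;`, `&quot;`, `&lt;`, `&gt;`) being eaten by mail rendering, but verify the literals in the actual patch file before upload, because an empty replacement would turn the escaping fix into a content-dropping one. In the context lines, `bool badUrl = false;` is followed by `str = locator.getUrlAndCheckValidHref();` with no argument, so as shown `badUrl` can never become true and the whole new escaping branch would be dead code; the call has to pass `&badUrl` (again, possibly lost in rendering). The `b/kpimutils/linklocator.cpp` header line has also lost its `+++` marker, so confirm the patch applies cleanly with `quilt push` rather than trusting this mailed copy.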
diff -Nru kdepimlibs-4.14.2/debian/patches/series kdepimlibs-4.14.2/debian/patches/series
--- kdepimlibs-4.14.2/debian/patches/series	2016-10-12 18:20:26.0 +0200
+++ kdepimlibs-4.14.2/debian/patches/series	2016-10-14 21:33:14.0 +0200
@@ -2,3 +2,4 @@
 sslv2_disabled.patch
 tlscancelled.patch
 CVE-2016-7966.diff
+CVE-2016-7966_part2.diff




Bug#840546: CVE-2016-7966 kdepimlibs jessie

2016-10-14 Thread Salvatore Bonaccorso
Hi,

Just an additional comment on the debdiff:

On Fri, Oct 14, 2016 at 08:23:04PM +0200, Sandro Knauß wrote:
> Hey,
> 
> I have now backported the second part of the fix of the CVE. I updated the version
> deb8u1 from Scott. Should I create a deb8u2 for the additional patch?

Please note: build the attached debdiff instead as +deb8u2 on top
of the +deb8u1 already present on security-master and just
incorporate the additional changes needed.

Regards and thanks for your work!

Salvatore




Bug#840546: CVE-2016-7966 kdepimlibs jessie

2016-10-14 Thread Moritz Muehlenhoff
On Fri, Oct 14, 2016 at 08:23:04PM +0200, Sandro Knauß wrote:
> Hey,
> 
> I have now backported the second part of the fix of the CVE. I updated the version
> deb8u1 from Scott. Should I create a deb8u2 for the additional patch?
> 
> I attached the up-to-date debdiff.

Thanks, please upload.

Cheers,
Moritz



Bug#840546: CVE-2016-7966 kdepimlibs jessie

2016-10-14 Thread Sandro Knauß
Hey,

I have now backported the second part of the fix of the CVE. I updated the version 
deb8u1 from Scott. Should I create a deb8u2 for the additional patch?

I attached the up-to-date debdiff.
 
Regards,

sandro

On Thursday, 13 October 2016, 18:19:35 CEST, Moritz Mühlenhoff wrote:
> On Thu, Oct 13, 2016 at 12:15:01PM +0200, Sandro Knauß wrote:
> > Hey,
> > 
> > The description at
> > https://www.kde.org/info/security/advisory-20161006-1.txt does not describe
> > all patches that are needed to fix the CVE (at the moment).
> > 
> > The additional patches are not part of KDE Frameworks 5.27, so they need
> > to be applied for KF 5.27:
> > 5e13d2439dbf540fdc840f0b0ab5b3ebf6642c6a (0004-Display-bad-url.patch)
> > a06cef31cc4c908bc9b76bd9d103fe9c60e0953f (0003-Add-more-autotests.patch)
> > 
> > (the first two will be included in KF 5.27).
> > 
> > The fixed version is 5.26.0-3 (sid only - already uploaded). I'll test if
> > we need these patches also for stable inside kdepimlibs.
> 
> Ok, please let us know once you know more. Scott Kitterman has already sent
> an update for kdepimlibs (attached).
> 
> Cheers,
> Moritz

diff -Nru kdepimlibs-4.14.2/debian/changelog kdepimlibs-4.14.2/debian/changelog
--- kdepimlibs-4.14.2/debian/changelog	2014-11-17 04:38:20.0 +0100
+++ kdepimlibs-4.14.2/debian/changelog	2016-10-14 18:09:02.0 +0200
@@ -1,3 +1,21 @@
+kdepimlibs (4:4.14.2-2+deb8u1) jessie-security; urgency=high
+
+  * Team upload.
+  [ Scott Kitterman ]
+  * CVE-2016-7966 KMail: HTML injection in plain text viewer (Closes: #840546)
+- Avoid transforming as a url in plain text mode when there is a quote
+- Add debian/patches/CVE-2016-7966.diff from upstream
+
+  [ Sandro Knauß ]
+  * Additional patch to complete the fix for CVE-2016-7966
+- Replace all scary charactars (", <, > and &) with safe HTML
+  replacements.
+- Backport commit kcoreaddons 5e13d2439dbf540fdc840f0b0ab5b3ebf6642c6a
+  in debian/patches/CVE-2016-7966_part2.diff
+  * Update symbols files.
+
+ -- Sandro Knauß   Fri, 14 Oct 2016 18:09:02 +0200
+
 kdepimlibs (4:4.14.2-2) unstable; urgency=medium
 
   * Team upload.
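Review bot: this entry folds Sandro's part2 patch and the symbols update into the same 4:4.14.2-2+deb8u1 entry as Scott's changes, but as Salvatore notes elsewhere in this thread, +deb8u1 is already on security-master and dak will reject a second upload carrying that version; the additional changes need their own 4:4.14.2-2+deb8u2 entry stacked on top of the existing deb8u1 (which the later debdiff in this thread does). The bullet "scary charactars" also has a typo ("characters").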
diff -Nru kdepimlibs-4.14.2/debian/libkpimutils4.symbols kdepimlibs-4.14.2/debian/libkpimutils4.symbols
--- kdepimlibs-4.14.2/debian/libkpimutils4.symbols	2014-10-20 17:13:26.0 +0200
+++ kdepimlibs-4.14.2/debian/libkpimutils4.symbols	2016-10-14 18:09:02.0 +0200
@@ -7,6 +7,7 @@
  _ZN9KPIMUtils11LinkLocator15getEmailAddressEv@Base 4:4.3.4
  _ZN9KPIMUtils11LinkLocator15highlightedTextEv@Base 4:4.3.4
  _ZN9KPIMUtils11LinkLocator16setMaxAddressLenEi@Base 4:4.3.4
+ _ZN9KPIMUtils11LinkLocator23getUrlAndCheckValidHrefEPb@Base 4:4.14.2-2+deb8u1
  _ZN9KPIMUtils11LinkLocator6getUrlEv@Base 4:4.3.4
  _ZN9KPIMUtils11LinkLocatorC1ERK7QStringi@Base 4:4.3.4
  _ZN9KPIMUtils11LinkLocatorC2ERK7QStringi@Base 4:4.3.4
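Review bot: the new entry `_ZN9KPIMUtils11LinkLocator23getUrlAndCheckValidHrefEPb@Base 4:4.14.2-2+deb8u1` is the mangled name of the `getUrlAndCheckValidHref(bool *)` method that CVE-2016-7966.diff adds, and it is correct that `getUrl()` stays exported beside it, since the patch keeps `getUrl()` as a wrapper. If this symbols update moves into the +deb8u2 upload, keep the version annotation at 4:4.14.2-2+deb8u1: that is the upload whose binary first exported the symbol, and a higher annotation would make the generated shlibs dependency stricter than necessary. Compare the build's dpkg-gensymbols output against this file to confirm no other symbol changed.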
diff -Nru kdepimlibs-4.14.2/debian/patches/CVE-2016-7966.diff kdepimlibs-4.14.2/debian/patches/CVE-2016-7966.diff
--- kdepimlibs-4.14.2/debian/patches/CVE-2016-7966.diff	1970-01-01 01:00:00.0 +0100
+++ kdepimlibs-4.14.2/debian/patches/CVE-2016-7966.diff	2016-10-14 16:59:11.0 +0200
@@ -0,0 +1,89 @@
+From: Montel Laurent 
+Date: Fri, 30 Sep 2016 13:55:35 +
+Subject: Backport avoid to transform as a url when we have a quote
+X-Git-Url: http://quickgit.kde.org/?p=kdepimlibs.git=commitdiff=176fee25ca79145ab5c8e2275d248f1a46a8d8cf
+---
+Backport avoid to transform as a url when we have a quote
+---
+
+
+--- a/kpimutils/linklocator.cpp
 b/kpimutils/linklocator.cpp
+@@ -94,6 +94,12 @@
+ }
+ 
+ QString LinkLocator::getUrl()
++{
++return getUrlAndCheckValidHref();
++}
++
++
++QString LinkLocator::getUrlAndCheckValidHref(bool *badurl)
+ {
+   QString url;
+   if ( atUrl() ) {
+@@ -129,13 +135,26 @@
+ 
+ url.reserve( maxUrlLen() );  // avoid allocs
+ int start = mPos;
++bool previousCharIsADoubleQuote = false;
+ while ( ( mPos < (int)mText.length() ) &&
+ ( mText[mPos].isPrint() || mText[mPos].isSpace() ) &&
+ ( ( afterUrl.isNull() && !mText[mPos].isSpace() ) ||
+   ( !afterUrl.isNull() && mText[mPos] != afterUrl ) ) ) {
+   if ( !mText[mPos].isSpace() ) {   // skip whitespace
+-url.append( mText[mPos] );
+-if ( url.length() > maxUrlLen() ) {
++  if (mText[mPos] == QLatin1Char('>') && previousCharIsADoubleQuote) {
++  //it's an invalid url
++  if (badurl) {
++  *badurl = true;
++  }
++  return QString();
++  }
++  if (mText[mPos] == QLatin1Char('"')) {
++  previousCharIsADoubleQuote = true;
++  } else {
++  previousCharIsADoubleQuote = false;
++  }
++  url.append( mText[mPos] );
++  if ( url.length() > maxUrlLen() ) {
+   break;
+ }
+   }
+@@ -367,7 +386,12 @@
+ } else {
+   const int start =
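Review bot: `getUrlAndCheckValidHref(bool *badurl)` only ever writes `*badurl = true` on the invalid path and never sets it to false, so every caller has to initialise the flag before the call (as the part2 hunk's `bool badUrl = false;` does); setting `*badurl = false` at the top of the function when the pointer is non-null would make the contract independent of the caller. Note that `previousCharIsADoubleQuote` is only updated inside the `!isSpace()` branch, so a `"` followed by whitespace and then `>` is still rejected; that looks intended but deserves a comment. The check is deliberately narrow: it rejects text where `>` follows `"` and returns an empty string, and the caller's pre-existing `return locator.mText;` (visible as the removed line in the part2 hunk) then emits the raw text unescaped, which is exactly the gap the part2 patch closes. Finally, this copy of the hunk is truncated (it ends mid-hunk at `const int start =`) and the `From:`, `Date:` and `X-Git-Url:` header lines have lost characters, so apply from the actual debdiff attachment, not from this rendering.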