Bug#840546: Stable Debdiff For CVE-2016-7966/kdepimlibs
On Wednesday, October 12, 2016 09:36:13 PM Salvatore Bonaccorso wrote:
> Hi Scott,
>
> On Wed, Oct 12, 2016 at 02:56:06PM -0400, Scott Kitterman wrote:
> > Proposed update attached. It is the exact upstream commit that resolved
> > this issue upstream (relevant code is unchanged from stable) and I have
> > the fix running locally. I do not have an example of the exploit to
> > verify the adequacy of the fix, but it does appear to be regression free.
> >
> > I have an upload for jessie-security prepared.
>
> Thanks, please do upload in this case. Remember to build with -sa,
> since it's the first upload dak on security-master sees for
> kdepimlibs.

Uploaded.

Scott K
kcoreaddons_5.26.0-2_amd64.changes ACCEPTED into unstable
Accepted:

Format: 1.8
Date: Fri, 07 Oct 2016 22:46:43 +0200
Source: kcoreaddons
Binary: libkf5coreaddons-dev libkf5coreaddons-bin-dev libkf5coreaddons5 libkf5coreaddons-data
Architecture: source amd64 all
Version: 5.26.0-2
Distribution: unstable
Urgency: high
Maintainer: Debian/Kubuntu Qt/KDE Maintainers
Changed-By: Debian Qt/KDE Maintainers
Description:
 libkf5coreaddons-bin-dev - KDE Frameworks 5 addons to QtCore - development files
 libkf5coreaddons-data - KDE Frameworks 5 addons to QtCore - data files
 libkf5coreaddons-dev - KDE Frameworks 5 addons to QtCore - development files
 libkf5coreaddons5 - KDE Frameworks 5 addons to QtCore
Closes: 840547
Changes:
 kcoreaddons (5.26.0-2) unstable; urgency=high
 .
   [ Sandro Knauß ]
   * Added patches to fix CVE-2016-7966 (Closes: #840547)
     0001-Fix-very-old-bug-when-we-remove-space-in-url-as-foo-.patch
     0002-Don-t-convert-as-url-an-url-which-has-a.patch
     - Fixes CVE-2016-7966
       https://security-tracker.debian.org/tracker/CVE-2016-7966

Thank you for your contribution to Debian.
Processing of kcoreaddons_5.26.0-2_amd64.changes
kcoreaddons_5.26.0-2_amd64.changes uploaded successfully to localhost along with the files: kcoreaddons_5.26.0-2.dsc kcoreaddons_5.26.0-2.debian.tar.xz libkf5coreaddons-bin-dev-dbgsym_5.26.0-2_amd64.deb libkf5coreaddons-bin-dev_5.26.0-2_amd64.deb libkf5coreaddons-data_5.26.0-2_all.deb libkf5coreaddons-dev_5.26.0-2_amd64.deb libkf5coreaddons5-dbgsym_5.26.0-2_amd64.deb libkf5coreaddons5_5.26.0-2_amd64.deb Greetings, Your Debian queue daemon (running on host franck.debian.org)
Bug#840547: marked as done (KMail: HTML injection in plain text viewer)
Your message dated Wed, 12 Oct 2016 19:34:57 + with message-id and subject line Bug#840547: fixed in kcoreaddons 5.26.0-2 has caused the Debian Bug report #840547, regarding KMail: HTML injection in plain text viewer to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
840547: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=840547
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Package: kdepimlibs
Version: 4:4.4.5-2
Severity: grave
Tags: security patch upstream
Justification: user security hole

KDE Project Security Advisory
=============================

Title:          KMail: HTML injection in plain text viewer
Risk Rating:    Important
CVE:            CVE-2016-7966
Platforms:      All
Versions:       kmail >= 4.4.0
Author:         Andre Heinecke
Date:           6 October 2016

Overview
========

Through a malicious URL that contained a quote character it was possible to inject HTML code in KMail's plain text viewer. Due to the parser used on the URL it was not possible to include the equal sign (=) or a space into the injected HTML, which greatly reduces the available HTML functionality. Although it is possible to include an HTML comment indicator to hide content.

Impact
======

An unauthenticated attacker can send out mails with malicious content that breaks KMail's plain text HTML escape logic. Due to the limitations of the provided HTML in itself it might not be serious. But as a way to break out of KMail's restricted Plain text mode this might open the way to the exploitation of other vulnerabilities in the HTML viewer code, which is disabled by default.

Workaround
==========

None.
Solution For KDE Frameworks based releases of KMail apply the following patch to kcoreaddons: https://quickgit.kde.org/?p=kcoreaddons.git=commitdiff=96e562d9138c100498da38e4c5b4091a226dde12 For kdelibs4 based releases apply the following patch: https://quickgit.kde.org/?p=kdepimlibs.git=commitdiff=176fee25ca79145ab5c8e2275d248f1a46a8d8cf Credits === Thanks to Roland Tapken for reporting this issue, Andre Heinecke from Intevation GmbH for analysing the problems and Laurent Montel for fixing this issue. From: Montel Laurent Date: Fri, 30 Sep 2016 13:55:35 + Subject: Backport avoid to transform as a url when we have a quote X-Git-Url: http://quickgit.kde.org/?p=kdepimlibs.git=commitdiff=176fee25ca79145ab5c8e2275d248f1a46a8d8cf --- Backport avoid to transform as a url when we have a quote --- --- a/kpimutils/linklocator.cpp +++ b/kpimutils/linklocator.cpp @@ -94,6 +94,12 @@ } QString LinkLocator::getUrl() +{ +return getUrlAndCheckValidHref(); +} + + +QString LinkLocator::getUrlAndCheckValidHref(bool *badurl) { QString url; if ( atUrl() ) { @@ -129,13 +135,26 @@ url.reserve( maxUrlLen() ); // avoid allocs int start = mPos; +bool previousCharIsADoubleQuote = false; while ( ( mPos < (int)mText.length() ) && ( mText[mPos].isPrint() || mText[mPos].isSpace() ) && ( ( afterUrl.isNull() && !mText[mPos].isSpace() ) || ( !afterUrl.isNull() && mText[mPos] != afterUrl ) ) ) { if ( !mText[mPos].isSpace() ) { // skip whitespace -url.append( mText[mPos] ); -if ( url.length() > maxUrlLen() ) { + if (mText[mPos] == QLatin1Char('>') && previousCharIsADoubleQuote) { + //it's an invalid url + if (badurl) { + *badurl = true; + } + return QString(); + } + if (mText[mPos] == QLatin1Char('"')) { + previousCharIsADoubleQuote = true; + } else { + previousCharIsADoubleQuote = false; + } + url.append( mText[mPos] ); + if ( url.length() > maxUrlLen() ) { break; } } 
@@ -367,7 +386,12 @@ } else { const int start = locator.mPos; if ( !( flags & IgnoreUrls ) ) { -str = locator.getUrl(); +bool badUrl = false; +str = locator.getUrlAndCheckValidHref(); +if (badUrl) { +return locator.mText; +} + if ( !str.isEmpty() ) { QString hyperlink; if ( str.left( 4 ) == QLatin1String("www.") ) { --- a/kpimutils/linklocator.h +++ b/kpimutils/linklocator.h @@ -107,6 +107,7 @@ @return The URL at the current scan position, or an empty string. */ QString getUrl(); +QString getUrlAndCheckValidHref(bool *badurl = 0); /** Attempts to
Bug#840546: Stable Debdiff For CVE-2016-7966/kdepimlibs
Hi Scott,

On Wed, Oct 12, 2016 at 02:56:06PM -0400, Scott Kitterman wrote:
> Proposed update attached. It is the exact upstream commit that resolved this
> issue upstream (relevant code is unchanged from stable) and I have the fix
> running locally. I do not have an example of the exploit to verify the
> adequacy of the fix, but it does appear to be regression free.
>
> I have an upload for jessie-security prepared.

Thanks, please do upload in this case. Remember to build with -sa, since it's the first upload dak on security-master sees for kdepimlibs.

Regards,
Salvatore
Bug#840546: Stable Debdiff For CVE-2016-7966/kdepimlibs
On Wed, Oct 12, 2016 at 02:56:06PM -0400, Scott Kitterman wrote:
> Proposed update attached. It is the exact upstream commit that resolved this
> issue upstream (relevant code is unchanged from stable) and I have the fix
> running locally. I do not have an example of the exploit to verify the
> adequacy of the fix, but it does appear to be regression free.
>
> I have an upload for jessie-security prepared.

Looks fine, please build with "-sa" and upload to security-master.

Cheers,
Moritz
kdepimlibs_4.14.10-6_amd64.changes ACCEPTED into unstable
Accepted:

Format: 1.8
Date: Wed, 12 Oct 2016 14:41:12 -0400
Source: kdepimlibs
Binary: kdepimlibs5-dev kdepimlibs-kio-plugins libakonadi-contact4 libakonadi-kabc4 libakonadi-kcal4 libakonadi-kde4 libakonadi-kmime4 libakonadi-socialutils4 libakonadi-notes4 libakonadi-xml4 libgpgme++2v5 libkabc4 libkblog4 libkalarmcal2 libkcal4 libkcalcore4 libkcalutils4 libkholidays4 libkimap4 libkldap4 libkmbox4 libakonadi-calendar4 libkmime4 libkontactinterface4a libkpimidentities4 libkpimtextedit4 libkpimutils4 libkresources4 libktnef4 libkxmlrpcclient4 libmailtransport4 libmicroblog4 libqgpgme1 libsyndication4 kdepimlibs-dbg
Architecture: source amd64
Version: 4:4.14.10-6
Distribution: unstable
Urgency: high
Maintainer: Debian/Kubuntu Qt/KDE Maintainers
Changed-By: Scott Kitterman
Description:
 kdepimlibs-dbg - debugging symbols for the KDE Development Platform PIM libraries
 kdepimlibs-kio-plugins - kio slaves used by KDE PIM applications
 kdepimlibs5-dev - development files for the KDE Development Platform PIM libraries
 libakonadi-calendar4 - library providing calendar helpers for Akonadi items
 libakonadi-contact4 - Akonadi contacts access library
 libakonadi-kabc4 - Akonadi address book access library
 libakonadi-kcal4 - Akonadi calendar access library
 libakonadi-kde4 - library for using the Akonadi PIM data server
 libakonadi-kmime4 - Akonadi MIME handling library
 libakonadi-notes4 - Akonadi notes access library
 libakonadi-socialutils4 - Akonadi resources for handling social feeds
 libakonadi-xml4 - Akonadi XML helper library
 libgpgme++2v5 - C++ wrapper library for GPGME
 libkabc4 - library for handling address book data
 libkalarmcal2 - library for handling kalarm calendar data
 libkblog4 - client-side support library for web application remote blogging A
 libkcal4 - library for handling calendar data
 libkcalcore4 - library for handling calendar data
 libkcalutils4 - library with utility functions for the handling of calendar data
 libkholidays4 - holidays calculation library
 libkimap4 - library for handling IMAP data
 libkldap4 - library for accessing LDAP
 libkmbox4 - library for handling mbox mailboxes
 libkmime4 - library for handling MIME data
 libkontactinterface4a - Kontact interface library
 libkpimidentities4 - library for managing user identities
 libkpimtextedit4 - library that provides a textedit with PIM-specific features
 libkpimutils4 - library for dealing with email addresses
 libkresources4 - KDE Resource framework library
 libktnef4 - library for handling TNEF data
 libkxmlrpcclient4 - simple XML-RPC client library
 libmailtransport4 - mail transport service library
 libmicroblog4 - library for using the Microblog Akonadi Resource
 libqgpgme1 - library for GpgME++ integration with Qt
 libsyndication4 - parser library for RSS and Atom feeds
Closes: 840546
Changes:
 kdepimlibs (4:4.14.10-6) unstable; urgency=high
 .
   * Team upload.
   * CVE-2016-7966 KMail: HTML injection in plain text viewer (Closes: #840546)
     - Avoid transforming as a url in plain text mode when there is a quote
     - Add debian/patches/CVE-2016-7966.diff from upstream
Processing of kdepimlibs_4.14.10-6_amd64.changes
kdepimlibs_4.14.10-6_amd64.changes uploaded successfully to localhost along with the files: kdepimlibs_4.14.10-6.dsc kdepimlibs_4.14.10-6.debian.tar.xz kdepimlibs-dbg_4.14.10-6_amd64.deb kdepimlibs-kio-plugins_4.14.10-6_amd64.deb kdepimlibs5-dev_4.14.10-6_amd64.deb libakonadi-calendar4_4.14.10-6_amd64.deb libakonadi-contact4_4.14.10-6_amd64.deb libakonadi-kabc4_4.14.10-6_amd64.deb libakonadi-kcal4_4.14.10-6_amd64.deb libakonadi-kde4_4.14.10-6_amd64.deb libakonadi-kmime4_4.14.10-6_amd64.deb libakonadi-notes4_4.14.10-6_amd64.deb libakonadi-socialutils4_4.14.10-6_amd64.deb libakonadi-xml4_4.14.10-6_amd64.deb libgpgme++2v5_4.14.10-6_amd64.deb libkabc4_4.14.10-6_amd64.deb libkalarmcal2_4.14.10-6_amd64.deb libkblog4_4.14.10-6_amd64.deb libkcal4_4.14.10-6_amd64.deb libkcalcore4_4.14.10-6_amd64.deb libkcalutils4_4.14.10-6_amd64.deb libkholidays4_4.14.10-6_amd64.deb libkimap4_4.14.10-6_amd64.deb libkldap4_4.14.10-6_amd64.deb libkmbox4_4.14.10-6_amd64.deb libkmime4_4.14.10-6_amd64.deb libkontactinterface4a_4.14.10-6_amd64.deb libkpimidentities4_4.14.10-6_amd64.deb libkpimtextedit4_4.14.10-6_amd64.deb libkpimutils4_4.14.10-6_amd64.deb libkresources4_4.14.10-6_amd64.deb libktnef4_4.14.10-6_amd64.deb libkxmlrpcclient4_4.14.10-6_amd64.deb libmailtransport4_4.14.10-6_amd64.deb libmicroblog4_4.14.10-6_amd64.deb libqgpgme1_4.14.10-6_amd64.deb libsyndication4_4.14.10-6_amd64.deb Greetings, Your Debian queue daemon (running on host franck.debian.org)
Re: Calligra stable releases not in Debian stable Jessi
On 8 October 2016 at 15:20, Maximiliano Curia wrote:

> Hello Jaroslaw!
>
> On 2016-10-01 at 00:43 +0200, Jaroslaw Staniek wrote:
>
>> On 1 October 2016 at 00:18, Nicolás Alvarez wrote:
>>
>>> 2016-09-30 6:31 GMT-03:00 Jaroslaw Staniek:
>>>
>> Honestly, we know via telemetrics that more than needed users run
>> outdated software.
>>
>
> What kind of telemetrics are these?
>

Overview and stats here: https://blogs.kde.org/2013/12/09/usage-stats

--
regards, Jaroslaw Staniek

KDE:
: A world-wide network of software engineers, artists, writers, translators
: and facilitators committed to Free Software development - http://kde.org
Calligra Suite:
: A graphic art and office suite - http://calligra.org
Kexi:
: A visual database apps builder - http://calligra.org/kexi
Qt Certified Specialist:
: http://www.linkedin.com/in/jstaniek
Bug#840546: marked as done (KMail: HTML injection in plain text viewer)
Your message dated Wed, 12 Oct 2016 19:19:32 + with message-id and subject line Bug#840546: fixed in kdepimlibs 4:4.14.10-6 has caused the Debian Bug report #840546, regarding KMail: HTML injection in plain text viewer to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
840546: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=840546
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Package: kdepimlibs
Version: 4:4.4.5-2
Severity: grave
Tags: security patch upstream
Justification: user security hole

KDE Project Security Advisory
=============================

Title:          KMail: HTML injection in plain text viewer
Risk Rating:    Important
CVE:            CVE-2016-7966
Platforms:      All
Versions:       kmail >= 4.4.0
Author:         Andre Heinecke
Date:           6 October 2016

Overview
========

Through a malicious URL that contained a quote character it was possible to inject HTML code in KMail's plain text viewer. Due to the parser used on the URL it was not possible to include the equal sign (=) or a space into the injected HTML, which greatly reduces the available HTML functionality. Although it is possible to include an HTML comment indicator to hide content.

Impact
======

An unauthenticated attacker can send out mails with malicious content that breaks KMail's plain text HTML escape logic. Due to the limitations of the provided HTML in itself it might not be serious. But as a way to break out of KMail's restricted Plain text mode this might open the way to the exploitation of other vulnerabilities in the HTML viewer code, which is disabled by default.

Workaround
==========

None.
Solution For KDE Frameworks based releases of KMail apply the following patch to kcoreaddons: https://quickgit.kde.org/?p=kcoreaddons.git=commitdiff=96e562d9138c100498da38e4c5b4091a226dde12 For kdelibs4 based releases apply the following patch: https://quickgit.kde.org/?p=kdepimlibs.git=commitdiff=176fee25ca79145ab5c8e2275d248f1a46a8d8cf Credits === Thanks to Roland Tapken for reporting this issue, Andre Heinecke from Intevation GmbH for analysing the problems and Laurent Montel for fixing this issue. From: Montel Laurent Date: Fri, 30 Sep 2016 13:55:35 + Subject: Backport avoid to transform as a url when we have a quote X-Git-Url: http://quickgit.kde.org/?p=kdepimlibs.git=commitdiff=176fee25ca79145ab5c8e2275d248f1a46a8d8cf --- Backport avoid to transform as a url when we have a quote --- --- a/kpimutils/linklocator.cpp +++ b/kpimutils/linklocator.cpp @@ -94,6 +94,12 @@ } QString LinkLocator::getUrl() +{ +return getUrlAndCheckValidHref(); +} + + +QString LinkLocator::getUrlAndCheckValidHref(bool *badurl) { QString url; if ( atUrl() ) { @@ -129,13 +135,26 @@ url.reserve( maxUrlLen() ); // avoid allocs int start = mPos; +bool previousCharIsADoubleQuote = false; while ( ( mPos < (int)mText.length() ) && ( mText[mPos].isPrint() || mText[mPos].isSpace() ) && ( ( afterUrl.isNull() && !mText[mPos].isSpace() ) || ( !afterUrl.isNull() && mText[mPos] != afterUrl ) ) ) { if ( !mText[mPos].isSpace() ) { // skip whitespace -url.append( mText[mPos] ); -if ( url.length() > maxUrlLen() ) { + if (mText[mPos] == QLatin1Char('>') && previousCharIsADoubleQuote) { + //it's an invalid url + if (badurl) { + *badurl = true; + } + return QString(); + } + if (mText[mPos] == QLatin1Char('"')) { + previousCharIsADoubleQuote = true; + } else { + previousCharIsADoubleQuote = false; + } + url.append( mText[mPos] ); + if ( url.length() > maxUrlLen() ) { break; } } 
@@ -367,7 +386,12 @@ } else { const int start = locator.mPos; if ( !( flags & IgnoreUrls ) ) { -str = locator.getUrl(); +bool badUrl = false; +str = locator.getUrlAndCheckValidHref(); +if (badUrl) { +return locator.mText; +} + if ( !str.isEmpty() ) { QString hyperlink; if ( str.left( 4 ) == QLatin1String("www.") ) { --- a/kpimutils/linklocator.h +++ b/kpimutils/linklocator.h @@ -107,6 +107,7 @@ @return The URL at the current scan position, or an empty string. */ QString getUrl(); +QString getUrlAndCheckValidHref(bool *badurl = 0); /** Attempts to
kdepimlibs_4.14.10-2_amd64.changes REJECTED
Version check failed: Your upload included the source package kdepimlibs, version 4:4.14.10-2, however testing already has version 4:4.14.10-5. Uploads to unstable must have a higher version than present in testing. === Please feel free to respond to this email if you don't understand why your files were rejected, or if you upload new files which address our concerns.
Processing of kdepimlibs_4.14.10-2_amd64.changes
kdepimlibs_4.14.10-2_amd64.changes uploaded successfully to localhost along with the files: kdepimlibs_4.14.10-2.dsc kdepimlibs_4.14.10-2.debian.tar.xz kdepimlibs-dbg_4.14.10-2_amd64.deb kdepimlibs-kio-plugins_4.14.10-2_amd64.deb kdepimlibs5-dev_4.14.10-2_amd64.deb libakonadi-calendar4_4.14.10-2_amd64.deb libakonadi-contact4_4.14.10-2_amd64.deb libakonadi-kabc4_4.14.10-2_amd64.deb libakonadi-kcal4_4.14.10-2_amd64.deb libakonadi-kde4_4.14.10-2_amd64.deb libakonadi-kmime4_4.14.10-2_amd64.deb libakonadi-notes4_4.14.10-2_amd64.deb libakonadi-socialutils4_4.14.10-2_amd64.deb libakonadi-xml4_4.14.10-2_amd64.deb libgpgme++2v5_4.14.10-2_amd64.deb libkabc4_4.14.10-2_amd64.deb libkalarmcal2_4.14.10-2_amd64.deb libkblog4_4.14.10-2_amd64.deb libkcal4_4.14.10-2_amd64.deb libkcalcore4_4.14.10-2_amd64.deb libkcalutils4_4.14.10-2_amd64.deb libkholidays4_4.14.10-2_amd64.deb libkimap4_4.14.10-2_amd64.deb libkldap4_4.14.10-2_amd64.deb libkmbox4_4.14.10-2_amd64.deb libkmime4_4.14.10-2_amd64.deb libkontactinterface4a_4.14.10-2_amd64.deb libkpimidentities4_4.14.10-2_amd64.deb libkpimtextedit4_4.14.10-2_amd64.deb libkpimutils4_4.14.10-2_amd64.deb libkresources4_4.14.10-2_amd64.deb libktnef4_4.14.10-2_amd64.deb libkxmlrpcclient4_4.14.10-2_amd64.deb libmailtransport4_4.14.10-2_amd64.deb libmicroblog4_4.14.10-2_amd64.deb libqgpgme1_4.14.10-2_amd64.deb libsyndication4_4.14.10-2_amd64.deb Greetings, Your Debian queue daemon (running on host franck.debian.org)
Processed: found 840547 in 5.7.0-1
Processing commands for cont...@bugs.debian.org:

> found 840547 5.7.0-1
Bug #840547 [kcoreaddons] KMail: HTML injection in plain text viewer
There is no source info for the package 'kcoreaddons' at version '5.7.0-1' with architecture ''
Unable to make a source version for version '5.7.0-1'
Marked as found in versions 5.7.0-1.
> thanks
Stopping processing here.

Please contact me if you need assistance.
--
840547: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=840547
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Processed: tagging 840547
Processing commands for cont...@bugs.debian.org:

> tags 840547 + pending
Bug #840547 [kcoreaddons] KMail: HTML injection in plain text viewer
Added tag(s) pending.
> thanks
Stopping processing here.

Please contact me if you need assistance.
--
840547: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=840547
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Processed: tagging 840547
Processing commands for cont...@bugs.debian.org:

> tags 840547 - patch
Bug #840547 [kcoreaddons] KMail: HTML injection in plain text viewer
Removed tag(s) patch.
> thanks
Stopping processing here.

Please contact me if you need assistance.
--
840547: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=840547
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Processed: cloning 840546
Processing commands for cont...@bugs.debian.org:

> clone 840546 -1
Bug #840546 [kdepimlibs] KMail: HTML injection in plain text viewer
Bug 840546 cloned as bug 840547
> reassign -1 kcoreaddons 5.0
Bug #840547 [kdepimlibs] KMail: HTML injection in plain text viewer
Bug reassigned from package 'kdepimlibs' to 'kcoreaddons'.
No longer marked as found in versions 4:4.4.5-2.
Ignoring request to alter fixed versions of bug #840547 to the same values previously set
Bug #840547 [kcoreaddons] KMail: HTML injection in plain text viewer
There is no source info for the package 'kcoreaddons' at version '5.0' with architecture ''
Unable to make a source version for version '5.0'
Marked as found in versions 5.0.
> thanks
Stopping processing here.

Please contact me if you need assistance.
--
840546: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=840546
840547: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=840547
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#840546: KMail: HTML injection in plain text viewer
Package: kdepimlibs
Version: 4:4.4.5-2
Severity: grave
Tags: security patch upstream
Justification: user security hole

KDE Project Security Advisory
=============================

Title:          KMail: HTML injection in plain text viewer
Risk Rating:    Important
CVE:            CVE-2016-7966
Platforms:      All
Versions:       kmail >= 4.4.0
Author:         Andre Heinecke
Date:           6 October 2016

Overview
========

Through a malicious URL that contained a quote character it was possible to inject HTML code in KMail's plain text viewer. Due to the parser used on the URL it was not possible to include the equal sign (=) or a space into the injected HTML, which greatly reduces the available HTML functionality. Although it is possible to include an HTML comment indicator to hide content.

Impact
======

An unauthenticated attacker can send out mails with malicious content that breaks KMail's plain text HTML escape logic. Due to the limitations of the provided HTML in itself it might not be serious. But as a way to break out of KMail's restricted Plain text mode this might open the way to the exploitation of other vulnerabilities in the HTML viewer code, which is disabled by default.

Workaround
==========

None.

Solution
========

For KDE Frameworks based releases of KMail apply the following patch to kcoreaddons:
https://quickgit.kde.org/?p=kcoreaddons.git=commitdiff=96e562d9138c100498da38e4c5b4091a226dde12

For kdelibs4 based releases apply the following patch:
https://quickgit.kde.org/?p=kdepimlibs.git=commitdiff=176fee25ca79145ab5c8e2275d248f1a46a8d8cf

Credits
=======

Thanks to Roland Tapken for reporting this issue, Andre Heinecke from Intevation GmbH for analysing the problems and Laurent Montel for fixing this issue.

From: Montel Laurent
Date: Fri, 30 Sep 2016 13:55:35 +
Subject: Backport avoid to transform as a url when we have a quote
X-Git-Url: http://quickgit.kde.org/?p=kdepimlibs.git=commitdiff=176fee25ca79145ab5c8e2275d248f1a46a8d8cf

--- Backport avoid to transform as a url when we have a quote ---

--- a/kpimutils/linklocator.cpp +++ b/kpimutils/linklocator.cpp
@@ -94,6 +94,12 @@ } QString LinkLocator::getUrl() +{ +return getUrlAndCheckValidHref(); +} + + +QString LinkLocator::getUrlAndCheckValidHref(bool *badurl) { QString url; if ( atUrl() ) { @@ -129,13 +135,26 @@ url.reserve( maxUrlLen() ); // avoid allocs int start = mPos; +bool previousCharIsADoubleQuote = false; while ( ( mPos < (int)mText.length() ) && ( mText[mPos].isPrint() || mText[mPos].isSpace() ) && ( ( afterUrl.isNull() && !mText[mPos].isSpace() ) || ( !afterUrl.isNull() && mText[mPos] != afterUrl ) ) ) { if ( !mText[mPos].isSpace() ) { // skip whitespace -url.append( mText[mPos] ); -if ( url.length() > maxUrlLen() ) { + if (mText[mPos] == QLatin1Char('>') && previousCharIsADoubleQuote) { + //it's an invalid url + if (badurl) { + *badurl = true; + } + return QString(); + } + if (mText[mPos] == QLatin1Char('"')) { + previousCharIsADoubleQuote = true; + } else { + previousCharIsADoubleQuote = false; + } + url.append( mText[mPos] ); + if ( url.length() > maxUrlLen() ) { break; } } @@ -367,7 +386,12 @@ } else { const int start = locator.mPos; if ( !( flags & IgnoreUrls ) ) { -str = locator.getUrl(); +bool badUrl = false; +str = locator.getUrlAndCheckValidHref(); +if (badUrl) { +return locator.mText; +} + if ( !str.isEmpty() ) { QString hyperlink; if ( str.left( 4 ) == QLatin1String("www.") ) { --- a/kpimutils/linklocator.h +++ b/kpimutils/linklocator.h @@ -107,6 +107,7 @@ @return The URL at the current scan position, or an empty string. */ QString getUrl(); +QString getUrlAndCheckValidHref(bool *badurl = 0); /** Attempts to grab an email address. If there is an @ symbol at the @@ -155,7 +156,7 @@ */ static QString pngToDataUrl( const QString & iconPath ); - protected: +protected: /** The plaintext string being scanned for URLs and email addresses. */
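Review bot: In the @@ -367,7 +386,12 @@ hunk of linklocator.cpp, `badUrl` is declared and tested but never handed to the scanner: `str = locator.getUrlAndCheckValidHref();` runs with the default `badurl = 0`, so `if (badUrl)` can never be true and the `return locator.mText;` branch is dead code. Pass the address, `str = locator.getUrlAndCheckValidHref(&badUrl);`. Once that branch is reachable it returns `locator.mText`, the unprocessed input, so confirm that callers of this conversion do not treat the return value as already escaped.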
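Review bot: In the @@ -129,13 +135,26 @@ hunk the new test fires only for a double quote followed by '>' (`mText[mPos] == QLatin1Char('>') && previousCharIsADoubleQuote`); a URL holding a double quote followed by any other character is still appended to `url` and returned. If the intent is that no quote may end up inside an href, reject on the quote itself, or make sure the URL is escaped where the hyperlink is built. The early `return QString();` also leaves `mPos` wherever the scan stopped even though `start` was saved a few lines above; a comment should say whether that is intended. The if/else that maintains the flag can be a single assignment from the comparison.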
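Review bot: In linklocator.h the new public `getUrlAndCheckValidHref(bool *badurl = 0)` is added without a doc comment, unlike `getUrl()` directly above it; document what `badurl` reports and that an empty string is returned in that case. The `protected:` change in the last hunk is whitespace only and unrelated to the fix, so it is better left out of a security backport.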
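The failure mode the advisory describes, modelled as an added example (not KMail or kdepimlibs code): a small plain-text-to-HTML linkifier in standard C++ whose `Mode::PrePatch` path copies the scanned URL into `href` unescaped, beside a `Mode::Hardened` path that applies the patch's quote-then-'>' check with the out-parameter actually passed and also escapes the `href`. The names `toHtml`, `scanUrl`, `escapeHtml` and `Mode`, and the sample strings, are constructed for illustration.

```cpp
#include <cctype>
#include <cstddef>
#include <iostream>
#include <string>

enum class Mode { PrePatch, Hardened };

// Escape text for HTML element content or a double-quoted attribute value.
std::string escapeHtml(const std::string &in) {
    std::string out;
    out.reserve(in.size());
    for (char c : in) {
        switch (c) {
        case '&': out += "&amp;"; break;
        case '<': out += "&lt;"; break;
        case '>': out += "&gt;"; break;
        case '"': out += "&quot;"; break;
        case '\'': out += "&#39;"; break;
        default: out += c;
        }
    }
    return out;
}

static bool atUrl(const std::string &t, std::size_t pos) {
    return t.compare(pos, 7, "http://") == 0 || t.compare(pos, 8, "https://") == 0;
}

// Collect the URL starting at pos, up to the next whitespace.
// In Hardened mode a '"' directly followed by '>' marks the URL as bad,
// reports it through badUrl and restores the scan position.
std::string scanUrl(const std::string &text, std::size_t &pos, Mode mode, bool *badUrl) {
    const std::size_t start = pos;
    std::string url;
    bool prevQuote = false;
    while (pos < text.size() && !std::isspace(static_cast<unsigned char>(text[pos]))) {
        const char c = text[pos];
        if (mode == Mode::Hardened && c == '>' && prevQuote) {
            if (badUrl) *badUrl = true;
            pos = start;
            return std::string();
        }
        prevQuote = (c == '"');
        url += c;
        ++pos;
    }
    return url;
}

// Convert plain text to HTML, turning http(s) URLs into links.
std::string toHtml(const std::string &text, Mode mode) {
    std::string out;
    std::size_t pos = 0;
    while (pos < text.size()) {
        if (atUrl(text, pos)) {
            bool badUrl = false;
            const std::string url = scanUrl(text, pos, mode, &badUrl); // flag is wired in
            if (badUrl) {
                return escapeHtml(text); // no links at all, everything escaped
            }
            if (!url.empty()) {
                // PrePatch: raw URL inside the attribute. Hardened: escaped.
                const std::string href = (mode == Mode::Hardened) ? escapeHtml(url) : url;
                out += "<a href=\"" + href + "\">" + escapeHtml(url) + "</a>";
                continue;
            }
        }
        out += escapeHtml(std::string(1, text[pos]));
        ++pos;
    }
    return out;
}

int main() {
    // Constructed sample inputs.
    const char *samples[] = {
        "see http://example.test/\"><i>x",
        "http://example.test/a\"b",
        "http://example.test/ok",
    };
    for (const char *s : samples) {
        std::cout << "input:    " << s << "\n"
                  << "prepatch: " << toHtml(s, Mode::PrePatch) << "\n"
                  << "hardened: " << toHtml(s, Mode::Hardened) << "\n\n";
    }
    return 0;
}
```

The second sample is the case the quote-then-'>' check alone does not cover; only the attribute escaping keeps that quote inside the `href`.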
Bug#797999: more debug info
On 10/12/2016 11:44 AM, Eric Valette wrote:
On 10/12/2016 10:57 AM, Eric Valette wrote:
On 10/11/2016 04:22 PM, Eric Valette wrote:
On 10/11/2016 04:10 PM, Dominique Dumont wrote:

Could you try that on your side ?

I can do the test but I never open the lid when docked so this will not be my use case and this means also modifying my xorg.conf. Once session is initialized with kdm, in system settings-> display and monitor, I have DP4 on at 1920x1200 (as reported by xrandr even when failing) and DP3 off.

I tried to let the lid open with my actual xorg.conf and rebooted, both screen go black. I can still switch to laptop lid in text mode using ctrl-alt-f1. I logged to my account, killed sddm service and did a startx, and the kde session shows up correctly on the external monitor and laptop screen goes black.

I was in a meeting so undocked my laptop and by curiosity completely removed the xorg.conf and tried sddm. Even in this simplest config it fails and the screen goes black after displaying the Nvidia logo (usually I use the No Logo option but as xorg.conf was empty). I got sddm errors in /var/run/sddm.log. It says the greeter can't open the display.

So probably the problem is not the docking and the external monitor. Compared to other working setup with same software stack (legacy 340 nvidia driver), the only thing I can see that differs is the fact that the laptop lid is wired via DisplayPort versus HDMI.

xrandr on this config when started via kdm

Screen 0: minimum 8 x 8, current 1440 x 900, maximum 8192 x 8192
VGA-0 disconnected (normal left inverted right x axis y axis)
DP-0 disconnected (normal left inverted right x axis y axis)
DP-1 disconnected (normal left inverted right x axis y axis)
DP-2 disconnected (normal left inverted right x axis y axis)
DP-3 connected primary 1440x900+0+0 (normal left inverted right x axis y axis) 304mm x 190mm
   1440x900 59.96*+ 39.96
DP-4 disconnected (normal left inverted right x axis y axis)

--eric
Bug#839715: systemtray: Network Widget in Systemtray: 2 Buttons without any description or Icon
Control: tag -1 + confirmed
Control: forwarded -1 https://bugs.kde.org/show_bug.cgi?id=370541

Hello Maria!

On 2016-10-04 at 11:15 +0200, Maria wrote:

Package: plasma-workspace
Version: 4:5.7.4-1
Severity: normal
File: systemtray

as shown in the attached screenshot the two buttons of the network widget in the systemtray don't have any description or icon. They would be helpful. :)

I could reproduce this issue when switching to the oxygen icon theme, and forwarded this report upstream. You might want to switch to the breeze icon theme, which is the current default. (only one icon was missing for me when using 5.8.0)

Happy hacking,
--
"It is practically impossible to teach good programming to students that have had a prior exposure to BASIC: as potential programmers they are mentally mutilated beyond hope of regeneration." -- Edsger W. Dijkstra
Regards /\/\ /\ >< `/
Processed: Re: Bug#839715: systemtray: Network Widget in Systemtray: 2 Buttons without any description or Icon
Processing control commands:

> tag -1 + confirmed
Bug #839715 [plasma-workspace] systemtray: Network Widget in Systemtray: 2 Buttons without any description or Icon
Added tag(s) confirmed.
> forwarded -1 https://bugs.kde.org/show_bug.cgi?id=370541
Bug #839715 [plasma-workspace] systemtray: Network Widget in Systemtray: 2 Buttons without any description or Icon
Set Bug forwarded-to-address to 'https://bugs.kde.org/show_bug.cgi?id=370541'.

--
839715: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=839715
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#797999: more debug info
On 10/12/2016 10:57 AM, Eric Valette wrote:
On 10/11/2016 04:22 PM, Eric Valette wrote:
On 10/11/2016 04:10 PM, Dominique Dumont wrote:

Could you try that on your side?

I can do the test but I never open the lid when docked so this will not be my use case and this means also modifying my xorg.conf. Once session is initialized with kdm, in system settings-> display and monitor, I have DP4 on at 1920x1200 (as reported by xrandr even when failing) and DP3 off.

I tried to let the lid open with my actual xorg.conf and rebooted, both screens go black. I can still switch to laptop lid in text mode using ctrl-alt-f1. I logged in to my account, killed sddm service and did a startx, and the kde session shows up correctly on the external monitor and laptop screen goes black.

Could you try to use nvidia-settings to disable your laptop screen, via the X Server Display Configuration menu and use save X configuration file (in /tmp/xorg.conf), back up your actual /etc/X11/xorg.conf if you have one and then replace your working dual screen conf by the /tmp/xorg.conf

NB: actually the xorg.conf file generated is not perfect, it misses the config for the second monitor, and still uses the laptop screen identifier in the Screen section while adding the external monitor config

dpkg -s nvidia-settings-legacy-340xx
Package: nvidia-settings-legacy-340xx
Status: install ok installed
Priority: optional
Section: contrib/x11
Installed-Size: 1861
Maintainer: Debian NVIDIA Maintainers
Architecture: amd64
Version: 340.93-1
Depends: pkg-config, nvidia-legacy-340xx-alternative, libc6 (>= 2.14), libgdk-pixbuf2.0-0 (>= 2.22.0), libglib2.0-0 (>= 2.12.0), libgtk2.0-0 (>= 2.8.0), libjansson4 (>= 2.3), libpango-1.0-0 (>= 1.14.0), libx11-6 (>= 2:1.4.99.1), libxext6, libxxf86vm1
Pre-Depends: nvidia-installer-cleanup
Recommends: libgl1-nvidia-legacy-340xx-glx
Breaks: nvidia-alternative (<< 313.30-2), nvidia-alternative-legacy-173xx (<< 173.14.37), nvidia-alternative-legacy-96xx (<< 96.43.23-4)
Description: tool for configuring the NVIDIA graphics driver (340xx legacy version)
 The nvidia-settings utility is a tool for configuring the NVIDIA Linux graphics driver. It operates by communicating with the NVIDIA X driver, querying and updating state as appropriate. This communication is done with the NV-CONTROL X extension.
 .
 Values such as brightness and gamma, XVideo attributes, temperature, and OpenGL settings can be queried and configured via nvidia-settings.
Homepage: ftp://download.nvidia.com/XFree86/nvidia-settings/
Bug#797999: We are now more than one year later and this critical bug is not fixed
On 10/11/2016 04:22 PM, Eric Valette wrote:
On 10/11/2016 04:10 PM, Dominique Dumont wrote:

Could you try that on your side?

I can do the test but I never open the lid when docked so this will not be my use case and this means also modifying my xorg.conf. Once session is initialized with kdm, in system settings-> display and monitor, I have DP4 on at 1920x1200 (as reported by xrandr even when failing) and DP3 off.

--eric
Bug#840478: ksmserver: autostart service "/usr/bin/conky" finished with exit code 0
Control: reassign -1 plasma-workspace 4:5.8.0-1
Control: severity -1 minor
Control: tag -1 + confirmed
Control: forwarded -1 https://bugs.kde.org/show_bug.cgi?id=370528

Hello allan!

On 2016-10-11 at 17:55 -0400, allan grossman wrote:

Package: kde-baseapps-bin
Version: 4:16.08.0-1
Severity: important

* What led up to the situation?

Upgraded Debian Unstable today.

* What exactly did you do (or not do) that was effective (or ineffective)?

Rebooted machine and started KDE as normal. conky refused to start and .xsession-errors gave the error above. Starting conky in a terminal window or with krunner works, it just won't autostart.

ksmserver: autostart service "/usr/bin/conky" finished with exit code 0

A similar report with some workarounds can be found in: https://bbs.archlinux.org/viewtopic.php?id=217920

The problem seems to be that conky's stderr is closed when started from the autostart in daemonize mode. Redirecting stderr or not daemonizing solves the problem.

Please note that using stderr after daemonizing a process is usually a bad practice, and conky should at least check for errors when writing to it before bailing out. (Consider a daemon started from a terminal, what happens when the user closes the terminal?)

* What was the outcome of this action?

As mentioned, conky exits.

* What outcome did you expect instead?

Expected conky to autostart.

*** /home/wizard/.config/autostart/conky.desktop
[Desktop Entry]
Exec=/usr/bin/conky -d
Icon=system-run
Path=
[Desktop Entry]
Exec=/usr/bin/conky -d
Icon=system-run
Path=
Terminal=false
Type=Application

Your desktop file seems to list two desktop entries, this seems to be wrong.

--
"When explaining a command, or language feature, or hardware widget, first describe the problem it is designed to solve." -- David Martin
Regards /\/\ /\ >< `/
Processed: Re: Bug#840478: ksmserver: autostart service "/usr/bin/conky" finished with exit code 0
Processing control commands:

> reassign -1 plasma-workspace 4:5.8.0-1
Bug #840478 [kde-baseapps-bin] ksmserver: autostart service "/usr/bin/conky" finished with exit code 0
Bug reassigned from package 'kde-baseapps-bin' to 'plasma-workspace'.
No longer marked as found in versions kde-baseapps/4:16.08.0-1.
Ignoring request to alter fixed versions of bug #840478 to the same values previously set
Bug #840478 [plasma-workspace] ksmserver: autostart service "/usr/bin/conky" finished with exit code 0
Marked as found in versions plasma-workspace/4:5.8.0-1.
> severity -1 minor
Bug #840478 [plasma-workspace] ksmserver: autostart service "/usr/bin/conky" finished with exit code 0
Severity set to 'minor' from 'important'
> tag -1 + confirmed
Bug #840478 [plasma-workspace] ksmserver: autostart service "/usr/bin/conky" finished with exit code 0
Added tag(s) confirmed.
> forwarded -1 https://bugs.kde.org/show_bug.cgi?id=370528
Bug #840478 [plasma-workspace] ksmserver: autostart service "/usr/bin/conky" finished with exit code 0
Set Bug forwarded-to-address to 'https://bugs.kde.org/show_bug.cgi?id=370528'.

--
840478: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=840478
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems