Bug#840546: CVE-2016-7966 kdepimlibs jessie
Hey Moritz,

ping. Is there anything missing before rolling out the patch inside jessie-security? Can I help somehow / do you need input from my side?

Regards,

sandro

--

On Friday, 14 October 2016, 21:23:45 CEST, Moritz Muehlenhoff wrote:
> On Fri, Oct 14, 2016 at 08:23:04PM +0200, Sandro Knauß wrote:
> > Hey,
> >
> > I now back-ported the second part of the fix for the CVE. I updated the
> > version deb8u1 from Scott. Should I create a deb8u2 for the additional
> > patch?
> >
> > I attached the up-to-date debdiff.
>
> Thanks, please upload.
>
> Cheers,
> Moritz
Bug#840546: CVE-2016-7966 kdepimlibs jessie
Hi Sandro,

On Fri, Oct 14, 2016 at 10:56:00PM +0200, Sandro Knauß wrote:
> Hi,
>
> now I'm fully confused - you said on IRC I should better create a deb8u2
> on top. Well, I have now created the debdiff for a deb8u2.
>
> So you can decide what is the best way for the sec team and what version
> should be uploaded where.

Sorry then if some confusion was present. I looked at the debdiff you sent previously and it was a +deb8u1 with all changes. That would not have worked, since +deb8u1 is now already on security-master and it would have been rejected by dak.

> diff -Nru kdepimlibs-4.14.2/debian/changelog > kdepimlibs-4.14.2/debian/changelog > --- kdepimlibs-4.14.2/debian/changelog2016-10-12 18:20:26.0 > +0200 > +++ kdepimlibs-4.14.2/debian/changelog2016-10-14 21:33:53.0 > +0200 > @@ -1,3 +1,14 @@ > +kdepimlibs (4:4.14.2-2+deb8u2) jessie-security; urgency=high > + > + * Team upload. > + * Additional patch to complete the fix for CVE-2016-7966 > +- Replace all scary charactars (", <, > and &) with safe HTML > + replacements. > +- Backport commit kcoreaddons 5e13d2439dbf540fdc840f0b0ab5b3ebf6642c6a > + in debian/patches/CVE-2016-7966_part2.diff > + > + -- Sandro Knauß Fri, 14 Oct 2016 21:33:53 +0200 > +

Thanks, that is exactly what I meant. Create a +deb8u2 with your additional needed fixes on top of the deb8u1 previously already uploaded by Scott. It's perfect now as you attached above. I will not interfere further now, since Moritz will take care of the DSA.

Regards,
Salvatore
Bug#840546: CVE-2016-7966 kdepimlibs jessie
Hi,

now I'm fully confused - you said on IRC I should better create a deb8u2 on top. Well, I have now created the debdiff for a deb8u2.

So you can decide what is the best way for the sec team and what version should be uploaded where.

Best Regards,

sandro

--

On Friday, 14 October 2016, 21:50:18 CEST, Salvatore Bonaccorso wrote:
> Hi,
>
> Just an additional comment on the debdiff:
>
> On Fri, Oct 14, 2016 at 08:23:04PM +0200, Sandro Knauß wrote:
> > Hey,
> >
> > I now back-ported the second part of the fix for the CVE. I updated the
> > version deb8u1 from Scott. Should I create a deb8u2 for the additional
> > patch?
>
> Please note, to build the attached debdiff instead as +deb8u2 on top
> of the +deb8u1 already present on security-master and just
> incorporate the additional changes needed.
>
> Regards and thanks for your work!
>
> Salvatore

diff -Nru kdepimlibs-4.14.2/debian/changelog kdepimlibs-4.14.2/debian/changelog --- kdepimlibs-4.14.2/debian/changelog 2016-10-12 18:20:26.0 +0200 +++ kdepimlibs-4.14.2/debian/changelog 2016-10-14 21:33:53.0 +0200 @@ -1,3 +1,14 @@ +kdepimlibs (4:4.14.2-2+deb8u2) jessie-security; urgency=high + + * Team upload. + * Additional patch to complete the fix for CVE-2016-7966 +- Replace all scary charactars (", <, > and &) with safe HTML + replacements. +- Backport commit kcoreaddons 5e13d2439dbf540fdc840f0b0ab5b3ebf6642c6a + in debian/patches/CVE-2016-7966_part2.diff + + -- Sandro Knauß Fri, 14 Oct 2016 21:33:53 +0200 + kdepimlibs (4:4.14.2-2+deb8u1) jessie-security; urgency=high * Team upload. diff -Nru kdepimlibs-4.14.2/debian/patches/CVE-2016-7966_part2.diff kdepimlibs-4.14.2/debian/patches/CVE-2016-7966_part2.diff --- kdepimlibs-4.14.2/debian/patches/CVE-2016-7966_part2.diff 1970-01-01 01:00:00.0 +0100 +++ kdepimlibs-4.14.2/debian/patches/CVE-2016-7966_part2.diff 2016-10-14 21:33:14.0 +0200 
@@ -0,0 +1,27 @@ +--- a/kpimutils/linklocator.cpp b/kpimutils/linklocator.cpp +@@ -389,7 +389,23 @@ QString LinkLocator::convertToHtml( cons + bool badUrl = false; + str = locator.getUrlAndCheckValidHref(&badUrl); + if (badUrl) { +-return locator.mText; ++QString resultBadUrl; ++const int helperTextSize(locator.mText.count()); ++for (int i = 0; i < helperTextSize; ++i) { ++const QChar chBadUrl = locator.mText[i]; ++if (chBadUrl == QLatin1Char('&')) { ++resultBadUrl += QLatin1String("&"); ++} else if (chBadUrl == QLatin1Char('"')) { ++resultBadUrl += QLatin1String("""); ++} else if (chBadUrl == QLatin1Char('<')) { ++resultBadUrl += QLatin1String("<"); ++} else if (chBadUrl == QLatin1Char('>')) { ++resultBadUrl += QLatin1String(">"); ++} else { ++resultBadUrl += chBadUrl; ++} ++} ++return resultBadUrl; + } + + if ( !str.isEmpty() ) { diff -Nru kdepimlibs-4.14.2/debian/patches/series kdepimlibs-4.14.2/debian/patches/series --- kdepimlibs-4.14.2/debian/patches/series 2016-10-12 18:20:26.0 +0200 +++ kdepimlibs-4.14.2/debian/patches/series 2016-10-14 21:33:14.0 +0200 @@ -2,3 +2,4 @@ sslv2_disabled.patch tlscancelled.patch CVE-2016-7966.diff +CVE-2016-7966_part2.diff signature.asc Description: This is a digitally signed message part.
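Review bot: typo in the 4:4.14.2-2+deb8u2 changelog entry, "Replace all scary charactars" should read "characters"; the changelog text ends up in the package history and usually in the DSA, so fix it before upload.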
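Review bot: in the CVE-2016-7966_part2.diff hunk for LinkLocator::convertToHtml, the replacement literals as they appear here are the very characters being escaped, e.g. `resultBadUrl += QLatin1String("&");` for `&` and `QLatin1String("<")` for `<`, and the double-quote case reads `resultBadUrl += QLatin1String(""");`, which is not even a valid string literal. This is almost certainly the mail archive rendering the HTML entities, but the file in debian/patches must contain the entity names (`&amp;`, `&quot;`, `&lt;`, `&gt;`) as in the kcoreaddons commit being backported; if it did not, the loop would hand the untrusted text back unchanged and the bad-URL branch would still inject markup, so please diff the patch file against the upstream commit before upload. Minor: a `resultBadUrl.reserve(helperTextSize);` before the loop would avoid repeated reallocations, matching the `url.reserve( maxUrlLen() )` pattern already used in this file.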
Bug#840546: CVE-2016-7966 kdepimlibs jessie
Hi,

Just an additional comment on the debdiff:

On Fri, Oct 14, 2016 at 08:23:04PM +0200, Sandro Knauß wrote:
> Hey,
>
> I now back-ported the second part of the fix for the CVE. I updated the
> version deb8u1 from Scott. Should I create a deb8u2 for the additional patch?

Please note, to build the attached debdiff instead as +deb8u2 on top of the +deb8u1 already present on security-master and just incorporate the additional changes needed.

Regards and thanks for your work!

Salvatore
Bug#840546: CVE-2016-7966 kdepimlibs jessie
On Fri, Oct 14, 2016 at 08:23:04PM +0200, Sandro Knauß wrote:
> Hey,
>
> I now back-ported the second part of the fix for the CVE. I updated the
> version deb8u1 from Scott. Should I create a deb8u2 for the additional patch?
>
> I attached the up-to-date debdiff.

Thanks, please upload.

Cheers,
Moritz
Bug#840546: CVE-2016-7966 kdepimlibs jessie
Hey,

I now back-ported the second part of the fix for the CVE. I updated the version deb8u1 from Scott. Should I create a deb8u2 for the additional patch?

I attached the up-to-date debdiff.

Regards,

sandro

On Thursday, 13 October 2016, 18:19:35 CEST, Moritz Mühlenhoff wrote:
> On Thu, Oct 13, 2016 at 12:15:01PM +0200, Sandro Knauß wrote:
> > Hey,
> >
> > The description
> > https://www.kde.org/info/security/advisory-20161006-1.txt does not describe
> > all patches that are needed to fix the CVE (at the moment).
> >
> > The additional patches are not part of KDE Frameworks 5.27, so they need
> > to be applied for KF 5.27:
> > 5e13d2439dbf540fdc840f0b0ab5b3ebf6642c6a (0004-Display-bad-url.patch)
> > a06cef31cc4c908bc9b76bd9d103fe9c60e0953f (0003-Add-more-autotests.patch)
> >
> > (the first two will be included in KF 5.27).
> >
> > The fixed version is 5.26.0-3 (sid only - already uploaded). I'll test if
> > we need these patches also for stable inside kdepimlibs.
>
> Ok, please let us know once you know more. Scott Kitterman has already sent
> an update for kdepimlibs (attached).
>
> Cheers,
> Moritz

diff -Nru kdepimlibs-4.14.2/debian/changelog kdepimlibs-4.14.2/debian/changelog --- kdepimlibs-4.14.2/debian/changelog 2014-11-17 04:38:20.0 +0100 +++ kdepimlibs-4.14.2/debian/changelog 2016-10-14 18:09:02.0 +0200 
@@ -1,3 +1,21 @@ +kdepimlibs (4:4.14.2-2+deb8u1) jessie-security; urgency=high + + * Team upload. + [ Scott Kitterman ] + * CVE-2016-7966 KMail: HTML injection in plain text viewer (Closes: #840546) +- Avoid transforming as a url in plain text mode when there is a quote +- Add debian/patches/CVE-2016-7966.diff from upstream + + [ Sandro Knauß ] + * Additional patch to complete the fix for CVE-2016-7966 +- Replace all scary charactars (", <, > and &) with safe HTML + replacements. +- Backport commit kcoreaddons 5e13d2439dbf540fdc840f0b0ab5b3ebf6642c6a + in debian/patches/CVE-2016-7966_part2.diff + * Update symbols files. + + -- Sandro Knauß Fri, 14 Oct 2016 18:09:02 +0200 + kdepimlibs (4:4.14.2-2) unstable; urgency=medium * Team upload. diff -Nru kdepimlibs-4.14.2/debian/libkpimutils4.symbols kdepimlibs-4.14.2/debian/libkpimutils4.symbols --- kdepimlibs-4.14.2/debian/libkpimutils4.symbols 2014-10-20 17:13:26.0 +0200 +++ kdepimlibs-4.14.2/debian/libkpimutils4.symbols 2016-10-14 18:09:02.0 +0200 @@ -7,6 +7,7 @@ _ZN9KPIMUtils11LinkLocator15getEmailAddressEv@Base 4:4.3.4 _ZN9KPIMUtils11LinkLocator15highlightedTextEv@Base 4:4.3.4 _ZN9KPIMUtils11LinkLocator16setMaxAddressLenEi@Base 4:4.3.4 + _ZN9KPIMUtils11LinkLocator23getUrlAndCheckValidHrefEPb@Base 4:4.14.2-2+deb8u1 _ZN9KPIMUtils11LinkLocator6getUrlEv@Base 4:4.3.4 _ZN9KPIMUtils11LinkLocatorC1ERK7QStringi@Base 4:4.3.4 _ZN9KPIMUtils11LinkLocatorC2ERK7QStringi@Base 4:4.3.4 diff -Nru kdepimlibs-4.14.2/debian/patches/CVE-2016-7966.diff kdepimlibs-4.14.2/debian/patches/CVE-2016-7966.diff --- kdepimlibs-4.14.2/debian/patches/CVE-2016-7966.diff 1970-01-01 01:00:00.0 +0100 +++ kdepimlibs-4.14.2/debian/patches/CVE-2016-7966.diff 2016-10-14 16:59:11.0 +0200 
@@ -0,0 +1,89 @@ +From: Montel Laurent +Date: Fri, 30 Sep 2016 13:55:35 + +Subject: Backport avoid to transform as a url when we have a quote +X-Git-Url: http://quickgit.kde.org/?p=kdepimlibs.git&a=commitdiff&h=176fee25ca79145ab5c8e2275d248f1a46a8d8cf +--- +Backport avoid to transform as a url when we have a quote +--- + + +--- a/kpimutils/linklocator.cpp b/kpimutils/linklocator.cpp +@@ -94,6 +94,12 @@ + } + + QString LinkLocator::getUrl() ++{ ++return getUrlAndCheckValidHref(); ++} ++ ++ ++QString LinkLocator::getUrlAndCheckValidHref(bool *badurl) + { + QString url; + if ( atUrl() ) { +@@ -129,13 +135,26 @@ + + url.reserve( maxUrlLen() ); // avoid allocs + int start = mPos; ++bool previousCharIsADoubleQuote = false; + while ( ( mPos < (int)mText.length() ) && + ( mText[mPos].isPrint() || mText[mPos].isSpace() ) && + ( ( afterUrl.isNull() && !mText[mPos].isSpace() ) || + ( !afterUrl.isNull() && mText[mPos] != afterUrl ) ) ) { + if ( !mText[mPos].isSpace() ) { // skip whitespace +-url.append( mText[mPos] ); +-if ( url.length() > maxUrlLen() ) { ++ if (mText[mPos] == QLatin1Char('>') && previousCharIsADoubleQuote) { ++ //it's an invalid url ++ if (badurl) { ++ *badurl = true; ++ } ++ return QString(); ++ } ++ if (mText[mPos] == QLatin1Char('"')) { ++ previousCharIsADoubleQuote = true; ++ } else { ++ previousCharIsADoubleQuote = false; ++ } ++ url.append( mText[mPos] ); ++ if ( url.length() > maxUrlLen() ) { + break; + } + } +@@ -367,7 +386,12 @@ + } else { + const int start = locator.mPos; + if ( !( flags &
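Review bot: the libkpimutils4.symbols hunk adds a new exported symbol, `_ZN9KPIMUtils11LinkLocator23getUrlAndCheckValidHrefEPb@Base 4:4.14.2-2+deb8u1`. Adding a symbol is ABI-compatible and tagging it with the security revision is the right choice, but it does make `getUrlAndCheckValidHref(bool *)` public API of this library: it must be declared in the installed header, and the symbols file of any later kdepimlibs revision has to list it as well (with a version no higher than this one), otherwise dpkg-gensymbols will complain or generate a wrong dependency on the next upload.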
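Review bot: in the CVE-2016-7966.diff hunk for kpimutils/linklocator.cpp, the new `getUrl()` body calls `getUrlAndCheckValidHref()` with no argument, so the declaration needs a default for `badurl` (e.g. `bool *badurl = 0`); the corresponding change to kpimutils/linklocator.h is not part of the diff as shown here, so please confirm it is in the debdiff. Also, the second hunk removes and re-adds `url.append( mText[mPos] );` and `if ( url.length() > maxUrlLen() ) {` with only indentation changed, which makes a security patch noisier than necessary; keeping those two lines untouched would leave just the `previousCharIsADoubleQuote` logic in the hunk.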