Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: debian-qt-...@lists.debian.org
Please unblock package plasma-discover

[ Reason ]
It fixes CVE-2021-28117 affecting bullseye. See Security Tracker at [1].

[ Impact ]
URLs other than HTTP, like smb:// or nfs://, can be opened from package descriptions in Discover, which could be used to chain to other attack vectors. See KDE security advisory at [2].

[ Tests ]
Manual tests of basic Discover functionality, checking that package descriptions are not broken by the change.

[ Risks ]
The upstream commit is a one-liner fixing the regexp pattern used to transform URL text into clickable links in package descriptions in Discover. I'd qualify it as very low risk.

[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing

[ Other info ]
KDE Security Advisory:
[1] https://kde.org/info/security/advisory-20210310-1.txt
Security Tracker:
[2] https://security-tracker.debian.org/tracker/CVE-2021-28117

unblock plasma-discover/5.20.5-3
diff -Nru plasma-discover-5.20.5/debian/changelog plasma-discover-5.20.5/debian/changelog --- plasma-discover-5.20.5/debian/changelog 2021-01-21 09:02:53.000000000 +0100 +++ plasma-discover-5.20.5/debian/changelog 2021-03-10 23:53:46.000000000 +0100 @@ -1,3 +1,10 @@ +plasma-discover (5.20.5-3) unstable; urgency=medium + + [ Patrick Franz ] + * Add patch to validate URI scheme (Fixes: CVE-2021-28117). + + -- Patrick Franz <patfr...@gmail.com> Wed, 10 Mar 2021 23:53:46 +0100 + plasma-discover (5.20.5-2) unstable; urgency=medium * Add jcat, libjcat-dev, and any of the libcurl*-dev variants to B-D to work diff -Nru plasma-discover-5.20.5/debian/patches/https_only_links.patch plasma-discover-5.20.5/debian/patches/https_only_links.patch --- plasma-discover-5.20.5/debian/patches/https_only_links.patch 1970-01-01 01:00:00.000000000 +0100 +++ plasma-discover-5.20.5/debian/patches/https_only_links.patch 2021-03-10 23:53:46.000000000 +0100 
@@ -0,0 +1,23 @@ +Description: Missing URI scheme validation (CVE-2021-28117) + Validate to only turn https(s)-links into clickable links. +Author: upstream +Forwarded: not-needed + +--- + libdiscover/backends/KNSBackend/KNSResource.cpp | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libdiscover/backends/KNSBackend/KNSResource.cpp b/libdiscover/backends/KNSBackend/KNSResource.cpp +index e43b2e48..0ba88032 100644 +--- a/libdiscover/backends/KNSBackend/KNSResource.cpp ++++ b/libdiscover/backends/KNSBackend/KNSResource.cpp +@@ -87,7 +87,7 @@ QString KNSResource::longDescription() + ret.remove(QRegularExpression(QStringLiteral("\\[\\/?[a-z]*\\]"))); + // Find anything that looks like a link (but which also is not some html + // tag value or another already) and make it a link +- static const QRegularExpression urlRegExp(QStringLiteral("(^|\\s)([-a-zA-Z0-9@:%_\\+.~#?&//=]{2,256}\\.[a-z]{2,4}\\b(\\/[-a-zA-Z0-9@:;%_\\+.~#?&//=]*)?)"), QRegularExpression::CaseInsensitiveOption); ++ static const QRegularExpression urlRegExp(QStringLiteral("(^|\\s)(http[-a-zA-Z0-9@:%_\\+.~#?&//=]{2,256}\\.[a-z]{2,4}\\b(\\/[-a-zA-Z0-9@:;%_\\+.~#?&//=]*)?)"), QRegularExpression::CaseInsensitiveOption); + ret.replace(urlRegExp, QStringLiteral("<a href=\"\\2\">\\2</a>")); + return ret; + } + diff -Nru plasma-discover-5.20.5/debian/patches/series plasma-discover-5.20.5/debian/patches/series --- plasma-discover-5.20.5/debian/patches/series 1970-01-01 01:00:00.000000000 +0100 +++ plasma-discover-5.20.5/debian/patches/series 2021-03-10 23:53:46.000000000 +0100 @@ -0,0 +1 @@ +https_only_links.patch
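Review bot: in the https_only_links.patch hunk, the new urlRegExp only requires the literal prefix `http` (case-insensitive) in front of the unchanged character class and never requires a scheme separator, so any token beginning with those four letters still matches (a bare hostname such as `httpdocs.example.test`, a constructed name, would be linked as a relative href), while every `www.`-style bare domain the old pattern linked is now silently dropped; if the header's intent ("only turn http(s) links into clickable links") is meant literally, `https?://` in place of `http` expresses it, and the changelog entry should mention that bare domains are no longer linkified since that is a user-visible change in package descriptions. Two smaller points in the same hunk: the header typo `https(s)-links` should read `http(s)-links`, and DEP-3 records upstream provenance as `Origin: upstream, <commit URL>` rather than `Author: upstream`, which would also let a reader locate the upstream commit the report refers to. Pre-existing but visible in the context lines: the replacement `<a href=\"\\2\">\\2</a>` replaces the whole match and discards the whitespace captured by group 1, so the character before each generated link is lost; `\\1<a href=\"\\2\">\\2</a>` would preserve it.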
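The before/after patterns from the KNSResource.cpp hunk, replayed in Python as an added example (not code from plasma-discover or from this report); the `linked_targets` and `linkify` helpers, the `DESCRIPTION` text and the hostnames in it are constructed for the demonstration, and the patterns are transcribed from the debdiff.

```python
import re

# Character classes and dotted-suffix tail transcribed from the urlRegExp in
# libdiscover/backends/KNSBackend/KNSResource.cpp as quoted in the debdiff.
_HOST_CHARS = r"[-a-zA-Z0-9@:%_\+.~#?&//=]"
_PATH_CHARS = r"[-a-zA-Z0-9@:;%_\+.~#?&//=]"
_TAIL = r"\.[a-z]{2,4}\b(\/" + _PATH_CHARS + r"*)?"

# Before the patch: any run of URL-ish characters followed by a dotted suffix.
OLD_URL_RE = re.compile(r"(^|\s)(" + _HOST_CHARS + r"{2,256}" + _TAIL + r")",
                        re.IGNORECASE)
# After the patch: the same run, but it must begin with the literal "http".
NEW_URL_RE = re.compile(r"(^|\s)(http" + _HOST_CHARS + r"{2,256}" + _TAIL + r")",
                        re.IGNORECASE)

# Same replacement as the C++ code: the whole match (including the leading
# whitespace captured in group 1) is replaced by the anchor element.
_LINK_TEMPLATE = r'<a href="\2">\2</a>'


def linked_targets(description, pattern):
    """Return the href values the given pattern would generate, in order."""
    return [m.group(2) for m in pattern.finditer(description)]


def linkify(description, pattern):
    """Mirror KNSResource::longDescription(): wrap each match in an <a> tag."""
    return pattern.sub(_LINK_TEMPLATE, description)


# Constructed package description mixing an https link, an smb:// share,
# a bare domain and a hostname that merely starts with the letters "http".
DESCRIPTION = ("Visit https://kde.org/plasma for docs, mount "
               "smb://files.example.test/share, see www.example.test "
               "or httpdocs.example.test")

if __name__ == "__main__":
    print("before:", linked_targets(DESCRIPTION, OLD_URL_RE))
    print("after: ", linked_targets(DESCRIPTION, NEW_URL_RE))
    print(linkify("see https://kde.org/x", NEW_URL_RE))
```

Running it shows the smb:// share and the bare domain disappearing from the link list after the patch, while a hostname that only starts with "http" is still turned into a relative link.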