I've made a small change to the package, changing the new dependency
from gvfs to desktop-file-utils, since that's what's really necessary
(as discovered in #885086).
The new debdiff is attached.
--
Eduardo M KALINOWSKI
edua...@kalinowski.com.br
diff -Nru kildclient-3.0.0/debian/changelog kildclient-3.0.0/debian/changelog
--- kildclient-3.0.0/debian/changelog 2014-12-09 20:20:51.0 -0200
+++ kildclient-3.0.0/debian/changelog 2018-01-20 11:06:39.0 -0200
@@ -1,3 +1,10 @@
+kildclient (3.0.0-2+deb8u1) jessie; urgency=low
+
+ * Fix for CVE-2017-17511. New dependency 'desktop-file-utils' required
+in order to use GTK+ function for opening URLs. Closes: #885007
+
+ -- Eduardo M Kalinowski Sat, 20 Jan 2018 11:06:37 -0200
+
kildclient (3.0.0-2) unstable; urgency=medium
* Added work-around to enable scroll-to-end feature to work with
diff -Nru kildclient-3.0.0/debian/control kildclient-3.0.0/debian/control
--- kildclient-3.0.0/debian/control 2014-12-09 20:20:51.0 -0200
+++ kildclient-3.0.0/debian/control 2018-01-20 11:06:18.0 -0200
@@ -10,7 +10,7 @@
Package: kildclient
Architecture: any
-Depends: ${shlibs:Depends}, ${misc:Depends}, liblocale-gettext-perl, libjson-perl
+Depends: ${shlibs:Depends}, ${misc:Depends}, liblocale-gettext-perl, libjson-perl, desktop-file-utils
Suggests: kildclient-doc, libgtk3-perl
Description: powerful MUD client with a built-in Perl interpreter
KildClient is a MUD Client written with the GTK+ windowing toolkit.
diff -Nru kildclient-3.0.0/debian/NEWS.Debian kildclient-3.0.0/debian/NEWS.Debian
--- kildclient-3.0.0/debian/NEWS.Debian 2014-12-09 20:20:51.0 -0200
+++ kildclient-3.0.0/debian/NEWS.Debian 2018-01-20 11:17:50.0 -0200
@@ -1,3 +1,11 @@
+kildclient (3.0.0-2+deb8u1) jessie-security; urgency=high
+
+ * The option to define the command used to run a web browser has been
+removed; the default browser (as selected by MIME types database) is
+now used.
+
+ -- Eduardo M Kalinowski Sat, 20 Jan 2018 11:06:37 -0200
+
kildclient (2.8.1-1) experimental; urgency=low
The HTML manual is now in the package kildclient-doc.
diff -Nru kildclient-3.0.0/debian/patches/cve-2017-17511.patch kildclient-3.0.0/debian/patches/cve-2017-17511.patch
--- kildclient-3.0.0/debian/patches/cve-2017-17511.patch 1969-12-31 21:00:00.0 -0300
+++ kildclient-3.0.0/debian/patches/cve-2017-17511.patch 2018-01-20 11:05:35.0 -0200
@@ -0,0 +1,221 @@
+Description: Fix for CVE-2017-17511
+ Uses a GTK+ function to open URLs, instead of using a command
+ supplied by the user or $BROWSER.
+Author: Eduardo M KALINOWSKI
+Last-Update: 2017-12-16
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/src/kildclient.h
b/src/kildclient.h
+@@ -633,7 +633,6 @@
+ GtkPositionType tab_position;
+ gboolean hide_single_tab;
+ gboolean urgency_hint;
+- char*browser_command;
+ char*audio_player_command;
+ char*last_open_world;
+ gboolean no_plugin_help_msg;
+--- a/src/prefs.c
b/src/prefs.c
+@@ -92,7 +92,6 @@
+ GObject *txtProxyUser;
+ GObject *txtProxyPassword;
+ #ifndef __WIN32__
+- GObject *txtBrowserCommand;
+ GObject *txtAudioPlayerCommand;
+ #else
+ GtkWidget*tabPrograms;
+@@ -178,12 +177,6 @@
+
+ #ifndef __WIN32__
+ /* Load commands */
+-txtBrowserCommand = gtk_builder_get_object(main_builder, "txtBrowserCommand");
+-gtk_entry_set_text(GTK_ENTRY(txtBrowserCommand),
+- globalPrefs.browser_command);
+-g_signal_connect(txtBrowserCommand, "focus_out_event",
+- G_CALLBACK(txt_cmd_focus_out_cb),
+- _command);
+ txtAudioPlayerCommand
+ = gtk_builder_get_object(main_builder, "txtAudioPlayerCommand");
+ gtk_entry_set_text(GTK_ENTRY(txtAudioPlayerCommand),
+@@ -319,9 +312,6 @@
+ }
+
+ /* Has the commands been set? */
+- if (!globalPrefs.browser_command) {
+-globalPrefs.browser_command = g_strdup("${BROWSER} \"%s\" &");
+- }
+ if (!globalPrefs.audio_player_command) {
+ globalPrefs.audio_player_command = g_strdup("play \"%s\" &");
+ }
+@@ -380,8 +370,6 @@
+ globalPrefs.hide_single_tab = atoi(line + pos + 1);
+ } else if (strcmp(first_word, "urgencyhint") == 0) {
+ globalPrefs.urgency_hint = atoi(line + pos + 1);
+-} else if (strcmp(first_word, "browsercommand") == 0) {
+- globalPrefs.browser_command = g_strdup(line + pos + 1);
+ } else if (strcmp(first_word, "audioplayercommand") == 0) {
+ globalPrefs.audio_player_command = g_strdup(line + pos + 1);
+ } else if (strcmp(first_word, "lastopenworld") == 0) {
+@@ -475,8 +463,6 @@
+ g_string_append_printf(str, "urgencyhint %d\n", globalPrefs.urgency_hint);
+
+ g_string_append_printf(str,
+-