[gentoo-commits] repo/gentoo:master commit in: kde-apps/kdepimlibs/files/, kde-apps/kdepimlibs/

2016-11-02 Thread Michael Palimaka
commit: acad49edefd0e0f7b5cb5272806875749441a303
Author: Michael Palimaka  gentoo  org>
AuthorDate: Wed Nov  2 12:04:57 2016 +
Commit: Michael Palimaka  gentoo  org>
CommitDate: Wed Nov  2 12:05:18 2016 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=acad49ed

kde-apps/kdepimlibs: backport additional commits from upstream to resolve 
CVE-2016-7966

Gentoo-bug: 596224

Package-Manager: portage-2.3.2

 .../files/kdepimlibs-CVE-2016-7966-r1.patch| 135 +
 kde-apps/kdepimlibs/kdepimlibs-4.14.10-r2.ebuild   |  62 ++
 .../kdepimlibs-4.14.11_pre20160211-r2.ebuild   |  66 ++
 3 files changed, 263 insertions(+)

diff --git a/kde-apps/kdepimlibs/files/kdepimlibs-CVE-2016-7966-r1.patch 
b/kde-apps/kdepimlibs/files/kdepimlibs-CVE-2016-7966-r1.patch
new file mode 100644
index ..9bea572
--- /dev/null
+++ b/kde-apps/kdepimlibs/files/kdepimlibs-CVE-2016-7966-r1.patch
@@ -0,0 +1,135 @@
+From 176fee25ca79145ab5c8e2275d248f1a46a8d8cf Mon Sep 17 00:00:00 2001
+From: Montel Laurent 
+Date: Fri, 30 Sep 2016 15:55:35 +0200
+Subject: [PATCH] Backport avoid to transform as a url when we have a quote
+
+---
+ kpimutils/linklocator.cpp | 30 +++---
+ kpimutils/linklocator.h   |  3 ++-
+ 2 files changed, 29 insertions(+), 4 deletions(-)
+
+diff --git a/kpimutils/linklocator.cpp b/kpimutils/linklocator.cpp
+index f5d9afd..f30e8fc 100644
+--- a/kpimutils/linklocator.cpp
 b/kpimutils/linklocator.cpp
+@@ -95,6 +95,12 @@ int LinkLocator::maxAddressLen() const
+ 
+ QString LinkLocator::getUrl()
+ {
++return getUrlAndCheckValidHref();
++}
++
++
++QString LinkLocator::getUrlAndCheckValidHref(bool *badurl)
++{
+   QString url;
+   if ( atUrl() ) {
+ // NOTE: see http://tools.ietf.org/html/rfc3986#appendix-A and especially 
appendix-C
+@@ -129,13 +135,26 @@ QString LinkLocator::getUrl()
+ 
+ url.reserve( maxUrlLen() );  // avoid allocs
+ int start = mPos;
++bool previousCharIsADoubleQuote = false;
+ while ( ( mPos < (int)mText.length() ) &&
+ ( mText[mPos].isPrint() || mText[mPos].isSpace() ) &&
+ ( ( afterUrl.isNull() && !mText[mPos].isSpace() ) ||
+   ( !afterUrl.isNull() && mText[mPos] != afterUrl ) ) ) {
+   if ( !mText[mPos].isSpace() ) {   // skip whitespace
+-url.append( mText[mPos] );
+-if ( url.length() > maxUrlLen() ) {
++  if (mText[mPos] == QLatin1Char('>') && previousCharIsADoubleQuote) {
++  //it's an invalid url
++  if (badurl) {
++  *badurl = true;
++  }
++  return QString();
++  }
++  if (mText[mPos] == QLatin1Char('"')) {
++  previousCharIsADoubleQuote = true;
++  } else {
++  previousCharIsADoubleQuote = false;
++  }
++  url.append( mText[mPos] );
++  if ( url.length() > maxUrlLen() ) {
+   break;
+ }
+   }
+@@ -367,7 +386,12 @@ QString LinkLocator::convertToHtml( const QString 
, int flags,
+ } else {
+   const int start = locator.mPos;
+   if ( !( flags & IgnoreUrls ) ) {
+-str = locator.getUrl();
++bool badUrl = false;
++str = locator.getUrlAndCheckValidHref();
++if (badUrl) {
++return locator.mText;
++}
++
+ if ( !str.isEmpty() ) {
+   QString hyperlink;
+   if ( str.left( 4 ) == QLatin1String("www.") ) {
+diff --git a/kpimutils/linklocator.h b/kpimutils/linklocator.h
+index 3049397..375498d 100644
+--- a/kpimutils/linklocator.h
 b/kpimutils/linklocator.h
+@@ -107,6 +107,7 @@ class KPIMUTILS_EXPORT LinkLocator
+   @return The URL at the current scan position, or an empty string.
+ */
+ QString getUrl();
++QString getUrlAndCheckValidHref(bool *badurl = 0);
+ 
+ /**
+   Attempts to grab an email address. If there is an @ symbol at the
+@@ -155,7 +156,7 @@ class KPIMUTILS_EXPORT LinkLocator
+ */
+ static QString pngToDataUrl( const QString & iconPath );
+ 
+-  protected:
++protected:
+ /**
+   The plaintext string being scanned for URLs and email addresses.
+ */
+-- 
+2.7.3
+
+From 8bbe1bd3fdc55f609340edc667ff154b3d2aaab1 Mon Sep 17 00:00:00 2001
+From: Montel Laurent 
+Date: Tue, 11 Oct 2016 11:47:41 +0200
+Subject: [PATCH] Backport  show bad url text
+
+---
+ kpimutils/linklocator.cpp | 18 +-
+ 1 file changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/kpimutils/linklocator.cpp b/kpimutils/linklocator.cpp
+index f30e8fc..4abe968 100644
+--- a/kpimutils/linklocator.cpp
 b/kpimutils/linklocator.cpp
+@@ -389,7 +389,23 @@ QString LinkLocator::convertToHtml( const QString 
, int flags,
+ bool badUrl = false;
+ str = locator.getUrlAndCheckValidHref();
+ if (badUrl) {
+-return locator.mText;
++QString resultBadUrl;
++

[gentoo-commits] repo/gentoo:master commit in: kde-apps/kdepimlibs/files/, kde-apps/kdepimlibs/

2016-10-06 Thread Michael Palimaka
commit: bc4885e20e781ccef65f90991090df7d79545078
Author: Michael Palimaka  gentoo  org>
AuthorDate: Thu Oct  6 18:20:46 2016 +
Commit: Michael Palimaka  gentoo  org>
CommitDate: Thu Oct  6 18:33:27 2016 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bc4885e2

kde-apps/kdepimlibs: backport patch from upstream for CVE-2016-7966

Gentoo-bug: 596224

Package-Manager: portage-2.3.1

 .../files/kdepimlibs-CVE-2016-7966.patch   | 94 ++
 kde-apps/kdepimlibs/kdepimlibs-4.14.10-r1.ebuild   | 63 +++
 .../kdepimlibs-4.14.11_pre20160211-r1.ebuild   | 67 +++
 3 files changed, 224 insertions(+)

diff --git a/kde-apps/kdepimlibs/files/kdepimlibs-CVE-2016-7966.patch 
b/kde-apps/kdepimlibs/files/kdepimlibs-CVE-2016-7966.patch
new file mode 100644
index ..b6f278a
--- /dev/null
+++ b/kde-apps/kdepimlibs/files/kdepimlibs-CVE-2016-7966.patch
@@ -0,0 +1,94 @@
+From 176fee25ca79145ab5c8e2275d248f1a46a8d8cf Mon Sep 17 00:00:00 2001
+From: Montel Laurent 
+Date: Fri, 30 Sep 2016 15:55:35 +0200
+Subject: [PATCH] Backport avoid to transform as a url when we have a quote
+
+---
+ kpimutils/linklocator.cpp | 30 +++---
+ kpimutils/linklocator.h   |  3 ++-
+ 2 files changed, 29 insertions(+), 4 deletions(-)
+
+diff --git a/kpimutils/linklocator.cpp b/kpimutils/linklocator.cpp
+index f5d9afd..f30e8fc 100644
+--- a/kpimutils/linklocator.cpp
 b/kpimutils/linklocator.cpp
+@@ -95,6 +95,12 @@ int LinkLocator::maxAddressLen() const
+ 
+ QString LinkLocator::getUrl()
+ {
++return getUrlAndCheckValidHref();
++}
++
++
++QString LinkLocator::getUrlAndCheckValidHref(bool *badurl)
++{
+   QString url;
+   if ( atUrl() ) {
+ // NOTE: see http://tools.ietf.org/html/rfc3986#appendix-A and especially 
appendix-C
+@@ -129,13 +135,26 @@ QString LinkLocator::getUrl()
+ 
+ url.reserve( maxUrlLen() );  // avoid allocs
+ int start = mPos;
++bool previousCharIsADoubleQuote = false;
+ while ( ( mPos < (int)mText.length() ) &&
+ ( mText[mPos].isPrint() || mText[mPos].isSpace() ) &&
+ ( ( afterUrl.isNull() && !mText[mPos].isSpace() ) ||
+   ( !afterUrl.isNull() && mText[mPos] != afterUrl ) ) ) {
+   if ( !mText[mPos].isSpace() ) {   // skip whitespace
+-url.append( mText[mPos] );
+-if ( url.length() > maxUrlLen() ) {
++  if (mText[mPos] == QLatin1Char('>') && previousCharIsADoubleQuote) {
++  //it's an invalid url
++  if (badurl) {
++  *badurl = true;
++  }
++  return QString();
++  }
++  if (mText[mPos] == QLatin1Char('"')) {
++  previousCharIsADoubleQuote = true;
++  } else {
++  previousCharIsADoubleQuote = false;
++  }
++  url.append( mText[mPos] );
++  if ( url.length() > maxUrlLen() ) {
+   break;
+ }
+   }
+@@ -367,7 +386,12 @@ QString LinkLocator::convertToHtml( const QString 
, int flags,
+ } else {
+   const int start = locator.mPos;
+   if ( !( flags & IgnoreUrls ) ) {
+-str = locator.getUrl();
++bool badUrl = false;
++str = locator.getUrlAndCheckValidHref();
++if (badUrl) {
++return locator.mText;
++}
++
+ if ( !str.isEmpty() ) {
+   QString hyperlink;
+   if ( str.left( 4 ) == QLatin1String("www.") ) {
+diff --git a/kpimutils/linklocator.h b/kpimutils/linklocator.h
+index 3049397..375498d 100644
+--- a/kpimutils/linklocator.h
 b/kpimutils/linklocator.h
+@@ -107,6 +107,7 @@ class KPIMUTILS_EXPORT LinkLocator
+   @return The URL at the current scan position, or an empty string.
+ */
+ QString getUrl();
++QString getUrlAndCheckValidHref(bool *badurl = 0);
+ 
+ /**
+   Attempts to grab an email address. If there is an @ symbol at the
+@@ -155,7 +156,7 @@ class KPIMUTILS_EXPORT LinkLocator
+ */
+ static QString pngToDataUrl( const QString & iconPath );
+ 
+-  protected:
++protected:
+ /**
+   The plaintext string being scanned for URLs and email addresses.
+ */
+-- 
+2.7.3
+
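Review bot: In the embedded `convertToHtml` hunk, `badUrl` is initialised to false and then tested, but the call as shown, `str = locator.getUrlAndCheckValidHref();`, never passes it, so the `if (badUrl)` branch cannot run and the quote check only makes the helper return an empty `QString`. The call should read `str = locator.getUrlAndCheckValidHref(&badUrl);`. This page has dropped `&`-prefixed text elsewhere (the `convertToHtml( const QString` signature line is missing its parameter), so the argument may have been lost in the archive rendering; verify against the patch file in the tree. Separately, `return locator.mText;` hands back the raw plaintext from a function meant to produce HTML, which presumably bypasses whatever escaping the rest of `convertToHtml` applies, so the bad-URL path should return escaped text instead. The same lines appear in the `-r1` patch of the 2016-11-02 commit earlier on this page, and both function bodies continue outside the embedded hunks.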

diff --git a/kde-apps/kdepimlibs/kdepimlibs-4.14.10-r1.ebuild 
b/kde-apps/kdepimlibs/kdepimlibs-4.14.10-r1.ebuild
new file mode 100644
index ..4275aaa
--- /dev/null
+++ b/kde-apps/kdepimlibs/kdepimlibs-4.14.10-r1.ebuild
@@ -0,0 +1,63 @@
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=5
+
+KDE_HANDBOOK="optional"
+CPPUNIT_REQUIRED="optional"
+EGIT_BRANCH="KDE/4.14"
+inherit kde4-base
+
+DESCRIPTION="Common library for KDE PIM apps"
+KEYWORDS="~amd64 ~arm ~x86 ~amd64-linux ~x86-linux"
+LICENSE="LGPL-2.1"
+IUSE="debug ldap prison"
+
+# some akonadi tests timeout, that probaly needs more work as its ~700 tests
+RESTRICT="test"
+
+DEPEND="
+   !kde-misc/akonadi-social-utils
+