[gentoo-commits] repo/gentoo:master commit in: kde-apps/kdepimlibs/files/, kde-apps/kdepimlibs/
commit: acad49edefd0e0f7b5cb5272806875749441a303 Author: Michael Palimaka gentoo org> AuthorDate: Wed Nov 2 12:04:57 2016 + Commit: Michael Palimaka gentoo org> CommitDate: Wed Nov 2 12:05:18 2016 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=acad49ed kde-apps/kdepimlibs: backport additional commits from upstream to resolve CVE-2016-7966 Gentoo-bug: 596224 Package-Manager: portage-2.3.2 .../files/kdepimlibs-CVE-2016-7966-r1.patch| 135 + kde-apps/kdepimlibs/kdepimlibs-4.14.10-r2.ebuild | 62 ++ .../kdepimlibs-4.14.11_pre20160211-r2.ebuild | 66 ++ 3 files changed, 263 insertions(+) diff --git a/kde-apps/kdepimlibs/files/kdepimlibs-CVE-2016-7966-r1.patch b/kde-apps/kdepimlibs/files/kdepimlibs-CVE-2016-7966-r1.patch new file mode 100644 index ..9bea572 --- /dev/null +++ b/kde-apps/kdepimlibs/files/kdepimlibs-CVE-2016-7966-r1.patch @@ -0,0 +1,135 @@ +From 176fee25ca79145ab5c8e2275d248f1a46a8d8cf Mon Sep 17 00:00:00 2001 +From: Montel Laurent+Date: Fri, 30 Sep 2016 15:55:35 +0200 +Subject: [PATCH] Backport avoid to transform as a url when we have a quote + +--- + kpimutils/linklocator.cpp | 30 +++--- + kpimutils/linklocator.h | 3 ++- + 2 files changed, 29 insertions(+), 4 deletions(-) + +diff --git a/kpimutils/linklocator.cpp b/kpimutils/linklocator.cpp +index f5d9afd..f30e8fc 100644 +--- a/kpimutils/linklocator.cpp b/kpimutils/linklocator.cpp +@@ -95,6 +95,12 @@ int LinkLocator::maxAddressLen() const + + QString LinkLocator::getUrl() + { ++return getUrlAndCheckValidHref(); ++} ++ ++ ++QString LinkLocator::getUrlAndCheckValidHref(bool *badurl) ++{ + QString url; + if ( atUrl() ) { + // NOTE: see http://tools.ietf.org/html/rfc3986#appendix-A and especially appendix-C +@@ -129,13 +135,26 @@ QString LinkLocator::getUrl() + + url.reserve( maxUrlLen() ); // avoid allocs + int start = mPos; ++bool previousCharIsADoubleQuote = false; + while ( ( mPos < (int)mText.length() ) && + ( mText[mPos].isPrint() || mText[mPos].isSpace() ) && + ( ( afterUrl.isNull() && !mText[mPos].isSpace() ) || + ( !afterUrl.isNull() && mText[mPos] != afterUrl ) ) ) { + if ( !mText[mPos].isSpace() ) { // skip whitespace +-url.append( mText[mPos] ); +-if ( url.length() > maxUrlLen() ) { ++ if (mText[mPos] == QLatin1Char('>') && previousCharIsADoubleQuote) { ++ //it's an invalid url ++ if (badurl) { ++ *badurl = true; ++ } ++ return QString(); ++ } ++ if (mText[mPos] == QLatin1Char('"')) { ++ previousCharIsADoubleQuote = true; ++ } else { ++ previousCharIsADoubleQuote = false; ++ } ++ url.append( mText[mPos] ); ++ if ( url.length() > maxUrlLen() ) { + break; + } + } +@@ -367,7 +386,12 @@ QString LinkLocator::convertToHtml( const QString , int flags, + } else { + const int start = locator.mPos; + if ( !( flags & IgnoreUrls ) ) { +-str = locator.getUrl(); ++bool badUrl = false; ++str = locator.getUrlAndCheckValidHref(); ++if (badUrl) { ++return locator.mText; ++} ++ + if ( !str.isEmpty() ) { + QString hyperlink; + if ( str.left( 4 ) == QLatin1String("www.") ) { +diff --git a/kpimutils/linklocator.h b/kpimutils/linklocator.h +index 3049397..375498d 100644 +--- a/kpimutils/linklocator.h b/kpimutils/linklocator.h +@@ -107,6 +107,7 @@ class KPIMUTILS_EXPORT LinkLocator + @return The URL at the current scan position, or an empty string. + */ + QString getUrl(); ++QString getUrlAndCheckValidHref(bool *badurl = 0); + + /** + Attempts to grab an email address. If there is an @ symbol at the +@@ -155,7 +156,7 @@ class KPIMUTILS_EXPORT LinkLocator + */ + static QString pngToDataUrl( const QString & iconPath ); + +- protected: ++protected: + /** + The plaintext string being scanned for URLs and email addresses. + */ +-- +2.7.3 + +From 8bbe1bd3fdc55f609340edc667ff154b3d2aaab1 Mon Sep 17 00:00:00 2001 +From: Montel Laurent +Date: Tue, 11 Oct 2016 11:47:41 +0200 +Subject: [PATCH] Backport show bad url text + +--- + kpimutils/linklocator.cpp | 18 +- + 1 file changed, 17 insertions(+), 1 deletion(-) + +diff --git a/kpimutils/linklocator.cpp b/kpimutils/linklocator.cpp +index f30e8fc..4abe968 100644 +--- a/kpimutils/linklocator.cpp b/kpimutils/linklocator.cpp +@@ -389,7 +389,23 @@ QString LinkLocator::convertToHtml( const QString , int flags, + bool badUrl = false; + str = locator.getUrlAndCheckValidHref(); + if (badUrl) { +-return locator.mText; ++QString resultBadUrl; ++
[gentoo-commits] repo/gentoo:master commit in: kde-apps/kdepimlibs/files/, kde-apps/kdepimlibs/
commit: bc4885e20e781ccef65f90991090df7d79545078 Author: Michael Palimaka gentoo org> AuthorDate: Thu Oct 6 18:20:46 2016 + Commit: Michael Palimaka gentoo org> CommitDate: Thu Oct 6 18:33:27 2016 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bc4885e2 kde-apps/kdepimlibs: backport patch from upstream for CVE-2016-7966 Gentoo-bug: 596224 Package-Manager: portage-2.3.1 .../files/kdepimlibs-CVE-2016-7966.patch | 94 ++ kde-apps/kdepimlibs/kdepimlibs-4.14.10-r1.ebuild | 63 +++ .../kdepimlibs-4.14.11_pre20160211-r1.ebuild | 67 +++ 3 files changed, 224 insertions(+) diff --git a/kde-apps/kdepimlibs/files/kdepimlibs-CVE-2016-7966.patch b/kde-apps/kdepimlibs/files/kdepimlibs-CVE-2016-7966.patch new file mode 100644 index ..b6f278a --- /dev/null +++ b/kde-apps/kdepimlibs/files/kdepimlibs-CVE-2016-7966.patch @@ -0,0 +1,94 @@ +From 176fee25ca79145ab5c8e2275d248f1a46a8d8cf Mon Sep 17 00:00:00 2001 +From: Montel Laurent+Date: Fri, 30 Sep 2016 15:55:35 +0200 +Subject: [PATCH] Backport avoid to transform as a url when we have a quote + +--- + kpimutils/linklocator.cpp | 30 +++--- + kpimutils/linklocator.h | 3 ++- + 2 files changed, 29 insertions(+), 4 deletions(-) + +diff --git a/kpimutils/linklocator.cpp b/kpimutils/linklocator.cpp +index f5d9afd..f30e8fc 100644 +--- a/kpimutils/linklocator.cpp b/kpimutils/linklocator.cpp +@@ -95,6 +95,12 @@ int LinkLocator::maxAddressLen() const + + QString LinkLocator::getUrl() + { ++return getUrlAndCheckValidHref(); ++} ++ ++ ++QString LinkLocator::getUrlAndCheckValidHref(bool *badurl) ++{ + QString url; + if ( atUrl() ) { + // NOTE: see http://tools.ietf.org/html/rfc3986#appendix-A and especially appendix-C +@@ -129,13 +135,26 @@ QString LinkLocator::getUrl() + + url.reserve( maxUrlLen() ); // avoid allocs + int start = mPos; ++bool previousCharIsADoubleQuote = false; + while ( ( mPos < (int)mText.length() ) && + ( mText[mPos].isPrint() || mText[mPos].isSpace() ) && + ( ( afterUrl.isNull() && !mText[mPos].isSpace() ) || + ( !afterUrl.isNull() && mText[mPos] != afterUrl ) ) ) { + if ( !mText[mPos].isSpace() ) { // skip whitespace +-url.append( mText[mPos] ); +-if ( url.length() > maxUrlLen() ) { ++ if (mText[mPos] == QLatin1Char('>') && previousCharIsADoubleQuote) { ++ //it's an invalid url ++ if (badurl) { ++ *badurl = true; ++ } ++ return QString(); ++ } ++ if (mText[mPos] == QLatin1Char('"')) { ++ previousCharIsADoubleQuote = true; ++ } else { ++ previousCharIsADoubleQuote = false; ++ } ++ url.append( mText[mPos] ); ++ if ( url.length() > maxUrlLen() ) { + break; + } + } +@@ -367,7 +386,12 @@ QString LinkLocator::convertToHtml( const QString , int flags, + } else { + const int start = locator.mPos; + if ( !( flags & IgnoreUrls ) ) { +-str = locator.getUrl(); ++bool badUrl = false; ++str = locator.getUrlAndCheckValidHref(); ++if (badUrl) { ++return locator.mText; ++} ++ + if ( !str.isEmpty() ) { + QString hyperlink; + if ( str.left( 4 ) == QLatin1String("www.") ) { +diff --git a/kpimutils/linklocator.h b/kpimutils/linklocator.h +index 3049397..375498d 100644 +--- a/kpimutils/linklocator.h b/kpimutils/linklocator.h +@@ -107,6 +107,7 @@ class KPIMUTILS_EXPORT LinkLocator + @return The URL at the current scan position, or an empty string. + */ + QString getUrl(); ++QString getUrlAndCheckValidHref(bool *badurl = 0); + + /** + Attempts to grab an email address. If there is an @ symbol at the +@@ -155,7 +156,7 @@ class KPIMUTILS_EXPORT LinkLocator + */ + static QString pngToDataUrl( const QString & iconPath ); + +- protected: ++protected: + /** + The plaintext string being scanned for URLs and email addresses. + */ +-- +2.7.3 + diff --git a/kde-apps/kdepimlibs/kdepimlibs-4.14.10-r1.ebuild b/kde-apps/kdepimlibs/kdepimlibs-4.14.10-r1.ebuild new file mode 100644 index ..4275aaa --- /dev/null +++ b/kde-apps/kdepimlibs/kdepimlibs-4.14.10-r1.ebuild @@ -0,0 +1,63 @@ +# Copyright 1999-2016 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Id$ + +EAPI=5 + +KDE_HANDBOOK="optional" +CPPUNIT_REQUIRED="optional" +EGIT_BRANCH="KDE/4.14" +inherit kde4-base + +DESCRIPTION="Common library for KDE PIM apps" +KEYWORDS="~amd64 ~arm ~x86 ~amd64-linux ~x86-linux" +LICENSE="LGPL-2.1" +IUSE="debug ldap prison" + +# some akonadi tests timeout, that probaly needs more work as its ~700 tests +RESTRICT="test" + +DEPEND=" + !kde-misc/akonadi-social-utils +