kde-frameworks/kcoreaddons: backport patch from upstream for CVE-2016-7966

Gentoo-bug: 596224 Package-Manager: portage-2.3.1
author: Michael Palimaka <kensington@gentoo.org> 2016-10-07 05:11:32 +1100
committer: Michael Palimaka <kensington@gentoo.org> 2016-10-07 05:12:44 +1100
commit: bd38ebeaf7ab220314d81699d0176c0be1600447 (patch)
tree: 015c26ea1eba47d67a74ab6369914eca6fb1658f /kde-frameworks/kcoreaddons
parent: app-admin/glance: NEWTON :D (diff)
download: gentoo-bd38ebeaf7ab220314d81699d0176c0be1600447.tar.gz
gentoo-bd38ebeaf7ab220314d81699d0176c0be1600447.tar.bz2
gentoo-bd38ebeaf7ab220314d81699d0176c0be1600447.zip
2 files changed, 155 insertions, 0 deletions
diff --git a/kde-frameworks/kcoreaddons/files/kcoreaddons-5.26.0-CVE-2016-7966.patch b/kde-frameworks/kcoreaddons/files/kcoreaddons-5.26.0-CVE-2016-7966.patch
new file mode 100644
index 000000000000..8374d5a1a4bd
--- /dev/null
+++ b/kde-frameworks/kcoreaddons/files/kcoreaddons-5.26.0-CVE-2016-7966.patch
@@ -0,0 +1,122 @@
+From 96e562d9138c100498da38e4c5b4091a226dde12 Mon Sep 17 00:00:00 2001
+From: Montel Laurent <montel@kde.org>
+Date: Fri, 30 Sep 2016 13:21:45 +0200
+Subject: [PATCH] Don't convert as url an url which has a "
+
+---
+ autotests/ktexttohtmltest.cpp |  6 ++++++
+ src/lib/text/ktexttohtml.cpp  | 25 +++++++++++++++++++------
+ src/lib/text/ktexttohtml_p.h  |  2 +-
+ 3 files changed, 26 insertions(+), 7 deletions(-)
+
+diff --git a/autotests/ktexttohtmltest.cpp b/autotests/ktexttohtmltest.cpp
+index 8fc0c56..c5690e8 100644
+--- a/autotests/ktexttohtmltest.cpp
++++ b/autotests/ktexttohtmltest.cpp
+@@ -386,6 +386,12 @@ void KTextToHTMLTest::testHtmlConvert_data()
+    QTest::newRow("url-with-url") << "foo <http://www.kde.org/ <http://www.kde.org/>>"
+                                << KTextToHTML::Options(KTextToHTML::PreserveSpaces)
+                                << "foo &lt;<a href=\"http://www.kde.org/ \">http://www.kde.org/ </a>&lt;<a href=\"http://www.kde.org/\">http://www.kde.org/</a>&gt;&gt;";
++
++   //Fix url exploit
++   QTest::newRow("url-exec-html") << "https://\"><!--"
++                               << KTextToHTML::Options(KTextToHTML::PreserveSpaces)
++                               << "https://\"><!--";
++
+ }
+ 
+ 
+diff --git a/src/lib/text/ktexttohtml.cpp b/src/lib/text/ktexttohtml.cpp
+index c70d062..97c5eab 100644
+--- a/src/lib/text/ktexttohtml.cpp
++++ b/src/lib/text/ktexttohtml.cpp
+@@ -156,7 +156,6 @@ bool KTextToHTMLHelper::atUrl()
+              (allowedSpecialChars.indexOf(mText[mPos - 1]) != -1))) {
+         return false;
+     }
+-
+     QChar ch = mText[mPos];
+     return
+         (ch == QLatin1Char('h') && (mText.mid(mPos, 7) == QLatin1String("http://") ||
+@@ -192,7 +191,7 @@ bool KTextToHTMLHelper::isEmptyUrl(const QString &url)
+            url == QLatin1String("news://");
+ }
+ 
+-QString KTextToHTMLHelper::getUrl()
++QString KTextToHTMLHelper::getUrl(bool *badurl)
+ {
+     QString url;
+     if (atUrl()) {
+@@ -229,6 +228,7 @@ QString KTextToHTMLHelper::getUrl()
+         url.reserve(mMaxUrlLen);    // avoid allocs
+         int start = mPos;
+         bool previousCharIsSpace = false;
++        bool previousCharIsADoubleQuote = false;
+         while ((mPos < mText.length()) &&
+                 (mText[mPos].isPrint() || mText[mPos].isSpace()) &&
+                 ((afterUrl.isNull() && !mText[mPos].isSpace()) ||
+@@ -241,6 +241,18 @@ QString KTextToHTMLHelper::getUrl()
+                     break;
+                 }
+                 previousCharIsSpace = false;
++                if (mText[mPos] == QLatin1Char('>') && previousCharIsADoubleQuote) {
++                    //it's an invalid url
++                    if (badurl) {
++                        *badurl = true;
++                    }
++                    return QString();
++                }
++                if (mText[mPos] == QLatin1Char('"')) {
++                    previousCharIsADoubleQuote = true;
++                } else {
++                    previousCharIsADoubleQuote = false;
++                }
+                 url.append(mText[mPos]);
+                 if (url.length() > mMaxUrlLen) {
+                     break;
+@@ -341,7 +353,6 @@ QString KTextToHTML::convertToHtml(const QString &plainText, const KTextToHTML::
+     QChar ch;
+     int x;
+     bool startOfLine = true;
+-    //qDebug()<<" plainText"<<plainText;
+ 
+     for (helper.mPos = 0, x = 0; helper.mPos < helper.mText.length();
+             ++helper.mPos, ++x) {
+@@ -409,8 +420,11 @@ QString KTextToHTML::convertToHtml(const QString &plainText, const KTextToHTML::
+         } else {
+             const int start = helper.mPos;
+             if (!(flags & IgnoreUrls)) {
+-                str = helper.getUrl();
+-                //qDebug()<<" str"<<str;
++                bool badUrl = false;
++                str = helper.getUrl(&badUrl);
++                if (badUrl) {
++                    return helper.mText;
++                }
+                 if (!str.isEmpty()) {
+                     QString hyperlink;
+                     if (str.left(4) == QLatin1String("www.")) {
+@@ -464,7 +478,6 @@ QString KTextToHTML::convertToHtml(const QString &plainText, const KTextToHTML::
+ 
+         result = helper.emoticonsInterface()->parseEmoticons(result, true, exclude);
+     }
+-    //qDebug()<<" result "<<result;
+ 
+     return result;
+ }
+diff --git a/src/lib/text/ktexttohtml_p.h b/src/lib/text/ktexttohtml_p.h
+index 74ad7a0..fc43613 100644
+--- a/src/lib/text/ktexttohtml_p.h
++++ b/src/lib/text/ktexttohtml_p.h
+@@ -49,7 +49,7 @@ public:
+     QString getEmailAddress();
+     bool atUrl();
+     bool isEmptyUrl(const QString &url);
+-    QString getUrl();
++    QString getUrl(bool *badurl = Q_NULLPTR);
+     QString pngToDataUrl(const QString &pngPath);
+     QString highlightedText();
+ 
+-- 
+2.7.3
+
diff --git a/kde-frameworks/kcoreaddons/kcoreaddons-5.26.0-r1.ebuild b/kde-frameworks/kcoreaddons/kcoreaddons-5.26.0-r1.ebuild
new file mode 100644
index 000000000000..ebb5cd8d7bf5
--- /dev/null
+++ b/kde-frameworks/kcoreaddons/kcoreaddons-5.26.0-r1.ebuild
@@ -0,0 +1,33 @@
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=6
+
+inherit kde5
+
+DESCRIPTION="Framework for solving common problems such as caching, randomisation, and more"
+LICENSE="LGPL-2+"
+KEYWORDS="~amd64 ~arm ~x86"
+IUSE="fam nls"
+
+RDEPEND="
+	$(add_qt_dep qtcore 'icu')
+	fam? ( virtual/fam )
+	!<kde-frameworks/kservice-5.2.0:5
+"
+DEPEND="${RDEPEND}
+	x11-misc/shared-mime-info
+	nls? ( $(add_qt_dep linguist-tools) )
+"
+
+PATCHES=( "${FILESDIR}/${P}-CVE-2016-7966.patch" )
+
+src_configure() {
+	local mycmakeargs=(
+		-D_KDE4_DEFAULT_HOME_POSTFIX=4
+		$(cmake-utils_use_find_package fam FAM)
+	)
+
+	kde5_src_configure
+}
author	Michael Palimaka <kensington@gentoo.org>	2016-10-07 05:11:32 +1100
committer	Michael Palimaka <kensington@gentoo.org>	2016-10-07 05:12:44 +1100
commit	bd38ebeaf7ab220314d81699d0176c0be1600447 (patch)
tree	015c26ea1eba47d67a74ab6369914eca6fb1658f /kde-frameworks/kcoreaddons
parent	app-admin/glance: NEWTON :D (diff)
download	gentoo-bd38ebeaf7ab220314d81699d0176c0be1600447.tar.gz gentoo-bd38ebeaf7ab220314d81699d0176c0be1600447.tar.bz2 gentoo-bd38ebeaf7ab220314d81699d0176c0be1600447.zip