Date: Friday, October 7, 2016 @ 06:19:25 Author: arojas Revision: 277861
archrelease: copy trunk to extra-i686, extra-x86_64 Added: kcoreaddons/repos/extra-i686/CVE-2016-7966.patch (from rev 277860, kcoreaddons/trunk/CVE-2016-7966.patch) kcoreaddons/repos/extra-i686/PKGBUILD (from rev 277860, kcoreaddons/trunk/PKGBUILD) kcoreaddons/repos/extra-x86_64/CVE-2016-7966.patch (from rev 277860, kcoreaddons/trunk/CVE-2016-7966.patch) kcoreaddons/repos/extra-x86_64/PKGBUILD (from rev 277860, kcoreaddons/trunk/PKGBUILD) Deleted: kcoreaddons/repos/extra-i686/PKGBUILD kcoreaddons/repos/extra-x86_64/PKGBUILD ----------------------------------+ /PKGBUILD | 80 +++++++++++++++++++++++++++++++++++++ extra-i686/CVE-2016-7966.patch | 71 ++++++++++++++++++++++++++++++++ extra-i686/PKGBUILD | 36 ---------------- extra-x86_64/CVE-2016-7966.patch | 71 ++++++++++++++++++++++++++++++++ extra-x86_64/PKGBUILD | 36 ---------------- 5 files changed, 222 insertions(+), 72 deletions(-)
Copied: kcoreaddons/repos/extra-i686/CVE-2016-7966.patch (from rev 277860, kcoreaddons/trunk/CVE-2016-7966.patch)
===================================================================
--- extra-i686/CVE-2016-7966.patch (rev 0)
+++ extra-i686/CVE-2016-7966.patch 2016-10-07 06:19:25 UTC (rev 277861)
@@ -0,0 +1,71 @@
+diff --git a/autotests/kjobtest.cpp b/autotests/kjobtest.cpp
+index 88be4ac..139b9be 100644
+--- a/autotests/kjobtest.cpp
++++ b/autotests/kjobtest.cpp
+@@ -276,6 +276,7 @@ void KJobTest::testDelegateUsage()
+ TestJob *job1 = new TestJob;
+ TestJob *job2 = new TestJob;
+ TestJobUiDelegate *delegate = new TestJobUiDelegate;
++ QPointer<TestJobUiDelegate> guard(delegate);
+
+ QVERIFY(job1->uiDelegate() == 0);
+ job1->setUiDelegate(delegate);
+@@ -284,6 +285,10 @@ void KJobTest::testDelegateUsage()
+ QVERIFY(job2->uiDelegate() == 0);
+ job2->setUiDelegate(delegate);
+ QVERIFY(job2->uiDelegate() == 0);
++
++ delete job1;
++ delete job2;
++ QVERIFY(guard.isNull()); // deleted by job1
+ }
+
+ void KJobTest::testNestedExec()
+diff --git a/autotests/ktexttohtmltest.cpp b/autotests/ktexttohtmltest.cpp
+index 474f0ca..c5690e8 100644
+--- a/autotests/ktexttohtmltest.cpp
++++ b/autotests/ktexttohtmltest.cpp
+@@ -30,6 +30,15 @@ QTEST_MAIN(KTextToHTMLTest)
+
+ Q_DECLARE_METATYPE(KTextToHTML::Options)
+
++#ifndef Q_OS_WIN
++void initLocale()
++{
++ setenv("LC_ALL", "en_US.utf-8", 1);
++}
++Q_CONSTRUCTOR_FUNCTION(initLocale)
++#endif
++
++
+ void KTextToHTMLTest::testGetEmailAddress()
+ {
+ // empty input
+@@ -372,6 +381,17 @@ void KTextToHTMLTest::testHtmlConvert_data()
+ QTest::newRow("url-in-parenthesis-3") << "bla (http://www.kde.org - section 5.2)"
+ << KTextToHTML::Options(KTextToHTML::PreserveSpaces)
+ << "bla (<a href=\"http://www.kde.org\">http://www.kde.org</a> - section 5.2)";
++
++ // Fix url as foo <<url> <url>> when we concatened them.
++ QTest::newRow("url-with-url") << "foo <http://www.kde.org/ <http://www.kde.org/>>"
++ << KTextToHTML::Options(KTextToHTML::PreserveSpaces)
++ << "foo <<a href=\"http://www.kde.org/ \">http://www.kde.org/ </a><<a href=\"http://www.kde.org/\">http://www.kde.org/</a>>>";
++
++ //Fix url exploit
++ QTest::newRow("url-exec-html") << "https://\"><!--"
++ << KTextToHTML::Options(KTextToHTML::PreserveSpaces)
++ << "https://\"><!--";
++
+ }
+
+
+diff --git a/autotests/kurlmimedatatest.cpp b/autotests/kurlmimedatatest.cpp
+index 5e55d9e..264879f 100644
+--- a/autotests/kurlmimedatatest.cpp
++++ b/autotests/kurlmimedatatest.cpp
+@@ -135,4 +135,5 @@ void KUrlMimeDataTest::testMostLocalUrlList()
+ QCOMPARE(qurls[i], static_cast<QUrl>(localUrls[i]));
+ }
+
++ delete mimeData;
+ }
Deleted: extra-i686/PKGBUILD
===================================================================
--- extra-i686/PKGBUILD 2016-10-07 06:18:57 UTC (rev 277860)
+++ extra-i686/PKGBUILD 2016-10-07 06:19:25 UTC (rev 277861)
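Review bot: Every file that extra-i686/CVE-2016-7966.patch touches is under autotests/ (kjobtest.cpp, ktexttohtmltest.cpp, kurlmimedatatest.cpp); none of its 71 added lines changes the library code that turns text into HTML, which is what the new `url-exec-html` row is meant to exercise. The PKGBUILD in this same commit also configures with `-DBUILD_TESTING=OFF`, so as shown the patch would leave the built package unchanged. Please compare with the upstream fix referenced by the advisory URL in the PKGBUILD comment and check whether the source-side hunk was dropped when the patch was exported; if so, regenerate the patch file and its checksum. The identical copy under extra-x86_64 has the same gap.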
@@ -1,36 +0,0 @@
-# $Id$
-# Maintainer: Felix Yan <felixonm...@archlinux.org>
-# Contributor: Andrea Scarpino <and...@archlinux.org>
-
-pkgname=kcoreaddons
-pkgver=5.26.0
-pkgrel=1
-pkgdesc='Addons to QtCore'
-arch=('i686' 'x86_64')
-url='https://community.kde.org/Frameworks'
-license=('LGPL')
-depends=('qt5-base' 'shared-mime-info')
-makedepends=('extra-cmake-modules' 'qt5-tools')
-groups=('kf5')
-source=("http://download.kde.org/stable/frameworks/${pkgver%.*}/${pkgname}-${pkgver}.tar.xz")
-md5sums=('263530a26fd0b80238827d2d97225e7b')
-
-prepare() {
- mkdir -p build
-}
-
-build() {
- cd build
- cmake ../${pkgname}-${pkgver} \
- -DCMAKE_BUILD_TYPE=Release \
- -DCMAKE_INSTALL_PREFIX=/usr \
- -DKDE_INSTALL_LIBDIR=lib \
- -D_KDE4_DEFAULT_HOME_POSTFIX=4 \
- -DBUILD_TESTING=OFF
- make
-}
-
-package() {
- cd build
- make DESTDIR="${pkgdir}" install
-}
Copied: kcoreaddons/repos/extra-i686/PKGBUILD (from rev 277860, kcoreaddons/trunk/PKGBUILD)
===================================================================
--- extra-i686/PKGBUILD (rev 0)
+++ extra-i686/PKGBUILD 2016-10-07 06:19:25 UTC (rev 277861)
@@ -0,0 +1,40 @@
+# $Id$
+# Maintainer: Felix Yan <felixonm...@archlinux.org>
+# Contributor: Andrea Scarpino <and...@archlinux.org>
+
+pkgname=kcoreaddons
+pkgver=5.26.0
+pkgrel=2
+pkgdesc='Addons to QtCore'
+arch=('i686' 'x86_64')
+url='https://community.kde.org/Frameworks'
+license=('LGPL')
+depends=('qt5-base' 'shared-mime-info')
+makedepends=('extra-cmake-modules' 'qt5-tools')
+groups=('kf5')
+source=("http://download.kde.org/stable/frameworks/${pkgver%.*}/${pkgname}-${pkgver}.tar.xz" CVE-2016-7966.patch)
+md5sums=('263530a26fd0b80238827d2d97225e7b'
+ '2078f5ef9f761df6f7701ba96c046125')
+
+prepare() {
+ mkdir -p build
+
+ cd $pkgname-$pkgver
+ patch -p1 -i ../CVE-2016-7966.patch # https://www.kde.org/info/security/advisory-20161006-1.txt
+}
+
+build() {
+ cd build
+ cmake ../${pkgname}-${pkgver} \
+ -DCMAKE_BUILD_TYPE=Release \
+ -DCMAKE_INSTALL_PREFIX=/usr \
+ -DKDE_INSTALL_LIBDIR=lib \
+ -D_KDE4_DEFAULT_HOME_POSTFIX=4 \
+ -DBUILD_TESTING=OFF
+ make
+}
+
+package() {
+ cd build
+ make DESTDIR="${pkgdir}" install
+}
Copied: kcoreaddons/repos/extra-x86_64/CVE-2016-7966.patch (from rev 277860, kcoreaddons/trunk/CVE-2016-7966.patch)
===================================================================
--- extra-x86_64/CVE-2016-7966.patch (rev 0)
+++ extra-x86_64/CVE-2016-7966.patch 2016-10-07 06:19:25 UTC (rev 277861)
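Review bot: In the new extra-i686/PKGBUILD the `source` array still fetches the tarball over plain `http://`, and both the tarball and the security patch are pinned only by `md5sums`, which is weak integrity protection for a security rebuild. Switch the URL to `https://download.kde.org/stable/frameworks/${pkgver%.*}/${pkgname}-${pkgver}.tar.xz` and add a stronger checksum array such as `sha256sums=('<sha256-of-tarball>' '<sha256-of-patch>')`, with the values generated by `makepkg -g` rather than typed by hand. The extra-x86_64 copy of this PKGBUILD is identical and needs the same change.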
@@ -0,0 +1,71 @@
+diff --git a/autotests/kjobtest.cpp b/autotests/kjobtest.cpp
+index 88be4ac..139b9be 100644
+--- a/autotests/kjobtest.cpp
++++ b/autotests/kjobtest.cpp
+@@ -276,6 +276,7 @@ void KJobTest::testDelegateUsage()
+ TestJob *job1 = new TestJob;
+ TestJob *job2 = new TestJob;
+ TestJobUiDelegate *delegate = new TestJobUiDelegate;
++ QPointer<TestJobUiDelegate> guard(delegate);
+
+ QVERIFY(job1->uiDelegate() == 0);
+ job1->setUiDelegate(delegate);
+@@ -284,6 +285,10 @@ void KJobTest::testDelegateUsage()
+ QVERIFY(job2->uiDelegate() == 0);
+ job2->setUiDelegate(delegate);
+ QVERIFY(job2->uiDelegate() == 0);
++
++ delete job1;
++ delete job2;
++ QVERIFY(guard.isNull()); // deleted by job1
+ }
+
+ void KJobTest::testNestedExec()
+diff --git a/autotests/ktexttohtmltest.cpp b/autotests/ktexttohtmltest.cpp
+index 474f0ca..c5690e8 100644
+--- a/autotests/ktexttohtmltest.cpp
++++ b/autotests/ktexttohtmltest.cpp
+@@ -30,6 +30,15 @@ QTEST_MAIN(KTextToHTMLTest)
+
+ Q_DECLARE_METATYPE(KTextToHTML::Options)
+
++#ifndef Q_OS_WIN
++void initLocale()
++{
++ setenv("LC_ALL", "en_US.utf-8", 1);
++}
++Q_CONSTRUCTOR_FUNCTION(initLocale)
++#endif
++
++
+ void KTextToHTMLTest::testGetEmailAddress()
+ {
+ // empty input
+@@ -372,6 +381,17 @@ void KTextToHTMLTest::testHtmlConvert_data()
+ QTest::newRow("url-in-parenthesis-3") << "bla (http://www.kde.org - section 5.2)"
+ << KTextToHTML::Options(KTextToHTML::PreserveSpaces)
+ << "bla (<a href=\"http://www.kde.org\">http://www.kde.org</a> - section 5.2)";
++
++ // Fix url as foo <<url> <url>> when we concatened them.
++ QTest::newRow("url-with-url") << "foo <http://www.kde.org/ <http://www.kde.org/>>"
++ << KTextToHTML::Options(KTextToHTML::PreserveSpaces)
++ << "foo <<a href=\"http://www.kde.org/ \">http://www.kde.org/ </a><<a href=\"http://www.kde.org/\">http://www.kde.org/</a>>>";
++
++ //Fix url exploit
++ QTest::newRow("url-exec-html") << "https://\"><!--"
++ << KTextToHTML::Options(KTextToHTML::PreserveSpaces)
++ << "https://\"><!--";
++
+ }
+
+
+diff --git a/autotests/kurlmimedatatest.cpp b/autotests/kurlmimedatatest.cpp
+index 5e55d9e..264879f 100644
+--- a/autotests/kurlmimedatatest.cpp
++++ b/autotests/kurlmimedatatest.cpp
+@@ -135,4 +135,5 @@ void KUrlMimeDataTest::testMostLocalUrlList()
+ QCOMPARE(qurls[i], static_cast<QUrl>(localUrls[i]));
+ }
+
++ delete mimeData;
+ }
Deleted: extra-x86_64/PKGBUILD
===================================================================
--- extra-x86_64/PKGBUILD 2016-10-07 06:18:57 UTC (rev 277860)
+++ extra-x86_64/PKGBUILD 2016-10-07 06:19:25 UTC (rev 277861)
@@ -1,36 +0,0 @@
-# $Id$
-# Maintainer: Felix Yan <felixonm...@archlinux.org>
-# Contributor: Andrea Scarpino <and...@archlinux.org>
-
-pkgname=kcoreaddons
-pkgver=5.26.0
-pkgrel=1
-pkgdesc='Addons to QtCore'
-arch=('i686' 'x86_64')
-url='https://community.kde.org/Frameworks'
-license=('LGPL')
-depends=('qt5-base' 'shared-mime-info')
-makedepends=('extra-cmake-modules' 'qt5-tools')
-groups=('kf5')
-source=("http://download.kde.org/stable/frameworks/${pkgver%.*}/${pkgname}-${pkgver}.tar.xz")
-md5sums=('263530a26fd0b80238827d2d97225e7b')
-
-prepare() {
- mkdir -p build
-}
-
-build() {
- cd build
- cmake ../${pkgname}-${pkgver} \
- -DCMAKE_BUILD_TYPE=Release \
- -DCMAKE_INSTALL_PREFIX=/usr \
- -DKDE_INSTALL_LIBDIR=lib \
- -D_KDE4_DEFAULT_HOME_POSTFIX=4 \
- -DBUILD_TESTING=OFF
- make
-}
-
-package() {
- cd build
- make DESTDIR="${pkgdir}" install
-}
Copied: kcoreaddons/repos/extra-x86_64/PKGBUILD (from rev 277860, kcoreaddons/trunk/PKGBUILD)
===================================================================
--- extra-x86_64/PKGBUILD (rev 0)
+++ extra-x86_64/PKGBUILD 2016-10-07 06:19:25 UTC (rev 277861)
@@ -0,0 +1,40 @@
+# $Id$
+# Maintainer: Felix Yan <felixonm...@archlinux.org>
+# Contributor: Andrea Scarpino <and...@archlinux.org>
+
+pkgname=kcoreaddons
+pkgver=5.26.0
+pkgrel=2
+pkgdesc='Addons to QtCore'
+arch=('i686' 'x86_64')
+url='https://community.kde.org/Frameworks'
+license=('LGPL')
+depends=('qt5-base' 'shared-mime-info')
+makedepends=('extra-cmake-modules' 'qt5-tools')
+groups=('kf5')
+source=("http://download.kde.org/stable/frameworks/${pkgver%.*}/${pkgname}-${pkgver}.tar.xz" CVE-2016-7966.patch)
+md5sums=('263530a26fd0b80238827d2d97225e7b'
+ '2078f5ef9f761df6f7701ba96c046125')
+
+prepare() {
+ mkdir -p build
+
+ cd $pkgname-$pkgver
+ patch -p1 -i ../CVE-2016-7966.patch # https://www.kde.org/info/security/advisory-20161006-1.txt
+}
+
+build() {
+ cd build
+ cmake ../${pkgname}-${pkgver} \
+ -DCMAKE_BUILD_TYPE=Release \
+ -DCMAKE_INSTALL_PREFIX=/usr \
+ -DKDE_INSTALL_LIBDIR=lib \
+ -D_KDE4_DEFAULT_HOME_POSTFIX=4 \
+ -DBUILD_TESTING=OFF
+ make
+}
+
+package() {
+ cd build
+ make DESTDIR="${pkgdir}" install
+}