Hello community,

here is the log from the commit of package arianna for openSUSE:Factory checked 
in at 2026-04-29 19:20:28
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/arianna (Old)
 and      /work/SRC/openSUSE:Factory/.arianna.new.30200 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "arianna"

Wed Apr 29 19:20:28 2026 rev:38 rq:1349976 version:26.04.0

Changes:
--------
--- /work/SRC/openSUSE:Factory/arianna/arianna.changes  2026-04-17 
21:50:39.820504300 +0200
+++ /work/SRC/openSUSE:Factory/.arianna.new.30200/arianna.changes       
2026-04-29 19:22:02.723405500 +0200
@@ -1,0 +2,7 @@
+Wed Apr 29 11:25:18 UTC 2026 - Christophe Marin <[email protected]>
+
+- Add upstream changes (CVE-2026-42095, boo#1262800)
+  * 0001-bookserver-Use-qrc-as-access-control-protocol.patch
+  * 0002-bookserver-Add-authentication-token.patch
+
+-------------------------------------------------------------------

New:
----
  0001-bookserver-Use-qrc-as-access-control-protocol.patch
  0002-bookserver-Add-authentication-token.patch

----------(New B)----------
  New:- Add upstream changes (CVE-2026-42095, boo#1262800)
  * 0001-bookserver-Use-qrc-as-access-control-protocol.patch
  * 0002-bookserver-Add-authentication-token.patch
  New:  * 0001-bookserver-Use-qrc-as-access-control-protocol.patch
  * 0002-bookserver-Add-authentication-token.patch
----------(New E)----------

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ arianna.spec ++++++
--- /var/tmp/diff_new_pack.9tW0Fo/_old  2026-04-29 19:22:04.871493421 +0200
+++ /var/tmp/diff_new_pack.9tW0Fo/_new  2026-04-29 19:22:04.891494240 +0200
@@ -31,6 +31,9 @@
 Source1:        
https://download.kde.org/stable/release-service/%{version}/src/%{name}-%{version}.tar.xz.sig
 Source2:        applications.keyring
 %endif
+# PATCH-FIX-UPSTREAM -- CVE-2026-42095
+Patch0:         0001-bookserver-Use-qrc-as-access-control-protocol.patch
+Patch1:         0002-bookserver-Add-authentication-token.patch
 BuildRequires:  cmake(KF6Archive) >= %{kf6_version}
 BuildRequires:  cmake(KF6Baloo) >= %{kf6_version}
 BuildRequires:  cmake(KF6ColorScheme) >= %{kf6_version}
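Review bot: The single `# PATCH-FIX-UPSTREAM -- CVE-2026-42095` comment covers only `Patch0` by position, while `Patch1` is part of the same fix; openSUSE's patch-comment convention is one tag line per patch naming the file and the reference, e.g. `# PATCH-FIX-UPSTREAM 0001-bookserver-Use-qrc-as-access-control-protocol.patch -- CVE-2026-42095 boo#1262800` above Patch0 and `# PATCH-FIX-UPSTREAM 0002-bookserver-Add-authentication-token.patch -- CVE-2026-42095 boo#1262800` above Patch1. The bug reference is in the changes file but not here, so a reader of the spec alone cannot find the tracking entry. The `%prep` section that applies these patches is outside the hunk; if it is not `%autosetup -p1`, the new patches still need their `%patch` lines.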

++++++ 0001-bookserver-Use-qrc-as-access-control-protocol.patch ++++++
>From 485851d25de279a9d2711d3780443530e9851300 Mon Sep 17 00:00:00 2001
From: Carl Schwan <[email protected]>
Date: Fri, 24 Apr 2026 14:39:57 +0200
Subject: [PATCH 1/2] bookserver: Use qrc: as access control protocol

---
 src/bookserver.cpp | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

diff --git a/src/bookserver.cpp b/src/bookserver.cpp
index 4167a16..2bc74cb 100644
--- a/src/bookserver.cpp
+++ b/src/bookserver.cpp
@@ -23,21 +23,23 @@ BookServer::BookServer()
     });
 
 #if QT_VERSION >= QT_VERSION_CHECK(6, 8, 0)
-    server.addAfterRequestHandler(&server, [](const QHttpServerRequest &, 
QHttpServerResponse &resp) {
-        auto headers = resp.headers();
-        headers.append("Access-Control-Allow-Origin", "*");
-        resp.setHeaders(headers);
+    server.addAfterRequestHandler(&server, [](const QHttpServerRequest 
&request, QHttpServerResponse &resp) {
+        if (request.value("Origin") == "qrc:") {
+            auto headers = resp.headers();
+            headers.append("Access-Control-Allow-Origin", "qrc:");
+            resp.setHeaders(headers);
+        }
     });
 #else
     server.afterRequest([](QHttpServerResponse &&resp) {
-        resp.setHeader("Access-Control-Allow-Origin", "*");
+        resp.setHeader("Access-Control-Allow-Origin", "qrc:");
         return std::move(resp);
     });
 #endif
 
 #if QT_VERSION >= QT_VERSION_CHECK(6, 8, 0)
     auto tcpserver = std::make_unique<QTcpServer>();
-    if (!tcpserver->listen(QHostAddress::Any, 45961) || 
!server.bind(tcpserver.get())) {
+    if (!tcpserver->listen(QHostAddress::LocalHost, 45961) || 
!server.bind(tcpserver.get())) {
         qWarning() << "Server failed to listen on a port.";
         return;
     }
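Review bot: The Qt 6.8+ branch only emits `Access-Control-Allow-Origin` when `request.value("Origin")` equals the literal `qrc:`, while the pre-6.8 branch at `resp.setHeader("Access-Control-Allow-Origin", "qrc:")` sets it unconditionally; the effect is equivalent, since a specific origin is useless to any other origin, but the asymmetry reads like an oversight and deserves a comment such as `// afterRequest() gives no access to the request before 6.8, so the fixed qrc: origin is set unconditionally.`. Whether the equality holds depends on how the embedding web view serializes the origin of qrc-scheme documents (it must be exactly `qrc:`, not `qrc://` or `null`); that assumption is not visible here and is worth stating in a comment next to the check, because a mismatch fails silently as a CORS error in the viewer. Note that CORS is enforced only by browser-context clients, so the loopback bind on `QHostAddress::LocalHost` still leaves the endpoint reachable by any local process; that gap is what the second patch's token closes. The `BookServer::BookServer()` constructor begins before this hunk.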
@@ -45,7 +47,7 @@ BookServer::BookServer()
     auto s = tcpserver.release();
     Q_UNUSED(s);
 #else
-    const auto port = server.listen(QHostAddress::Any, 45961);
+    const auto port = server.listen(QHostAddress::LocalHost, 45961);
     if (!port) {
         qWarning() << "Server failed to listen on a port.";
         return;
-- 
2.53.0


++++++ 0002-bookserver-Add-authentication-token.patch ++++++
>From 3cd56fce103ab62887c5592827d78a1197cd926a Mon Sep 17 00:00:00 2001
From: Carl Schwan <[email protected]>
Date: Fri, 24 Apr 2026 14:41:45 +0200
Subject: [PATCH 2/2] bookserver: Add authentication token

---
 src/bookserver.cpp         | 7 +++++--
 src/bookserver.h           | 3 ++-
 src/main.cpp               | 4 ++--
 src/navigation.cpp         | 8 ++++++++
 src/navigation.h           | 8 ++++++++
 src/qml/EpubViewerPage.qml | 2 +-
 6 files changed, 26 insertions(+), 6 deletions(-)

diff --git a/src/bookserver.cpp b/src/bookserver.cpp
index 2bc74cb..014b4ed 100644
--- a/src/bookserver.cpp
+++ b/src/bookserver.cpp
@@ -8,9 +8,12 @@ using namespace Qt::StringLiterals;
 #include <QFileInfo>
 #include <QTcpServer>
 
-BookServer::BookServer()
+BookServer::BookServer(const QString &token)
 {
-    server.route(u"/book"_s, [](const QHttpServerRequest &request) {
+    server.route(u"/book"_s, [token](const QHttpServerRequest &request) {
+        if (request.query().queryItemValue(u"token"_s) != token) {
+            return 
QHttpServerResponse{QHttpServerResponder::StatusCode::Unauthorized};
+        }
         // + is an standing for %20
         // fromPercentEncoded doesn't handle it but it needs to come first
         // otherwise we end up with %2B -> + -> ' ' which won't be the correct 
path
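Review bot: `request.query().queryItemValue(u"token"_s) != token` is an ordinary short-circuiting string comparison, so response time varies with the length of the matching prefix; on a loopback-only server with a 128-bit random token this is a low practical risk, but it should at least be a conscious decision recorded in a comment, e.g. `// NOTE: non-constant-time compare; acceptable for a per-process random token on loopback.`. If the project wants to remove the timing dependence without new dependencies, comparing fixed-length digests of both values (`QCryptographicHash::hash(...)` on each side) is the usual Qt idiom. Capturing `token` by value is correct, since the constructor parameter is a reference to a caller-owned string. The `/book` route lambda continues past this hunk, so the type of its remaining `return` statements must match the `QHttpServerResponse` returned here for lambda return-type deduction to succeed.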
diff --git a/src/bookserver.h b/src/bookserver.h
index 0eb4e9d..9c97e70 100644
--- a/src/bookserver.h
+++ b/src/bookserver.h
@@ -5,11 +5,12 @@
 
 #include <QHttpServer>
 #include <QHttpServerResponse>
+#include <QString>
 
 class BookServer
 {
 public:
-    BookServer();
+    explicit BookServer(const QString &token);
 
 private:
     QHttpServer server;
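Review bot: The new `explicit BookServer(const QString &token);` declaration has no documentation of what `token` is, even though it is the whole security contract of the class; add a doc comment stating that it is the shared secret every `/book` request must present as the `token` query item, and that requests with a missing or different value are answered with 401 Unauthorized. Marking the constructor `explicit` is the right call for a single-argument constructor taking a string.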
diff --git a/src/main.cpp b/src/main.cpp
index 3500fcb..2ca1b8a 100644
--- a/src/main.cpp
+++ b/src/main.cpp
@@ -83,8 +83,6 @@ int main(int argc, char *argv[])
     parser.process(app);
     about.processCommandLine(&parser);
 
-    BookServer bookServer;
-
     engine.loadFromModule("org.kde.arianna", "Main");
     if (engine.rootObjects().isEmpty()) {
         return -1;
@@ -92,6 +90,8 @@ int main(int argc, char *argv[])
 
     auto navigation = engine.singletonInstance<Navigation 
*>("org.kde.arianna", "Navigation");
 
+    BookServer bookServer(navigation->bookServerToken());
+
     QObject::connect(&service,
                      &KDBusService::activateRequested,
                      &engine,
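Review bot: `BookServer bookServer(navigation->bookServerToken());` dereferences `navigation` without a check, and `QQmlApplicationEngine::singletonInstance` returns `nullptr` when the singleton cannot be resolved; before this change the object was obtained but not dereferenced at this point, so the null path is new. A guard such as `if (!navigation) { qWarning() << "Navigation singleton unavailable"; return -1; }` before the construction keeps a registration failure from becoming a crash. Moving the server construction after `engine.loadFromModule` also means the HTTP listener starts only after the QML root objects exist; that appears fine as long as no page requests `/book` during initial load, which cannot be confirmed from this hunk. The enclosing `main` continues outside the hunk.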
diff --git a/src/navigation.cpp b/src/navigation.cpp
index e6acdd3..166ecbb 100644
--- a/src/navigation.cpp
+++ b/src/navigation.cpp
@@ -3,9 +3,17 @@
 
 #include "navigation.h"
 
+#include <QUuid>
+
 Navigation::Navigation(QObject *parent)
     : QObject(parent)
+    , m_bookServerToken(QUuid::createUuid().toString(QUuid::WithoutBraces))
+{
+}
+
+QString Navigation::bookServerToken() const
 {
+    return m_bookServerToken;
 }
 
 #include "moc_navigation.cpp"
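Review bot: `m_bookServerToken(QUuid::createUuid().toString(QUuid::WithoutBraces))` turns a UUID into a bearer secret, and nothing in the code marks it as such; a reader may later "optimize" it into a deterministic or persisted identifier. Add a comment on the initializer, e.g. `// Per-process secret gating the local book server; must stay unpredictable, never persist or log it.`. In current Qt, `createUuid()` draws from the system random generator, which is adequate for this purpose, but that property is worth naming in the comment since the class otherwise reads as plain navigation state.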
diff --git a/src/navigation.h b/src/navigation.h
index f18d4f5..0a5dcfe 100644
--- a/src/navigation.h
+++ b/src/navigation.h
@@ -4,6 +4,7 @@
 #pragma once
 
 #include <QObject>
+#include <QString>
 #include <qqmlintegration.h>
 
 #include "categoryentriesmodel.h"
@@ -14,13 +15,20 @@ class Navigation : public QObject
     QML_SINGLETON
     QML_ELEMENT
 
+    Q_PROPERTY(QString bookServerToken READ bookServerToken CONSTANT)
+
 public:
     explicit Navigation(QObject *parent = nullptr);
 
+    QString bookServerToken() const;
+
 Q_SIGNALS:
     void openBook(const QString &fileName, const QString &locations, const 
QString &currentLocation, const BookEntry &entry);
 
     void openLibrary(const QString &title, CategoryEntriesModel *model, bool 
replace);
 
     void openSettings();
+
+private:
+    QString m_bookServerToken;
 };
diff --git a/src/qml/EpubViewerPage.qml b/src/qml/EpubViewerPage.qml
index 343ff64..eb2d89b 100644
--- a/src/qml/EpubViewerPage.qml
+++ b/src/qml/EpubViewerPage.qml
@@ -53,7 +53,7 @@ Kirigami.Page {
         // HACK: renderTo and options are the value of layouts.auto, but 
referencing layouts.auto here crashes
         const renderTo = "'viewer'";
         const options = JSON.stringify({ width: '100%', flow: 'paginated', 
maxSpreadColumns: 2 });
-        const urlNormalized = 
JSON.stringify('http://127.0.0.1:45961/book?url=' + 
encodeURIComponent(root.url));
+        const urlNormalized = 
JSON.stringify('http://127.0.0.1:45961/book?token=' + 
Navigation.bookServerToken + '&url=' + encodeURIComponent(root.url));
         const initCfi = currentLocation ? JSON.stringify(currentLocation) : 
"null";
         console.info("opening book", root.url, " to ", initCfi);
         view.runJavaScript(`openSync(${urlNormalized}, ${initCfi})`);
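Review bot: `Navigation.bookServerToken` is concatenated into the query string raw while `root.url` goes through `encodeURIComponent`; the token is a brace-less UUID today, so it is URL-safe, but `'&token=' + encodeURIComponent(Navigation.bookServerToken)` would keep the URL well-formed if the token format ever changes. Carrying the secret in the URL also means it shows up wherever request URLs are logged or inspected (developer tools, any request logging on the server side); for a per-process loopback token that is acceptable, and moving it to a request header would require a matching change on the server side. The enclosing `Kirigami.Page` block starts and ends outside this hunk.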
-- 
2.53.0
