Hey,

I have now backported the second part of the fix for the CVE. I updated the deb8u1 version from Scott. Should I create a deb8u2 for the additional patch?

I attached the up-to-date debdiff.

Regards,
sandro

On Thursday, 13 October 2016, 18:19:35 CEST, Moritz Mühlenhoff wrote:
> On Thu, Oct 13, 2016 at 12:15:01PM +0200, Sandro Knauß wrote:
> > Hey,
> >
> > The description
> > https://www.kde.org/info/security/advisory-20161006-1.txt does not describe
> > all patches that are needed to fix the CVE (at the moment).
> >
> > The additional patches are not part of KDE Frameworks 5.27, so they need
> > to be applied for KF 5.27:
> > 5e13d2439dbf540fdc840f0b0ab5b3ebf6642c6a (0004-Display-bad-url.patch)
> > a06cef31cc4c908bc9b76bd9d103fe9c60e0953f (0003-Add-more-autotests.patch)
> >
> > (the first two will be included in KF 5.27).
> >
> > The fixed version is 5.26.0-3 (sid only - already uploaded). I'll test if
> > we need these patches also for stable inside kdepimlibs.
>
> Ok, please let us know once you know more. Scott Kitterman has already sent
> an update for kdepimlibs (attached).
>
> Cheers,
> Moritz
diff -Nru kdepimlibs-4.14.2/debian/changelog kdepimlibs-4.14.2/debian/changelog --- kdepimlibs-4.14.2/debian/changelog 2014-11-17 04:38:20.000000000 +0100 +++ kdepimlibs-4.14.2/debian/changelog 2016-10-14 18:09:02.000000000 +0200 @@ -1,3 +1,21 @@ +kdepimlibs (4:4.14.2-2+deb8u1) jessie-security; urgency=high + + * Team upload. + [ Scott Kitterman ] + * CVE-2016-7966 KMail: HTML injection in plain text viewer (Closes: #840546) + - Avoid transforming as a url in plain text mode when there is a quote + - Add debian/patches/CVE-2016-7966.diff from upstream + + [ Sandro Knauß ] + * Additional patch to complete the fix for CVE-2016-7966 + - Replace all scary charactars (", <, > and &) with safe HTML + replacements. + - Backport commit kcoreaddons 5e13d2439dbf540fdc840f0b0ab5b3ebf6642c6a + in debian/patches/CVE-2016-7966_part2.diff + * Update symbols files. + + -- Sandro Knauß <he...@debian.org> Fri, 14 Oct 2016 18:09:02 +0200 + kdepimlibs (4:4.14.2-2) unstable; urgency=medium * Team upload. diff -Nru kdepimlibs-4.14.2/debian/libkpimutils4.symbols kdepimlibs-4.14.2/debian/libkpimutils4.symbols --- kdepimlibs-4.14.2/debian/libkpimutils4.symbols 2014-10-20 17:13:26.000000000 +0200 +++ kdepimlibs-4.14.2/debian/libkpimutils4.symbols 2016-10-14 18:09:02.000000000 +0200 
@@ -7,6 +7,7 @@ _ZN9KPIMUtils11LinkLocator15getEmailAddressEv@Base 4:4.3.4 _ZN9KPIMUtils11LinkLocator15highlightedTextEv@Base 4:4.3.4 _ZN9KPIMUtils11LinkLocator16setMaxAddressLenEi@Base 4:4.3.4 + _ZN9KPIMUtils11LinkLocator23getUrlAndCheckValidHrefEPb@Base 4:4.14.2-2+deb8u1 _ZN9KPIMUtils11LinkLocator6getUrlEv@Base 4:4.3.4 _ZN9KPIMUtils11LinkLocatorC1ERK7QStringi@Base 4:4.3.4 _ZN9KPIMUtils11LinkLocatorC2ERK7QStringi@Base 4:4.3.4 diff -Nru kdepimlibs-4.14.2/debian/patches/CVE-2016-7966.diff kdepimlibs-4.14.2/debian/patches/CVE-2016-7966.diff --- kdepimlibs-4.14.2/debian/patches/CVE-2016-7966.diff 1970-01-01 01:00:00.000000000 +0100 +++ kdepimlibs-4.14.2/debian/patches/CVE-2016-7966.diff 2016-10-14 16:59:11.000000000 +0200 
@@ -0,0 +1,89 @@ +From: Montel Laurent <mon...@kde.org> +Date: Fri, 30 Sep 2016 13:55:35 +0000 +Subject: Backport avoid to transform as a url when we have a quote +X-Git-Url: http://quickgit.kde.org/?p=kdepimlibs.git&a=commitdiff&h=176fee25ca79145ab5c8e2275d248f1a46a8d8cf +--- +Backport avoid to transform as a url when we have a quote +--- + + +--- a/kpimutils/linklocator.cpp ++++ b/kpimutils/linklocator.cpp +@@ -94,6 +94,12 @@ + } + + QString LinkLocator::getUrl() ++{ ++ return getUrlAndCheckValidHref(); ++} ++ ++ ++QString LinkLocator::getUrlAndCheckValidHref(bool *badurl) + { + QString url; + if ( atUrl() ) { +@@ -129,13 +135,26 @@ + + url.reserve( maxUrlLen() ); // avoid allocs + int start = mPos; ++ bool previousCharIsADoubleQuote = false; + while ( ( mPos < (int)mText.length() ) && + ( mText[mPos].isPrint() || mText[mPos].isSpace() ) && + ( ( afterUrl.isNull() && !mText[mPos].isSpace() ) || + ( !afterUrl.isNull() && mText[mPos] != afterUrl ) ) ) { + if ( !mText[mPos].isSpace() ) { // skip whitespace +- url.append( mText[mPos] ); +- if ( url.length() > maxUrlLen() ) { ++ if (mText[mPos] == QLatin1Char('>') && previousCharIsADoubleQuote) { ++ //it's an invalid url ++ if (badurl) { ++ *badurl = true; ++ } ++ return QString(); ++ } ++ if (mText[mPos] == QLatin1Char('"')) { ++ previousCharIsADoubleQuote = true; ++ } else { ++ previousCharIsADoubleQuote = false; ++ } ++ url.append( mText[mPos] ); ++ if ( url.length() > maxUrlLen() ) { + break; + } + } +@@ -367,7 +386,12 @@ + } else { + const int start = locator.mPos; + if ( !( flags & IgnoreUrls ) ) { +- str = locator.getUrl(); ++ bool badUrl = false; ++ str = locator.getUrlAndCheckValidHref(&badUrl); ++ if (badUrl) { ++ return locator.mText; ++ } ++ + if ( !str.isEmpty() ) { + QString hyperlink; + if ( str.left( 4 ) == QLatin1String("www.") ) { + +--- a/kpimutils/linklocator.h ++++ b/kpimutils/linklocator.h +@@ -107,6 +107,7 @@ + @return The URL at the current scan position, or an empty string. 
+ */ + QString getUrl(); ++ QString getUrlAndCheckValidHref(bool *badurl = 0); + + /** + Attempts to grab an email address. If there is an @ symbol at the +@@ -155,7 +156,7 @@ + */ + static QString pngToDataUrl( const QString & iconPath ); + +- protected: ++protected: + /** + The plaintext string being scanned for URLs and email addresses. + */ + + diff -Nru kdepimlibs-4.14.2/debian/patches/CVE-2016-7966_part2.diff kdepimlibs-4.14.2/debian/patches/CVE-2016-7966_part2.diff --- kdepimlibs-4.14.2/debian/patches/CVE-2016-7966_part2.diff 1970-01-01 01:00:00.000000000 +0100 +++ kdepimlibs-4.14.2/debian/patches/CVE-2016-7966_part2.diff 2016-10-14 17:11:34.000000000 +0200 @@ -0,0 +1,27 @@ +--- a/kpimutils/linklocator.cpp ++++ b/kpimutils/linklocator.cpp +@@ -389,7 +389,23 @@ QString LinkLocator::convertToHtml( cons + bool badUrl = false; + str = locator.getUrlAndCheckValidHref(&badUrl); + if (badUrl) { +- return locator.mText; ++ QString resultBadUrl; ++ const int helperTextSize(locator.mText.count()); ++ for (int i = 0; i < helperTextSize; ++i) { ++ const QChar chBadUrl = locator.mText[i]; ++ if (chBadUrl == QLatin1Char('&')) { ++ resultBadUrl += QLatin1String("&"); ++ } else if (chBadUrl == QLatin1Char('"')) { ++ resultBadUrl += QLatin1String("""); ++ } else if (chBadUrl == QLatin1Char('<')) { ++ resultBadUrl += QLatin1String("<"); ++ } else if (chBadUrl == QLatin1Char('>')) { ++ resultBadUrl += QLatin1String(">"); ++ } else { ++ resultBadUrl += chBadUrl; ++ } ++ } ++ return resultBadUrl; + } + + if ( !str.isEmpty() ) { diff -Nru kdepimlibs-4.14.2/debian/patches/series kdepimlibs-4.14.2/debian/patches/series --- kdepimlibs-4.14.2/debian/patches/series 2014-11-17 04:40:13.000000000 +0100 +++ kdepimlibs-4.14.2/debian/patches/series 2016-10-14 17:08:07.000000000 +0200 @@ -1,3 +1,5 @@ add_soname_to_xsd_file sslv2_disabled.patch tlscancelled.patch +CVE-2016-7966.diff +CVE-2016-7966_part2.diff
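Review bot: typo in the debian/changelog hunk: "scary charactars" should read "scary characters". The same stanza is filed as 4:4.14.2-2+deb8u1 while the covering mail asks whether the additional patch should become deb8u2; if Scott's deb8u1 has not been uploaded yet, a single combined deb8u1 entry is fine, otherwise the part2 patch and the symbols update need their own deb8u2 stanza so the version history in the archive stays truthful.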
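Review bot: in the `convertToHtml` hunk of CVE-2016-7966.diff, `return locator.mText;` on the `badUrl` path hands the raw plaintext back to a caller that treats the result as HTML, so the `"` and `>` that triggered the bad-URL detection still reach the viewer unescaped; the first patch on its own therefore does not close the injection and must not ship without CVE-2016-7966_part2.diff, which replaces exactly that line (debian/patches/series lists both, in the correct order). Also note the `previousCharIsADoubleQuote` flag is only updated for non-space characters, so the check is about a `>` that follows a `"` with whitespace possibly in between when `afterUrl` is set; worth a comment in the patch header so a later reader does not take it for a bug.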
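Review bot: in the linklocator.h hunk the `- protected:` / `+protected:` change is indentation-only and unrelated to the fix; it is harmless since this is a verbatim backport of the upstream commit, but it widens the diff to review and could be dropped from the Debian patch without changing behaviour. The new public member `getUrlAndCheckValidHref(bool *badurl = 0)` is correctly reflected in libkpimutils4.symbols with the `4:4.14.2-2+deb8u1` version.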
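Review bot: in the CVE-2016-7966_part2.diff hunk the replacement literals in the `else if` chain appear as the very character they are meant to replace (`QLatin1String("&")` for `&`, `QLatin1String("<")` for `<`, `QLatin1String(">")` for `>`, and a plain `"` for `"`); taken literally the loop would be a no-op and the raw characters would still land in the HTML output. This looks like HTML entity decoding in the copy of the diff shown here, so confirm that the patch as applied carries the entity strings `&amp;`, `&quot;`, `&lt;` and `&gt;`, and consider backporting the upstream autotests mentioned in the thread (a06cef31cc4c908bc9b76bd9d103fe9c60e0953f, 0003-Add-more-autotests.patch) so the escaping is exercised at build time rather than trusted by inspection.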