Hi,

now I'm fully confused - you said on IRC I should better create a deb8u2 on top. Well, I have now created the debdiff for a deb8u2.
So you can decide what is the best way for the sec team and what version should be uploaded where.

Best Regards,

sandro

--
On Friday, 14 October 2016, 21:50:18 CEST, Salvatore Bonaccorso wrote:
> Hi,
>
> Just an additional comment on the debdiff:
>
> On Fri, Oct 14, 2016 at 08:23:04PM +0200, Sandro Knauß wrote:
> > Hey,
> >
> > I now backported the second part of the fix of the CVE. I updated the
> > version deb8u1 from Scott. Should I create a deb8u2 for the additional
> > patch?
>
> Please note, to build the attached debdiff instead as +deb8u2 on top
> of the +deb8u1 already present on security-master and just
> incorporate the additional changes needed.
>
> Regards and thanks for your work!
>
> Salvatore

diff -Nru kdepimlibs-4.14.2/debian/changelog kdepimlibs-4.14.2/debian/changelog --- kdepimlibs-4.14.2/debian/changelog 2016-10-12 18:20:26.000000000 +0200 +++ kdepimlibs-4.14.2/debian/changelog 2016-10-14 21:33:53.000000000 +0200 @@ -1,3 +1,14 @@ +kdepimlibs (4:4.14.2-2+deb8u2) jessie-security; urgency=high + + * Team upload. + * Additional patch to complete the fix for CVE-2016-7966 + - Replace all scary charactars (", <, > and &) with safe HTML + replacements. + - Backport commit kcoreaddons 5e13d2439dbf540fdc840f0b0ab5b3ebf6642c6a + in debian/patches/CVE-2016-7966_part2.diff + + -- Sandro Knauß <he...@debian.org> Fri, 14 Oct 2016 21:33:53 +0200 + kdepimlibs (4:4.14.2-2+deb8u1) jessie-security; urgency=high * Team upload. diff -Nru kdepimlibs-4.14.2/debian/patches/CVE-2016-7966_part2.diff kdepimlibs-4.14.2/debian/patches/CVE-2016-7966_part2.diff --- kdepimlibs-4.14.2/debian/patches/CVE-2016-7966_part2.diff 1970-01-01 01:00:00.000000000 +0100 +++ kdepimlibs-4.14.2/debian/patches/CVE-2016-7966_part2.diff 2016-10-14 21:33:14.000000000 +0200 
@@ -0,0 +1,27 @@ +--- a/kpimutils/linklocator.cpp ++++ b/kpimutils/linklocator.cpp +@@ -389,7 +389,23 @@ QString LinkLocator::convertToHtml( cons + bool badUrl = false; + str = locator.getUrlAndCheckValidHref(&badUrl); + if (badUrl) { +- return locator.mText; ++ QString resultBadUrl; ++ const int helperTextSize(locator.mText.count()); ++ for (int i = 0; i < helperTextSize; ++i) { ++ const QChar chBadUrl = locator.mText[i]; ++ if (chBadUrl == QLatin1Char('&')) { ++ resultBadUrl += QLatin1String("&"); ++ } else if (chBadUrl == QLatin1Char('"')) { ++ resultBadUrl += QLatin1String("""); ++ } else if (chBadUrl == QLatin1Char('<')) { ++ resultBadUrl += QLatin1String("<"); ++ } else if (chBadUrl == QLatin1Char('>')) { ++ resultBadUrl += QLatin1String(">"); ++ } else { ++ resultBadUrl += chBadUrl; ++ } ++ } ++ return resultBadUrl; + } + + if ( !str.isEmpty() ) { diff -Nru kdepimlibs-4.14.2/debian/patches/series kdepimlibs-4.14.2/debian/patches/series --- kdepimlibs-4.14.2/debian/patches/series 2016-10-12 18:20:26.000000000 +0200 +++ kdepimlibs-4.14.2/debian/patches/series 2016-10-14 21:33:14.000000000 +0200 @@ -2,3 +2,4 @@ sslv2_disabled.patch tlscancelled.patch CVE-2016-7966.diff +CVE-2016-7966_part2.diff
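
Review bot: in the debian/changelog hunk, the new 4:4.14.2-2+deb8u2 entry has a typo ("charactars" should be "characters"), and it cites the origin as "commit kcoreaddons 5e13d2439dbf540fdc840f0b0ab5b3ebf6642c6a" while the patch it adds modifies kpimutils/linklocator.cpp. Suggest saying in the entry that the kcoreaddons change was adapted to the kpimutils copy of LinkLocator, so a later reader can match the backport to its upstream source without guessing.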
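
Review bot: in the badUrl branch added to LinkLocator::convertToHtml (debian/patches/CVE-2016-7966_part2.diff), the replacement literals as they appear in this mail are the raw characters themselves, for example `resultBadUrl += QLatin1String("&");` and `resultBadUrl += QLatin1String("<");`, and `QLatin1String(""")` is not a valid string literal. The changelog describes these as safe HTML replacements, so please confirm that the patch file in the package carries the entity forms (`&amp;`, `&quot;`, `&lt;`, `&gt;`) and that what is shown here is only how the archive rendered them; as displayed, the loop would return locator.mText unchanged, which is the behaviour the patch removes. Two smaller points on the same hunk: the single quote is passed through unescaped, which is worth a comment stating that the returned text is never placed inside a single-quoted attribute, and the new patch file starts directly at `--- a/kpimutils/linklocator.cpp` with no description or origin header, so the upstream commit reference lives only in the changelog.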