On Thu, Oct 13, 2016 at 12:15:01PM +0200, Sandro Knauß wrote:
> Hey,
>
> The description
> https://www.kde.org/info/security/advisory-20161006-1.txt do not describe all
> patches that are needed to fix the CVE (at the moment).
>
> The additional patches are not part of KDE Frameworks 5.27, so they need to
> be
> applied for KF 5.27:
> 5e13d2439dbf540fdc840f0b0ab5b3ebf6642c6a (0004-Display-bad-url.patch)
> a06cef31cc4c908bc9b76bd9d103fe9c60e0953f (0003-Add-more-autotests.patch)
>
> (the first two will be included in KF 5.27).
>
> The fixed version is 5.26.0-3 (sid only - already uploaded). I'll test if we
> need these patches also for stable inside kdepimlibs.
Ok, please let us know once you know more. Scott Kitterman has already sent an
update for kdepimlibs (attached).
Cheers,
Moritz
diff -Nru kdepimlibs-4.14.2/debian/changelog kdepimlibs-4.14.2/debian/changelog
--- kdepimlibs-4.14.2/debian/changelog 2014-11-16 22:38:20.000000000 -0500
+++ kdepimlibs-4.14.2/debian/changelog 2016-10-12 12:21:04.000000000 -0400
@@ -1,3 +1,12 @@
+kdepimlibs (4:4.14.2-2+deb8u1) jessie-security; urgency=high
+
+ * Team upload.
+ * CVE-2016-7966 KMail: HTML injection in plain text viewer (Closes: #840546)
+ - Avoid transforming as a url in plain text mode when there is a quote
+ - Add debian/patches/CVE-2016-7966.diff from upstream
+
+ -- Scott Kitterman <sc...@kitterman.com> Wed, 12 Oct 2016 12:20:26 -0400
+
kdepimlibs (4:4.14.2-2) unstable; urgency=medium
* Team upload.
diff -Nru kdepimlibs-4.14.2/debian/patches/CVE-2016-7966.diff
kdepimlibs-4.14.2/debian/patches/CVE-2016-7966.diff
--- kdepimlibs-4.14.2/debian/patches/CVE-2016-7966.diff 1969-12-31
19:00:00.000000000 -0500
+++ kdepimlibs-4.14.2/debian/patches/CVE-2016-7966.diff 2016-10-12
11:45:54.000000000 -0400
@@ -0,0 +1,89 @@
+From: Montel Laurent <mon...@kde.org>
+Date: Fri, 30 Sep 2016 13:55:35 +0000
+Subject: Backport avoid to transform as a url when we have a quote
+X-Git-Url:
http://quickgit.kde.org/?p=kdepimlibs.git&a=commitdiff&h=176fee25ca79145ab5c8e2275d248f1a46a8d8cf
+---
+Backport avoid to transform as a url when we have a quote
+---
+
+
+--- a/kpimutils/linklocator.cpp
++++ b/kpimutils/linklocator.cpp
+@@ -94,6 +94,12 @@
+ }
+
+ QString LinkLocator::getUrl()
++{
++ return getUrlAndCheckValidHref();
++}
++
++
++QString LinkLocator::getUrlAndCheckValidHref(bool *badurl)
+ {
+ QString url;
+ if ( atUrl() ) {
+@@ -129,13 +135,26 @@
+
+ url.reserve( maxUrlLen() ); // avoid allocs
+ int start = mPos;
++ bool previousCharIsADoubleQuote = false;
+ while ( ( mPos < (int)mText.length() ) &&
+ ( mText[mPos].isPrint() || mText[mPos].isSpace() ) &&
+ ( ( afterUrl.isNull() && !mText[mPos].isSpace() ) ||
+ ( !afterUrl.isNull() && mText[mPos] != afterUrl ) ) ) {
+ if ( !mText[mPos].isSpace() ) { // skip whitespace
+- url.append( mText[mPos] );
+- if ( url.length() > maxUrlLen() ) {
++ if (mText[mPos] == QLatin1Char('>') && previousCharIsADoubleQuote) {
++ //it's an invalid url
++ if (badurl) {
++ *badurl = true;
++ }
++ return QString();
++ }
++ if (mText[mPos] == QLatin1Char('"')) {
++ previousCharIsADoubleQuote = true;
++ } else {
++ previousCharIsADoubleQuote = false;
++ }
++ url.append( mText[mPos] );
++ if ( url.length() > maxUrlLen() ) {
+ break;
+ }
+ }
+@@ -367,7 +386,12 @@
+ } else {
+ const int start = locator.mPos;
+ if ( !( flags & IgnoreUrls ) ) {
+- str = locator.getUrl();
++ bool badUrl = false;
++ str = locator.getUrlAndCheckValidHref(&badUrl);
++ if (badUrl) {
++ return locator.mText;
++ }
++
+ if ( !str.isEmpty() ) {
+ QString hyperlink;
+ if ( str.left( 4 ) == QLatin1String("www.") ) {
+
+--- a/kpimutils/linklocator.h
++++ b/kpimutils/linklocator.h
+@@ -107,6 +107,7 @@
+ @return The URL at the current scan position, or an empty string.
+ */
+ QString getUrl();
++ QString getUrlAndCheckValidHref(bool *badurl = 0);
+
+ /**
+ Attempts to grab an email address. If there is an @ symbol at the
+@@ -155,7 +156,7 @@
+ */
+ static QString pngToDataUrl( const QString & iconPath );
+
+- protected:
++protected:
+ /**
+ The plaintext string being scanned for URLs and email addresses.
+ */
+
+
diff -Nru kdepimlibs-4.14.2/debian/patches/series
kdepimlibs-4.14.2/debian/patches/series
--- kdepimlibs-4.14.2/debian/patches/series 2014-11-16 22:40:13.000000000
-0500
+++ kdepimlibs-4.14.2/debian/patches/series 2016-10-12 11:46:32.000000000
-0400
@@ -1,3 +1,4 @@
add_soname_to_xsd_file
sslv2_disabled.patch
tlscancelled.patch
+CVE-2016-7966.diff
--
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-kde-talk
