Bug#832492: dolphin: depends on baloo-kf5

2016-07-25 Thread HJ
Package: dolphin
Version: 4:16.04.2-2
Severity: normal

Dear Maintainer,

the dolphin internal find won't work if there is no package baloo-kf5
installed.



-- System Information:
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages dolphin depends on:
ii  libc6  2.23-2
ii  libdolphinvcs5  4:16.04.2-2
ii  libkf5baloo5  5.23.0-1
ii  libkf5baloowidgets5  16.04.0-1
ii  libkf5bookmarks5  5.23.0-1
ii  libkf5codecs5  5.23.0-1
ii  libkf5completion5  5.23.0-1
ii  libkf5configcore5  5.23.0-1
ii  libkf5configgui5  5.23.0-1
ii  libkf5configwidgets5  5.23.0-1
ii  libkf5coreaddons5  5.23.0-1
ii  libkf5crash5  5.23.0-1
ii  libkf5dbusaddons5  5.23.0-1
ii  libkf5filemetadata3  5.23.0-1
ii  libkf5i18n5  5.23.0-1
ii  libkf5iconthemes5  5.23.0-1
ii  libkf5itemviews5  5.23.0-1
ii  libkf5jobwidgets5  5.23.0-1
ii  libkf5kcmutils5  5.23.0-1
ii  libkf5kiocore5  5.23.0-1
ii  libkf5kiofilewidgets5  5.23.0-1
ii  libkf5kiowidgets5  5.23.0-1
ii  libkf5newstuff5  5.23.0-1
ii  libkf5notifications5  5.23.0-1
ii  libkf5parts5  5.23.0-1
ii  libkf5service-bin  5.23.0-1
ii  libkf5service5  5.23.0-1
ii  libkf5solid5  5.23.0-1
ii  libkf5textwidgets5  5.23.0-1
ii  libkf5widgetsaddons5  5.23.0-1
ii  libkf5windowsystem5  5.23.0-1
ii  libkf5xmlgui5  5.23.0-1
ii  libphonon4qt5-4  4:4.9.0-3
ii  libqt5core5a  5.6.1+dfsg-3
ii  libqt5dbus5  5.6.1+dfsg-3
ii  libqt5gui5  5.6.1+dfsg-3
ii  libqt5widgets5  5.6.1+dfsg-3
ii  libqt5xml5  5.6.1+dfsg-3
ii  libstdc++6  6.1.1-9
ii  phonon4qt5  4:4.9.0-3

Versions of packages dolphin recommends:
ii  kio-extras  4:16.04.2-1
pn  ruby

Versions of packages dolphin suggests:
ii  dolphin-plugins  4:16.04.0-1

-- debconf information:
Unescaped left brace in regex is deprecated, passed through in regex; marked by 
<-- HERE in m/^(.*?)(\\)?\${ <-- HERE ([^{}]+)}(.*)$/ at 
/usr/share/perl5/Debconf/Question.pm line 72.
Unescaped left brace in regex is deprecated, passed through in regex; marked by 
<-- HERE in m/\${ <-- HERE ([^}]+)}/ at /usr/share/perl5/Debconf/Config.pm line 
30.



Re: Wheezy update of kde4libs?

2016-07-25 Thread Bálint Réczey
Hi Maximiliano,

2016-07-25 15:41 GMT+02:00 Bálint Réczey :
> Hi,
>
> 2016-07-19 23:12 GMT+02:00 Brian May :
>> Maximiliano Curia  writes:
>>
>>> I just did the upload to unstable, with the karchive fix from upstream and a
>>> modified version of that one for kde4libs. The second one needs some test,
>>> sadly adding the (binary) test file used in karchive is a bit of a burden.

Apparently one line, the actual fix, is missing from the patch.
The warning is issued, but the wrong path is still used in unstable:
cat debian/patches/cve-2016-6232.patch
...
 const KArchiveDirectory* curDir = dirStack.pop();
-const QString curDirName = dirNameStack.pop();
+
+// extract only to specified folder if it is located within
archive's extraction folder
+// otherwise put file under root position in extraction folder
+QString curDirName = dirNameStack.pop();
+if (!QDir(curDirName).absolutePath().startsWith(destDir)) {
+qWarning() << "Attempted export into folder" << curDirName
+<< "which is outside of the extraction root folder" <<
destDir << "."
+<< "Changing export of contained files to extraction root
folder.";
+}
 root.mkdir(curDirName);
...
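
Review bot: inside the `if (!QDir(curDirName).absolutePath().startsWith(destDir))` block only `qWarning()` is called and `curDirName` is never reassigned, so the `root.mkdir(curDirName);` that follows still runs on the out-of-root path while the message claims the export was changed. The block needs `curDirName = destDir;` before its closing brace.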

In the original fix there is an additional line right after the if ( ...:

https://git.reviewboard.kde.org/r/128185/diff/2#3
...
+ if (!QDir(curDirName).absolutePath().startsWith(destDir)) {
+ curDirName = destDir;
...
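
Review bot: the `startsWith(destDir)` test in this condition is a plain string-prefix comparison, so a directory next to the extraction root whose name merely begins with the same characters also satisfies it. Comparing for equality with `destDir`, or for a prefix of `destDir` plus a path separator, would restrict the match to the root and its subdirectories.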

I have tested the incomplete fix with the following little program:

vagrant@debian-wheezy:~/extract/test$ cat kextract.cpp
#include <ktar.h>
#include <stdlib.h>

int main (int argc, char * argv[]) {
  if (argc < 3) exit (1);
  KTar tar(argv[1]);
  tar.open(QIODevice::ReadOnly);
  const KArchiveDirectory *dir = tar.directory();
  dir->copyTo(argv[2]);
  return 0;
}
vagrant@debian-wheezy:~/extract/test$ rm ../foo
vagrant@debian-wheezy:~/extract/test$ g++ -I/usr/include/qt4 -lkdecore kextract.cpp
vagrant@debian-wheezy:~/extract/test$ cat ../foo
cat: ../foo: No such file or directory
vagrant@debian-wheezy:~/extract/test$ ./a.out tar_relative_path_outside_archive.tar.bz2 ./
bzDecompress returned 4
KBzip2Filter::uncompress 1
Attempted export into folder "/home/vagrant/extract/test/.." which is outside of the extraction root folder "/home/vagrant/extract/test" . Changing export of contained files to extraction root folder.
vagrant@debian-wheezy:~/extract/test$ cat ../foo
asdf

I have built an update for wheezy with the missing line added.
Please find the proposed diff attached, which I plan to upload for Wheezy
on Wednesday.

The binary packages for amd64 are also available for testing here:
https://people.debian.org/~rbalint/ppa/wheezy-lts/wheezy-security/

Cheers,
Balint
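
The difference between the warn-only patch and the complete fix discussed in this mail, as an added example that is not part of the original message and not KDE's code: a stand-alone C++ program without Qt. The function names, the lexical `normalize()` helper and the sample entries are assumptions of this example, it expects absolute POSIX paths, and its containment test compares whole path components, which is stricter than the patch's `startsWith()`.

```cpp
// Added example, not KDE code: keep archive directory entries inside the
// extraction root. Works on absolute POSIX paths, purely lexically.
#include <iostream>
#include <string>
#include <vector>

// Collapse ".", ".." and repeated "/" without touching the file system
// (no symlink resolution).
std::string normalize(const std::string& path) {
    std::vector<std::string> parts;
    std::string cur;
    auto flush = [&]() {
        if (cur == "..") {
            if (!parts.empty()) parts.pop_back();
        } else if (!cur.empty() && cur != ".") {
            parts.push_back(cur);
        }
        cur.clear();
    };
    for (char c : path) {
        if (c == '/') flush(); else cur += c;
    }
    flush();
    std::string out;
    for (const std::string& p : parts) out += "/" + p;
    return out.empty() ? "/" : out;
}

// True if `candidate` is `root` itself or lies below it. Matching against
// root + "/" keeps a sibling such as "/srv/out-old" from matching "/srv/out".
bool isInside(const std::string& root, const std::string& candidate) {
    const std::string r = normalize(root);
    const std::string c = normalize(candidate);
    if (c == r) return true;
    const std::string prefix = (r == "/") ? r : r + "/";
    return c.compare(0, prefix.size(), prefix) == 0;
}

// Warn-only variant: like the incomplete patch, the path is used unchanged.
std::string targetDirWarnOnly(const std::string& destDir, const std::string& entryDir) {
    const std::string dir = destDir + "/" + entryDir;
    if (!isInside(destDir, dir)) {
        std::cerr << "warning: " << dir << " is outside " << destDir << "\n";
    }
    return normalize(dir);
}

// Complete variant: like the upstream fix, outside paths fall back to destDir.
std::string targetDirClamped(const std::string& destDir, const std::string& entryDir) {
    const std::string dir = destDir + "/" + entryDir;
    if (!isInside(destDir, dir)) {
        std::cerr << "warning: " << dir << " is outside " << destDir
                  << ", using the extraction root instead\n";
        return normalize(destDir);
    }
    return normalize(dir);
}

int main() {
    const std::string dest = "/home/vagrant/extract/test";
    // Constructed directory names as they might appear in an archive.
    const char* entries[] = {"docs", "docs/./img", "..", "../test-old"};
    for (const char* e : entries) {
        std::cout << e << " -> warn-only: " << targetDirWarnOnly(dest, e)
                  << ", clamped: " << targetDirClamped(dest, e) << "\n";
    }
    return 0;
}
```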

diff -Nru kde4libs-4.8.4/debian/changelog kde4libs-4.8.4/debian/changelog
--- kde4libs-4.8.4/debian/changelog	2014-08-07 22:44:05.0 +0200
+++ kde4libs-4.8.4/debian/changelog	2016-07-25 15:13:22.0 +0200
@@ -1,3 +1,10 @@
+kde4libs (4:4.8.4-4+deb7u2) wheezy-security; urgency=medium
+
+  * Add new patch: cve-2016-6232.patch
+- Fixes: CVE-2016-6232
+
+ -- Balint Reczey   Mon, 25 Jul 2016 15:12:35 +0200
+
 kde4libs (4:4.8.4-4+deb7u1) wheezy-security; urgency=medium
 
   * Fix kauth authentication bypass. (Closes: #755814)
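
Review bot: the new changelog entry names only the patch file and the CVE id. One line saying what is fixed, for example that `KArchiveDirectory::copyTo` no longer extracts outside the destination folder (as the patch header describes), would let readers of the changelog understand the update without opening the patch.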
diff -Nru kde4libs-4.8.4/debian/patches/cve-2016-6232.patch kde4libs-4.8.4/debian/patches/cve-2016-6232.patch
--- kde4libs-4.8.4/debian/patches/cve-2016-6232.patch	1970-01-01 01:00:00.0 +0100
+++ kde4libs-4.8.4/debian/patches/cve-2016-6232.patch	2016-07-25 19:58:12.0 +0200
@@ -0,0 +1,50 @@
+From aa4d7b23ca046daeffd0695ee519315d5d6ae1bb Mon Sep 17 00:00:00 2001
+From: Debian/Kubuntu Qt/KDE Maintainers 
+Date: Tue, 19 Jul 2016 10:38:59 +0200
+Subject: [PATCH] Ensure extraction location to be in subfolder
+
+Behavior change: Switch to Tar's default behavior to avoid extraction
+to arbitrary system locations outside of extraction folder. Instead,
+extract such files to root location in extraction folder.
+
+REVIEW: 128185
+Author: Andreas Cord-Landwehr 
+Taken from karchive commit 0cb243f64eef45565741b27364cece7d5c349c37
+the test was dropped in this patch as it depends on a binary file.
+Fixes: CVE-2016-6232
+---
+ kdecore/io/karchive.cpp | 13 +++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+--- a/kdecore/io/karchive.cpp
 b/kdecore/io/karchive.cpp
+@@ -778,6 +778,7 @@
+ void KArchiveDirectory::copyTo(const QString& dest, bool recursiveCopy ) const
+ {
+   QDir root;
++  const QString destDir(QDir(dest).absolutePath()); // get directory path without any "." or ".."
+ 
+   QList fileList;
+   QMap fileToDir;
+@@ -787,10 +788,19 @@
+   QStack dirNameStack;
+ 
+   dirStack.push( this ); // init stack at current directory
+-  dirNameStack.push( dest ); // ... with given path
++  dirNameStack.push(destDir);   // ... with given path
+   
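
Review bot: the patch header states that the test was dropped because it depends on a binary file, so this security fix ships with no automated check that an out-of-root entry is actually redirected; the manual `kextract` run from the mail, or a test that builds its archive at test time, should be recorded alongside the patch. The diffstat in the header (`11 insertions(+), 2 deletions(-)`, net +9) also does not match the hunk headers `@@ -778,6 +778,7 @@` and `@@ -787,10 +788,19 @@` (net +10), which suggests it was not regenerated after the patch was edited.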

Bug#814762: Info received (Bug#814762: kmail: CSS from HTML mail interfers with header layout)

2016-07-25 Thread Sandro Knauß
Hey,

> > > Would this also fix the issue with the second mail I posted (positioning
> > > of
> > > content elements over the header)?
> > 
> > yes because now the header css is only active in the header.
> 
> Did you test with the example mail I provided?

yes.

> > > My suggestion would have been to wrap the mail body in an iframe
> > > instead.
> > 
> > mmh do you can add headers etc. inside iframe? for me all docus looks
> > like,
> > that you can only place a url and nothing else.
> 
> You can either load a document from a URL with the src="…" attribute or add
> a document inline with the srcdoc="…" attribute. The latter would require
> smart escaping of the message body and is in general a somewhat broken idea
> in my opinion.
> 
> I'd actually write the message body to be displayed as HTML to a temporary
> file and load that with .
> 
> Actually, the iframe's sandbox attribute seems to be the way to go here, as
> it prevents the exact things we want to prevent here.
> 
> Your approach is a good additional safety net, though.

Well if that works please provide a patch for that and bring it upstream.

Regards,

sandro



Bug#814762: Info received (Bug#814762: kmail: CSS from HTML mail interfers with header layout)

2016-07-25 Thread Dominik George
Hi,

> > Would this also fix the issue with the second mail I posted (positioning
> > of
> > content elements over the header)?
> 
> yes because now the header css is only active in the header.

Did you test with the example mail I provided?

> 
> > My suggestion would have been to wrap the mail body in an iframe instead.
> 
> mmh do you can add headers etc. inside iframe? for me all docus looks like,
> that you can only place a url and nothing else.

You can either load a document from a URL with the src="…" attribute or add a 
document inline with the srcdoc="…" attribute. The latter would require smart 
escaping of the message body and is in general a somewhat broken idea in my 
opinion.

I'd actually write the message body to be displayed as HTML to a temporary 
file and load that with .

Actually, the iframe's sandbox attribute seems to be the way to go here, as it 
prevents the exact things we want to prevent here.

Your approach is a good additional safety net, though.

-nik

-- 
PGP-Fingerprint: 3C9D 54A4 7575 C026 FB17  FD26 B79A 3C16 A0C4 F296

Dominik George · Mobil: +49-1520-1981389

Teckids e.V. · FrOSCon e.V. · OpenRheinRuhr e.V.
Fellowship of the FSFE · Piratenpartei Deutschland
Opencaching Deutschland e.V. · Debian Contributor

LPIC-3 Linux Enterprise Professional (Security)



Bug#814762: kmail: CSS from HTML mail interfers with header layout

2016-07-25 Thread Dominik George
Hi,

> > 2. in my follow-up, I showed that in 16.04, legitimate HTML mail breaks
> > the
> > UI. This has nothing to do with spoofing - KMail breaks when opening
> > random, legitimate mail. I cannot even click any controls in the mail view
> > anymore. This affects daily, normal work with KMail and makes it unusable
> > for reading legitimate mail. That is the definition of "grave
> > functionality
> > bug".
> 
> Yes, it breaks but:
> 
> - only on certain mails. Not any mail shows this behaviour. In fact I
> haven't even seen it before and I use kmail daily.
> 
> - you can change the way headers are displayed and this bug doesn't show up
> (I have just tried your example with "Fancy headers"), so there is a known
> work around.

That'd be ok if I chose some header format in the first place. I am using what 
KMail imposes on me (changing with every version). As a matter of fact, after 
the upgrade, KMail imposed a new header layout on me *and* failed to display 
some e-mail messages correctly.

Maybe not overriding user settings with every upgrade would be a good starting 
point (I do not know whether this should address the Debian maintainers or 
upstream).

> 
> So it might be annoying for you, but considering the above it does not meet
> the RC criterion at least from the usability side.

OK… I still do not agree with that, though.

> 
> On the other hand, please avoid expressions that might sound harsh like
> "Please do something!" and "Did you read all of this bug report?". Always do
> your best to be kind. After all you already did the only thing we can do:
> report the bug upstream. We are volunteers trying to make things happen, we
> do not get paid for doing this and definitely we are not your employees. A
> little respect goes a long way :)

Well, this bug report has been open for almost half a year without any 
reaction whatsoever, neither by upstream nor by a maintainer. Instead, with 
another upgrade, it even got worse. I understand that both upstream and 
maintainers are volunteers, but they agreed on reacting to certain kinds of 
bug reports within a reasonable time. I know that if I completely ignored a 
security bug in one of my packages for several months, I'd be beheaded by my 
sponsors.

Doing something in your free time does not mean users can't get annoyed when 
the software they use gets worse instead of better.

Cheers,
Nik





Re: Wheezy update of kde4libs?

2016-07-25 Thread Bálint Réczey
Hi,

2016-07-19 23:12 GMT+02:00 Brian May :
> Maximiliano Curia  writes:
>
>> I just did the upload to unstable, with the karchive fix from upstream and a
>> modified version of that one for kde4libs. The second one needs some test,
>> sadly adding the (binary) test file used in karchive is a bit of a burden.
>>
>> After these packages are available we would need to backport the change to
>> stable. Right now, I can't promise that I would have the time to take care of
>> this. So volunteers for taking care of this are welcome.
>
> I had a look at doing this for wheezy LTS several days ago. It looks
> like it should be reasonably straight forward (famous last words?) to
> apply the changes manually to the wheezy version, although the files
> have moved (and automatic patching failed). If nobody takes this up by
> next month I should have some time then to continue this.

It seems really straightforward indeed and I can fix it today, thus let
me take care of it.
It is compiling already.

Cheers,
Balint



Bug#814762: kmail: CSS from HTML mail interfers with header layout

2016-07-25 Thread Lisandro Damián Nicanor Pérez Meyer
Control: severity -1 important

On Monday, 25 July 2016 12:17:55 PM ART Dominik George wrote:
> Control: severity -1 grave

Please: do not override a maintainer's severity.

> Hi,
> 
> >Even more, a mail header can be "spoofed" using simpler tools, like an
> >smtp
> >server, thus I'm not really convinced that this bug deserves a "grave"
> >severity.
> 
> Did you read all of this bug report?

I did. I will not emit a judgment on the security side of this as this is 
really something I don't manage, but...

> 2. in my follow-up, I showed that in 16.04, legitimate HTML mail breaks the
> UI. This has nothing to do with spoofing - KMail breaks when opening
> random, legitimate mail. I cannot even click any controls in the mail view
> anymore. This affects daily, normal work with KMail and makes it unusable
> for reading legitimate mail. That is the definition of "grave functionality
> bug".

Yes, it breaks but:

- only on certain mails. Not any mail shows this behaviour. In fact I haven't 
even seen it before and I use kmail daily.

- you can change the way headers are displayed and this bug doesn't show up 
(I have just tried your example with "Fancy headers"), so there is a known 
work around.

So it might be annoying for you, but considering the above it does not meet 
the RC criterion at least from the usability side.

On the other hand, please avoid expressions that might sound harsh like 
"Please do something!" and "Did you read all of this bug report?". Always do 
your best to be kind. After all you already did the only thing we can do: 
report the bug upstream. We are volunteers trying to make things happen, we do 
not get paid for doing this and definitely we are not your employees. A little 
respect goes a long way :)

Thank you for your understanding!

-- 
This end should point toward the ground if you want to go to space.
If it starts pointing toward space you are having a bad problem
and you will not get to space today.
  http://xkcd.com/1133/

Lisandro Damián Nicanor Pérez Meyer
http://perezmeyer.com.ar/
http://perezmeyer.blogspot.com/




Processed: Re: Bug#814762: kmail: CSS from HTML mail interfers with header layout

2016-07-25 Thread Debian Bug Tracking System
Processing control commands:

> severity -1 important
Bug #814762 [kmail] kmail: CSS from HTML mail interfers with header layout
Severity set to 'important' from 'grave'

-- 
814762: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=814762
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: Re: Bug#814762: kmail: CSS from HTML mail interfers with header layout

2016-07-25 Thread Debian Bug Tracking System
Processing control commands:

> severity -1 important
Bug #814762 [kmail] kmail: CSS from HTML mail interfers with header layout
Ignoring request to change severity of Bug 814762 to the same value.




Bug#814762: Info received (Bug#814762: kmail: CSS from HTML mail interfers with header layout)

2016-07-25 Thread Sandro Knauß
Hi,

> Would this also fix the issue with the second mail I posted (positioning of
> content elements over the header)?

yes because now the header css is only active in the header.
 
> My suggestion would have been to wrap the mail body in an iframe instead.

mmh do you can add headers etc. inside iframe? for me all docus looks like, 
that you can only place a url and nothing else.

Regards,

sandro



Bug#814762: Info received (Bug#814762: kmail: CSS from HTML mail interfers with header layout)

2016-07-25 Thread Dominik George
Hi,

> I actually sat down today and fixed the issue or at least made it more
> difficult to break the UI.
> 
> http://commits.kde.org/messagelib/3f9d16c7dadd2c98b00c5e7216cd69cfb518cab9
> http://commits.kde.org/kdepim-addons/a97f99b2769d39ffa03a2cd2454f10ef93222486
> http://commits.kde.org/kdepim-addons/cab925e9d4769762ea0080d49f392022cd8e78dd

Would this also fix the issue with the second mail I posted (positioning of 
content elements over the header)?

My suggestion would have been to wrap the mail body in an iframe instead.

-nik




Bug#824059: plasma-desktop: When used with pulseaudio, can make people deaf

2016-07-25 Thread John Kirk
Package: plasma-desktop
Version: 4:5.6.5-1
Followup-For: Bug #824059

Dear Maintainer,

It is still there with new packages. Should we try to report it to KDE bugs
system?

Best wishes,
John



-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.6.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages plasma-desktop depends on:
ii  breeze  4:5.7.0-1
ii  kactivitymanagerd  5.7.0-1
ii  kde-cli-tools  4:5.7.0-1
ii  kded5  5.23.0-1
ii  kio  5.23.0-1
ii  libc6  2.23-2
ii  libcanberra0  0.30-3
ii  libfontconfig1  2.11.0-6.4
ii  libgcc1  1:6.1.1-9
ii  libkf5activities5  5.23.0-1
ii  libkf5activitiesexperimentalstats1  4:5.6.5-1
ii  libkf5archive5  5.24.0-1
ii  libkf5auth5  5.23.0-1
ii  libkf5baloo5  5.23.0-1
ii  libkf5bookmarks5  5.23.0-1
ii  libkf5codecs5  5.23.0-1
ii  libkf5completion5  5.23.0-1
ii  libkf5configcore5  5.23.0-1
ii  libkf5configgui5  5.23.0-1
ii  libkf5configwidgets5  5.23.0-1
ii  libkf5coreaddons5  5.23.0-1
ii  libkf5dbusaddons5  5.23.0-1
ii  libkf5emoticons-bin  5.23.0-1
ii  libkf5emoticons5  5.23.0-1
ii  libkf5globalaccel5  5.23.0-1
ii  libkf5guiaddons5  5.23.0-1
ii  libkf5i18n5  5.23.0-1
ii  libkf5iconthemes5  5.23.0-1
ii  libkf5itemmodels5  5.23.0-1
ii  libkf5itemviews5  5.23.0-1
ii  libkf5jobwidgets5  5.23.0-1
ii  libkf5kcmutils5  5.23.0-1
ii  libkf5kdelibs4support5  5.23.0-1
ii  libkf5kiocore5  5.23.0-1
ii  libkf5kiofilewidgets5  5.23.0-1
ii  libkf5kiowidgets5  5.23.0-1
ii  libkf5newstuff5  5.23.0-1
ii  libkf5notifications5  5.23.0-1
ii  libkf5notifyconfig5  5.23.0-1
ii  libkf5parts5  5.23.0-1
ii  libkf5people5  5.23.0-1
ii  libkf5peoplewidgets5  5.23.0-1
ii  libkf5plasma5  5.23.0-1
ii  libkf5plasmaquick5  5.23.0-1
ii  libkf5quickaddons5  5.23.0-1
ii  libkf5runner5  5.23.0-1
ii  libkf5service-bin  5.23.0-1
ii  libkf5service5  5.23.0-1
ii  libkf5solid5  5.23.0-1
ii  libkf5sonnetui5  5.23.0-1
ii  libkf5wallet-bin  5.23.0-3
ii  libkf5wallet5  5.23.0-3
ii  libkf5widgetsaddons5  5.23.0-1
ii  libkf5windowsystem5  5.23.0-1
ii  libkf5xmlgui5  5.23.0-1
ii  libkfontinst5  4:5.6.5-1
ii  libkfontinstui5  4:5.6.5-1
ii  libkworkspace5-5  4:5.6.5.1-1
ii  libphonon4qt5-4  4:4.9.0-3
ii  libpulse-mainloop-glib0  9.0-1.1
ii  libpulse0  9.0-1.1
ii  libqt5concurrent5  5.6.1+dfsg-3
ii  libqt5core5a  5.6.1+dfsg-3
ii  libqt5dbus5  5.6.1+dfsg-3
ii  libqt5gui5  5.6.1+dfsg-3
ii  libqt5network5  5.6.1+dfsg-3
ii  libqt5printsupport5  5.6.1+dfsg-3
ii  libqt5qml5  5.6.1-5
ii  libqt5quick5  5.6.1-5
ii  libqt5quickwidgets5  5.6.1-5
ii  libqt5sql5  5.6.1+dfsg-3
ii  libqt5svg5  5.6.1-2
ii  libqt5widgets5  5.6.1+dfsg-3
ii  libqt5x11extras5  5.6.1-2
ii  libqt5xml5  5.6.1+dfsg-3
ii  libstdc++6  6.1.1-9
ii  libtaskmanager5  4:5.6.5.1-1
ii  libx11-6  2:1.6.3-1
ii  libx11-xcb1  2:1.6.3-1
ii  libxcb-record0  1.11.1-1
ii  libxcb-xkb1  1.11.1-1
ii  libxcb1 

Bug#832421: ITP: qtwebchannel -- Publish `QObjects` for the usage of webengine

2016-07-25 Thread Sandro Knauß
Package: wnpp
Severity: wishlist
Owner: "Sandro Knauß" 

* Package name: qtwebchannel
  Version : 5.6.1
  Upstream Author : The Qt Company Ltd.
* URL : http://doc.qt.io/qt-5/qtwebchannel-index.html
* License : LGPL2.1, LGPL3
  Programming Lang: C++
  Description : Publish `QObjects` for the usage of webengine

 Provides public API shared by both QtWebEngine and QtWebEngineWidgets

 We intend to package it under the Debian Qt/KDE Maintainers 
 umbrella.
 It is needed for QtWebEngine.



Bug#832420: ITP: qtwebengine -- Web content engine library for Qt

2016-07-25 Thread Sandro Knauß
Package: wnpp
Severity: wishlist
Owner: "Sandro Knauß" 

* Package name: qtwebengine
  Version : 5.6.1
  Upstream Author : The Qt Company Ltd.
* URL : http://trac.webengine.org/wiki/QtWebEngine
* License : LGPL2+,GPL2+, BSD
  Programming Lang: C++
  Description : Web content engine library for Qt

 QtWebEngine provides a Web browser engine that makes it easy to embed content
 from the World Wide Web into your Qt application.
 .
 This package contains the development files needed to build Qt 5 applications
 using QtWebEngine library.

We want to package it within the  Debian Qt/KDE Maintainers 
 umbrella
and need it for newer KDE Applications.



Bug#814762: Info received (Bug#814762: kmail: CSS from HTML mail interfers with header layout)

2016-07-25 Thread Sandro Knauß
Hey,

I actually sat down today and fixed the issue or at least made it more 
difficult to break the UI. 

http://commits.kde.org/messagelib/3f9d16c7dadd2c98b00c5e7216cd69cfb518cab9
http://commits.kde.org/kdepim-addons/a97f99b2769d39ffa03a2cd2454f10ef93222486
http://commits.kde.org/kdepim-addons/cab925e9d4769762ea0080d49f392022cd8e78dd

Regards,

sandro




Bug#814762: Info received (Bug#814762: kmail: CSS from HTML mail interfers with header layout)

2016-07-25 Thread Dominik George
In order to speed things up, I will look into providing a patch today.

-nik



Bug#814762: kmail: CSS from HTML mail interfers with header layout

2016-07-25 Thread Dominik George
Control: severity -1 grave

Hi,

>Even more, a mail header can be "spoofed" using simpler tools, like an
>smtp 
>server, thus I'm not really convinced that this bug deserves a "grave" 
>severity.

Did you read all of this bug report?

1. I explained that this method can do more than other ways of spoofing mail 
headers because mail filters do not see the spoofed headers,

2. in my follow-up, I showed that in 16.04, legitimate HTML mail breaks the UI. 
This has nothing to do with spoofing - KMail breaks when opening random, 
legitimate mail. I cannot even click any controls in the mail view anymore. 
This affects daily, normal work with KMail and makes it unusable for reading 
legitimate mail. That is the definition of "grave functionality bug".

I am ok with dropping the security tag, but the grave was for the follow-up.

The bug with the legitimate mail does *not* occur in any prior version, so 
migration would introduce this issue into testing.

In conclusion: I can read legitimate mail in kmail in testing; I can't do so in 
unstable. Thus, the new version should not migrate unless the bug is fixed.

-nik



Processed: Re: Bug#814762: kmail: CSS from HTML mail interfers with header layout

2016-07-25 Thread Debian Bug Tracking System
Processing control commands:

> severity -1 grave
Bug #814762 [kmail] kmail: CSS from HTML mail interfers with header layout
Severity set to 'grave' from 'important'




Processed: Re: Bug#814762: kmail: CSS from HTML mail interfers with header layout

2016-07-25 Thread Debian Bug Tracking System
Processing control commands:

> severity -1 important
Bug #814762 [kmail] kmail: CSS from HTML mail interfers with header layout
Severity set to 'important' from 'grave'




Bug#814762: kmail: CSS from HTML mail interfers with header layout

2016-07-25 Thread Maximiliano Curia

Control: severity -1 important

Hi Dominik!

On 2016-07-24 at 22:11 +0200, Dominik George wrote:
> Package: kmail
> Version: 4:16.04.3-1
> Followup-For: Bug #814762
>
> It got worse. Today, I stumbled upon a legitimate HTML mail that just
> trashed the whole UI.
>
> Find attached the mail that caused the issue and a screenshot.
>
> Raising severity to grave. Please do something! Firstly, I am certain
> this is a security-relevant bug; secondly, it now makes stuff break in
> daily use.

I'm temporarily lowering the severity of this mail to finish the kdepim 16.04 
transition.

Also, I think that this issue should be easily reproducible in the older 
kmail2 versions, thus I see no reason to block the transition by this.

Even more, a mail header can be "spoofed" using simpler tools, like an smtp 
server, thus I'm not really convinced that this bug deserves a "grave" 
severity.


Happy hacking,
--
"There are only two things wrong with C++: The initial concept and the
implementation."
-- Bertrand Meyer
Regards /\/\ /\ >< `/

