diff options
author | Michael Palimaka <kensington@gentoo.org> | 2016-10-07 05:20:46 +1100 |
---|---|---|
committer | Michael Palimaka <kensington@gentoo.org> | 2016-10-07 05:33:27 +1100 |
commit | bc4885e20e781ccef65f90991090df7d79545078 (patch) | |
tree | 5f8af72849fefac98f58ace173fb9903d819dc7c /kde-apps/kdepimlibs | |
parent | sys-cluster/heat: NEWTON :D (diff) | |
download | gentoo-bc4885e20e781ccef65f90991090df7d79545078.tar.gz gentoo-bc4885e20e781ccef65f90991090df7d79545078.tar.bz2 gentoo-bc4885e20e781ccef65f90991090df7d79545078.zip |
kde-apps/kdepimlibs: backport patch from upstream for CVE-2016-7966
Gentoo-bug: 596224
Package-Manager: portage-2.3.1
Diffstat (limited to 'kde-apps/kdepimlibs')
3 files changed, 224 insertions, 0 deletions
diff --git a/kde-apps/kdepimlibs/files/kdepimlibs-CVE-2016-7966.patch b/kde-apps/kdepimlibs/files/kdepimlibs-CVE-2016-7966.patch new file mode 100644 index 000000000000..b6f278a6b0a4 --- /dev/null +++ b/kde-apps/kdepimlibs/files/kdepimlibs-CVE-2016-7966.patch @@ -0,0 +1,94 @@ +From 176fee25ca79145ab5c8e2275d248f1a46a8d8cf Mon Sep 17 00:00:00 2001 +From: Montel Laurent <montel@kde.org> +Date: Fri, 30 Sep 2016 15:55:35 +0200 +Subject: [PATCH] Backport avoid to transform as a url when we have a quote + +--- + kpimutils/linklocator.cpp | 30 +++++++++++++++++++++++++++--- + kpimutils/linklocator.h | 3 ++- + 2 files changed, 29 insertions(+), 4 deletions(-) + +diff --git a/kpimutils/linklocator.cpp b/kpimutils/linklocator.cpp +index f5d9afd..f30e8fc 100644 +--- a/kpimutils/linklocator.cpp ++++ b/kpimutils/linklocator.cpp +@@ -95,6 +95,12 @@ int LinkLocator::maxAddressLen() const + + QString LinkLocator::getUrl() + { ++ return getUrlAndCheckValidHref(); ++} ++ ++ ++QString LinkLocator::getUrlAndCheckValidHref(bool *badurl) ++{ + QString url; + if ( atUrl() ) { + // NOTE: see http://tools.ietf.org/html/rfc3986#appendix-A and especially appendix-C +@@ -129,13 +135,26 @@ QString LinkLocator::getUrl() + + url.reserve( maxUrlLen() ); // avoid allocs + int start = mPos; ++ bool previousCharIsADoubleQuote = false; + while ( ( mPos < (int)mText.length() ) && + ( mText[mPos].isPrint() || mText[mPos].isSpace() ) && + ( ( afterUrl.isNull() && !mText[mPos].isSpace() ) || + ( !afterUrl.isNull() && mText[mPos] != afterUrl ) ) ) { + if ( !mText[mPos].isSpace() ) { // skip whitespace +- url.append( mText[mPos] ); +- if ( url.length() > maxUrlLen() ) { ++ if (mText[mPos] == QLatin1Char('>') && previousCharIsADoubleQuote) { ++ //it's an invalid url ++ if (badurl) { ++ *badurl = true; ++ } ++ return QString(); ++ } ++ if (mText[mPos] == QLatin1Char('"')) { ++ previousCharIsADoubleQuote = true; ++ } else { ++ previousCharIsADoubleQuote = false; ++ } ++ url.append( mText[mPos] ); ++ if ( url.length() > maxUrlLen() ) { + break; + } + } +@@ -367,7 +386,12 @@ QString LinkLocator::convertToHtml( const QString &plainText, int flags, + } else { + const int start = locator.mPos; + if ( !( flags & IgnoreUrls ) ) { +- str = locator.getUrl(); ++ bool badUrl = false; ++ str = locator.getUrlAndCheckValidHref(&badUrl); ++ if (badUrl) { ++ return locator.mText; ++ } ++ + if ( !str.isEmpty() ) { + QString hyperlink; + if ( str.left( 4 ) == QLatin1String("www.") ) { +diff --git a/kpimutils/linklocator.h b/kpimutils/linklocator.h +index 3049397..375498d 100644 +--- a/kpimutils/linklocator.h ++++ b/kpimutils/linklocator.h +@@ -107,6 +107,7 @@ class KPIMUTILS_EXPORT LinkLocator + @return The URL at the current scan position, or an empty string. + */ + QString getUrl(); ++ QString getUrlAndCheckValidHref(bool *badurl = 0); + + /** + Attempts to grab an email address. If there is an @ symbol at the +@@ -155,7 +156,7 @@ class KPIMUTILS_EXPORT LinkLocator + */ + static QString pngToDataUrl( const QString & iconPath ); + +- protected: ++protected: + /** + The plaintext string being scanned for URLs and email addresses. + */ +-- +2.7.3 + diff --git a/kde-apps/kdepimlibs/kdepimlibs-4.14.10-r1.ebuild b/kde-apps/kdepimlibs/kdepimlibs-4.14.10-r1.ebuild new file mode 100644 index 000000000000..4275aaa123b6 --- /dev/null +++ b/kde-apps/kdepimlibs/kdepimlibs-4.14.10-r1.ebuild @@ -0,0 +1,63 @@ +# Copyright 1999-2016 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Id$ + +EAPI=5 + +KDE_HANDBOOK="optional" +CPPUNIT_REQUIRED="optional" +EGIT_BRANCH="KDE/4.14" +inherit kde4-base + +DESCRIPTION="Common library for KDE PIM apps" +KEYWORDS="~amd64 ~arm ~x86 ~amd64-linux ~x86-linux" +LICENSE="LGPL-2.1" +IUSE="debug ldap prison" + +# some akonadi tests timeout, that probaly needs more work as its ~700 tests +RESTRICT="test" + +DEPEND=" + !kde-misc/akonadi-social-utils + >=app-crypt/gpgme-1.1.6 + >=app-office/akonadi-server-1.12.90[qt4(+)] + >=dev-libs/boost-1.35.0-r5:= + dev-libs/libgpg-error + >=dev-libs/libical-0.48-r2:= + dev-libs/cyrus-sasl + >=dev-libs/qjson-0.8.1 + media-libs/phonon[qt4] + x11-misc/shared-mime-info + prison? ( media-libs/prison:4 ) + ldap? ( net-nds/openldap ) +" +# boost is not linked to, but headers which include it are installed +# bug #418071 +RDEPEND="${DEPEND} + !=kde-apps/kdepim-runtime-4.10* + !=kde-apps/kdepim-runtime-4.11* + !<kde-apps/kdepim-runtime-4.4.11.1-r2:4 +" + +PATCHES=( + "${FILESDIR}/${PN}-4.9.1-boostincludes.patch" + "${FILESDIR}/${PN}-CVE-2016-7966.patch" +) + +src_configure() { + local mycmakeargs=( + $(cmake-utils_use_build handbook doc) + $(cmake-utils_use_find_package ldap) + $(cmake-utils_use_find_package prison) + ) + + kde4-base_src_configure +} + +src_install() { + kde4-base_src_install + rm "${ED}"/usr/share/apps/cmake/modules/FindQtOAuth.cmake #Collides with net-im/choqok + + # contains constants/defines only + QA_DT_NEEDED="$(find "${ED}" -type f -name 'libakonadi-kabc.so.*' -printf '/%P\n')" +} diff --git a/kde-apps/kdepimlibs/kdepimlibs-4.14.11_pre20160211-r1.ebuild b/kde-apps/kdepimlibs/kdepimlibs-4.14.11_pre20160211-r1.ebuild new file mode 100644 index 000000000000..15b49c9f77e3 --- /dev/null +++ b/kde-apps/kdepimlibs/kdepimlibs-4.14.11_pre20160211-r1.ebuild @@ -0,0 +1,67 @@ +# Copyright 1999-2016 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Id$ + +EAPI=6 + +KDE_HANDBOOK="optional" +CPPUNIT_REQUIRED="optional" +EGIT_BRANCH="KDE/4.14" +inherit kde4-base + +DESCRIPTION="Common library for KDE PIM apps" +COMMIT_ID="a791b69599c3571ff2f4b1cc9033d8fb30f1bc33" +SRC_URI="https://quickgit.kde.org/?p=kdepimlibs.git&a=snapshot&h=${COMMIT_ID}&fmt=tgz -> ${P}.tar.gz" +S=${WORKDIR}/${PN} + +KEYWORDS="~amd64 ~arm ~x86 ~amd64-linux ~x86-linux" +LICENSE="LGPL-2.1" +IUSE="debug ldap prison" + +# some akonadi tests timeout, that probaly needs more work as its ~700 tests +RESTRICT="test" + +DEPEND=" + >=app-crypt/gpgme-1.1.6 + >=app-office/akonadi-server-1.12.90[qt4(+)] + >=dev-libs/boost-1.35.0-r5:= + dev-libs/libgpg-error + >=dev-libs/libical-0.48-r2:= + dev-libs/cyrus-sasl + >=dev-libs/qjson-0.8.1 + media-libs/phonon[qt4] + x11-misc/shared-mime-info + prison? ( media-libs/prison:4 ) + ldap? ( net-nds/openldap ) +" +# boost is not linked to, but headers which include it are installed +# bug #418071 +RDEPEND="${DEPEND} + !<kde-apps/kdepim-runtime-4.4.11.1-r2:4 + !kde-misc/akonadi-social-utils +" + +PATCHES=( + "${FILESDIR}/${PN}-4.14.11-boostincludes.patch" + "${FILESDIR}/${PN}-CVE-2016-7966.patch" +) + +src_configure() { + local mycmakeargs=( + -DBUILD_doc=$(usex handbook) + $(cmake-utils_use_find_package ldap Ldap) + $(cmake-utils_use_find_package prison Prison) + ) + + kde4-base_src_configure +} + +src_install() { + kde4-base_src_install + + # Collides with net-im/choqok + rm "${ED}"usr/share/apps/cmake/modules/FindQtOAuth.cmake || die + + # contains constants/defines only + QA_DT_NEEDED="$(find "${ED}" -type f -name 'libakonadi-kabc.so.*' -printf '/%P\n')" +} |