CVE-2016-7966 kcoreaddons
Moritz Mühlenhoff
jmm at inutil.org
Thu Oct 13 16:19:35 UTC 2016
On Thu, Oct 13, 2016 at 12:15:01PM +0200, Sandro Knauß wrote:
> Hey,
>
> The description
> https://www.kde.org/info/security/advisory-20161006-1.txt does not describe all
> patches that are needed to fix the CVE (at the moment).
>
> The additional patches are not part of KDE Frameworks 5.27, so they need to be
> applied for KF 5.27:
> 5e13d2439dbf540fdc840f0b0ab5b3ebf6642c6a (0004-Display-bad-url.patch)
> a06cef31cc4c908bc9b76bd9d103fe9c60e0953f (0003-Add-more-autotests.patch)
>
> (the first two will be included in KF 5.27).
>
> The fixed version is 5.26.0-3 (sid only - already uploaded). I'll test if we
> need these patches also for stable inside kdepimlibs.
Ok, please let us know once you know more. Scott Kitterman has already sent an
update for kdepimlibs (attached).
Cheers,
Moritz
-------------- next part --------------
diff -Nru kdepimlibs-4.14.2/debian/changelog kdepimlibs-4.14.2/debian/changelog
--- kdepimlibs-4.14.2/debian/changelog 2014-11-16 22:38:20.000000000 -0500
+++ kdepimlibs-4.14.2/debian/changelog 2016-10-12 12:21:04.000000000 -0400
@@ -1,3 +1,12 @@
+kdepimlibs (4:4.14.2-2+deb8u1) jessie-security; urgency=high
+
+ * Team upload.
+ * CVE-2016-7966 KMail: HTML injection in plain text viewer (Closes: #840546)
+ - Avoid transforming as a url in plain text mode when there is a quote
+ - Add debian/patches/CVE-2016-7966.diff from upstream
+
+ -- Scott Kitterman <scott at kitterman.com> Wed, 12 Oct 2016 12:20:26 -0400
+
kdepimlibs (4:4.14.2-2) unstable; urgency=medium
* Team upload.
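Review bot: the first changelog bullet, "Avoid transforming as a url in plain text mode when there is a quote", overstates what the attached patch does: the code only rejects a double quote that is immediately followed by '>' (see previousCharIsADoubleQuote in linklocator.cpp), a lone quote is still accepted as part of the URL. Either narrow the wording to "when a quote is followed by '>'" or widen the check so the entry is accurate for anyone triaging this CVE from the changelog.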
diff -Nru kdepimlibs-4.14.2/debian/patches/CVE-2016-7966.diff kdepimlibs-4.14.2/debian/patches/CVE-2016-7966.diff
--- kdepimlibs-4.14.2/debian/patches/CVE-2016-7966.diff 1969-12-31 19:00:00.000000000 -0500
+++ kdepimlibs-4.14.2/debian/patches/CVE-2016-7966.diff 2016-10-12 11:45:54.000000000 -0400
@@ -0,0 +1,89 @@
+From: Montel Laurent <montel at kde.org>
+Date: Fri, 30 Sep 2016 13:55:35 +0000
+Subject: Backport avoid to transform as a url when we have a quote
+X-Git-Url: http://quickgit.kde.org/?p=kdepimlibs.git&a=commitdiff&h=176fee25ca79145ab5c8e2275d248f1a46a8d8cf
+---
+Backport avoid to transform as a url when we have a quote
+---
+
+
+--- a/kpimutils/linklocator.cpp
++++ b/kpimutils/linklocator.cpp
+@@ -94,6 +94,12 @@
+ }
+
+ QString LinkLocator::getUrl()
++{
++ return getUrlAndCheckValidHref();
++}
++
++
++QString LinkLocator::getUrlAndCheckValidHref(bool *badurl)
+ {
+ QString url;
+ if ( atUrl() ) {
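Review bot: getUrl() now forwards to getUrlAndCheckValidHref() with a null badurl, so existing callers of getUrl() get an empty string for a rejected URL and cannot distinguish that from the existing "no URL at this position" case at the atUrl() check. The difference matters because the rejection happens inside the scan loop after mPos has advanced from start, whereas the atUrl() path returns before scanning. Suggest resetting mPos = start before the early return in getUrlAndCheckValidHref(), or documenting that a rejected URL leaves the scanner positioned mid-token.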
+@@ -129,13 +135,26 @@
+
+ url.reserve( maxUrlLen() ); // avoid allocs
+ int start = mPos;
++ bool previousCharIsADoubleQuote = false;
+ while ( ( mPos < (int)mText.length() ) &&
+ ( mText[mPos].isPrint() || mText[mPos].isSpace() ) &&
+ ( ( afterUrl.isNull() && !mText[mPos].isSpace() ) ||
+ ( !afterUrl.isNull() && mText[mPos] != afterUrl ) ) ) {
+ if ( !mText[mPos].isSpace() ) { // skip whitespace
+- url.append( mText[mPos] );
+- if ( url.length() > maxUrlLen() ) {
++ if (mText[mPos] == QLatin1Char('>') && previousCharIsADoubleQuote) {
++ //it's an invalid url
++ if (badurl) {
++ *badurl = true;
++ }
++ return QString();
++ }
++ if (mText[mPos] == QLatin1Char('"')) {
++ previousCharIsADoubleQuote = true;
++ } else {
++ previousCharIsADoubleQuote = false;
++ }
++ url.append( mText[mPos] );
++ if ( url.length() > maxUrlLen() ) {
+ break;
+ }
+ }
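Review bot: the rejection is very narrow, it fires only on a '"' immediately followed by '>' (whitespace between them is tolerated, because spaces are skipped before the flag is checked and previousCharIsADoubleQuote is never cleared by a space). Any other '"' is still appended to url and handed back to the caller, where it ends up inside the generated hyperlink; the same holds for '<' and '>' not preceded by a quote. Since none of '"', '<', '>' are legal characters in a URL, it would be simpler and safer to treat the first occurrence of any of them as invalidating (or terminating) the URL, e.g. `if (c == '"' || c == '<' || c == '>') { if (badurl) *badurl = true; return QString(); }`, which also removes the need for the previousCharIsADoubleQuote state. If the pair-based check is kept, the new state should at least be declared inside the loop body to make the carry-over across whitespace an explicit choice.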
+@@ -367,7 +386,12 @@
+ } else {
+ const int start = locator.mPos;
+ if ( !( flags & IgnoreUrls ) ) {
+- str = locator.getUrl();
++ bool badUrl = false;
++ str = locator.getUrlAndCheckValidHref(&badUrl);
++ if (badUrl) {
++ return locator.mText;
++ }
++
+ if ( !str.isEmpty() ) {
+ QString hyperlink;
+ if ( str.left( 4 ) == QLatin1String("www.") ) {
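Review bot: `return locator.mText;` aborts the whole conversion on the first bad URL and returns the raw input, which the header hunk documents as "The plaintext string being scanned for URLs and email addresses", from a function that is otherwise building HTML (the hyperlink is assembled right below). Please confirm that every caller of this path treats the return value as plain text rather than HTML; if it is inserted into the viewer as-is, a message containing `">` in a URL-like token would have its '<' and '&' passed through unescaped, which is the bug class this patch is fixing. Skipping just the offending token (emit it escaped and continue scanning from start) would keep the rest of the message linkified and avoid the question. Sandro's message above already points at an upstream follow-up, 5e13d2439 (0004-Display-bad-url.patch), that reworks this spot; it should be checked for inclusion in the kdepimlibs backport too.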
+
+--- a/kpimutils/linklocator.h
++++ b/kpimutils/linklocator.h
+@@ -107,6 +107,7 @@
+ @return The URL at the current scan position, or an empty string.
+ */
+ QString getUrl();
++ QString getUrlAndCheckValidHref(bool *badurl = 0);
+
+ /**
+ Attempts to grab an email address. If there is an @ symbol at the
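Review bot: getUrlAndCheckValidHref() is a new public method added directly below a documented getUrl() but carries no doxygen comment. Document the badurl out-parameter semantics: it is written only on rejection (set to true) and left untouched otherwise, so callers must initialise it to false as the caller in linklocator.cpp does. Also, because this is a stable security update to a shared library, note that the new exported symbol may need an entry if the package tracks symbols.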
+@@ -155,7 +156,7 @@
+ */
+ static QString pngToDataUrl( const QString & iconPath );
+
+- protected:
++protected:
+ /**
+ The plaintext string being scanned for URLs and email addresses.
+ */
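Review bot: this hunk only re-indents `protected:` (`  protected:` -> `protected:`) and is unrelated to the fix; drop it from the security backport so the patch stays minimal and easier to compare against upstream 176fee25.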
+
+
diff -Nru kdepimlibs-4.14.2/debian/patches/series kdepimlibs-4.14.2/debian/patches/series
--- kdepimlibs-4.14.2/debian/patches/series 2014-11-16 22:40:13.000000000 -0500
+++ kdepimlibs-4.14.2/debian/patches/series 2016-10-12 11:46:32.000000000 -0400
@@ -1,3 +1,4 @@
add_soname_to_xsd_file
sslv2_disabled.patch
tlscancelled.patch
+CVE-2016-7966.diff