kde-apps/kdepimlibs: backport patch from upstream for CVE-2016-7966

Gentoo-bug: 596224 Package-Manager: portage-2.3.1
johu · Oct 6, 2016 · bc4885e · bc4885e
1 parent 0c22a7d
commit bc4885e
Show file tree

Hide file tree

Showing 3 changed files with 224 additions and 0 deletions.
diff --git a/kde-apps/kdepimlibs/files/kdepimlibs-CVE-2016-7966.patch b/kde-apps/kdepimlibs/files/kdepimlibs-CVE-2016-7966.patch
@@ -0,0 +1,94 @@
+From 176fee25ca79145ab5c8e2275d248f1a46a8d8cf Mon Sep 17 00:00:00 2001
+From: Montel Laurent <[email protected]>
+Date: Fri, 30 Sep 2016 15:55:35 +0200
+Subject: [PATCH] Backport avoid to transform as a url when we have a quote
+
+---
+ kpimutils/linklocator.cpp | 30 +++++++++++++++++++++++++++---
+ kpimutils/linklocator.h   |  3 ++-
+ 2 files changed, 29 insertions(+), 4 deletions(-)
+
+diff --git a/kpimutils/linklocator.cpp b/kpimutils/linklocator.cpp
+index f5d9afd..f30e8fc 100644
+--- a/kpimutils/linklocator.cpp
++++ b/kpimutils/linklocator.cpp
+@@ -95,6 +95,12 @@ int LinkLocator::maxAddressLen() const
+
+ QString LinkLocator::getUrl()
+ {
++    return getUrlAndCheckValidHref();
++}
++
++
++QString LinkLocator::getUrlAndCheckValidHref(bool *badurl)
++{
+   QString url;
+   if ( atUrl() ) {
+     // NOTE: see http://tools.ietf.org/html/rfc3986#appendix-A and especially appendix-C
+@@ -129,13 +135,26 @@ QString LinkLocator::getUrl()
+
+     url.reserve( maxUrlLen() );  // avoid allocs
+     int start = mPos;
++    bool previousCharIsADoubleQuote = false;
+     while ( ( mPos < (int)mText.length() ) &&
+             ( mText[mPos].isPrint() || mText[mPos].isSpace() ) &&
+             ( ( afterUrl.isNull() && !mText[mPos].isSpace() ) ||
+               ( !afterUrl.isNull() && mText[mPos] != afterUrl ) ) ) {
+       if ( !mText[mPos].isSpace() ) {   // skip whitespace
+-        url.append( mText[mPos] );
+-        if ( url.length() > maxUrlLen() ) {
++          if (mText[mPos] == QLatin1Char('>') && previousCharIsADoubleQuote) {
++              //it's an invalid url
++              if (badurl) {
++                  *badurl = true;
++              }
++              return QString();
++          }
++          if (mText[mPos] == QLatin1Char('"')) {
++              previousCharIsADoubleQuote = true;
++          } else {
++              previousCharIsADoubleQuote = false;
++          }
++          url.append( mText[mPos] );
++          if ( url.length() > maxUrlLen() ) {
+           break;
+         }
+       }
+@@ -367,7 +386,12 @@ QString LinkLocator::convertToHtml( const QString &plainText, int flags,
+     } else {
+       const int start = locator.mPos;
+       if ( !( flags & IgnoreUrls ) ) {
+-        str = locator.getUrl();
++        bool badUrl = false;
++        str = locator.getUrlAndCheckValidHref(&badUrl);
++        if (badUrl) {
++            return locator.mText;
++        }
++
+         if ( !str.isEmpty() ) {
+           QString hyperlink;
+           if ( str.left( 4 ) == QLatin1String("www.") ) {
+diff --git a/kpimutils/linklocator.h b/kpimutils/linklocator.h
+index 3049397..375498d 100644
+--- a/kpimutils/linklocator.h
++++ b/kpimutils/linklocator.h
+@@ -107,6 +107,7 @@ class KPIMUTILS_EXPORT LinkLocator
+       @return The URL at the current scan position, or an empty string.
+     */
+     QString getUrl();
++    QString getUrlAndCheckValidHref(bool *badurl = 0);
+
+     /**
+       Attempts to grab an email address. If there is an @ symbol at the
+@@ -155,7 +156,7 @@ class KPIMUTILS_EXPORT LinkLocator
+     */
+     static QString pngToDataUrl( const QString & iconPath );
+
+-  protected:
++protected:
+     /**
+       The plaintext string being scanned for URLs and email addresses.
+     */
+-- 
+2.7.3
+
diff --git a/kde-apps/kdepimlibs/kdepimlibs-4.14.10-r1.ebuild b/kde-apps/kdepimlibs/kdepimlibs-4.14.10-r1.ebuild
@@ -0,0 +1,63 @@
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=5
+
+KDE_HANDBOOK="optional"
+CPPUNIT_REQUIRED="optional"
+EGIT_BRANCH="KDE/4.14"
+inherit kde4-base
+
+DESCRIPTION="Common library for KDE PIM apps"
+KEYWORDS="~amd64 ~arm ~x86 ~amd64-linux ~x86-linux"
+LICENSE="LGPL-2.1"
+IUSE="debug ldap prison"
+
+# some akonadi tests timeout, that probaly needs more work as its ~700 tests
+RESTRICT="test"
+
+DEPEND="
+	!kde-misc/akonadi-social-utils
+	>=app-crypt/gpgme-1.1.6
+	>=app-office/akonadi-server-1.12.90[qt4(+)]
+	>=dev-libs/boost-1.35.0-r5:=
+	dev-libs/libgpg-error
+	>=dev-libs/libical-0.48-r2:=
+	dev-libs/cyrus-sasl
+	>=dev-libs/qjson-0.8.1
+	media-libs/phonon[qt4]
+	x11-misc/shared-mime-info
+	prison? ( media-libs/prison:4 )
+	ldap? ( net-nds/openldap )
+"
+# boost is not linked to, but headers which include it are installed
+# bug #418071
+RDEPEND="${DEPEND}
+	!=kde-apps/kdepim-runtime-4.10*
+	!=kde-apps/kdepim-runtime-4.11*
+	!<kde-apps/kdepim-runtime-4.4.11.1-r2:4
+"
+
+PATCHES=(
+	"${FILESDIR}/${PN}-4.9.1-boostincludes.patch"
+	"${FILESDIR}/${PN}-CVE-2016-7966.patch"
+)
+
+src_configure() {
+	local mycmakeargs=(
+		$(cmake-utils_use_build handbook doc)
+		$(cmake-utils_use_find_package ldap)
+		$(cmake-utils_use_find_package prison)
+	)
+
+	kde4-base_src_configure
+}
+
+src_install() {
+	kde4-base_src_install
+	rm "${ED}"/usr/share/apps/cmake/modules/FindQtOAuth.cmake #Collides with net-im/choqok
+
+	# contains constants/defines only
+	QA_DT_NEEDED="$(find "${ED}" -type f -name 'libakonadi-kabc.so.*' -printf '/%P\n')"
+}
diff --git a/kde-apps/kdepimlibs/kdepimlibs-4.14.11_pre20160211-r1.ebuild b/kde-apps/kdepimlibs/kdepimlibs-4.14.11_pre20160211-r1.ebuild
@@ -0,0 +1,67 @@
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=6
+
+KDE_HANDBOOK="optional"
+CPPUNIT_REQUIRED="optional"
+EGIT_BRANCH="KDE/4.14"
+inherit kde4-base
+
+DESCRIPTION="Common library for KDE PIM apps"
+COMMIT_ID="a791b69599c3571ff2f4b1cc9033d8fb30f1bc33"
+SRC_URI="https://quickgit.kde.org/?p=kdepimlibs.git&a=snapshot&h=${COMMIT_ID}&fmt=tgz -> ${P}.tar.gz"
+S=${WORKDIR}/${PN}
+
+KEYWORDS="~amd64 ~arm ~x86 ~amd64-linux ~x86-linux"
+LICENSE="LGPL-2.1"
+IUSE="debug ldap prison"
+
+# some akonadi tests timeout, that probaly needs more work as its ~700 tests
+RESTRICT="test"
+
+DEPEND="
+	>=app-crypt/gpgme-1.1.6
+	>=app-office/akonadi-server-1.12.90[qt4(+)]
+	>=dev-libs/boost-1.35.0-r5:=
+	dev-libs/libgpg-error
+	>=dev-libs/libical-0.48-r2:=
+	dev-libs/cyrus-sasl
+	>=dev-libs/qjson-0.8.1
+	media-libs/phonon[qt4]
+	x11-misc/shared-mime-info
+	prison? ( media-libs/prison:4 )
+	ldap? ( net-nds/openldap )
+"
+# boost is not linked to, but headers which include it are installed
+# bug #418071
+RDEPEND="${DEPEND}
+	!<kde-apps/kdepim-runtime-4.4.11.1-r2:4
+	!kde-misc/akonadi-social-utils
+"
+
+PATCHES=(
+	"${FILESDIR}/${PN}-4.14.11-boostincludes.patch"
+	"${FILESDIR}/${PN}-CVE-2016-7966.patch"
+)
+
+src_configure() {
+	local mycmakeargs=(
+		-DBUILD_doc=$(usex handbook)
+		$(cmake-utils_use_find_package ldap Ldap)
+		$(cmake-utils_use_find_package prison Prison)
+	)
+
+	kde4-base_src_configure
+}
+
+src_install() {
+	kde4-base_src_install
+
+	# Collides with net-im/choqok
+	rm "${ED}"usr/share/apps/cmake/modules/FindQtOAuth.cmake || die
+
+	# contains constants/defines only
+	QA_DT_NEEDED="$(find "${ED}" -type f -name 'libakonadi-kabc.so.*' -printf '/%P\n')"
+}