diff options
| author | Sandro Knauß <sknauss@kde.org> | 2016-10-07 21:39:46 (GMT) |
|---|---|---|
| committer | Sandro Knauß <sknauss@kde.org> | 2016-10-07 21:39:46 (GMT) |
| commit | ab7258dd8a87668ba63c585a69f41f291254aa43 (patch) | |
| tree | c0e865e3cd0e41d249d7522491388844326a2134 | |
| parent | b37cff9c66959bd10391e009c76c44ae7816b4fc (diff) | |
Fix CVE-2016-7966
| -rw-r--r-- | debian/changelog | 7 | ||||
| -rw-r--r-- | debian/patches/0001-Fix-very-old-bug-when-we-remove-space-in-url-as-foo-.patch | 98 | ||||
| -rw-r--r-- | debian/patches/0002-Don-t-convert-as-url-an-url-which-has-a.patch | 122 | ||||
| -rw-r--r-- | debian/patches/series | 2 |
4 files changed, 229 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog index 633971f..4072401 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,5 +1,12 @@ kcoreaddons (5.26.0-2) UNRELEASED; urgency=medium + [ Sandro Knauß ] + * Added patches to fix CVE-2016-7966 + 0001-Fix-very-old-bug-when-we-remove-space-in-url-as-foo-.patch + 0002-Don-t-convert-as-url-an-url-which-has-a.patch + - Fixes CVE-2016-7966 + https://security-tracker.debian.org/tracker/CVE-2016-7966 + -- Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org> Fri, 07 Oct 2016 22:46:43 +0200 kcoreaddons (5.26.0-1) unstable; urgency=medium diff --git a/debian/patches/0001-Fix-very-old-bug-when-we-remove-space-in-url-as-foo-.patch b/debian/patches/0001-Fix-very-old-bug-when-we-remove-space-in-url-as-foo-.patch new file mode 100644 index 0000000..01138ce --- /dev/null +++ b/debian/patches/0001-Fix-very-old-bug-when-we-remove-space-in-url-as-foo-.patch @@ -0,0 +1,98 @@ +From 1be7272373d60e4234f1a5584e676b579302b053 Mon Sep 17 00:00:00 2001 +From: Montel Laurent <montel@kde.org> +Date: Wed, 21 Sep 2016 07:24:30 +0200 +Subject: [PATCH 03/12] Fix very old bug when we remove space in url as "foo + <<url> <url>>" + +diff --git a/autotests/ktexttohtmltest.cpp b/autotests/ktexttohtmltest.cpp +index 474f0ca..8fc0c56 100644 +--- a/autotests/ktexttohtmltest.cpp ++++ b/autotests/ktexttohtmltest.cpp +@@ -30,6 +30,15 @@ QTEST_MAIN(KTextToHTMLTest) + + Q_DECLARE_METATYPE(KTextToHTML::Options) + ++#ifndef Q_OS_WIN ++void initLocale() ++{ ++ setenv("LC_ALL", "en_US.utf-8", 1); ++} ++Q_CONSTRUCTOR_FUNCTION(initLocale) ++#endif ++ ++ + void KTextToHTMLTest::testGetEmailAddress() + { + // empty input +@@ -372,6 +381,11 @@ void KTextToHTMLTest::testHtmlConvert_data() + QTest::newRow("url-in-parenthesis-3") << "bla (http://www.kde.org - section 5.2)" + << KTextToHTML::Options(KTextToHTML::PreserveSpaces) + << "bla (<a href=\"http://www.kde.org\">http://www.kde.org</a> - section 5.2)"; ++ ++ // Fix url as foo <<url> <url>> when we concatened them. ++ QTest::newRow("url-with-url") << "foo <http://www.kde.org/ <http://www.kde.org/>>" ++ << KTextToHTML::Options(KTextToHTML::PreserveSpaces) ++ << "foo <<a href=\"http://www.kde.org/ \">http://www.kde.org/ </a><<a href=\"http://www.kde.org/\">http://www.kde.org/</a>>>"; + } + + +diff --git a/src/lib/text/ktexttohtml.cpp b/src/lib/text/ktexttohtml.cpp +index b5e1bda..c70d062 100644 +--- a/src/lib/text/ktexttohtml.cpp ++++ b/src/lib/text/ktexttohtml.cpp +@@ -228,11 +228,19 @@ QString KTextToHTMLHelper::getUrl() + + url.reserve(mMaxUrlLen); // avoid allocs + int start = mPos; ++ bool previousCharIsSpace = false; + while ((mPos < mText.length()) && + (mText[mPos].isPrint() || mText[mPos].isSpace()) && + ((afterUrl.isNull() && !mText[mPos].isSpace()) || + (!afterUrl.isNull() && mText[mPos] != afterUrl))) { +- if (!mText[mPos].isSpace()) { // skip whitespace ++ if (mText[mPos].isSpace()) { ++ previousCharIsSpace = true; ++ } else { // skip whitespace ++ if (previousCharIsSpace && mText[mPos] == QLatin1Char('<')) { ++ url.append(QLatin1Char(' ')); ++ break; ++ } ++ previousCharIsSpace = false; + url.append(mText[mPos]); + if (url.length() > mMaxUrlLen) { + break; +@@ -267,7 +275,6 @@ QString KTextToHTMLHelper::getUrl() + } + } while (url.length() > 1); + } +- + return url; + } + +@@ -334,6 +341,7 @@ QString KTextToHTML::convertToHtml(const QString &plainText, const KTextToHTML:: + QChar ch; + int x; + bool startOfLine = true; ++ //qDebug()<<" plainText"<<plainText; + + for (helper.mPos = 0, x = 0; helper.mPos < helper.mText.length(); + ++helper.mPos, ++x) { +@@ -402,6 +410,7 @@ QString KTextToHTML::convertToHtml(const QString &plainText, const KTextToHTML:: + const int start = helper.mPos; + if (!(flags & IgnoreUrls)) { + str = helper.getUrl(); ++ //qDebug()<<" str"<<str; + if (!str.isEmpty()) { + QString hyperlink; + if (str.left(4) == QLatin1String("www.")) { +@@ -455,6 +464,7 @@ QString KTextToHTML::convertToHtml(const QString &plainText, const KTextToHTML:: + + result = helper.emoticonsInterface()->parseEmoticons(result, true, exclude); + } ++ //qDebug()<<" result "<<result; + + return result; + } +-- +2.9.3 + diff --git a/debian/patches/0002-Don-t-convert-as-url-an-url-which-has-a.patch b/debian/patches/0002-Don-t-convert-as-url-an-url-which-has-a.patch new file mode 100644 index 0000000..50dd9b3 --- /dev/null +++ b/debian/patches/0002-Don-t-convert-as-url-an-url-which-has-a.patch @@ -0,0 +1,122 @@ +From 96e562d9138c100498da38e4c5b4091a226dde12 Mon Sep 17 00:00:00 2001 +From: Montel Laurent <montel@kde.org> +Date: Fri, 30 Sep 2016 13:21:45 +0200 +Subject: [PATCH 08/12] Don't convert as url an url which has a " + +--- + autotests/ktexttohtmltest.cpp | 6 ++++++ + src/lib/text/ktexttohtml.cpp | 25 +++++++++++++++++++------ + src/lib/text/ktexttohtml_p.h | 2 +- + 3 files changed, 26 insertions(+), 7 deletions(-) + +diff --git a/autotests/ktexttohtmltest.cpp b/autotests/ktexttohtmltest.cpp +index 8fc0c56..c5690e8 100644 +--- a/autotests/ktexttohtmltest.cpp ++++ b/autotests/ktexttohtmltest.cpp +@@ -386,6 +386,12 @@ void KTextToHTMLTest::testHtmlConvert_data() + QTest::newRow("url-with-url") << "foo <http://www.kde.org/ <http://www.kde.org/>>" + << KTextToHTML::Options(KTextToHTML::PreserveSpaces) + << "foo <<a href=\"http://www.kde.org/ \">http://www.kde.org/ </a><<a href=\"http://www.kde.org/\">http://www.kde.org/</a>>>"; ++ ++ //Fix url exploit ++ QTest::newRow("url-exec-html") << "https://\"><!--" ++ << KTextToHTML::Options(KTextToHTML::PreserveSpaces) ++ << "https://\"><!--"; ++ + } + + +diff --git a/src/lib/text/ktexttohtml.cpp b/src/lib/text/ktexttohtml.cpp +index c70d062..97c5eab 100644 +--- a/src/lib/text/ktexttohtml.cpp ++++ b/src/lib/text/ktexttohtml.cpp +@@ -156,7 +156,6 @@ bool KTextToHTMLHelper::atUrl() + (allowedSpecialChars.indexOf(mText[mPos - 1]) != -1))) { + return false; + } +- + QChar ch = mText[mPos]; + return + (ch == QLatin1Char('h') && (mText.mid(mPos, 7) == QLatin1String("http://") || +@@ -192,7 +191,7 @@ bool KTextToHTMLHelper::isEmptyUrl(const QString &url) + url == QLatin1String("news://"); + } + +-QString KTextToHTMLHelper::getUrl() ++QString KTextToHTMLHelper::getUrl(bool *badurl) + { + QString url; + if (atUrl()) { +@@ -229,6 +228,7 @@ QString KTextToHTMLHelper::getUrl() + url.reserve(mMaxUrlLen); // avoid allocs + int start = mPos; + bool previousCharIsSpace = false; ++ bool previousCharIsADoubleQuote = false; + while ((mPos < mText.length()) && + (mText[mPos].isPrint() || mText[mPos].isSpace()) && + ((afterUrl.isNull() && !mText[mPos].isSpace()) || +@@ -241,6 +241,18 @@ QString KTextToHTMLHelper::getUrl() + break; + } + previousCharIsSpace = false; ++ if (mText[mPos] == QLatin1Char('>') && previousCharIsADoubleQuote) { ++ //it's an invalid url ++ if (badurl) { ++ *badurl = true; ++ } ++ return QString(); ++ } ++ if (mText[mPos] == QLatin1Char('"')) { ++ previousCharIsADoubleQuote = true; ++ } else { ++ previousCharIsADoubleQuote = false; ++ } + url.append(mText[mPos]); + if (url.length() > mMaxUrlLen) { + break; +@@ -341,7 +353,6 @@ QString KTextToHTML::convertToHtml(const QString &plainText, const KTextToHTML:: + QChar ch; + int x; + bool startOfLine = true; +- //qDebug()<<" plainText"<<plainText; + + for (helper.mPos = 0, x = 0; helper.mPos < helper.mText.length(); + ++helper.mPos, ++x) { +@@ -409,8 +420,11 @@ QString KTextToHTML::convertToHtml(const QString &plainText, const KTextToHTML:: + } else { + const int start = helper.mPos; + if (!(flags & IgnoreUrls)) { +- str = helper.getUrl(); +- //qDebug()<<" str"<<str; ++ bool badUrl = false; ++ str = helper.getUrl(&badUrl); ++ if (badUrl) { ++ return helper.mText; ++ } + if (!str.isEmpty()) { + QString hyperlink; + if (str.left(4) == QLatin1String("www.")) { +@@ -464,7 +478,6 @@ QString KTextToHTML::convertToHtml(const QString &plainText, const KTextToHTML:: + + result = helper.emoticonsInterface()->parseEmoticons(result, true, exclude); + } +- //qDebug()<<" result "<<result; + + return result; + } +diff --git a/src/lib/text/ktexttohtml_p.h b/src/lib/text/ktexttohtml_p.h +index 74ad7a0..fc43613 100644 +--- a/src/lib/text/ktexttohtml_p.h ++++ b/src/lib/text/ktexttohtml_p.h +@@ -49,7 +49,7 @@ public: + QString getEmailAddress(); + bool atUrl(); + bool isEmptyUrl(const QString &url); +- QString getUrl(); ++ QString getUrl(bool *badurl = Q_NULLPTR); + QString pngToDataUrl(const QString &pngPath); + QString highlightedText(); + +-- +2.9.3 + diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 0000000..8ac2f60 --- /dev/null +++ b/debian/patches/series @@ -0,0 +1,2 @@ +0001-Fix-very-old-bug-when-we-remove-space-in-url-as-foo-.patch +0002-Don-t-convert-as-url-an-url-which-has-a.patch |