Hi,

now I'm fully confused - you said on IRC, I should better create a deb8u2 on top. Well I created now the debdiff for a deb8u2. So you can decide what is the best way for the sec team and what version should be uploaded where.

Best Regards,

sandro

--
On Friday, 14 October 2016, 21:50:18 CEST, Salvatore Bonaccorso wrote:
> Hi,
>
> Just an additional comment on the debdiff:
>
> On Fri, Oct 14, 2016 at 08:23:04PM +0200, Sandro Knauß wrote:
> > Hey,
> >
> > I now back ported the second part of the fix of the CVE. I updated the
> > version deb8u1 from Scott. Should I create a deb8u2 for the additional
> > patch?
>
> Please note, to build the attached debdiff instead as +deb8u2 on top
> of the +deb8u1 already present on security-master and just
> incorporate the additional changes needed.
>
> Regards and thanks for your work!
>
> Salvatore

diff -Nru kdepimlibs-4.14.2/debian/changelog kdepimlibs-4.14.2/debian/changelog
--- kdepimlibs-4.14.2/debian/changelog 2016-10-12 18:20:26.000000000 +0200
+++ kdepimlibs-4.14.2/debian/changelog 2016-10-14 21:33:53.000000000 +0200
@@ -1,3 +1,14 @@
+kdepimlibs (4:4.14.2-2+deb8u2) jessie-security; urgency=high
+
+ * Team upload.
+ * Additional patch to complete the fix for CVE-2016-7966
+ - Replace all scary charactars (", <, > and &) with safe HTML
+ replacements.
+ - Backport commit kcoreaddons 5e13d2439dbf540fdc840f0b0ab5b3ebf6642c6a
+ in debian/patches/CVE-2016-7966_part2.diff
+
+ -- Sandro Knauß <hefee@debian.org> Fri, 14 Oct 2016 21:33:53 +0200
+
kdepimlibs (4:4.14.2-2+deb8u1) jessie-security; urgency=high
* Team upload.
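Review bot: Typo in the first sub-bullet of the new entry: "charactars" should be "characters". The entry also cites the backported commit as a kcoreaddons commit while the patch it ships modifies kpimutils/linklocator.cpp, so a few words saying the change was adapted from kcoreaddons to kdepimlibs' LinkLocator would make the provenance clear to anyone auditing the security upload later.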
diff -Nru kdepimlibs-4.14.2/debian/patches/CVE-2016-7966_part2.diff kdepimlibs-4.14.2/debian/patches/CVE-2016-7966_part2.diff
--- kdepimlibs-4.14.2/debian/patches/CVE-2016-7966_part2.diff 1970-01-01 01:00:00.000000000 +0100
+++ kdepimlibs-4.14.2/debian/patches/CVE-2016-7966_part2.diff 2016-10-14 21:33:14.000000000 +0200
@@ -0,0 +1,27 @@
+--- a/kpimutils/linklocator.cpp
++++ b/kpimutils/linklocator.cpp
+@@ -389,7 +389,23 @@ QString LinkLocator::convertToHtml( cons
+ bool badUrl = false;
+ str = locator.getUrlAndCheckValidHref(&badUrl);
+ if (badUrl) {
+- return locator.mText;
++ QString resultBadUrl;
++ const int helperTextSize(locator.mText.count());
++ for (int i = 0; i < helperTextSize; ++i) {
++ const QChar chBadUrl = locator.mText[i];
++ if (chBadUrl == QLatin1Char('&')) {
++ resultBadUrl += QLatin1String("&");
++ } else if (chBadUrl == QLatin1Char('"')) {
++ resultBadUrl += QLatin1String(""");
++ } else if (chBadUrl == QLatin1Char('<')) {
++ resultBadUrl += QLatin1String("<");
++ } else if (chBadUrl == QLatin1Char('>')) {
++ resultBadUrl += QLatin1String(">");
++ } else {
++ resultBadUrl += chBadUrl;
++ }
++ }
++ return resultBadUrl;
+ }
+
+ if ( !str.isEmpty() ) {
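Review bot: The four replacement strings in the badUrl branch read here as the raw characters themselves ("&", a bare double quote, "<", ">"), which would make the loop a no-op for three of them and leave the double-quote line as QLatin1String(""") with an unbalanced string literal. The changelog says these are meant to be the safe HTML replacements, so please confirm the patch file on disk carries the entity forms &amp;, &quot;, &lt; and &gt; and that this is only the mail rendering decoding them. Two smaller points: the new patch file starts directly at the "--- a/kpimutils/linklocator.cpp" line with no description or origin header, so the upstream commit id is recorded only in debian/changelog; and locator.mText.count() is evaluated once into helperTextSize, which is fine, but the branch escapes only the four listed characters, so any caller that places the returned text inside a single-quoted attribute would still need its own handling.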
diff -Nru kdepimlibs-4.14.2/debian/patches/series kdepimlibs-4.14.2/debian/patches/series
--- kdepimlibs-4.14.2/debian/patches/series 2016-10-12 18:20:26.000000000 +0200
+++ kdepimlibs-4.14.2/debian/patches/series 2016-10-14 21:33:14.000000000 +0200
@@ -2,3 +2,4 @@
sslv2_disabled.patch
tlscancelled.patch
CVE-2016-7966.diff
+CVE-2016-7966_part2.diff