Hey,

I now backported the second part of the fix of the CVE. I updated the version deb8u1 from Scott. Should I create a deb8u2 for the additional patch? I attached the up-to-date debdiff.

Regards,

sandro

On Thursday, 13 October 2016, 18:19:35 CEST, Moritz Mühlenhoff wrote:
> On Thu, Oct 13, 2016 at 12:15:01PM +0200, Sandro Knauß wrote:
> > Hey,
> >
> > The description
> > https://www.kde.org/info/security/advisory-20161006-1.txt does not describe
> > all patches that are needed to fix the CVE (at the moment).
> >
> > The additional patches are not part of KDE Frameworks 5.27, so they need
> > to be applied for KF 5.27:
> > 5e13d2439dbf540fdc840f0b0ab5b3ebf6642c6a (0004-Display-bad-url.patch)
> > a06cef31cc4c908bc9b76bd9d103fe9c60e0953f (0003-Add-more-autotests.patch)
> >
> > (the first two will be included in KF 5.27).
> >
> > The fixed version is 5.26.0-3 (sid only - already uploaded). I'll test if
> > we need these patches also for stable inside kdepimlibs.
>
> Ok, please let us know once you know more. Scott Kitterman has already sent
> an update for kdepimlibs (attached).
>
> Cheers,
> Moritz
diff -Nru kdepimlibs-4.14.2/debian/changelog kdepimlibs-4.14.2/debian/changelog
--- kdepimlibs-4.14.2/debian/changelog 2014-11-17 04:38:20.000000000 +0100
+++ kdepimlibs-4.14.2/debian/changelog 2016-10-14 18:09:02.000000000 +0200
@@ -1,3 +1,21 @@
+kdepimlibs (4:4.14.2-2+deb8u1) jessie-security; urgency=high
+
+ * Team upload.
+ [ Scott Kitterman ]
+ * CVE-2016-7966 KMail: HTML injection in plain text viewer (Closes: #840546)
+ - Avoid transforming as a url in plain text mode when there is a quote
+ - Add debian/patches/CVE-2016-7966.diff from upstream
+
+ [ Sandro Knauß ]
+ * Additional patch to complete the fix for CVE-2016-7966
+ - Replace all scary charactars (", <, > and &) with safe HTML
+ replacements.
+ - Backport commit kcoreaddons 5e13d2439dbf540fdc840f0b0ab5b3ebf6642c6a
+ in debian/patches/CVE-2016-7966_part2.diff
+ * Update symbols files.
+
+ -- Sandro Knauß <hefee@debian.org> Fri, 14 Oct 2016 18:09:02 +0200
+
kdepimlibs (4:4.14.2-2) unstable; urgency=medium
* Team upload.
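Review bot: typo in the Sandro Knauß changelog entry: "charactars" should be "characters". Beyond that, folding the second patch into the same 4:4.14.2-2+deb8u1 entry as Scott's changes means the two fixes ship as one upload, which is only correct if deb8u1 has not been built or uploaded yet; if it has, this needs its own deb8u2 entry (the question raised in the covering mail, for the security team to decide). The "Update symbols files." line is fine as the companion to the libkpimutils4.symbols change.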
diff -Nru kdepimlibs-4.14.2/debian/libkpimutils4.symbols kdepimlibs-4.14.2/debian/libkpimutils4.symbols
--- kdepimlibs-4.14.2/debian/libkpimutils4.symbols 2014-10-20 17:13:26.000000000 +0200
+++ kdepimlibs-4.14.2/debian/libkpimutils4.symbols 2016-10-14 18:09:02.000000000 +0200
@@ -7,6 +7,7 @@
_ZN9KPIMUtils11LinkLocator15getEmailAddressEv@Base 4:4.3.4
_ZN9KPIMUtils11LinkLocator15highlightedTextEv@Base 4:4.3.4
_ZN9KPIMUtils11LinkLocator16setMaxAddressLenEi@Base 4:4.3.4
+ _ZN9KPIMUtils11LinkLocator23getUrlAndCheckValidHrefEPb@Base 4:4.14.2-2+deb8u1
_ZN9KPIMUtils11LinkLocator6getUrlEv@Base 4:4.3.4
_ZN9KPIMUtils11LinkLocatorC1ERK7QStringi@Base 4:4.3.4
_ZN9KPIMUtils11LinkLocatorC2ERK7QStringi@Base 4:4.3.4
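Review bot: the added `_ZN9KPIMUtils11LinkLocator23getUrlAndCheckValidHrefEPb@Base` is tagged with the first version that exports it (4:4.14.2-2+deb8u1), which matches the changelog, and no existing symbol is removed, so the ABI stays backward compatible. Worth confirming against the dpkg-gensymbols output of an actual jessie build that this is the only new symbol, since any mismatch fails the build.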
diff -Nru kdepimlibs-4.14.2/debian/patches/CVE-2016-7966.diff kdepimlibs-4.14.2/debian/patches/CVE-2016-7966.diff
--- kdepimlibs-4.14.2/debian/patches/CVE-2016-7966.diff 1970-01-01 01:00:00.000000000 +0100
+++ kdepimlibs-4.14.2/debian/patches/CVE-2016-7966.diff 2016-10-14 16:59:11.000000000 +0200
@@ -0,0 +1,89 @@
+From: Montel Laurent <montel@kde.org>
+Date: Fri, 30 Sep 2016 13:55:35 +0000
+Subject: Backport avoid to transform as a url when we have a quote
+X-Git-Url: http://quickgit.kde.org/?p=kdepimlibs.git&a=commitdiff&h=176fee25ca79145ab5c8e2275d248f1a46a8d8cf
+---
+Backport avoid to transform as a url when we have a quote
+---
+
+
+--- a/kpimutils/linklocator.cpp
++++ b/kpimutils/linklocator.cpp
+@@ -94,6 +94,12 @@
+ }
+
+ QString LinkLocator::getUrl()
++{
++ return getUrlAndCheckValidHref();
++}
++
++
++QString LinkLocator::getUrlAndCheckValidHref(bool *badurl)
+ {
+ QString url;
+ if ( atUrl() ) {
+@@ -129,13 +135,26 @@
+
+ url.reserve( maxUrlLen() ); // avoid allocs
+ int start = mPos;
++ bool previousCharIsADoubleQuote = false;
+ while ( ( mPos < (int)mText.length() ) &&
+ ( mText[mPos].isPrint() || mText[mPos].isSpace() ) &&
+ ( ( afterUrl.isNull() && !mText[mPos].isSpace() ) ||
+ ( !afterUrl.isNull() && mText[mPos] != afterUrl ) ) ) {
+ if ( !mText[mPos].isSpace() ) { // skip whitespace
+- url.append( mText[mPos] );
+- if ( url.length() > maxUrlLen() ) {
++ if (mText[mPos] == QLatin1Char('>') && previousCharIsADoubleQuote) {
++ //it's an invalid url
++ if (badurl) {
++ *badurl = true;
++ }
++ return QString();
++ }
++ if (mText[mPos] == QLatin1Char('"')) {
++ previousCharIsADoubleQuote = true;
++ } else {
++ previousCharIsADoubleQuote = false;
++ }
++ url.append( mText[mPos] );
++ if ( url.length() > maxUrlLen() ) {
+ break;
+ }
+ }
+@@ -367,7 +386,12 @@
+ } else {
+ const int start = locator.mPos;
+ if ( !( flags & IgnoreUrls ) ) {
+- str = locator.getUrl();
++ bool badUrl = false;
++ str = locator.getUrlAndCheckValidHref(&badUrl);
++ if (badUrl) {
++ return locator.mText;
++ }
++
+ if ( !str.isEmpty() ) {
+ QString hyperlink;
+ if ( str.left( 4 ) == QLatin1String("www.") ) {
+
+--- a/kpimutils/linklocator.h
++++ b/kpimutils/linklocator.h
+@@ -107,6 +107,7 @@
+ @return The URL at the current scan position, or an empty string.
+ */
+ QString getUrl();
++ QString getUrlAndCheckValidHref(bool *badurl = 0);
+
+ /**
+ Attempts to grab an email address. If there is an @ symbol at the
+@@ -155,7 +156,7 @@
+ */
+ static QString pngToDataUrl( const QString & iconPath );
+
+- protected:
++protected:
+ /**
+ The plaintext string being scanned for URLs and email addresses.
+ */
+
+
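Review bot: on the badUrl path in convertToHtml, `return locator.mText;` hands the raw input back as the HTML result with no escaping, so `<`, `>`, `&` and `"` from the message text still reach the HTML viewer; on its own this hunk therefore does not close the injection, and the package must not ship it without the part2 patch that replaces exactly these lines. The detection in getUrlAndCheckValidHref is also narrow (it only fires on a `>` directly following a `"`, and the `"` itself is still appended to `url`), which is another reason the escaping in part2 is the real fix. Two documentation points: the DEP-3 header carries From/Date/Subject/X-Git-Url but no `Origin:` or `Bug-Debian:` field, so please add `Origin: upstream, http://quickgit.kde.org/?p=kdepimlibs.git&a=commitdiff&h=176fee25ca79145ab5c8e2275d248f1a46a8d8cf` and `Bug-Debian: https://bugs.debian.org/840546`; and the `- protected:` / `+protected:` change in linklocator.h is a whitespace-only edit carried over from the upstream commit that has no bearing on the fix.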
diff -Nru kdepimlibs-4.14.2/debian/patches/CVE-2016-7966_part2.diff kdepimlibs-4.14.2/debian/patches/CVE-2016-7966_part2.diff
--- kdepimlibs-4.14.2/debian/patches/CVE-2016-7966_part2.diff 1970-01-01 01:00:00.000000000 +0100
+++ kdepimlibs-4.14.2/debian/patches/CVE-2016-7966_part2.diff 2016-10-14 17:11:34.000000000 +0200
@@ -0,0 +1,27 @@
+--- a/kpimutils/linklocator.cpp
++++ b/kpimutils/linklocator.cpp
+@@ -389,7 +389,23 @@ QString LinkLocator::convertToHtml( cons
+ bool badUrl = false;
+ str = locator.getUrlAndCheckValidHref(&badUrl);
+ if (badUrl) {
+- return locator.mText;
++ QString resultBadUrl;
++ const int helperTextSize(locator.mText.count());
++ for (int i = 0; i < helperTextSize; ++i) {
++ const QChar chBadUrl = locator.mText[i];
++ if (chBadUrl == QLatin1Char('&')) {
++ resultBadUrl += QLatin1String("&");
++ } else if (chBadUrl == QLatin1Char('"')) {
++ resultBadUrl += QLatin1String(""");
++ } else if (chBadUrl == QLatin1Char('<')) {
++ resultBadUrl += QLatin1String("<");
++ } else if (chBadUrl == QLatin1Char('>')) {
++ resultBadUrl += QLatin1String(">");
++ } else {
++ resultBadUrl += chBadUrl;
++ }
++ }
++ return resultBadUrl;
+ }
+
+ if ( !str.isEmpty() ) {
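Review bot: as rendered here, the replacement strings in the `chBadUrl` branches (`QLatin1String("&")`, `QLatin1String(""")`, `QLatin1String("<")`, `QLatin1String(">")`) are the very characters they are meant to replace, which would make the loop a no-op and leave the badUrl path returning unescaped text. This is almost certainly the list archive rendering the entity names `&amp;`, `&quot;`, `&lt;` and `&gt;` as their characters, but please confirm that debian/patches/CVE-2016-7966_part2.diff on disk really contains the entity names, because the entire value of this patch is that the badUrl path now emits escaped HTML instead of the raw `locator.mText`. The patch also has no DEP-3 header; the changelog says it backports kcoreaddons commit 5e13d2439dbf540fdc840f0b0ab5b3ebf6642c6a, so an `Origin:` line and a one-sentence `Description:` should be recorded in the patch file itself. Note that its context lines (`bool badUrl = false;`, `str = locator.getUrlAndCheckValidHref(&badUrl);`) only exist after CVE-2016-7966.diff is applied, so it cannot be applied on its own.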
diff -Nru kdepimlibs-4.14.2/debian/patches/series kdepimlibs-4.14.2/debian/patches/series
--- kdepimlibs-4.14.2/debian/patches/series 2014-11-17 04:40:13.000000000 +0100
+++ kdepimlibs-4.14.2/debian/patches/series 2016-10-14 17:08:07.000000000 +0200
@@ -1,3 +1,5 @@
add_soname_to_xsd_file
sslv2_disabled.patch
tlscancelled.patch
+CVE-2016-7966.diff
+CVE-2016-7966_part2.diff
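Review bot: the order here is correct and required: CVE-2016-7966_part2.diff modifies lines that CVE-2016-7966.diff introduces, so part2 must stay after part1 in series, and neither should be dropped without the other since part1 alone returns unescaped text on the badUrl path.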