Bug#858362: unblock: kde-runtime/4:16.08.3-2

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#858362: unblock: kde-runtime/4:16.08.3-2
From: Maximiliano Curia <maxy@debian.org>
Date: Tue, 21 Mar 2017 16:46:01 +0100
Message-id: <[🔎] 149011116151.12902.5139963675074970154.reportbug@amadeus.gnuservers.com.ar>
Reply-to: Maximiliano Curia <maxy@debian.org>, 858362@bugs.debian.org

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Dear release team,

kdesu's CVE (CVE-2016-7787) was fixed in the new version of kdesu (which is 
part of the kde-cli-tools), but the one in kde-runtime (which might still be 
used by some kde4 apps) was still affected by this.

I backported the change and uploaded 4:16.08.3-2 with it. kde-runtime already 
built in all the release arches. This fixes #842498 for kde-runtime.

I'm attaching the corresponding debdiff.

Please unblock package kde-runtime

Happy hacking,

unblock kde-runtime/4:16.08.3-2

-- System Information:
Debian Release: 9.0
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'testing'), (500, 'stable'), (50, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, armhf

Kernel: Linux 4.9.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)

diff -Nru kde-runtime-16.08.3/debian/changelog kde-runtime-16.08.3/debian/changelog
--- kde-runtime-16.08.3/debian/changelog	2016-11-23 21:07:35.000000000 +0100
+++ kde-runtime-16.08.3/debian/changelog	2017-03-21 11:25:21.000000000 +0100
@@ -1,3 +1,11 @@
+kde-runtime (4:16.08.3-2) unstable; urgency=medium
+
+  * Add new patch: Make-sure-people-are-not-trying-to-sneak-invisible-charac.patch.
+    Thanks to Moritz Mühlenhoff for the follow ups to the kde-cli-tools' bug
+    (Closes: 842498) See: CVE-2016-7787
+
+ -- Maximiliano Curia <maxy@gnuservers.com.ar>  Tue, 21 Mar 2017 11:25:21 +0100
+
 kde-runtime (4:16.08.3-1) unstable; urgency=medium
 
   * New upstream release (16.08.3)
diff -Nru kde-runtime-16.08.3/debian/patches/add_glib_for_nm kde-runtime-16.08.3/debian/patches/add_glib_for_nm
--- kde-runtime-16.08.3/debian/patches/add_glib_for_nm	2016-11-23 21:07:35.000000000 +0100
+++ kde-runtime-16.08.3/debian/patches/add_glib_for_nm	2017-03-21 11:25:21.000000000 +0100
@@ -7,7 +7,7 @@
  1 file changed, 6 insertions(+)
 
 diff --git a/solid-networkstatus/kded/CMakeLists.txt b/solid-networkstatus/kded/CMakeLists.txt
-index 633c7f1..5dfcbf4 100644
+index 633c7f1394..5dfcbf4f8d 100644
 --- a/solid-networkstatus/kded/CMakeLists.txt
 +++ b/solid-networkstatus/kded/CMakeLists.txt
 @@ -16,6 +16,12 @@ set_package_properties(NetworkManager PROPERTIES DESCRIPTION "The NetworkManager
diff -Nru kde-runtime-16.08.3/debian/patches/disable_flacky_tests kde-runtime-16.08.3/debian/patches/disable_flacky_tests
--- kde-runtime-16.08.3/debian/patches/disable_flacky_tests	2016-11-23 21:07:35.000000000 +0100
+++ kde-runtime-16.08.3/debian/patches/disable_flacky_tests	2017-03-21 11:25:21.000000000 +0100
@@ -7,7 +7,7 @@
  1 file changed, 7 insertions(+), 7 deletions(-)
 
 diff --git a/kurifilter-plugins/tests/kurifiltertest.cpp b/kurifilter-plugins/tests/kurifiltertest.cpp
-index 32f968c..13c8e36 100644
+index 32f968c278..13c8e3696f 100644
 --- a/kurifilter-plugins/tests/kurifiltertest.cpp
 +++ b/kurifilter-plugins/tests/kurifiltertest.cpp
 @@ -256,7 +256,7 @@ void KUriFilterTest::shortUris()
diff -Nru kde-runtime-16.08.3/debian/patches/disable_kwalletd_autotests kde-runtime-16.08.3/debian/patches/disable_kwalletd_autotests
--- kde-runtime-16.08.3/debian/patches/disable_kwalletd_autotests	2016-11-23 21:07:35.000000000 +0100
+++ kde-runtime-16.08.3/debian/patches/disable_kwalletd_autotests	2017-03-21 11:25:21.000000000 +0100
@@ -7,7 +7,7 @@
  1 file changed, 8 insertions(+), 8 deletions(-)
 
 diff --git a/kwalletd/autotests/CMakeLists.txt b/kwalletd/autotests/CMakeLists.txt
-index c9af385..cd5f59e 100644
+index c9af3854e2..cd5f59ebc8 100644
 --- a/kwalletd/autotests/CMakeLists.txt
 +++ b/kwalletd/autotests/CMakeLists.txt
 @@ -1,11 +1,11 @@
diff -Nru kde-runtime-16.08.3/debian/patches/disable_usr_lib_install_rpath.diff kde-runtime-16.08.3/debian/patches/disable_usr_lib_install_rpath.diff
--- kde-runtime-16.08.3/debian/patches/disable_usr_lib_install_rpath.diff	2016-11-23 21:07:35.000000000 +0100
+++ kde-runtime-16.08.3/debian/patches/disable_usr_lib_install_rpath.diff	2017-03-21 11:25:21.000000000 +0100
@@ -12,7 +12,7 @@
  1 file changed, 2 deletions(-)
 
 diff --git a/phonon/platform_kde/CMakeLists.txt b/phonon/platform_kde/CMakeLists.txt
-index f41a4dc..3d3df10 100644
+index f41a4dc58b..3d3df10e96 100644
 --- a/phonon/platform_kde/CMakeLists.txt
 +++ b/phonon/platform_kde/CMakeLists.txt
 @@ -19,10 +19,8 @@ endif(ALSA_FOUND)
diff -Nru kde-runtime-16.08.3/debian/patches/hurd.diff kde-runtime-16.08.3/debian/patches/hurd.diff
--- kde-runtime-16.08.3/debian/patches/hurd.diff	2016-11-23 21:07:35.000000000 +0100
+++ kde-runtime-16.08.3/debian/patches/hurd.diff	2017-03-21 11:25:21.000000000 +0100
@@ -13,7 +13,7 @@
  1 file changed, 3 insertions(+)
 
 diff --git a/kioslave/nfs/nfsv3.cpp b/kioslave/nfs/nfsv3.cpp
-index 0640212..2240e7e 100644
+index 06402120f9..2240e7ed38 100644
 --- a/kioslave/nfs/nfsv3.cpp
 +++ b/kioslave/nfs/nfsv3.cpp
 @@ -59,6 +59,9 @@
diff -Nru kde-runtime-16.08.3/debian/patches/kubuntu_nodisplay_knetattach.diff kde-runtime-16.08.3/debian/patches/kubuntu_nodisplay_knetattach.diff
--- kde-runtime-16.08.3/debian/patches/kubuntu_nodisplay_knetattach.diff	2016-11-23 21:07:35.000000000 +0100
+++ kde-runtime-16.08.3/debian/patches/kubuntu_nodisplay_knetattach.diff	2017-03-21 11:25:21.000000000 +0100
@@ -7,7 +7,7 @@
  1 file changed, 1 insertion(+)
 
 diff --git a/knetattach/knetattach.desktop b/knetattach/knetattach.desktop
-index 88b5585..f61827f 100755
+index 88b5585c1c..f61827f58d 100755
 --- a/knetattach/knetattach.desktop
 +++ b/knetattach/knetattach.desktop
 @@ -186,3 +186,4 @@ X-KDE-StartupNotify=true
diff -Nru kde-runtime-16.08.3/debian/patches/kubuntu_shutup_shutup_shutup.diff kde-runtime-16.08.3/debian/patches/kubuntu_shutup_shutup_shutup.diff
--- kde-runtime-16.08.3/debian/patches/kubuntu_shutup_shutup_shutup.diff	2016-11-23 21:07:35.000000000 +0100
+++ kde-runtime-16.08.3/debian/patches/kubuntu_shutup_shutup_shutup.diff	2017-03-21 11:25:21.000000000 +0100
@@ -7,7 +7,7 @@
  1 file changed, 2 insertions(+), 2 deletions(-)
 
 diff --git a/attica/kdeplugin/kdeplatformdependent.cpp b/attica/kdeplugin/kdeplatformdependent.cpp
-index d0041b8..fde029c 100644
+index d0041b8a0e..fde029c654 100644
 --- a/attica/kdeplugin/kdeplatformdependent.cpp
 +++ b/attica/kdeplugin/kdeplatformdependent.cpp
 @@ -221,7 +221,7 @@ QList<QUrl> KdePlatformDependent::getDefaultProviderFiles() const
diff -Nru kde-runtime-16.08.3/debian/patches/Make-sure-people-are-not-trying-to-sneak-invisible-charac.patch kde-runtime-16.08.3/debian/patches/Make-sure-people-are-not-trying-to-sneak-invisible-charac.patch
--- kde-runtime-16.08.3/debian/patches/Make-sure-people-are-not-trying-to-sneak-invisible-charac.patch	1970-01-01 01:00:00.000000000 +0100
+++ kde-runtime-16.08.3/debian/patches/Make-sure-people-are-not-trying-to-sneak-invisible-charac.patch	2017-03-21 11:25:21.000000000 +0100
@@ -0,0 +1,40 @@
+From: Maximiliano Curia <maxy@gnuservers.com.ar>
+Date: Mon, 20 Mar 2017 16:54:06 +0100
+Subject: Make sure people are not trying to sneak invisible characters on the
+ kdesu label
+
+This is a backport of
+5eda179a099ba68a20dc21dc0da63e85a565a171#diff-281a78cc7558547bc7507f1cabd3cfc9
+from kde-cli-tools to kde-runtime in order to close CVE-2016-7787.
+---
+ kdesu/kdesu/kdesu.cpp | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/kdesu/kdesu/kdesu.cpp b/kdesu/kdesu/kdesu.cpp
+index e3fe99c690..c03a3b2745 100644
+--- a/kdesu/kdesu/kdesu.cpp
++++ b/kdesu/kdesu/kdesu.cpp
+@@ -141,6 +141,10 @@ int main(int argc, char *argv[])
+     {
+         KMessageBox::sorry(0, i18n("Cannot execute command '%1'.", QString::fromLocal8Bit(command)));
+     }
++    if (result == -2)
++    {
++        KMessageBox::sorry(0, i18n("Cannot execute command '%1'. It contains invalid characters.", QString::fromLocal8Bit(command)));
++    }
+ 
+     return result;
+ }
+@@ -367,6 +371,12 @@ static int startApp()
+         kDebug() << "Don't need password!!\n";
+     }
+ 
++    for (const QChar character : QString::fromLocal8Bit(command)) {
++        if (!character.isPrint() && character.category() != QChar::Other_Surrogate) {
++            return -2;
++        }
++    }
++
+     // Start the dialog
+     QString password;
+     if (needpw)
diff -Nru kde-runtime-16.08.3/debian/patches/series kde-runtime-16.08.3/debian/patches/series
--- kde-runtime-16.08.3/debian/patches/series	2016-11-23 21:07:35.000000000 +0100
+++ kde-runtime-16.08.3/debian/patches/series	2017-03-21 11:25:21.000000000 +0100
@@ -7,3 +7,4 @@
 kubuntu_shutup_shutup_shutup.diff
 add_glib_for_nm
 hurd.diff
+Make-sure-people-are-not-trying-to-sneak-invisible-charac.patch
diff -Nru kde-runtime-16.08.3/debian/patches/use_always_present_path_to_test.patch kde-runtime-16.08.3/debian/patches/use_always_present_path_to_test.patch
--- kde-runtime-16.08.3/debian/patches/use_always_present_path_to_test.patch	2016-11-23 21:07:35.000000000 +0100
+++ kde-runtime-16.08.3/debian/patches/use_always_present_path_to_test.patch	2017-03-21 11:25:21.000000000 +0100
@@ -1,10 +1,6 @@
-From: =?utf-8?q?Lisandro_Dami=C3=A1n_Nicanor_P=C3=A9rez_Meyer?=
- <lisandro@debian.org>
+From: Lisandro Damián Nicanor Pérez Meyer <lisandro@debian.org>
 Date: Wed, 13 Apr 2016 13:53:28 +0200
 Subject: use_always_present_path_to_test
-MIME-Version: 1.0
-Content-Type: text/plain; charset="utf-8"
-Content-Transfer-Encoding: 8bit
 
 Description: use a path that's always there
  Or at least in Debian ;)
@@ -20,7 +16,7 @@
  1 file changed, 2 insertions(+), 2 deletions(-)
 
 diff --git a/kioslave/trash/tests/testtrash.cpp b/kioslave/trash/tests/testtrash.cpp
-index f99f0f0..bb4e87f 100644
+index f99f0f02e8..bb4e87f081 100644
 --- a/kioslave/trash/tests/testtrash.cpp
 +++ b/kioslave/trash/tests/testtrash.cpp
 @@ -894,8 +894,8 @@ void TestTrash::moveDirectoryFromTrash()
diff -Nru kde-runtime-16.08.3/debian/patches/use_the_correct_locale.patch kde-runtime-16.08.3/debian/patches/use_the_correct_locale.patch
--- kde-runtime-16.08.3/debian/patches/use_the_correct_locale.patch	2016-11-23 21:07:35.000000000 +0100
+++ kde-runtime-16.08.3/debian/patches/use_the_correct_locale.patch	2017-03-21 11:25:21.000000000 +0100
@@ -1,10 +1,6 @@
-From: =?utf-8?q?Lisandro_Dami=C3=A1n_Nicanor_P=C3=A9rez_Meyer?=
- <lisandro@debian.org>
+From: Lisandro Damián Nicanor Pérez Meyer <lisandro@debian.org>
 Date: Wed, 13 Apr 2016 13:53:28 +0200
 Subject: use_the_correct_locale
-MIME-Version: 1.0
-Content-Type: text/plain; charset="utf-8"
-Content-Transfer-Encoding: 8bit
 
 Description: Use the correct locale.
  The test was expecting a specific locale. Everything seems to indicate
@@ -18,7 +14,7 @@
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/kioslave/trash/tests/testtrash.cpp b/kioslave/trash/tests/testtrash.cpp
-index bccb0e5..f99f0f0 100644
+index bccb0e5a57..f99f0f02e8 100644
 --- a/kioslave/trash/tests/testtrash.cpp
 +++ b/kioslave/trash/tests/testtrash.cpp
 @@ -58,7 +58,7 @@ int initLocale()

Reply to:

Prev by Date: Bug#858334: Dolphin KDE rendering bug
Next by Date: Processing of ktp-common-internals_15.08.3-1.1_source.changes
Previous by thread: Bug#858334: marked as done (Dolphin KDE rendering bug)
Next by thread: Processing of ktp-common-internals_15.08.3-1.1_source.changes
Index(es):
- Date
- Thread