Bug#1006293: bullseye-pu: package plasma-desktop/4:5.20.5-4
Package: release.debian.org
Severity: important
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: deltaone@debian.org, debian-qt-kde@lists.debian.org
[ Reason ]
A bug in plasma-discover causes a Denial of Service attack
against the KDE servers. Three packages need to be patched to
mitigate the attack: knewstuff, plasma-desktop and
plasma-discover.
This update fixes bug #1006125 for bullseye; the bug has
already been fixed in unstable.
[ Impact ]
Running the old version causes considerable load for the KDE
servers.
[ Tests ]
No manual tests have been performed.
[ Risks ]
The risks are rather low as the update is a single patch.
The patch has been created by KDE upstream specifically for the
version in bullseye.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
The update contains a single patch to help ease the load on
KDE servers.
[ Other info ]
It would be good if users of KDE Plasma could receive the update
as quickly as possible.
diffstat for plasma-desktop-5.20.5 plasma-desktop-5.20.5
changelog | 8 ++++++++
patches/plasma-desktop-dns.patch | 39 +++++++++++++++++++++++++++++++++++++++
patches/series | 1 +
3 files changed, 48 insertions(+)
diff -Nru plasma-desktop-5.20.5/debian/changelog plasma-desktop-5.20.5/debian/changelog
--- plasma-desktop-5.20.5/debian/changelog 2021-02-24 13:35:04.000000000 +0100
+++ plasma-desktop-5.20.5/debian/changelog 2022-02-20 18:50:03.000000000 +0100
@@ -1,3 +1,11 @@
+plasma-desktop (4:5.20.5-4+deb11u1) bullseye; urgency=medium
+
+ * Team upload.
+ * Cherry-pick commit to fix the Denial of Service bug in Discover
+ (Closes: #1006125).
+
+ -- Patrick Franz <deltaone@debian.org> Sun, 20 Feb 2022 18:50:03 +0100
+
plasma-desktop (4:5.20.5-4) unstable; urgency=medium
* Team upload.
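Review bot: the changelog entry says "Cherry-pick commit" but never names the upstream commit, so the cherry-pick cannot be cross-checked against upstream from the changelog alone; add the commit hash (or a link to it) next to "Cherry-pick commit" and mention the patch file it introduces, in the style of the other entries in this package's changelog.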
diff -Nru plasma-desktop-5.20.5/debian/patches/plasma-desktop-dns.patch plasma-desktop-5.20.5/debian/patches/plasma-desktop-dns.patch
--- plasma-desktop-5.20.5/debian/patches/plasma-desktop-dns.patch 1970-01-01 01:00:00.000000000 +0100
+++ plasma-desktop-5.20.5/debian/patches/plasma-desktop-dns.patch 2022-02-20 18:40:00.000000000 +0100
@@ -0,0 +1,39 @@
+Author: Dan Leinir Turthra Jensen <admin@leinir.dk>
+Description: Fix Denial of Service bug in Discover.
+Forwarded: not-needed
+
+---
+ attica-kde/kdeplugin/kdeplatformdependent.cpp | 19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+
+diff --git a/attica-kde/kdeplugin/kdeplatformdependent.cpp b/attica-kde/kdeplugin/kdeplatformdependent.cpp
+index fbc15ec4e..2c21fe7e6 100644
+--- a/attica-kde/kdeplugin/kdeplatformdependent.cpp
++++ b/attica-kde/kdeplugin/kdeplatformdependent.cpp
+@@ -125,6 +125,25 @@ QNetworkRequest KdePlatformDependent::addOAuthToRequest(const QNetworkRequest &r
+ const QString bearer = bearer_format.arg(token);
+ notConstReq.setRawHeader("Authorization", bearer.toUtf8());
+ }
++
++ // Add cache preference in a granular fashion (we will almost certainly want more of these, but...)
++ static const QStringList preferCacheEndpoints{QLatin1String{"/content/categories"}};
++ for (const QString &endpoint : preferCacheEndpoints) {
++ if (notConstReq.url().toString().endsWith(endpoint)) {
++ QNetworkCacheMetaData cacheMeta{m_accessManager->cache()->metaData(notConstReq.url())};
++ if (cacheMeta.isValid()) {
++ // If the expiration date is valid, but longer than 24 hours, don't trust that things
++ // haven't changed and check first, otherwise just use the cached version to relieve
++ // server strain and reduce network traffic.
++ const QDateTime tomorrow{QDateTime::currentDateTime().addDays(1)};
++ if (cacheMeta.expirationDate().isValid() && cacheMeta.expirationDate() < tomorrow) {
++ notConstReq.setAttribute(QNetworkRequest::CacheLoadControlAttribute, QNetworkRequest::PreferCache);
++ }
++ }
++ break;
++ }
++ }
++
+ return notConstReq;
+ }
+
+--
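Review bot: `m_accessManager->cache()` is dereferenced without a null check in the line `QNetworkCacheMetaData cacheMeta{m_accessManager->cache()->metaData(notConstReq.url())};`; QNetworkAccessManager::cache() returns nullptr when no cache has been installed on the manager, so a build or configuration without a cache would crash here instead of falling through to a plain network request. Guard it, e.g. `if (QAbstractNetworkCache *cache = m_accessManager->cache()) { ... }`. Two smaller points in the same block: the endpoint match uses `notConstReq.url().toString().endsWith(endpoint)`, so any query string or fragment on the URL defeats the match, and comparing `notConstReq.url().path()` would be more robust; and the comment promises "otherwise just use the cached version", but PreferCache is only set when `cacheMeta.expirationDate().isValid()`, so cached entries without an expiration date still hit the server every time. Either the comment or the condition should change. Finally, the DEP-3 header carries `Forwarded: not-needed` but no `Origin:` line with the upstream commit and no `Bug-Debian:` line for #1006125, even though the changelog describes this as a cherry-pick; both are needed to trace the patch back.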
diff -Nru plasma-desktop-5.20.5/debian/patches/series plasma-desktop-5.20.5/debian/patches/series
--- plasma-desktop-5.20.5/debian/patches/series 2021-02-24 13:33:20.000000000 +0100
+++ plasma-desktop-5.20.5/debian/patches/series 2022-02-20 18:44:56.000000000 +0100
@@ -3,3 +3,4 @@
upstream_5.21+lts_folder_view_de-duplicate_switch_width_height_logic.patch
upstream_5.21+lts_folder_view_Fix_display_on_not-skinny_vertical_panels.patch
upstream-1be25dec-fix-crash-deleting-from-activity-manager.patch
+plasma-desktop-dns.patch
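Review bot: the new entry `plasma-desktop-dns.patch` does not follow the naming convention of the existing entries in this series (`upstream-<commit>-<description>.patch`, e.g. `upstream-1be25dec-fix-crash-deleting-from-activity-manager.patch`), and "dns" does not describe a change that adjusts HTTP cache preferences for a DoS mitigation. Renaming it along the lines of `upstream-<hash>-prefer-cache-for-content-categories.patch` would keep the series self-describing and record the upstream commit it comes from.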