Bug#1006294: bullseye-pu: package knewstuff/5.78.0-4
Package: release.debian.org
Severity: important
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: deltaone@debian.org, debian-qt-kde@lists.debian.org
[ Reason ]
A bug in plasma-discover causes a Denial of Service attack
against the KDE servers. 3 packages need to be patched to
mitigate the attack: knewstuff, plasma-desktop and
plasma-discover.
This update fixes bug #1006126 for bullseye and has been
fixed in unstable in version 5.90.0-1 for knewstuff.
[ Impact ]
Running the old version causes considerable load for the KDE
servers.
[ Tests ]
No manual tests have been performed.
[ Risks ]
The risks are rather low as the update is a single patch.
The patch has been created by KDE upstream specifically for the
version in bullseye.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
The update contains a single patch to help ease the load on
KDE servers.
[ Other info ]
It would be good if users of KDE plasma could receive the update
as quickly as possible.
diffstat for knewstuff-5.78.0 knewstuff-5.78.0
changelog | 8 ++++++++
patches/knewstuff_dns.patch | 28 ++++++++++++++++++++++++++++
patches/series | 1 +
3 files changed, 37 insertions(+)
diff -Nru knewstuff-5.78.0/debian/changelog knewstuff-5.78.0/debian/changelog
--- knewstuff-5.78.0/debian/changelog 2021-02-24 23:04:55.000000000 +0100
+++ knewstuff-5.78.0/debian/changelog 2022-02-22 22:02:10.000000000 +0100
@@ -1,3 +1,11 @@
+knewstuff (5.78.0-4+deb11u1) bullseye; urgency=medium
+
+ * Team upload.
+ * Cherry-pick commit to fix the Denial of Service bug in Discover
+ (Closes: #1006126).
+
+ -- Patrick Franz <deltaone@debian.org> Tue, 22 Feb 2022 22:02:10 +0100
+
knewstuff (5.78.0-4) unstable; urgency=medium
* Team upload.
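Review bot: the changelog entry says "Cherry-pick commit" but does not identify which upstream commit was cherry-picked; since the patch file carries the hash abaa25340b96307fcc7e586ed00bfde67500b57d in its From line, naming it in the changelog (e.g. "Cherry-pick upstream commit abaa2534 to ...") makes the stable update easier to audit against upstream.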
diff -Nru knewstuff-5.78.0/debian/patches/knewstuff_dns.patch knewstuff-5.78.0/debian/patches/knewstuff_dns.patch
--- knewstuff-5.78.0/debian/patches/knewstuff_dns.patch 1970-01-01 01:00:00.000000000 +0100
+++ knewstuff-5.78.0/debian/patches/knewstuff_dns.patch 2022-02-22 21:57:05.000000000 +0100
@@ -0,0 +1,28 @@
+From abaa25340b96307fcc7e586ed00bfde67500b57d Mon Sep 17 00:00:00 2001
+From: Aleix Pol <aleixpol@kde.org>
+Date: Tue, 8 Feb 2022 11:48:11 +0100
+Subject: [PATCH] Engine: Ensure we are not using the wrong ProvidersUrl
+
+---
+ src/core/engine.cpp | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/core/engine.cpp b/src/core/engine.cpp
+index c5894747..30fdf2bb 100644
+--- a/src/core/engine.cpp
++++ b/src/core/engine.cpp
+@@ -237,7 +237,10 @@ bool Engine::init(const QString &configfile)
+
+ qCDebug(KNEWSTUFFCORE) << "Categories: " << m_categories;
+ m_providerFileUrl = group.readEntry("ProvidersUrl");
+-
++ if (m_providerFileUrl == QLatin1String("https://download.kde.org/ocs/providers.xml")) {
++ m_providerFileUrl = QStringLiteral("https://autoconfig.kde.org/ocs/providers.xml");
++ qCWarning(KNEWSTUFFCORE) << "Please make sure" << configfile << "has ProvidersUrl=https://autoconfig.kde.org/ocs/providers.xml";
++ }
+ d->tagFilter = group.readEntry("TagFilter", QStringList(QStringLiteral("ghns_excluded!=1")));
+ d->downloadTagFilter = group.readEntry("DownloadTagFilter", QStringList());
+
+--
+GitLab
+
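Review bot: the rewrite in the new `if` block only triggers on an exact match against `https://download.kde.org/ocs/providers.xml`, so a knsrc file that spells the old ProvidersUrl differently (an `http://` scheme, a trailing slash, or other whitespace) keeps pointing at download.kde.org and continues to generate the load this update is meant to stop; a case-insensitive or normalized comparison (QUrl-based, or matching on host and path) would close that gap. Also, the patch file has git-format-patch headers (From/Date/Subject) but no DEP-3 `Origin:` or `Bug-Debian:` lines; adding `Origin: upstream, https://invent.kde.org/frameworks/knewstuff/-/commit/abaa25340b96307fcc7e586ed00bfde67500b57d` and `Bug-Debian: https://bugs.debian.org/1006126` would document the provenance for the stable release team.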
diff -Nru knewstuff-5.78.0/debian/patches/series knewstuff-5.78.0/debian/patches/series
--- knewstuff-5.78.0/debian/patches/series 2021-02-24 11:36:14.000000000 +0100
+++ knewstuff-5.78.0/debian/patches/series 2022-02-22 21:57:39.000000000 +0100
@@ -1 +1,2 @@
upstream-a3050ecf-qtquickengine-check-knscore-engine-is-valid-before-search.patch
+knewstuff_dns.patch