--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: debian-qt-kde@lists.debian.org
Please unblock package plasma-discover
[ Reason ]
It fixes CVE-2021-28117 affecting bullseye.
See Security Tracker at [2].
[ Impact ]
URLs other than HTTP like smb:// or nfs:// can be opened from package
descriptions in Discover, which could be used to chain to other attack
vectors.
See KDE security advisory at [1].
[ Tests ]
Manual tests of basic Discover functionality, checking that package
descriptions are not broken by the change.
[ Risks ]
The upstream commit is a one-liner fixing the regexp pattern used to
transform URL text into clickable links in package descriptions in
Discover. I’d qualify it as very low risk.
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
[ Other info ]
KDE Security Advisory:
[1] https://kde.org/info/security/advisory-20210310-1.txt
Security Tracker:
[2] https://security-tracker.debian.org/tracker/CVE-2021-28117
unblock plasma-discover/5.20.5-3
diff -Nru plasma-discover-5.20.5/debian/changelog plasma-discover-5.20.5/debian/changelog
--- plasma-discover-5.20.5/debian/changelog 2021-01-21 09:02:53.000000000 +0100
+++ plasma-discover-5.20.5/debian/changelog 2021-03-10 23:53:46.000000000 +0100
@@ -1,3 +1,10 @@
+plasma-discover (5.20.5-3) unstable; urgency=medium
+
+ [ Patrick Franz ]
+ * Add patch to validate URI scheme (Fixes: CVE-2021-28117).
+
+ -- Patrick Franz <patfra71@gmail.com> Wed, 10 Mar 2021 23:53:46 +0100
+
plasma-discover (5.20.5-2) unstable; urgency=medium
* Add jcat, libjcat-dev, and any of the libcurl*-dev variants to B-D to work
diff -Nru plasma-discover-5.20.5/debian/patches/https_only_links.patch plasma-discover-5.20.5/debian/patches/https_only_links.patch
--- plasma-discover-5.20.5/debian/patches/https_only_links.patch 1970-01-01 01:00:00.000000000 +0100
+++ plasma-discover-5.20.5/debian/patches/https_only_links.patch 2021-03-10 23:53:46.000000000 +0100
@@ -0,0 +1,23 @@
+Description: Missing URI scheme validation (CVE-2021-28117)
+ Validate to only turn https(s)-links into clickable links.
+Author: upstream
+Forwarded: not-needed
+
+---
+ libdiscover/backends/KNSBackend/KNSResource.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libdiscover/backends/KNSBackend/KNSResource.cpp b/libdiscover/backends/KNSBackend/KNSResource.cpp
+index e43b2e48..0ba88032 100644
+--- a/libdiscover/backends/KNSBackend/KNSResource.cpp
++++ b/libdiscover/backends/KNSBackend/KNSResource.cpp
+@@ -87,7 +87,7 @@ QString KNSResource::longDescription()
+ ret.remove(QRegularExpression(QStringLiteral("\\[\\/?[a-z]*\\]")));
+ // Find anything that looks like a link (but which also is not some html
+ // tag value or another already) and make it a link
+- static const QRegularExpression urlRegExp(QStringLiteral("(^|\\s)([-a-zA-Z0-9@:%_\\+.~#?&//=]{2,256}\\.[a-z]{2,4}\\b(\\/[-a-zA-Z0-9@:;%_\\+.~#?&//=]*)?)"), QRegularExpression::CaseInsensitiveOption);
++ static const QRegularExpression urlRegExp(QStringLiteral("(^|\\s)(http[-a-zA-Z0-9@:%_\\+.~#?&//=]{2,256}\\.[a-z]{2,4}\\b(\\/[-a-zA-Z0-9@:;%_\\+.~#?&//=]*)?)"), QRegularExpression::CaseInsensitiveOption);
+ ret.replace(urlRegExp, QStringLiteral("<a href=\"\\2\">\\2</a>"));
+ return ret;
+ }
+
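Review bot: the replacement regex on the `++` line only prepends the literal `http` to the existing character class and never requires a scheme separator, so text such as `httpd.example.org` still matches (`http` + `d.example` from the class + `.org` + `\b`) and is rewritten to `<a href="httpd.example.org">`, a scheme-less relative link; the `(^|\\s)` anchor and the `\\.[a-z]{2,4}\\b` tail are unchanged. If the goal stated in the Description is to link only http(s) URLs, `https?://` at the start of the second capture group would express that directly. Since this is upstream's own commit, shipping it as-is for the unblock is defensible, but the DEP-3 header should record that: `Origin: upstream, <commit URL>` is the field for an upstream commit (`Author:` is for the patch author's name), and the Description line reads `https(s)-links` where `http(s)-links` is meant.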
diff -Nru plasma-discover-5.20.5/debian/patches/series plasma-discover-5.20.5/debian/patches/series
--- plasma-discover-5.20.5/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ plasma-discover-5.20.5/debian/patches/series 2021-03-10 23:53:46.000000000 +0100
@@ -0,0 +1 @@
+https_only_links.patch
--- End Message ---