Bug#984977: marked as done (unblock: plasma-discover/5.20.5-3)

["Debian Bug Tracking System" <owner@bugs.debian.org>]

Your message dated Thu, 11 Mar 2021 14:55:28 +0000
with message-id <E1lKMim-0002XU-2N@respighi.debian.org>
and subject line unblock plasma-discover
has caused the Debian Bug report #984977,
regarding unblock: plasma-discover/5.20.5-3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
984977: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984977
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: Debian Bug Tracking System <submit@bugs.debian.org>
• Subject: unblock: plasma-discover/5.20.5-3
• From: Aurélien COUDERC <coucouf@debian.org>
• Date: Thu, 11 Mar 2021 15:04:20 +0100
• Message-id: <[🔎] 161547146002.490976.14370554876736359050.reportbug@Grummly>

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: debian-qt-kde@lists.debian.org

Please unblock package plasma-discover

[ Reason ]
It fixes CVE-2021-28117 affecting bullseye.
See Security Tracker at [1].

[ Impact ]
URLs other than HTTP like smb:// or nfs:// can be opened from package
descriptions in Discover, which could be used to chain to other attack
vectors.
See KDE security advisory at [2].

[ Tests ]
Manual tests of basic Discover functionality, checking that package
descriptions are not broken by the change.

[ Risks ]
The upstream commit is a one-liner fixing the regexp pattern used to
transform URL text into clickable links in package descriptions in
Discover. I’d qualify it as very low risk.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]
KDE Security Advisory:
  [1] https://kde.org/info/security/advisory-20210310-1.txt
Security Tracker:
  [2] https://security-tracker.debian.org/tracker/CVE-2021-28117

unblock plasma-discover/5.20.5-3

diff -Nru plasma-discover-5.20.5/debian/changelog plasma-discover-5.20.5/debian/changelog
--- plasma-discover-5.20.5/debian/changelog	2021-01-21 09:02:53.000000000 +0100
+++ plasma-discover-5.20.5/debian/changelog	2021-03-10 23:53:46.000000000 +0100
@@ -1,3 +1,10 @@
+plasma-discover (5.20.5-3) unstable; urgency=medium
+
+  [ Patrick Franz ]
+  * Add patch to validate URI scheme (Fixes: CVE-2021-28117).
+
+ -- Patrick Franz <patfra71@gmail.com>  Wed, 10 Mar 2021 23:53:46 +0100
+
 plasma-discover (5.20.5-2) unstable; urgency=medium
 
   * Add jcat, libjcat-dev, and any of the libcurl*-dev variants to B-D to work
diff -Nru plasma-discover-5.20.5/debian/patches/https_only_links.patch plasma-discover-5.20.5/debian/patches/https_only_links.patch
--- plasma-discover-5.20.5/debian/patches/https_only_links.patch	1970-01-01 01:00:00.000000000 +0100
+++ plasma-discover-5.20.5/debian/patches/https_only_links.patch	2021-03-10 23:53:46.000000000 +0100
@@ -0,0 +1,23 @@
+Description: Missing URI scheme validation (CVE-2021-28117)
+ Validate to only turn https(s)-links into clickable links.
+Author: upstream
+Forwarded: not-needed
+
+---
+ libdiscover/backends/KNSBackend/KNSResource.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libdiscover/backends/KNSBackend/KNSResource.cpp b/libdiscover/backends/KNSBackend/KNSResource.cpp
+index e43b2e48..0ba88032 100644
+--- a/libdiscover/backends/KNSBackend/KNSResource.cpp
++++ b/libdiscover/backends/KNSBackend/KNSResource.cpp
+@@ -87,7 +87,7 @@ QString KNSResource::longDescription()
+     ret.remove(QRegularExpression(QStringLiteral("\\[\\/?[a-z]*\\]")));
+     // Find anything that looks like a link (but which also is not some html
+     // tag value or another already) and make it a link
+-    static const QRegularExpression urlRegExp(QStringLiteral("(^|\\s)([-a-zA-Z0-9@:%_\\+.~#?&//=]{2,256}\\.[a-z]{2,4}\\b(\\/[-a-zA-Z0-9@:;%_\\+.~#?&//=]*)?)"), QRegularExpression::CaseInsensitiveOption);
++    static const QRegularExpression urlRegExp(QStringLiteral("(^|\\s)(http[-a-zA-Z0-9@:%_\\+.~#?&//=]{2,256}\\.[a-z]{2,4}\\b(\\/[-a-zA-Z0-9@:;%_\\+.~#?&//=]*)?)"), QRegularExpression::CaseInsensitiveOption);
+     ret.replace(urlRegExp, QStringLiteral("<a href=\"\\2\">\\2</a>"));
+     return ret;
+ }
+
diff -Nru plasma-discover-5.20.5/debian/patches/series plasma-discover-5.20.5/debian/patches/series
--- plasma-discover-5.20.5/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ plasma-discover-5.20.5/debian/patches/series	2021-03-10 23:53:46.000000000 +0100
@@ -0,0 +1 @@
+https_only_links.patch

--- End Message ---

--- Begin Message ---

• To: 984977-done@bugs.debian.org
• Subject: unblock plasma-discover
• From: Sebastian Ramacher <sramacher@respighi.debian.org>
• Date: Thu, 11 Mar 2021 14:55:28 +0000
• Message-id: <E1lKMim-0002XU-2N@respighi.debian.org>

Unblocked.

--- End Message ---