[arch-commits] Commit in kcoreaddons/trunk (CVE-2016-7966.patch PKGBUILD)
Antonio Rojas
arojas at archlinux.org
Fri Oct 7 06:18:58 UTC 2016
Date: Friday, October 7, 2016 @ 06:18:57
Author: arojas
Revision: 277860
Fix CVE-2016-7966
Added:
kcoreaddons/trunk/CVE-2016-7966.patch
Modified:
kcoreaddons/trunk/PKGBUILD
---------------------+
CVE-2016-7966.patch | 71 ++++++++++++++++++++++++++++++++++++++++++++++++++
PKGBUILD | 10 ++++---
2 files changed, 78 insertions(+), 3 deletions(-)
Added: CVE-2016-7966.patch
===================================================================
--- CVE-2016-7966.patch (rev 0)
+++ CVE-2016-7966.patch 2016-10-07 06:18:57 UTC (rev 277860)
@@ -0,0 +1,71 @@
+diff --git a/autotests/kjobtest.cpp b/autotests/kjobtest.cpp
+index 88be4ac..139b9be 100644
+--- a/autotests/kjobtest.cpp
++++ b/autotests/kjobtest.cpp
+@@ -276,6 +276,7 @@ void KJobTest::testDelegateUsage()
+ TestJob *job1 = new TestJob;
+ TestJob *job2 = new TestJob;
+ TestJobUiDelegate *delegate = new TestJobUiDelegate;
++ QPointer<TestJobUiDelegate> guard(delegate);
+
+ QVERIFY(job1->uiDelegate() == 0);
+ job1->setUiDelegate(delegate);
+@@ -284,6 +285,10 @@ void KJobTest::testDelegateUsage()
+ QVERIFY(job2->uiDelegate() == 0);
+ job2->setUiDelegate(delegate);
+ QVERIFY(job2->uiDelegate() == 0);
++
++ delete job1;
++ delete job2;
++ QVERIFY(guard.isNull()); // deleted by job1
+ }
+
+ void KJobTest::testNestedExec()
+diff --git a/autotests/ktexttohtmltest.cpp b/autotests/ktexttohtmltest.cpp
+index 474f0ca..c5690e8 100644
+--- a/autotests/ktexttohtmltest.cpp
++++ b/autotests/ktexttohtmltest.cpp
+@@ -30,6 +30,15 @@ QTEST_MAIN(KTextToHTMLTest)
+
+ Q_DECLARE_METATYPE(KTextToHTML::Options)
+
++#ifndef Q_OS_WIN
++void initLocale()
++{
++ setenv("LC_ALL", "en_US.utf-8", 1);
++}
++Q_CONSTRUCTOR_FUNCTION(initLocale)
++#endif
++
++
+ void KTextToHTMLTest::testGetEmailAddress()
+ {
+ // empty input
+@@ -372,6 +381,17 @@ void KTextToHTMLTest::testHtmlConvert_data()
+ QTest::newRow("url-in-parenthesis-3") << "bla (http://www.kde.org - section 5.2)"
+ << KTextToHTML::Options(KTextToHTML::PreserveSpaces)
+ << "bla (<a href=\"http://www.kde.org\">http://www.kde.org</a> - section 5.2)";
++
++ // Fix url as foo <<url> <url>> when we concatened them.
++ QTest::newRow("url-with-url") << "foo <http://www.kde.org/ <http://www.kde.org/>>"
++ << KTextToHTML::Options(KTextToHTML::PreserveSpaces)
++ << "foo <<a href=\"http://www.kde.org/ \">http://www.kde.org/ </a><<a href=\"http://www.kde.org/\">http://www.kde.org/</a>>>";
++
++ //Fix url exploit
++ QTest::newRow("url-exec-html") << "https://\"><!--"
++ << KTextToHTML::Options(KTextToHTML::PreserveSpaces)
++ << "https://\"><!--";
++
+ }
+
+
+diff --git a/autotests/kurlmimedatatest.cpp b/autotests/kurlmimedatatest.cpp
+index 5e55d9e..264879f 100644
+--- a/autotests/kurlmimedatatest.cpp
++++ b/autotests/kurlmimedatatest.cpp
+@@ -135,4 +135,5 @@ void KUrlMimeDataTest::testMostLocalUrlList()
+ QCOMPARE(qurls[i], static_cast<QUrl>(localUrls[i]));
+ }
+
++ delete mimeData;
+ }
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2016-10-07 05:11:39 UTC (rev 277859)
+++ PKGBUILD 2016-10-07 06:18:57 UTC (rev 277860)
@@ -4,7 +4,7 @@
pkgname=kcoreaddons
pkgver=5.26.0
-pkgrel=1
+pkgrel=2
pkgdesc='Addons to QtCore'
arch=('i686' 'x86_64')
url='https://community.kde.org/Frameworks'
@@ -12,11 +12,15 @@
depends=('qt5-base' 'shared-mime-info')
makedepends=('extra-cmake-modules' 'qt5-tools')
groups=('kf5')
-source=("http://download.kde.org/stable/frameworks/${pkgver%.*}/${pkgname}-${pkgver}.tar.xz")
-md5sums=('263530a26fd0b80238827d2d97225e7b')
+source=("http://download.kde.org/stable/frameworks/${pkgver%.*}/${pkgname}-${pkgver}.tar.xz" CVE-2016-7966.patch)
+md5sums=('263530a26fd0b80238827d2d97225e7b'
+ '2078f5ef9f761df6f7701ba96c046125')
prepare() {
mkdir -p build
+
+ cd $pkgname-$pkgver
+ patch -p1 -i ../CVE-2016-7966.patch # https://www.kde.org/info/security/advisory-20161006-1.txt
}
build() {
More information about the arch-commits
mailing list