diff -Nru kdepimlibs-4.8.5/debian/changelog kdepimlibs-4.8.5/debian/changelog
--- kdepimlibs-4.8.5/debian/changelog 2014-11-05 13:28:45.000000000 -0600
+++ kdepimlibs-4.8.5/debian/changelog 2016-10-05 20:10:01.000000000 -0500
@@ -1,3 +1,9 @@
+kdepimlibs (4:4.8.5-0ubuntu0.3) precise-security; urgency=medium
+
+ * Fix CVE involving KMail
+
+ -- Simon Quigley Wed, 05 Oct 2016 20:10:01 -0500
+
 kdepimlibs (4:4.8.5-0ubuntu0.2) precise-security; urgency=medium
 
 * No change rebuild for security
diff -Nru kdepimlibs-4.8.5/debian/patches/01-fix-cve-kmail-html.diff kdepimlibs-4.8.5/debian/patches/01-fix-cve-kmail-html.diff
--- kdepimlibs-4.8.5/debian/patches/01-fix-cve-kmail-html.diff 1969-12-31 18:00:00.000000000 -0600
+++ kdepimlibs-4.8.5/debian/patches/01-fix-cve-kmail-html.diff 2016-10-05 19:34:47.000000000 -0500
@@ -0,0 +1,93 @@
+Description: Fix HTML injection vulnerability
+ Through a malicious URL that contained a quote character it
+ was possible to inject HTML code in KMail's plain text viewer.
+ Due to the parser used on the URL it was not possible to include
+ the equal sign (=) or a space into the injected HTML, which greatly
+ reduces the available HTML functionality. Although it is possible
+ to include an HTML comment indicator to hide content.
+Author: Montel Laurent
+Origin: upstream
+Applied-Upstream: 176fee25ca79145ab5c8e2275d248f1a46a8d8cf
+Last-Update: 2016-10-05
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/kpimutils/linklocator.cpp
++++ b/kpimutils/linklocator.cpp
+@@ -95,6 +95,12 @@ int LinkLocator::maxAddressLen() const
+
+ QString LinkLocator::getUrl()
+ {
++ return getUrlAndCheckValidHref();
++}
++
++
++QString LinkLocator::getUrlAndCheckValidHref(bool *badurl)
++{
+ QString url;
+ if ( atUrl() ) {
+ // NOTE: see http://tools.ietf.org/html/rfc3986#appendix-A and especially appendix-C
+@@ -129,15 +135,28 @@ QString LinkLocator::getUrl()
+
+ url.reserve( maxUrlLen() ); // avoid allocs
+ int start = mPos;
++ bool previousCharIsADoubleQuote = false;
+ while ( ( mPos < (int)mText.length() ) &&
+ ( mText[mPos].isPrint() || mText[mPos].isSpace() ) &&
+ ( ( afterUrl.isNull() && !mText[mPos].isSpace() ) ||
+ ( !afterUrl.isNull() && mText[mPos] != afterUrl ) ) ) {
+ if ( !mText[mPos].isSpace() ) { // skip whitespace
+- url.append( mText[mPos] );
+- if ( url.length() > maxUrlLen() ) {
+- break;
+- }
++ if (mText[mPos] == QLatin1Char('>') && previousCharIsADoubleQuote) {
++ //it's an invalid url
++ if (badurl) {
++ *badurl = true;
++ }
++ return QString();
++ }
++ if (mText[mPos] == QLatin1Char('"')) {
++ previousCharIsADoubleQuote = true;
++ } else {
++ previousCharIsADoubleQuote = false;
++ }
++ url.append( mText[mPos] );
++ if ( url.length() > maxUrlLen() ) {
++ break;
++ }
+ }
+
+ mPos++;
+@@ -366,7 +385,11 @@ QString LinkLocator::convertToHtml( cons
+ } else {
+ const int start = locator.mPos;
+ if ( !( flags & IgnoreUrls ) ) {
+- str = locator.getUrl();
++ bool badUrl = false;
++ str = locator.getUrlAndCheckValidHref(&badUrl);
++ if (badUrl) {
++ return locator.mText;
++ }
+ if ( !str.isEmpty() ) {
+ QString hyperlink;
+ if ( str.left( 4 ) == "www." ) {
+--- a/kpimutils/linklocator.h
++++ b/kpimutils/linklocator.h
+@@ -107,6 +107,7 @@ class KPIMUTILS_EXPORT LinkLocator
+ @return The URL at the current scan position, or an empty string.
+ */
+ QString getUrl();
++ QString getUrlAndCheckValidHref(bool *badurl = 0);
+
+ /**
+ Attempts to grab an email address. If there is an @ symbol at the
+@@ -155,7 +156,7 @@ class KPIMUTILS_EXPORT LinkLocator
+ */
+ static QString pngToDataUrl( const QString & iconPath );
+
+- protected:
++protected:
+ /**
+ The plaintext string being scanned for URLs and email addresses.
+ */
diff -Nru kdepimlibs-4.8.5/debian/patches/series kdepimlibs-4.8.5/debian/patches/series
--- kdepimlibs-4.8.5/debian/patches/series 2012-04-30 15:14:41.000000000 -0500
+++ kdepimlibs-4.8.5/debian/patches/series 2016-10-05 19:22:52.000000000 -0500
@@ -1 +1,2 @@
 03_hide_akonadi_progressbar.diff
+01-fix-cve-kmail-html.diff
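Review bot: The bad-URL path added to convertToHtml() ends with `return locator.mText;`, and the header describes mText as the plaintext being scanned, so on exactly the input the new check flags as hostile the function hands back unescaped text where its name promises HTML. That path should escape before returning, for example `return Qt::escape( locator.mText );`, unless every caller is known to escape the result itself. Separately, the test in getUrlAndCheckValidHref() only rejects a `>` that directly follows a `"`, so a quote anywhere else in the URL still passes; the code that writes `str` into the href (outside these hunks) should escape it rather than rely on this one pattern. Both function bodies continue outside the hunks shown, and the new declaration in linklocator.h has no doc comment explaining `badurl`.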