diff -Nru kcoreaddons-5.26.0/debian/changelog kcoreaddons-5.26.0/debian/changelog --- kcoreaddons-5.26.0/debian/changelog 2016-09-22 13:42:27.000000000 +0100 +++ kcoreaddons-5.26.0/debian/changelog 2016-10-06 23:30:24.000000000 +0100 @@ -1,3 +1,10 @@ +kcoreaddons (5.26.0-0ubuntu2) yakkety; urgency=medium + + * Fix CVE 2016-7966 involving KMail + * Enable an autotest to check fix for CVE 2016-7966 is in place + + -- Clive Johnston Thu, 06 Oct 2016 23:30:24 +0100 + kcoreaddons (5.26.0-0ubuntu1) yakkety; urgency=medium [ Clive Johnston ] diff -Nru kcoreaddons-5.26.0/debian/patches/01-fix-cve-2016-7966-kmail-html.diff kcoreaddons-5.26.0/debian/patches/01-fix-cve-2016-7966-kmail-html.diff --- kcoreaddons-5.26.0/debian/patches/01-fix-cve-2016-7966-kmail-html.diff 1970-01-01 01:00:00.000000000 +0100 +++ kcoreaddons-5.26.0/debian/patches/01-fix-cve-2016-7966-kmail-html.diff 2016-10-06 23:30:24.000000000 +0100 
@@ -0,0 +1,89 @@
+Description: Fix HTML injection vulnerability
+ Through a malicious URL that contained a quote character it
+ was possible to inject HTML code in KMail's plain text viewer.
+ Due to the parser used on the URL it was not possible to include
+ the equal sign (=) or a space into the injected HTML, which greatly
+ reduces the available HTML functionality. Although it is possible
+ to include an HTML comment indicator to hide content.
+Author: Montel Laurent
+Origin: upstream
+Applied-Upstream: 176fee25ca79145ab5c8e2275d248f1a46a8d8cf
+Last-Update: 2016-10-05
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/src/lib/text/ktexttohtml.cpp
++++ b/src/lib/text/ktexttohtml.cpp
+@@ -156,7 +156,6 @@
+ (allowedSpecialChars.indexOf(mText[mPos - 1]) != -1))) {
+ return false;
+ }
+-
+ QChar ch = mText[mPos];
+ return
+ (ch == QLatin1Char('h') && (mText.mid(mPos, 7) == QLatin1String("http://") ||
+@@ -192,7 +191,7 @@
+ url == QLatin1String("news://");
+ }
+
+-QString KTextToHTMLHelper::getUrl()
++QString KTextToHTMLHelper::getUrl(bool *badurl)
+ {
+ QString url;
+ if (atUrl()) {
+@@ -228,11 +227,32 @@
+
+ url.reserve(mMaxUrlLen); // avoid allocs
+ int start = mPos;
++ bool previousCharIsSpace = false;
++ bool previousCharIsADoubleQuote = false;
+ while ((mPos < mText.length()) &&
+ (mText[mPos].isPrint() || mText[mPos].isSpace()) &&
+ ((afterUrl.isNull() && !mText[mPos].isSpace()) ||
+ (!afterUrl.isNull() && mText[mPos] != afterUrl))) {
+- if (!mText[mPos].isSpace()) { // skip whitespace
++ if (mText[mPos].isSpace()) {
++ previousCharIsSpace = true;
++ } else { // skip whitespace
++ if (previousCharIsSpace && mText[mPos] == QLatin1Char('<')) {
++ url.append(QLatin1Char(' '));
++ break;
++ }
++ previousCharIsSpace = false;
++ if (mText[mPos] == QLatin1Char('>') && previousCharIsADoubleQuote) {
++ //it's an invalid url
++ if (badurl) {
++ *badurl = true;
++ }
++ return QString();
++ }
++ if (mText[mPos] == QLatin1Char('"')) {
++ 
previousCharIsADoubleQuote = true;
++ } else {
++ previousCharIsADoubleQuote = false;
++ }
+ url.append(mText[mPos]);
+ if (url.length() > mMaxUrlLen) {
+ break;
+@@ -267,7 +287,6 @@
+ }
+ } while (url.length() > 1);
+ }
+-
+ return url;
+ }
+
+@@ -401,7 +420,11 @@
+ } else {
+ const int start = helper.mPos;
+ if (!(flags & IgnoreUrls)) {
+- str = helper.getUrl();
++ bool badUrl = false;
++ str = helper.getUrl(&badUrl);
++ if (badUrl) {
++ return helper.mText;
++ }
+ if (!str.isEmpty()) {
+ QString hyperlink;
+ if (str.left(4) == QLatin1String("www.")) {
+
+
diff -Nru kcoreaddons-5.26.0/debian/patches/02-enable-test-for-cve-2016-7966.diff kcoreaddons-5.26.0/debian/patches/02-enable-test-for-cve-2016-7966.diff
--- kcoreaddons-5.26.0/debian/patches/02-enable-test-for-cve-2016-7966.diff 1970-01-01 01:00:00.000000000 +0100
+++ kcoreaddons-5.26.0/debian/patches/02-enable-test-for-cve-2016-7966.diff 2016-10-06 23:30:24.000000000 +0100
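Review bot: The second inner hunk changes the out-of-line definition to `QString KTextToHTMLHelper::getUrl(bool *badurl)`, but none of the five hunks in this 89-line patch touches the private header that declares KTextToHTMLHelper, so unless the 5.26.0 header already declares that parameter the definition no longer matches any declaration and the library will not compile. The upstream commit cited in Applied-Upstream presumably updates that header as well; the declaration to carry over is `QString getUrl(bool *badurl = nullptr);`. Separately, the new badUrl branch in the last hunk returns `helper.mText` verbatim, so the `"` and `>` that caused the rejection reach the caller unescaped; if callers embed the result in HTML, `return helper.mText.toHtmlEscaped();` would be the safer fallback, but check how the return value is consumed before departing from the upstream behaviour. Both getUrl and the function containing the last hunk begin and end outside the inner hunks.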
@@ -0,0 +1,47 @@ +Description: Enable autotest to text fix for HTML injection vulnerability + Through a malicious URL that contained a quote character it + was possible to inject HTML code in KMail's plain text viewer. + Due to the parser used on the URL it was not possible to include + the equal sign (=) or a space into the injected HTML, which greatly + reduces the available HTML functionality. Although it is possible + to include an HTML comment indicator to hide content. +Author: Montel Laurent +Origin: upstream +Applied-Upstream: 176fee25ca79145ab5c8e2275d248f1a46a8d8cf +Last-Update: 2016-10-05 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/--- a/autotests/ktexttohtmltest.cpp +--- a/autotests/ktexttohtmltest.cpp ++++ b/autotests/ktexttohtmltest.cpp +@@ -29,6 +29,15 @@ + QTEST_MAIN(KTextToHTMLTest) + + Q_DECLARE_METATYPE(KTextToHTML::Options) ++ ++#ifndef Q_OS_WIN ++void initLocale() ++{ ++ setenv("LC_ALL", "en_US.utf-8", 1); ++} ++Q_CONSTRUCTOR_FUNCTION(initLocale) ++#endif ++ + + void KTextToHTMLTest::testGetEmailAddress() + { +@@ -372,6 +381,17 @@ + QTest::newRow("url-in-parenthesis-3") << "bla (http://www.kde.org - section 5.2)" + << KTextToHTML::Options(KTextToHTML::PreserveSpaces) + << "bla (http://www.kde.org - section 5.2)"; ++ ++ // Fix url as foo < > when we concatened them. ++ QTest::newRow("url-with-url") << "foo >" ++ << KTextToHTML::Options(KTextToHTML::PreserveSpaces) ++ << "foo <http://www.kde.org/ <http://www.kde.org/>>"; ++ ++ //Fix url exploit ++ QTest::newRow("url-exec-html") << "https://\">