diff -Nru kcoreaddons-5.18.0/debian/changelog kcoreaddons-5.18.0/debian/changelog
--- kcoreaddons-5.18.0/debian/changelog	2016-03-07 16:19:12.000000000 -0600
+++ kcoreaddons-5.18.0/debian/changelog	2017-08-11 23:36:27.000000000 -0500
@@ -1,3 +1,15 @@
+kcoreaddons (5.18.0-0ubuntu1.1) xenial-security; urgency=high
+
+  * SECURITY UPDATE: KMail - HTML injection in plain text viewer
+    (LP: #1630700)
+    - CVE-2016-7966
+    - CVE-2016-7966_1.patch - 1be727 from upstream
+    - CVE-2016-7966_2.patch - 96e562 from upstream
+    - CVE-2016-7966_3.patch - a06cef from upstream
+    - CVE-2016-7966_4.patch - 5e13d2 from upstream
+
+ -- Simon Quigley <tsimonq2@ubuntu.com>  Fri, 11 Aug 2017 23:36:27 -0500
+
 kcoreaddons (5.18.0-0ubuntu1) xenial; urgency=medium
 
   [ Scarlett Clark ]
diff -Nru kcoreaddons-5.18.0/debian/control kcoreaddons-5.18.0/debian/control
--- kcoreaddons-5.18.0/debian/control	2016-03-07 16:19:12.000000000 -0600
+++ kcoreaddons-5.18.0/debian/control	2017-08-11 23:36:27.000000000 -0500
@@ -1,7 +1,8 @@
 Source: kcoreaddons
 Section: libs
 Priority: optional
-Maintainer: Debian/Kubuntu Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
+Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
+XSBC-Original-Maintainer: Debian/Kubuntu Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
 Uploaders: Maximiliano Curia <maxy@debian.org>
 Build-Depends: cmake (>= 2.8.12),
                debhelper (>= 9),
diff -Nru kcoreaddons-5.18.0/debian/patches/CVE-2016-7966_1.patch kcoreaddons-5.18.0/debian/patches/CVE-2016-7966_1.patch
--- kcoreaddons-5.18.0/debian/patches/CVE-2016-7966_1.patch	1969-12-31 18:00:00.000000000 -0600
+++ kcoreaddons-5.18.0/debian/patches/CVE-2016-7966_1.patch	2017-08-11 23:14:41.000000000 -0500
@@ -0,0 +1,92 @@
+Description: Fix very old bug when we remove space in url as "foo <<url> <url>>"
+ This is patch 1/4 fixing CVE-2016-7966, recommended by upstream.
+Author: Montel Laurent <montel@kde.org>
+Origin: upstream
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1630700
+Applied-Upstream: 1be7272373d60e4234f1a5584e676b579302b053
+Last-Update: 2017-08-11
+--- a/autotests/ktexttohtmltest.cpp
++++ b/autotests/ktexttohtmltest.cpp
+@@ -30,6 +30,15 @@ QTEST_MAIN(KTextToHTMLTest)
+ 
+ Q_DECLARE_METATYPE(KTextToHTML::Options)
+ 
++#ifndef Q_OS_WIN
++void initLocale()
++{
++    setenv("LC_ALL", "en_US.utf-8", 1);
++}
++Q_CONSTRUCTOR_FUNCTION(initLocale)
++#endif
++
++
+ void KTextToHTMLTest::testGetEmailAddress()
+ {
+     // empty input
+@@ -372,6 +381,11 @@ void KTextToHTMLTest::testHtmlConvert_da
+     QTest::newRow("url-in-parenthesis-3") << "bla (http://www.kde.org - section 5.2)"
+                                           << KTextToHTML::Options(KTextToHTML::PreserveSpaces)
+                                           << "bla (<a href=\"http://www.kde.org\">http://www.kde.org</a> - section 5.2)";
++
++    // Fix url as foo <<url> <url>> when we concatened them.
++    QTest::newRow("url-with-url") << "foo <http://www.kde.org/ <http://www.kde.org/>>"
++                                << KTextToHTML::Options(KTextToHTML::PreserveSpaces)
++                                << "foo &lt;<a href=\"http://www.kde.org/ \">http://www.kde.org/ </a>&lt;<a href=\"http://www.kde.org/\">http://www.kde.org/</a>&gt;&gt;";
+ }
+ 
+ 
+--- a/src/lib/text/ktexttohtml.cpp
++++ b/src/lib/text/ktexttohtml.cpp
+@@ -228,11 +228,19 @@ QString KTextToHTMLHelper::getUrl()
+ 
+         url.reserve(mMaxUrlLen);    // avoid allocs
+         int start = mPos;
++        bool previousCharIsSpace = false;
+         while ((mPos < (int)mText.length()) &&
+                 (mText[mPos].isPrint() || mText[mPos].isSpace()) &&
+                 ((afterUrl.isNull() && !mText[mPos].isSpace()) ||
+                  (!afterUrl.isNull() && mText[mPos] != afterUrl))) {
+-            if (!mText[mPos].isSpace()) {     // skip whitespace
++            if (mText[mPos].isSpace()) {
++                previousCharIsSpace = true;
++            } else { // skip whitespace
++                if (previousCharIsSpace && mText[mPos] == QLatin1Char('<')) {
++                    url.append(QLatin1Char(' '));
++                    break;
++                }
++                previousCharIsSpace = false;
+                 url.append(mText[mPos]);
+                 if (url.length() > mMaxUrlLen) {
+                     break;
+@@ -267,7 +275,6 @@ QString KTextToHTMLHelper::getUrl()
+             }
+         } while (url.length() > 1);
+     }
+-
+     return url;
+ }
+ 
+@@ -334,6 +341,7 @@ QString KTextToHTML::convertToHtml(const
+     QChar ch;
+     int x;
+     bool startOfLine = true;
++    //qDebug()<<" plainText"<<plainText;
+ 
+     for (helper.mPos = 0, x = 0; helper.mPos < (int)helper.mText.length();
+             ++helper.mPos, ++x) {
+@@ -402,6 +410,7 @@ QString KTextToHTML::convertToHtml(const
+             const int start = helper.mPos;
+             if (!(flags & IgnoreUrls)) {
+                 str = helper.getUrl();
++                //qDebug()<<" str"<<str; 
+                 if (!str.isEmpty()) {
+                     QString hyperlink;
+                     if (str.left(4) == QLatin1String("www.")) {
+@@ -455,6 +464,7 @@ QString KTextToHTML::convertToHtml(const
+ 
+         result = helper.emoticonsInterface()->parseEmoticons(result, true, exclude);
+     }
++    //qDebug()<<" result "<<result;
+ 
+     return result;
+ }
diff -Nru kcoreaddons-5.18.0/debian/patches/CVE-2016-7966_2.patch kcoreaddons-5.18.0/debian/patches/CVE-2016-7966_2.patch
--- kcoreaddons-5.18.0/debian/patches/CVE-2016-7966_2.patch	1969-12-31 18:00:00.000000000 -0600
+++ kcoreaddons-5.18.0/debian/patches/CVE-2016-7966_2.patch	2017-08-11 23:22:09.000000000 -0500
@@ -0,0 +1,109 @@
+Description: Don't convert as url an url which has a "
+ This is patch 2/4 fixing CVE-2016-7966, recommended by upstream.
+Author: Montel Laurent <montel@kde.org>
+Origin: upstream
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1630700
+Applied-Upstream: 96e562d9138c100498da38e4c5b4091a226dde12
+Last-Update: 2017-08-11
+--- a/autotests/ktexttohtmltest.cpp
++++ b/autotests/ktexttohtmltest.cpp
+@@ -386,6 +386,12 @@ void KTextToHTMLTest::testHtmlConvert_da
+     QTest::newRow("url-with-url") << "foo <http://www.kde.org/ <http://www.kde.org/>>"
+                                 << KTextToHTML::Options(KTextToHTML::PreserveSpaces)
+                                 << "foo &lt;<a href=\"http://www.kde.org/ \">http://www.kde.org/ </a>&lt;<a href=\"http://www.kde.org/\">http://www.kde.org/</a>&gt;&gt;";
++
++    // Fix url exploit
++    QTest::newRow("url-exec-html") << "https://\"><!--"
++                                << KTextToHTML::Options(KTextToHTML::PreserveSpaces)
++                                << "https://\"><!--";
++
+ }
+ 
+ 
+--- a/src/lib/text/ktexttohtml.cpp
++++ b/src/lib/text/ktexttohtml.cpp
+@@ -156,7 +156,6 @@ bool KTextToHTMLHelper::atUrl()
+              (allowedSpecialChars.indexOf(mText[mPos - 1]) != -1))) {
+         return false;
+     }
+-
+     QChar ch = mText[mPos];
+     return
+         (ch == QLatin1Char('h') && (mText.mid(mPos, 7) == QLatin1String("http://") ||
+@@ -192,7 +191,7 @@ bool KTextToHTMLHelper::isEmptyUrl(const
+            url == QLatin1String("news://");
+ }
+ 
+-QString KTextToHTMLHelper::getUrl()
++QString KTextToHTMLHelper::getUrl(bool *badurl)
+ {
+     QString url;
+     if (atUrl()) {
+@@ -229,6 +228,7 @@ QString KTextToHTMLHelper::getUrl()
+         url.reserve(mMaxUrlLen);    // avoid allocs
+         int start = mPos;
+         bool previousCharIsSpace = false;
++        bool previousCharIsADoubleQuote = false;
+         while ((mPos < (int)mText.length()) &&
+                 (mText[mPos].isPrint() || mText[mPos].isSpace()) &&
+                 ((afterUrl.isNull() && !mText[mPos].isSpace()) ||
+@@ -241,6 +241,18 @@ QString KTextToHTMLHelper::getUrl()
+                     break;
+                 }
+                 previousCharIsSpace = false;
++                if (mText[mPos] == QLatin1Char('>') && previousCharIsADoubleQuote) {
++                    //it's an invalid url
++                    if (badurl) {
++                        *badurl = true;
++                    }
++                    return QString();
++                }
++                if (mText[mPos] == QLatin1Char('"')) {
++                    previousCharIsADoubleQuote = true;
++                } else {
++                    previousCharIsADoubleQuote = false;
++                }
+                 url.append(mText[mPos]);
+                 if (url.length() > mMaxUrlLen) {
+                     break;
+@@ -341,7 +353,6 @@ QString KTextToHTML::convertToHtml(const
+     QChar ch;
+     int x;
+     bool startOfLine = true;
+-    //qDebug()<<" plainText"<<plainText;
+ 
+     for (helper.mPos = 0, x = 0; helper.mPos < (int)helper.mText.length();
+             ++helper.mPos, ++x) {
+@@ -409,8 +420,11 @@ QString KTextToHTML::convertToHtml(const
+         } else {
+             const int start = helper.mPos;
+             if (!(flags & IgnoreUrls)) {
+-                str = helper.getUrl();
+-                //qDebug()<<" str"<<str; 
++                bool badUrl = false;
++                str = helper.getUrl(&badUrl);
++                if (badUrl) {
++                    return helper.mText;
++                }
+                 if (!str.isEmpty()) {
+                     QString hyperlink;
+                     if (str.left(4) == QLatin1String("www.")) {
+@@ -464,7 +478,6 @@ QString KTextToHTML::convertToHtml(const
+ 
+         result = helper.emoticonsInterface()->parseEmoticons(result, true, exclude);
+     }
+-    //qDebug()<<" result "<<result;
+ 
+     return result;
+ }
+--- a/src/lib/text/ktexttohtml_p.h
++++ b/src/lib/text/ktexttohtml_p.h
+@@ -49,7 +49,7 @@ public:
+     QString getEmailAddress();
+     bool atUrl();
+     bool isEmptyUrl(const QString &url);
+-    QString getUrl();
++    QString getUrl(bool *badurl = Q_NULLPTR);
+     QString pngToDataUrl(const QString &pngPath);
+     QString highlightedText();
+ 
diff -Nru kcoreaddons-5.18.0/debian/patches/CVE-2016-7966_3.patch kcoreaddons-5.18.0/debian/patches/CVE-2016-7966_3.patch
--- kcoreaddons-5.18.0/debian/patches/CVE-2016-7966_3.patch	1969-12-31 18:00:00.000000000 -0600
+++ kcoreaddons-5.18.0/debian/patches/CVE-2016-7966_3.patch	2017-08-11 23:34:45.000000000 -0500
@@ -0,0 +1,31 @@
+Description: Add more autotests
+ This is patch 3/4 fixing CVE-2016-7966, recommended by upstream.
+Author: Montel Laurent <montel@kde.org>
+Origin: upstream
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1630700
+Applied-Upstream: a06cef31cc4c908bc9b76bd9d103fe9c60e0953f
+Last-Update: 2017-08-11
+--- a/autotests/ktexttohtmltest.cpp
++++ b/autotests/ktexttohtmltest.cpp
+@@ -392,6 +392,21 @@ void KTextToHTMLTest::testHtmlConvert_da
+                                 << KTextToHTML::Options(KTextToHTML::PreserveSpaces)
+                                 << "https://\"><!--";
+ 
++    QTest::newRow("url-exec-html-2") << "https://192.168.1.1:\"><!--"
++                                << KTextToHTML::Options(KTextToHTML::PreserveSpaces)
++                                << "https://192.168.1.1:\"><!--";
++
++    QTest::newRow("url-exec-html-3") << "https://<IP>:\"><!--"
++                                << KTextToHTML::Options(KTextToHTML::PreserveSpaces)
++                                << "https://<IP>:\"><!--";
++
++    QTest::newRow("url-exec-html-4") << "https://<IP>:/\"><!--"
++                                << KTextToHTML::Options(KTextToHTML::PreserveSpaces)
++                                << "https://<IP>:/\"><!--";
++
++    QTest::newRow("url-exec-html-5") << "https://<IP>:/\"><script>alert(1);</script><!--"
++                                << KTextToHTML::Options(KTextToHTML::PreserveSpaces)
++                                << "https://<IP>:/\"><script>alert(1);</script><!--";
+ }
+ 
+ 
diff -Nru kcoreaddons-5.18.0/debian/patches/CVE-2016-7966_4.patch kcoreaddons-5.18.0/debian/patches/CVE-2016-7966_4.patch
--- kcoreaddons-5.18.0/debian/patches/CVE-2016-7966_4.patch	1969-12-31 18:00:00.000000000 -0600
+++ kcoreaddons-5.18.0/debian/patches/CVE-2016-7966_4.patch	2017-08-11 23:36:23.000000000 -0500
@@ -0,0 +1,69 @@
+Description: Display bad url
+ This is patch 4/4 fixing CVE-2016-7966, recommended by upstream.
+Author: Montel Laurent <montel@kde.org>
+Origin: upstream
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1630700
+Applied-Upstream: 5e13d2439dbf540fdc840f0b0ab5b3ebf6642c6a
+Last-Update: 2017-08-11
+--- a/autotests/ktexttohtmltest.cpp
++++ b/autotests/ktexttohtmltest.cpp
+@@ -390,23 +390,27 @@ void KTextToHTMLTest::testHtmlConvert_da
+     // Fix url exploit
+     QTest::newRow("url-exec-html") << "https://\"><!--"
+                                 << KTextToHTML::Options(KTextToHTML::PreserveSpaces)
+-                                << "https://\"><!--";
++                                << "https://&quot;&gt;&lt;!--";
+ 
+     QTest::newRow("url-exec-html-2") << "https://192.168.1.1:\"><!--"
+                                 << KTextToHTML::Options(KTextToHTML::PreserveSpaces)
+-                                << "https://192.168.1.1:\"><!--";
++                                << "https://192.168.1.1:&quot;&gt;&lt;!--";
+ 
+     QTest::newRow("url-exec-html-3") << "https://<IP>:\"><!--"
+                                 << KTextToHTML::Options(KTextToHTML::PreserveSpaces)
+-                                << "https://<IP>:\"><!--";
++                                << "https://&lt;IP&gt;:&quot;&gt;&lt;!--";
+ 
+     QTest::newRow("url-exec-html-4") << "https://<IP>:/\"><!--"
+                                 << KTextToHTML::Options(KTextToHTML::PreserveSpaces)
+-                                << "https://<IP>:/\"><!--";
++                                << "https://&lt;IP&gt;:/&quot;&gt;&lt;!--";
+ 
+     QTest::newRow("url-exec-html-5") << "https://<IP>:/\"><script>alert(1);</script><!--"
+                                 << KTextToHTML::Options(KTextToHTML::PreserveSpaces)
+-                                << "https://<IP>:/\"><script>alert(1);</script><!--";
++                                << "https://&lt;IP&gt;:/&quot;&gt;&lt;script&gt;alert(1);&lt;/script&gt;&lt;!--";
++
++    QTest::newRow("url-exec-html-6") << "https://<IP>:/\"><script>alert(1);</script><!--\nTest2"
++                                << KTextToHTML::Options(KTextToHTML::PreserveSpaces)
++                                << "https://&lt;IP&gt;:/&quot;&gt;&lt;script&gt;alert(1);&lt;/script&gt;&lt;!--\nTest2";
+ }
+ 
+ 
+--- a/src/lib/text/ktexttohtml.cpp
++++ b/src/lib/text/ktexttohtml.cpp
+@@ -423,7 +423,23 @@ QString KTextToHTML::convertToHtml(const
+                 bool badUrl = false;
+                 str = helper.getUrl(&badUrl);
+                 if (badUrl) {
+-                    return helper.mText;
++                    QString resultBadUrl;
++                    const int helperTextSize(helper.mText.count());
++                    for (int i = 0; i < helperTextSize; ++i) {
++                        const QChar chBadUrl = helper.mText[i];
++                        if (chBadUrl == QLatin1Char('&')) {
++                            resultBadUrl += QLatin1String("&amp;");
++                        } else if (chBadUrl == QLatin1Char('"')) {
++                            resultBadUrl += QLatin1String("&quot;");
++                        } else if (chBadUrl == QLatin1Char('<')) {
++                            resultBadUrl += QLatin1String("&lt;");
++                        } else if (chBadUrl == QLatin1Char('>')) {
++                            resultBadUrl += QLatin1String("&gt;");
++                        } else {
++                            resultBadUrl += chBadUrl;
++                        }
++                    }
++                    return resultBadUrl;
+                 }
+                 if (!str.isEmpty()) {
+                     QString hyperlink;
diff -Nru kcoreaddons-5.18.0/debian/patches/series kcoreaddons-5.18.0/debian/patches/series
--- kcoreaddons-5.18.0/debian/patches/series	2016-03-07 16:19:12.000000000 -0600
+++ kcoreaddons-5.18.0/debian/patches/series	2017-08-11 23:27:13.000000000 -0500
@@ -0,0 +1,4 @@
+CVE-2016-7966_1.patch
+CVE-2016-7966_2.patch
+CVE-2016-7966_3.patch
+CVE-2016-7966_4.patch