diff -Nru kdepimlibs-4.13.3/debian/changelog kdepimlibs-4.13.3/debian/changelog
--- kdepimlibs-4.13.3/debian/changelog 2014-11-21 12:59:31.000000000 +0000
+++ kdepimlibs-4.13.3/debian/changelog 2017-08-21 13:59:53.000000000 +0000
@@ -1,3 +1,26 @@
+kdepimlibs (4:4.13.3-0ubuntu0.4) trusty-security; urgency=high
+
+ * SECURITY UPDATE: KMail: HTML injection in plain text viewer (LP: #1630700)
+ - CVE-2016-7966
+ - The security vulnerability was not completely fixed in the last update.
+ This upload applies one additional commit from upstream to completely
+ fix it.
+ - Split CVE-2016-7966.diff into CVE-2016-7966_1.patch and
+ CVE-2016-7966_2.patch and add DEP-3 meta-information to make it clear
+ that to fix the CVE, two patches are needed.
+
+ -- Simon Quigley Thu, 10 Aug 2017 17:52:29 -0500
+
+kdepimlibs (4:4.13.3-0ubuntu0.3) trusty-security; urgency=high
+
+ * SECURITY UPDATE: KMail: HTML injection in plain text viewer
+ * References (LP: #1631237)
+ * CVE-2016-7966
+ * Avoid transforming as a url in plain text mode when there is a quote
+ * Add debian/patches/CVE-2016-7966.diff from upstream
+
+ -- Scott Kitterman Thu, 06 Oct 2016 23:50:44 -0400
+
 kdepimlibs (4:4.13.3-0ubuntu0.2) trusty-security; urgency=medium
 
  * No change rebuild in the -security pocket.
diff -Nru kdepimlibs-4.13.3/debian/patches/CVE-2016-7966_1.patch kdepimlibs-4.13.3/debian/patches/CVE-2016-7966_1.patch
--- kdepimlibs-4.13.3/debian/patches/CVE-2016-7966_1.patch 1970-01-01 00:00:00.000000000 +0000
+++ kdepimlibs-4.13.3/debian/patches/CVE-2016-7966_1.patch 2017-08-21 13:59:53.000000000 +0000
@@ -0,0 +1,95 @@
+Description: KMail: HTML injection in plain text viewer
+ Through a malicious URL that contained a quote character it
+ was possible to inject HTML code in KMail's plain text viewer.
+ Due to the parser used on the URL it was not possible to include
+ the equal sign (=) or a space into the injected HTML, which greatly
+ reduces the available HTML functionality. Although it is possible
+ to include an HTML comment indicator to hide content.
+ .
+ This is the initial fix for CVE-2016-7966.
+Author: Montel Laurent
+Origin: upstream
+Bug: https://www.kde.org/info/security/advisory-20161006-1.txt
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1630700
+Applied-Upstream: 176fee25ca79145ab5c8e2275d248f1a46a8d8cf
+Last-Update: 2017-08-12
+--- a/kpimutils/linklocator.cpp
++++ b/kpimutils/linklocator.cpp
+@@ -94,6 +94,12 @@
+ }
+ 
+ QString LinkLocator::getUrl()
++{
++ return getUrlAndCheckValidHref();
++}
++
++
++QString LinkLocator::getUrlAndCheckValidHref(bool *badurl)
+ {
+ QString url;
+ if ( atUrl() ) {
+@@ -129,13 +135,26 @@
+ 
+ url.reserve( maxUrlLen() ); // avoid allocs
+ int start = mPos;
++ bool previousCharIsADoubleQuote = false;
+ while ( ( mPos < (int)mText.length() ) &&
+ ( mText[mPos].isPrint() || mText[mPos].isSpace() ) &&
+ ( ( afterUrl.isNull() && !mText[mPos].isSpace() ) ||
+ ( !afterUrl.isNull() && mText[mPos] != afterUrl ) ) ) {
+ if ( !mText[mPos].isSpace() ) { // skip whitespace
+- url.append( mText[mPos] );
+- if ( url.length() > maxUrlLen() ) {
++ if (mText[mPos] == QLatin1Char('>') && previousCharIsADoubleQuote) {
++ //it's an invalid url
++ if (badurl) {
++ *badurl = true;
++ }
++ return QString();
++ }
++ if (mText[mPos] == QLatin1Char('"')) {
++ previousCharIsADoubleQuote = true;
++ } else {
++ previousCharIsADoubleQuote = false;
++ }
++ url.append( mText[mPos] );
++ if ( url.length() > maxUrlLen() ) {
+ break;
+ }
+ }
+@@ -367,7 +386,12 @@
+ } else {
+ const int start = locator.mPos;
+ if ( !( flags & IgnoreUrls ) ) {
+- str = locator.getUrl();
++ bool badUrl = false;
++ str = locator.getUrlAndCheckValidHref(&badUrl);
++ if (badUrl) {
++ return locator.mText;
++ }
++
+ if ( !str.isEmpty() ) {
+ QString hyperlink;
+ if ( str.left( 4 ) == QLatin1String("www.") ) {
+
+--- a/kpimutils/linklocator.h
++++ b/kpimutils/linklocator.h
+@@ -107,6 +107,7 @@
+ @return The URL at the current scan position, or an empty string.
+ */
+ QString getUrl();
++ QString getUrlAndCheckValidHref(bool *badurl = 0);
+ 
+ /**
+ Attempts to grab an email address. If there is an @ symbol at the
+@@ -155,7 +156,7 @@
+ */
+ static QString pngToDataUrl( const QString & iconPath );
+ 
+- protected:
++protected:
+ /**
+ The plaintext string being scanned for URLs and email addresses.
+ */
+
+
diff -Nru kdepimlibs-4.13.3/debian/patches/CVE-2016-7966_2.patch kdepimlibs-4.13.3/debian/patches/CVE-2016-7966_2.patch
--- kdepimlibs-4.13.3/debian/patches/CVE-2016-7966_2.patch 1970-01-01 00:00:00.000000000 +0000
+++ kdepimlibs-4.13.3/debian/patches/CVE-2016-7966_2.patch 2017-08-21 13:59:53.000000000 +0000
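Review bot: The new public method `getUrlAndCheckValidHref(bool *badurl = 0)` added to linklocator.h has no doc comment, while the neighbouring `getUrl()` it now wraps is documented (`@return The URL at the current scan position, or an empty string.`). The .cpp side fixes the contract worth writing down: the method only ever sets `*badurl = true` and never clears it, so callers must initialise the flag themselves as `convertToHtml` does with `bool badUrl = false;`, and on a bad URL it returns an empty string whatever was scanned so far. I would add above the declaration: `/** Like getUrl(), but when the scanned text contains a '"' followed by '>' it sets *badurl to true (never to false) and returns an empty string. */`. Note the check fires only on that quote-then-`>` pair; whether a lone `"` in an otherwise accepted URL is escaped before it lands in the generated href is outside this hunk and worth confirming. The enclosing `convertToHtml` starts and ends outside the hunk.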
@@ -0,0 +1,35 @@
+Description: Backport show bad url text
+ This is a follow-up patch to completely fix CVE-2016-7966.
+Author: Montel Laurent
+Origin: upstream
+Bug: https://www.kde.org/info/security/advisory-20161006-1.txt
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1630700
+Applied-Upstream: 8bbe1bd3fdc55f609340edc667ff154b3d2aaab1
+Last-Update: 2017-08-12
+--- a/kpimutils/linklocator.cpp
++++ b/kpimutils/linklocator.cpp
+@@ -389,7 +389,23 @@ QString LinkLocator::convertToHtml( cons
+ bool badUrl = false;
+ str = locator.getUrlAndCheckValidHref(&badUrl);
+ if (badUrl) {
+- return locator.mText;
++ QString resultBadUrl;
++ const int helperTextSize(locator.mText.count());
++ for (int i = 0; i < helperTextSize; ++i) {
++ const QChar chBadUrl = locator.mText[i];
++ if (chBadUrl == QLatin1Char('&')) {
++ resultBadUrl += QLatin1String("&");
++ } else if (chBadUrl == QLatin1Char('"')) {
++ resultBadUrl += QLatin1String(""");
++ } else if (chBadUrl == QLatin1Char('<')) {
++ resultBadUrl += QLatin1String("<");
++ } else if (chBadUrl == QLatin1Char('>')) {
++ resultBadUrl += QLatin1String(">");
++ } else {
++ resultBadUrl += chBadUrl;
++ }
++ }
++ return resultBadUrl;
+ }
+ 
+ if ( !str.isEmpty() ) {
diff -Nru kdepimlibs-4.13.3/debian/patches/series kdepimlibs-4.13.3/debian/patches/series
--- kdepimlibs-4.13.3/debian/patches/series 1970-01-01 00:00:00.000000000 +0000
+++ kdepimlibs-4.13.3/debian/patches/series 2017-08-21 13:59:53.000000000 +0000
@@ -0,0 +1,2 @@
+CVE-2016-7966_1.patch
+CVE-2016-7966_2.patch
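Review bot: As rendered here, each of the four escape branches appends the very character it tests for (`resultBadUrl += QLatin1String("&");` for `&`, and likewise `"""`, `"<"`, `">"`), which would make the loop a no-op and return the bad-URL text into the HTML output unescaped. This is almost certainly the page having decoded the entity strings (`&amp;`, `&quot;`, `&lt;`, `&gt;`) that the upstream commit writes, but the patch file as shipped in debian/patches deserves a byte-for-byte check, since this branch is exactly the case where the text is known to contain markup. As a point of style, on a Qt build that provides it, `Qt::escape(locator.mText)` expresses the same escaping in one line instead of the hand-rolled loop. The enclosing `convertToHtml` starts and ends outside the hunk.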