authorAndreas Sturmlechner <asturm@gentoo.org>2021-04-04 14:09:16 +0200
committerAndreas Sturmlechner <asturm@gentoo.org>2021-04-04 15:19:36 +0200
commitee5b2b3f04e3e3ee919334c251ae26dce7e761d2 (patch)
tree71912086b8bd90935bedfeebb5f845a19d2cbdb4
parentapp-office/calligra: Fix invalid CMake argument (diff)
kde-plasma/discover: Fix CVE-2021-28117
See also: https://kde.org/info/security/advisory-20210310-1.txt Bug: https://bugs.gentoo.org/777777 Package-Manager: Portage-3.0.18, Repoman-3.0.3 Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>
-rw-r--r--kde-plasma/discover/discover-5.20.5-r1.ebuild84
-rw-r--r--kde-plasma/discover/files/discover-5.20.5-CVE-2021-28117.patch28
2 files changed, 112 insertions, 0 deletions
diff --git a/kde-plasma/discover/discover-5.20.5-r1.ebuild b/kde-plasma/discover/discover-5.20.5-r1.ebuild
new file mode 100644
index 00000000000..a6b37d443f8
--- /dev/null
+++ b/kde-plasma/discover/discover-5.20.5-r1.ebuild
@@ -0,0 +1,84 @@
+# Copyright 1999-2021 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+ECM_TEST="forceoptional"
+KFMIN=5.74.0
+QTMIN=5.15.1
+VIRTUALX_REQUIRED="test"
+inherit ecm kde.org
+
+DESCRIPTION="KDE Plasma resources management GUI"
+HOMEPAGE="https://userbase.kde.org/Discover"
+
+LICENSE="GPL-2" # TODO: CHECK
+SLOT="5"
+KEYWORDS="~amd64 ~arm ~arm64 ~ppc64 ~x86"
+IUSE="+firmware flatpak telemetry"
+
+# libmarkdown (app-text/discount) only used in PackageKitBackend
+DEPEND="
+ >=dev-qt/qtconcurrent-${QTMIN}:5
+ >=dev-qt/qtdbus-${QTMIN}:5
+ >=dev-qt/qtdeclarative-${QTMIN}:5
+ >=dev-qt/qtgui-${QTMIN}:5
+ >=dev-qt/qtnetwork-${QTMIN}:5
+ >=dev-qt/qtwidgets-${QTMIN}:5
+ >=dev-qt/qtxml-${QTMIN}:5
+ >=kde-frameworks/attica-${KFMIN}:5
+ >=kde-frameworks/kconfig-${KFMIN}:5
+ >=kde-frameworks/kconfigwidgets-${KFMIN}:5
+ >=kde-frameworks/kcoreaddons-${KFMIN}:5
+ >=kde-frameworks/kcrash-${KFMIN}:5
+ >=kde-frameworks/kdbusaddons-${KFMIN}:5
+ >=kde-frameworks/kdeclarative-${KFMIN}:5
+ >=kde-frameworks/ki18n-${KFMIN}:5
+ >=kde-frameworks/kio-${KFMIN}:5
+ >=kde-frameworks/kirigami-${KFMIN}:5
+ >=kde-frameworks/kitemmodels-${KFMIN}:5
+ >=kde-frameworks/knewstuff-${KFMIN}:5
+ >=kde-frameworks/knotifications-${KFMIN}:5
+ >=kde-frameworks/kwidgetsaddons-${KFMIN}:5
+ >=kde-frameworks/kxmlgui-${KFMIN}:5
+ firmware? ( sys-apps/fwupd )
+ flatpak? (
+ dev-libs/appstream:=
+ sys-apps/flatpak
+ )
+ telemetry? ( dev-libs/kuserfeedback:5 )
+"
+RDEPEND="${DEPEND}
+ >=dev-qt/qtquickcontrols2-${QTMIN}:5
+ >=kde-frameworks/kirigami-${KFMIN}:5
+"
+
+PATCHES=( "${FILESDIR}/${P}-CVE-2021-28117.patch" ) # bug 777777
+
+src_prepare() {
+ ecm_src_prepare
+ # we don't need it with PackageKitBackend off
+ ecm_punt_bogus_dep KF5 Archive
+}
+
+src_configure() {
+ local mycmakeargs=(
+ -DCMAKE_DISABLE_FIND_PACKAGE_packagekitqt5=ON
+ -DCMAKE_DISABLE_FIND_PACKAGE_Snapd=ON
+ -DBUILD_FlatpakBackend=$(usex flatpak)
+ $(cmake_use_find_package flatpak AppStreamQt)
+ -DBUILD_FwupdBackend=$(usex firmware)
+ $(cmake_use_find_package telemetry KUserFeedback)
+ )
+
+ ecm_src_configure
+}
+
+src_test() {
+ # bug 686392: needs network connection
+ local myctestargs=(
+ -E "(knsbackendtest)"
+ )
+
+ ecm_src_test
+}
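Review bot: The test phase gives no signal on the security fix, because `src_test` excludes `knsbackendtest` while the patch pulled in through `PATCHES` changes `libdiscover/backends/KNSBackend/KNSResource.cpp`. Whether that test would cover `longDescription()` at all is not visible here, so this is a documentation point rather than a defect. I would extend the existing comment to say so, e.g. `# bug 686392: needs network connection; the KNSBackend code patched for bug 777777 is therefore not exercised here`, so that the fix is verified manually before the revision is treated as tested.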
diff --git a/kde-plasma/discover/files/discover-5.20.5-CVE-2021-28117.patch b/kde-plasma/discover/files/discover-5.20.5-CVE-2021-28117.patch
new file mode 100644
index 00000000000..1a2685dbc8d
--- /dev/null
+++ b/kde-plasma/discover/files/discover-5.20.5-CVE-2021-28117.patch
@@ -0,0 +1,28 @@
+From 94478827aab63d2e2321f0ca9ec5553718798e60 Mon Sep 17 00:00:00 2001
+From: Aleix Pol <aleixpol@kde.org>
+Date: Wed, 10 Mar 2021 21:48:53 +0100
+Subject: [PATCH] Only turn http[s] links into clickable links
+
+CVE-2021-28117
+
+(cherry picked from commit d375031ff0262cedac7d6ee2b26d6a164ddebb67)
+---
+ libdiscover/backends/KNSBackend/KNSResource.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libdiscover/backends/KNSBackend/KNSResource.cpp b/libdiscover/backends/KNSBackend/KNSResource.cpp
+index 4394d5df..f7670c55 100644
+--- a/libdiscover/backends/KNSBackend/KNSResource.cpp
++++ b/libdiscover/backends/KNSBackend/KNSResource.cpp
+@@ -87,7 +87,7 @@ QString KNSResource::longDescription()
+ ret.remove(QRegularExpression(QStringLiteral("\\[\\/?[a-z]*\\]")));
+ // Find anything that looks like a link (but which also is not some html
+ // tag value or another already) and make it a link
+- static const QRegularExpression urlRegExp(QStringLiteral("(^|\\s)([-a-zA-Z0-9@:%_\\+.~#?&//=]{2,256}\\.[a-z]{2,4}\\b(\\/[-a-zA-Z0-9@:;%_\\+.~#?&//=]*)?)"), QRegularExpression::CaseInsensitiveOption);
++ static const QRegularExpression urlRegExp(QStringLiteral("(^|\\s)(http[-a-zA-Z0-9@:%_\\+.~#?&//=]{2,256}\\.[a-z]{2,4}\\b(\\/[-a-zA-Z0-9@:;%_\\+.~#?&//=]*)?)"), QRegularExpression::CaseInsensitiveOption);
+ ret.replace(urlRegExp, QStringLiteral("<a href=\"\\2\">\\2</a>"));
+ return ret;
+ }
+--
+GitLab
+
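Review bot: The new `urlRegExp` in the embedded KNSResource.cpp hunk anchors on the bare letters `http` rather than on a complete scheme, and the character class that follows contains `:` and `/`, so a token whose scheme merely begins with "http" is still wrapped in `<a href=...>`. Starting the second group with `https?://` instead of `http` would limit linkification to exactly the two schemes the subject line names; the `{2,256}` lower bound would then count host characters only and may need to become `{1,256}`. Whether any handler is registered for such a scheme on a given desktop is not visible here, so treat this as hardening rather than a confirmed bypass. The body of `KNSResource::longDescription()` starts outside the hunk, and because this is a cherry-pick the tightening is best proposed upstream and then re-synced.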