* [gentoo-commits] repo/gentoo:master commit in: kde-apps/kleopatra/, kde-apps/kleopatra/files/
@ 2017-05-02 22:32 Andreas Sturmlechner
From: Andreas Sturmlechner @ 2017-05-02 22:32 UTC (permalink / raw
To: gentoo-commits
commit: 16bb6578f08e3f00144e693e60e2df5e9ccd598a
Author: Andreas Sturmlechner <asturm <AT> gentoo <DOT> org>
AuthorDate: Tue May 2 21:48:51 2017 +0000
Commit: Andreas Sturmlechner <asturm <AT> gentoo <DOT> org>
CommitDate: Tue May 2 22:32:36 2017 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=16bb6578
kde-apps/kleopatra: Fix build with GCC-6.3
Package-Manager: Portage-2.3.5, Repoman-2.3.1
.../files/kleopatra-4.4.2017.04-gcc-6.3.patch | 36 ++++++++++++++++++++++
kde-apps/kleopatra/kleopatra-4.4.2017.04.ebuild | 2 ++
2 files changed, 38 insertions(+)
diff --git a/kde-apps/kleopatra/files/kleopatra-4.4.2017.04-gcc-6.3.patch b/kde-apps/kleopatra/files/kleopatra-4.4.2017.04-gcc-6.3.patch
new file mode 100644
index 00000000000..2960166dfb7
--- /dev/null
+++ b/kde-apps/kleopatra/files/kleopatra-4.4.2017.04-gcc-6.3.patch
@@ -0,0 +1,36 @@
+commit 0e75bb7dff48261f8754005586e3d1b22ecfc4d2
+Author: Andreas Sturmlechner <andreas.sturmlechner@gmail.com>
+Date: Tue May 2 23:41:46 2017 +0200
+
+ kleopatra: Fix build with GCC 6.3.0
+
+ Signed-off-by: Andreas Sturmlechner <andreas.sturmlechner@gmail.com>
+
+diff --git a/kleopatra/utils/stl_util.h b/kleopatra/utils/stl_util.h
+index 35024d398f..c02188608e 100644
+--- a/kleopatra/utils/stl_util.h
++++ b/kleopatra/utils/stl_util.h
+@@ -347,7 +347,7 @@ namespace kdtools {
+ template <typename O, typename I, typename P>
+ O copy_if( const I & i, P p ) {
+ O o;
+- copy_if( boost::begin( i ), boost::end( i ), std::back_inserter( o ), p );
++ kdtools::copy_if( boost::begin( i ), boost::end( i ), std::back_inserter( o ), p );
+ return o;
+ }
+
+@@ -385,12 +385,12 @@ namespace kdtools {
+
+ template <typename C>
+ bool none_of( const C & c ) {
+- return none_of( boost::begin( c ), boost::end( c ) );
++ return kdtools::none_of( boost::begin( c ), boost::end( c ) );
+ }
+
+ template <typename C, typename P>
+ bool none_of( const C & c, P p ) {
+- return none_of( boost::begin( c ), boost::end( c ), p );
++ return kdtools::none_of( boost::begin( c ), boost::end( c ), p );
+ }
+
+ template <typename C, typename B>
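Review bot: The three call sites are qualified with `kdtools::` to stop argument-dependent lookup from also finding `std::copy_if`/`std::none_of` through the std iterator arguments (those algorithms exist since C++11, which GCC 6 enables by default via gnu++14), but nothing in the patch records that reason; a one-line comment such as `// qualified: ADL on std iterators would otherwise also find std::none_of and make the call ambiguous` above the first changed call would save the next reader from re-deriving it. The same header presumably has further convenience overloads that forward unqualified to a same-named algorithm (the hunk ends as another `template <typename C, typename B>` begins), and any of those whose name also exists in `<algorithm>` would hit the same ambiguity, so it is worth checking that a GCC 6 build of the whole header succeeds, not just these three sites. The enclosing `namespace kdtools` continues outside the hunk.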
diff --git a/kde-apps/kleopatra/kleopatra-4.4.2017.04.ebuild b/kde-apps/kleopatra/kleopatra-4.4.2017.04.ebuild
index 8cb2925d73b..7336129e706 100644
--- a/kde-apps/kleopatra/kleopatra-4.4.2017.04.ebuild
+++ b/kde-apps/kleopatra/kleopatra-4.4.2017.04.ebuild
@@ -34,6 +34,8 @@ KMEXTRACTONLY="
"
KMLOADLIBS="libkleo"
+PATCHES=( "${FILESDIR}/${P}-gcc-6.3.patch" )
+
src_unpack() {
if use handbook; then
KMEXTRA="
* [gentoo-commits] repo/gentoo:master commit in: kde-apps/kleopatra/, kde-apps/kleopatra/files/
@ 2020-08-30 7:58 Andreas Sturmlechner
From: Andreas Sturmlechner @ 2020-08-30 7:58 UTC (permalink / raw
To: gentoo-commits
commit: bcbbc28935e68cd159ba8c04fac867cc8f284ce5
Author: Andreas Sturmlechner <asturm <AT> gentoo <DOT> org>
AuthorDate: Sun Aug 30 07:54:06 2020 +0000
Commit: Andreas Sturmlechner <asturm <AT> gentoo <DOT> org>
CommitDate: Sun Aug 30 07:58:22 2020 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bcbbc289
kde-apps/kleopatra: Fix CVE-2020-24972
Bug: https://bugs.gentoo.org/739556
Package-Manager: Portage-3.0.4, Repoman-3.0.1
Signed-off-by: Andreas Sturmlechner <asturm <AT> gentoo.org>
.../files/kleopatra-20.04.3-CVE-2020-24972.patch | 110 +++++++++++++++++++++
kde-apps/kleopatra/kleopatra-20.04.3-r1.ebuild | 57 +++++++++++
2 files changed, 167 insertions(+)
diff --git a/kde-apps/kleopatra/files/kleopatra-20.04.3-CVE-2020-24972.patch b/kde-apps/kleopatra/files/kleopatra-20.04.3-CVE-2020-24972.patch
new file mode 100644
index 00000000000..ebcbb232e08
--- /dev/null
+++ b/kde-apps/kleopatra/files/kleopatra-20.04.3-CVE-2020-24972.patch
@@ -0,0 +1,110 @@
+From b4bd63c1739900d94c04da03045e9445a5a5f54b Mon Sep 17 00:00:00 2001
+From: Andre Heinecke <aheinecke@gnupg.org>
+Date: Tue, 7 Jul 2020 14:39:29 +0200
+Subject: [PATCH] Allow safe usage of query
+
+To allow secure usage of query and search the parameters are
+no longer parsed as value but instead of positional arguments.
+
+This allows us to register "kleoptra --query -- $1" as an
+URL handler for openpgp4fpr: without the risk of command
+line injection through an unsescaped query string.
+
+Similarly the double dash should be used for file handling
+to avoid command line injection through filenames.
+---
+ src/kleopatra_options.h | 19 ++++++++++++++-----
+ src/kleopatraapplication.cpp | 25 ++++++++++++++-----------
+ 2 files changed, 28 insertions(+), 16 deletions(-)
+
+diff --git a/src/kleopatra_options.h b/src/kleopatra_options.h
+index 661c44d7..8ce7fccf 100644
+--- a/src/kleopatra_options.h
++++ b/src/kleopatra_options.h
+@@ -79,8 +79,7 @@ static void kleopatra_options(QCommandLineParser *parser)
+ << QStringLiteral("D"),
+ i18n("Decrypt and/or verify file(s)"))
+ << QCommandLineOption(QStringList() << QStringLiteral("search"),
+- i18n("Search for a certificate on a keyserver"),
+- QStringLiteral("search string"))
++ i18n("Search for a certificate on a keyserver"))
+ << QCommandLineOption(QStringList() << QStringLiteral("checksum"),
+ i18n("Create or check a checksum file"))
+ << QCommandLineOption(QStringList() << QStringLiteral("query")
+@@ -88,8 +87,7 @@ static void kleopatra_options(QCommandLineParser *parser)
+ i18nc("If a certificate is already known it shows the certificate details dialog."
+ "Otherwise it brings up the certificate search dialog.",
+ "Show details of a local certificate or search for it on a keyserver"
+- " by fingerprint"),
+- QStringLiteral("fingerprint"))
++ " by fingerprint"))
+ << QCommandLineOption(QStringList() << QStringLiteral("gen-key"),
+ i18n("Create a new key pair or certificate signing request"))
+ << QCommandLineOption(QStringLiteral("parent-windowid"),
+@@ -100,8 +98,19 @@ static void kleopatra_options(QCommandLineParser *parser)
+
+ parser->addOptions(options);
+
++ /* Security note: To avoid code execution by shared library injection
++ * through e.g. -platformpluginpath any external input should be seperated
++ * by a double dash -- this is why query / search uses positional arguments.
++ *
++ * For example on Windows there is an URLhandler for openpgp4fpr:
++ * be opened with Kleopatra's query function. And while a browser should
++ * urlescape such a query there might be tricks to inject a quote character
++ * and as such inject command line options for Kleopatra in an URL. */
+ parser->addPositionalArgument(QStringLiteral("files"),
+ i18n("File(s) to process"),
+- QStringLiteral("[files..]"));
++ QStringLiteral("-- [files..]"));
++ parser->addPositionalArgument(QStringLiteral("query"),
++ i18n("String or Fingerprint for query and search"),
++ QStringLiteral("-- [query..]"));
+ }
+ #endif
+diff --git a/src/kleopatraapplication.cpp b/src/kleopatraapplication.cpp
+index 989f14b4..a8c5dd08 100644
+--- a/src/kleopatraapplication.cpp
++++ b/src/kleopatraapplication.cpp
+@@ -273,13 +273,18 @@ QString KleopatraApplication::newInstance(const QCommandLineParser &parser,
+
+ QStringList files;
+ const QDir cwd = QDir(workingDirectory);
+- Q_FOREACH (const QString &file, parser.positionalArguments()) {
+- // We do not check that file exists here. Better handle
+- // these errors in the UI.
+- if (QFileInfo(file).isAbsolute()) {
+- files << file;
+- } else {
+- files << cwd.absoluteFilePath(file);
++ bool queryMode = parser.isSet(QStringLiteral("query")) || parser.isSet(QStringLiteral("search"));
++
++ // Query and Search treat positional arguments differently, see below.
++ if (!queryMode) {
++ Q_FOREACH (const QString &file, parser.positionalArguments()) {
++ // We do not check that file exists here. Better handle
++ // these errors in the UI.
++ if (QFileInfo(file).isAbsolute()) {
++ files << file;
++ } else {
++ files << cwd.absoluteFilePath(file);
++ }
+ }
+ }
+
+@@ -313,10 +318,8 @@ QString KleopatraApplication::newInstance(const QCommandLineParser &parser,
+
+ // Handle openpgp4fpr URI scheme
+ QString needle;
+- if (parser.isSet(QStringLiteral("search"))) {
+- needle = parser.value(QStringLiteral("search"));
+- } else if (parser.isSet(QStringLiteral("query"))) {
+- needle = parser.value(QStringLiteral("query"));
++ if (queryMode) {
++ needle = parser.positionalArguments().join(QLatin1Char(' '));
+ }
+ if (needle.startsWith(QLatin1String("openpgp4fpr:"))) {
+ needle.remove(0, 12);
+--
+GitLab
+
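Review bot: The defence in `newInstance` relies on the caller having placed `--` before the untrusted fingerprint so that QCommandLineParser stops option parsing; the code at `needle = parser.positionalArguments().join(QLatin1Char(' '));` cannot tell whether that happened, and the patch changes only the option declarations and the parser, not any `.desktop` or URL-handler registration that actually invokes `kleopatra --query`. Before shipping it would be worth confirming that the registrations installed by this package pass `--` (I cannot see them here), since without it a query beginning with `-` is still read as an option. Note also that in query mode every positional argument is folded into the needle and `files` stays empty, so a caller mixing `--query` with file paths silently loses the files; the comment at `if (!queryMode)` says "see below" but not that files are ignored, and extending it to `// In query/search mode all positional arguments form the needle; files are ignored.` would make the intent explicit. `newInstance` starts and ends outside the hunk.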
diff --git a/kde-apps/kleopatra/kleopatra-20.04.3-r1.ebuild b/kde-apps/kleopatra/kleopatra-20.04.3-r1.ebuild
new file mode 100644
index 00000000000..3953432cb0f
--- /dev/null
+++ b/kde-apps/kleopatra/kleopatra-20.04.3-r1.ebuild
@@ -0,0 +1,57 @@
+# Copyright 1999-2020 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+ECM_HANDBOOK="optional"
+ECM_TEST="forceoptional"
+PVCUT=$(ver_cut 1-3)
+KFMIN=5.70.0
+QTMIN=5.14.2
+VIRTUALX_REQUIRED="test"
+inherit ecm kde.org
+
+DESCRIPTION="Certificate manager and GUI for OpenPGP and CMS cryptography"
+HOMEPAGE="https://kde.org/applications/utilities/org.kde.kleopatra"
+
+LICENSE="GPL-2+ handbook? ( FDL-1.2+ )"
+SLOT="5"
+KEYWORDS="~amd64 ~arm64 ~x86"
+IUSE=""
+
+DEPEND="
+ >=app-crypt/gpgme-1.11.1[cxx,qt5]
+ dev-libs/boost:=
+ dev-libs/libassuan
+ dev-libs/libgpg-error
+ >=dev-qt/qtdbus-${QTMIN}:5
+ >=dev-qt/qtgui-${QTMIN}:5
+ >=dev-qt/qtnetwork-${QTMIN}:5
+ >=dev-qt/qtprintsupport-${QTMIN}:5
+ >=dev-qt/qtwidgets-${QTMIN}:5
+ >=kde-apps/kmime-${PVCUT}:5
+ >=kde-apps/libkleo-${PVCUT}:5
+ >=kde-frameworks/kcmutils-${KFMIN}:5
+ >=kde-frameworks/kcodecs-${KFMIN}:5
+ >=kde-frameworks/kconfig-${KFMIN}:5
+ >=kde-frameworks/kconfigwidgets-${KFMIN}:5
+ >=kde-frameworks/kcoreaddons-${KFMIN}:5
+ >=kde-frameworks/kdbusaddons-${KFMIN}:5
+ >=kde-frameworks/ki18n-${KFMIN}:5
+ >=kde-frameworks/kiconthemes-${KFMIN}:5
+ >=kde-frameworks/kitemmodels-${KFMIN}:5
+ >=kde-frameworks/knotifications-${KFMIN}:5
+ >=kde-frameworks/ktextwidgets-${KFMIN}:5
+ >=kde-frameworks/kwidgetsaddons-${KFMIN}:5
+ >=kde-frameworks/kwindowsystem-${KFMIN}:5
+ >=kde-frameworks/kxmlgui-${KFMIN}:5
+"
+RDEPEND="${DEPEND}
+ >=app-crypt/gnupg-2.1
+ app-crypt/paperkey
+"
+
+# tests completely broken, bug #641720
+RESTRICT+=" test"
+
+PATCHES=( "${FILESDIR}/${P}-CVE-2020-24972.patch" )
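Review bot: The security fix is added as a new `kleopatra-20.04.3-r1.ebuild` with `PATCHES=( "${FILESDIR}/${P}-CVE-2020-24972.patch" )`, but the diffstat shows insertions only, so the unpatched `kleopatra-20.04.3` ebuild presumably stays in the tree alongside it and remains installable until it is dropped in a follow-up. If the old revision is meant to go, that removal should land with or shortly after this commit so the vulnerable build is not selectable. A short comment next to the PATCHES line, e.g. `# CVE-2020-24972, upstream commit b4bd63c1739900d94c04da03045e9445a5a5f54b`, would also help anyone auditing which fix this revision carries, since the ebuild itself only references the patch by file name.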