diff --git a/SOURCES/kde-workspace-ksysguard-increase-cpu-buffer.patch b/SOURCES/kde-workspace-ksysguard-increase-cpu-buffer.patch
new file mode 100644
index 0000000..553853c
--- /dev/null
+++ b/SOURCES/kde-workspace-ksysguard-increase-cpu-buffer.patch
@@ -0,0 +1,13 @@
+diff --git a/ksysguard/ksysguardd/Linux/cpuinfo.c b/ksysguard/ksysguardd/Linux/cpuinfo.c
+index 9427ec0..12786c5 100644
+--- a/ksysguard/ksysguardd/Linux/cpuinfo.c
++++ b/ksysguard/ksysguardd/Linux/cpuinfo.c
+@@ -40,7 +40,7 @@ static int numCores = 0; /* Total # of cores */
+ static int HighNumCores = 0; /* Highest # of cores ever seen */
+ static float* Clocks = 0; /* Array with one entry per core */
+
+-#define CPUINFOBUFSIZE (32 * 1024)
++#define CPUINFOBUFSIZE (128 * 1024)
+ static char CpuInfoBuf[ CPUINFOBUFSIZE ];
+ static int Dirty = 0;
+ static struct SensorModul *CpuInfoSM;
diff --git a/SOURCES/kde-workspace-sanitise-notification-html.patch b/SOURCES/kde-workspace-sanitise-notification-html.patch
new file mode 100644
index 0000000..8d5e84e
--- /dev/null
+++ b/SOURCES/kde-workspace-sanitise-notification-html.patch
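Review bot: `CPUINFOBUFSIZE` remains a compile-time constant in the cpuinfo.c hunk, so the "internal buffer too small to read /proc/cpuinfo" failure named in the spec comment for this patch is pushed to a higher CPU count rather than removed. The code that fills `CpuInfoBuf` is outside the hunk, so it is worth confirming there that the read is bounded by `sizeof(CpuInfoBuf)` and that a full buffer is still reported as truncation instead of being parsed as a complete file. A comment on the define would record the sizing assumption, for example `/* sized for /proc/cpuinfo on many-core hosts; the reader must reject a full buffer */`.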
@@ -0,0 +1,257 @@
+diff --git a/plasma/generic/dataengines/notifications/CMakeLists.txt b/plasma/generic/dataengines/notifications/CMakeLists.txt
+index cf34971..e1d567f 100644
+--- a/plasma/generic/dataengines/notifications/CMakeLists.txt
++++ b/plasma/generic/dataengines/notifications/CMakeLists.txt
+@@ -2,6 +2,7 @@ set(notifications_engine_SRCS
+ notificationsengine.cpp
+ notificationservice.cpp
+ notificationaction.cpp
++ notificationsanitizer.cpp
+ )
+
+ qt4_add_dbus_adaptor( notifications_engine_SRCS org.freedesktop.Notifications.xml notificationsengine.h NotificationsEngine )
+@@ -13,3 +14,15 @@ target_link_libraries(plasma_engine_notifications ${KDE4_PLASMA_LIBS} ${KDE4_KDE
+ install(TARGETS plasma_engine_notifications DESTINATION ${PLUGIN_INSTALL_DIR})
+ install(FILES plasma-dataengine-notifications.desktop DESTINATION ${SERVICES_INSTALL_DIR} )
+ install(FILES notifications.operations DESTINATION ${DATA_INSTALL_DIR}/plasma/services)
++
++set(notificationstest_SRCS notificationsanitizer.cpp notifications_test.cpp)
++
++kde4_add_unit_test( notificationstest
++ TESTNAME notifications-notificationstest
++ ${notificationstest_SRCS}
++)
++
++target_link_libraries(notificationstest
++ ${QT_QTTEST_LIBRARY}
++ ${KDE4_KDECORE_LIBS}
++)
+\ No newline at end of file
+diff --git a/plasma/generic/dataengines/notifications/notifications_test.cpp b/plasma/generic/dataengines/notifications/notifications_test.cpp
+new file mode 100644
+index 0000000..ffa5187
+--- /dev/null
++++ b/plasma/generic/dataengines/notifications/notifications_test.cpp
+@@ -0,0 +1,68 @@
++#include
++#include
++#include
++#include "notificationsanitizer.h"
++
++class NotificationTest : public QObject
++{
++ Q_OBJECT
++public:
++ NotificationTest() {}
++private Q_SLOTS:
++ void parse_data();
++ void parse();
++};
++
++void NotificationTest::parse_data()
++{
++ QTest::addColumn("messageIn");
++ QTest::addColumn("expectedOut");
++
++ QTest::newRow("basic no HTML") << "I am a notification" << "I am a 
notification";
++ QTest::newRow("whitespace") << " I am a notification " << "I am a notification";
++
++ QTest::newRow("basic html") << "I am the notification" << "I am the notification";
++ QTest::newRow("nested html") << "I am the notification" << "I am the notification";
++
++ QTest::newRow("no extra tags") << "I am the notification" << "I am the notification";
++ QTest::newRow("no extra attrs") << "I am the notification" << "I am the notification";
++
++ QTest::newRow("newlines") << "I am\nthe\nnotification" << "I am
the
notification";
++ QTest::newRow("multinewlines") << "I am\n\nthe\n\n\nnotification" << "I am
the
notification";
++
++ QTest::newRow("amp") << "me&you" << "me&you";
++ QTest::newRow("double escape") << "foo & <bar>" << "foo & <bar>";
++
++ QTest::newRow("quotes") << "'foo'" << "'foo'";//as label can't handle this normally valid entity
++
++ QTest::newRow("image normal") << "This is \"cheese\"/ and more text" << "This is \"cheese\"/ and more text";
++
++ //this input is technically wrong, so the output is also wrong, but QTextHtmlParser does the "right" thing
++ QTest::newRow("image normal no close") << "This is \"cheese\" and more text" << "This is \"cheese\" and more text";
++
++ QTest::newRow("image remote URL") << "This is \"cheese\" and more text" << "This is \"cheese\"/ and more text";
++
++ //more bad formatted options. To some extent actual output doesn't matter. Garbage in, garbabe out.
++ //the important thing is that it doesn't contain anything that could be parsed as the remote URL
++ QTest::newRow("image remote URL no close") << "This is \" alt=\"cheese\"> and more text" << "This is \"cheese\" and more text";
++ QTest::newRow("image remote URL double open") << "This is <\" and more text" << "This is ";
++ QTest::newRow("image remote URL no entitiy close") << "This is \"cheese\" and more text" << "This is ";
++
++ QTest::newRow("link") << "This is a link and more text" << "This is a link and more text";
++}
++
++void NotificationTest::parse()
++{
++ QFETCH(QString, messageIn);
++ QFETCH(QString, expectedOut);
++
++ const QString out = NotificationSanitizer::parse(messageIn);
++ expectedOut = "" + expectedOut + "\n";
++ QCOMPARE(out, expectedOut);
++}
++
++
++QTEST_MAIN(NotificationTest)
++
++#include "notificationtest.moc"
+\ No newline at end of file
+diff --git a/plasma/generic/dataengines/notifications/notificationsanitizer.cpp b/plasma/generic/dataengines/notifications/notificationsanitizer.cpp
+new file mode 100644
+index 0000000..8750958
+--- /dev/null
++++ b/plasma/generic/dataengines/notifications/notificationsanitizer.cpp
+@@ -0,0 +1,106 @@ 
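Review bot: The closing `#include "notificationtest.moc"` does not match the source file name `notifications_test.cpp` that the CMakeLists hunk adds to `notificationstest_SRCS`. If the build resolves the moc file from the source basename, as automoc setups usually do, this include will not be found and the test target will not build; `#include "notifications_test.moc"` would line the two up. Separately, the data rows pin the behaviour for remote `img` sources but carry only one `link` row, so a row that fixes the expected output for an `a` element with a non-web `href` scheme would document what the sanitizer does with it.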
++/*
++ * Copyright (C) 2017 David Edmundson
++ *
++ * This program is free software you can redistribute it and/or
++ * modify it under the terms of the GNU Library General Public
++ * License as published by the Free Software Foundation; either
++ * version 2 of the License, or (at your option) any later version.
++ *
++ * This program is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ * Library General Public License for more details.
++ *
++ * You should have received a copy of the GNU Library General Public License
++ * along with this library; see the file COPYING.LIB. If not, write to
++ * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
++ * Boston, MA 02110-1301, USA.
++*/
++
++#include "notificationsanitizer.h"
++
++#include
++#include
++#include
++#include
++#include
++
++QString NotificationSanitizer::parse(const QString &text)
++{
++ // replace all \ns with
++ QString t = text;
++
++ t.replace(QLatin1String("\n"), QLatin1String("
"));
++ // Now remove all inner whitespace (\ns are already
s)
++ t = t.simplified();
++ // Finally, check if we don't have multiple
s following,
++ // can happen for example when "\n \n" is sent, this replaces
++ // all
s in succsession with just one
++ t.replace(QRegExp(QLatin1String("
\\s*
(\\s|
)*")), QLatin1String("
"));
++ // This fancy RegExp escapes every occurence of & since QtQuick Text will blatantly cut off
++ // text where it finds a stray ampersand.
++ // Only &{apos, quot, gt, lt, amp}; as well as { character references will be allowed
++ t.replace(QRegExp(QLatin1String("&(?!(?:apos|quot|[gl]t|amp);|#)")), QLatin1String("&"));
++
++ QXmlStreamReader r(QLatin1String("") + t + QLatin1String(""));
++ QString result;
++ QXmlStreamWriter out(&result);
++
++ QVector allowedTags;
++ allowedTags << "b" << "i" << "u" << "img" << "a" << "html"<< "br";
++
++ out.writeStartDocument();
++ while (!r.atEnd()) {
++ r.readNext();
++
++ if (r.tokenType() == QXmlStreamReader::StartElement) {
++ const QString name = r.name().toString();
++ if (!allowedTags.contains(name)) {
++ continue;
++ }
++ out.writeStartElement(name);
++ if (name == QLatin1String("img")) {
++ QString src = r.attributes().value("src").toString();
++ QString alt = r.attributes().value("alt").toString();
++
++ const QUrl url(src);
++ if (url.isLocalFile()) {
++ out.writeAttribute(QLatin1String("src"), src);
++ } else {
++ //image denied for security reasons! Do not copy the image src here! 
++ }
++
++ out.writeAttribute(QLatin1String("alt"), alt);
++ }
++ if (name == QLatin1String("a")) {
++ out.writeAttribute(QLatin1String("href"), r.attributes().value("href").toString());
++ }
++ }
++
++ if (r.tokenType() == QXmlStreamReader::EndElement) {
++ const QString name = r.name().toString();
++ if (!allowedTags.contains(name)) {
++ continue;
++ }
++ out.writeEndElement();
++ }
++
++ if (r.tokenType() == QXmlStreamReader::Characters) {
++ const QString text = r.text().toString();
++ out.writeCharacters(text); //this auto escapes chars -> HTML entities
++ }
++ }
++ out.writeEndDocument();
++
++ if (r.hasError()) {
++ qWarning() << "Notification to send to backend contains invalid XML: "
++ << r.errorString() << "line" << r.lineNumber()
++ << "col" << r.columnNumber();
++ }
++
++ // The Text.StyledText format handles only html3.2 stuff and ' is html4 stuff
++ // so we need to replace it here otherwise it will not render at all.
++ result = result.replace(QLatin1String("'"), QChar('\''));
++
++ return result;
++}
+diff --git a/plasma/generic/dataengines/notifications/notificationsanitizer.h b/plasma/generic/dataengines/notifications/notificationsanitizer.h
+new file mode 100644
+index 0000000..b0c3ccd
+--- /dev/null
++++ b/plasma/generic/dataengines/notifications/notificationsanitizer.h
+@@ -0,0 +1,35 @@
++/*
++ * Copyright (C) 2017 David Edmundson
++ *
++ * This program is free software you can redistribute it and/or
++ * modify it under the terms of the GNU Library General Public
++ * License as published by the Free Software Foundation; either
++ * version 2 of the License, or (at your option) any later version.
++ *
++ * This program is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ * Library General Public License for more details. 
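Review bot: In `NotificationSanitizer::parse` the `a` branch writes `href` straight from the input with no scheme check, while the `img` branch just above filters `src` through `QUrl::isLocalFile()`. The sanitizer therefore decides where an image may load from but passes any link target, including non-web schemes, to whatever renders the notification; whether that matters depends on how the applet opens activated links, which is not visible in this hunk. Consider parsing the value and writing it only for schemes the project intends to support, for example `const QUrl href(r.attributes().value("href").toString());` followed by `if (href.scheme() == QLatin1String("http") || href.scheme() == QLatin1String("https")) out.writeAttribute(QLatin1String("href"), href.toString());`. The accepted scheme list is a policy choice and should be stated in the header comment next to the `img` rule.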
++ *
++ * You should have received a copy of the GNU Library General Public License
++ * along with this library; see the file COPYING.LIB. If not, write to
++ * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
++ * Boston, MA 02110-1301, USA.
++*/
++
++#include
++
++namespace NotificationSanitizer
++{
++ /*
++ * This turns generic random text of either plain text of any degree of faux-HTML into HTML allowed
++ * in the notification spec namely:
++ * a, img, b, i, u and br
++ * All other tags and attributes are stripped
++ * Whitespace is stripped and converted to
++ * Double newlines are compressed ++ * ++ * Image src is only copied when referring to a local file ++ */ ++ QString parse(const QString &in); ++} diff --git a/SPECS/kde-workspace.spec b/SPECS/kde-workspace.spec index fe75ca8..12a5b3b 100755 --- a/SPECS/kde-workspace.spec +++ b/SPECS/kde-workspace.spec @@ -22,7 +22,7 @@ Summary: KDE Workspace Name: kde-workspace Version: 4.11.19 -Release: 12%{?dist} +Release: 13%{?dist} License: GPLv2 URL: https://projects.kde.org/projects/kde/kde-workspace Source0: http://download.kde.org/stable/applications/src/14.12.1/kde-workspace-%{version}.tar.xz @@ -170,6 +170,12 @@ Patch69: kde-workspace-taskmanager-grouping.patch # Bug 1333441 - System not unlocking on extended monitors when using screensaver Patch70: kde-workspace-kscreenlocker-greeter-unlock-just-once.patch +# Bug 1568853 - CVE-2018-6790 kde-workspace: Missing sanitization of notifications allows to leak client IP address via IMG element +Patch71: kde-workspace-sanitise-notification-html.patch + +# Bug 1611762 - ksysguardd: "internal buffer too small to read /proc/cpuinfo" when running with many CPUs +Patch72: kde-workspace-ksysguard-increase-cpu-buffer.patch + ## upstream patches Patch101: kde-workspace-4.10-bz#921742.patch Patch104: kde-workspace-4.10.x-bz#1001708.patch @@ -605,6 +611,8 @@ Conflicts: kde-workspace < 4.11.15-3 %patch68 -p1 -b .coverity-scan-fixes %patch69 -p1 -b .taskmanager-grouping %patch70 -p1 -b .kscreenlocker-greeter-unlock-just-once +%patch71 -p1 -b .sanitise-notification-html +%patch72 -p1 -b .ksysguard-increase-cpu-buffer # upstream patches %patch101 -p1 -b .bug921742 @@ -1372,6 +1380,13 @@ fi %endif %changelog +* Tue Feb 12 2019 Jan Grulich - 4.11-19-13 +- Sanitise notification HTML + Resolves: bz#1568853 + +- Increase cpu buffer size in ksysguard + Resolves: bz#1611762 + * Mon Oct 16 2017 Jan Grulich - 4.11.19-12 - Make sure that plasma screensaver is not used when previously configured Resolves: bz#1342560
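Review bot: The new `notificationsanitizer.h` has no include guard, so a translation unit that pulls it in twice would see `NotificationSanitizer::parse` redeclared; wrapping the file in `#ifndef NOTIFICATIONSANITIZER_H` / `#define NOTIFICATIONSANITIZER_H` / `#endif` is the usual form. The declaration also names the parameter `in` while the definition in notificationsanitizer.cpp uses `text`; using one name in both places keeps the doc comment and the code aligned. The doc comment says all other attributes are stripped and that image `src` is kept only for local files, but it does not say that `href` on `a` is copied unchanged, which is the part a caller most needs to know.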