diff options
| author | V3n3RiX <venerix@redcorelinux.org> | 2018-02-11 16:09:52 +0000 |
|---|---|---|
| committer | V3n3RiX <venerix@redcorelinux.org> | 2018-02-11 16:09:52 +0000 |
| commit | f78108598211053d41752a83e0345441bb9014ae (patch) | |
| tree | dd2fc7ae0a1aea7bda4942ab0c453d1e55284b37 /kde-plasma/plasma-workspace | |
| parent | dc45b83b28fb83e9659492066e347b8dc60bc9e3 (diff) | |
gentoo resync : 11.02.2018
Diffstat (limited to 'kde-plasma/plasma-workspace')
5 files changed, 793 insertions, 0 deletions
diff --git a/kde-plasma/plasma-workspace/Manifest b/kde-plasma/plasma-workspace/Manifest index c813471b9fac..b82e32075df0 100644 --- a/kde-plasma/plasma-workspace/Manifest +++ b/kde-plasma/plasma-workspace/Manifest @@ -2,7 +2,12 @@ AUX 10-agent-shutdown.sh 395 BLAKE2B ee85e72fcdf07b483b0506ee4155f2623f03052ef40 AUX 10-agent-startup.sh 2140 BLAKE2B 510b47dd9072893a8733d75e6154bf6a2400a7cc07a6a24866db79aea084d9a70237251a802fc697c7ed467944d0a557a25fa6dbe36b6ed84f0031d885943cef SHA512 487ae7c94ba40ab9818a8410f0da83d50c5125e10d76ecf15b316e624efd2f80398bbcdc957792153eea5c786ef0d24d7d0ce6c934a904ff3434215b73c0c133 AUX plasma-workspace-5.10-startplasmacompositor-script.patch 1213 BLAKE2B 2558a43db9cc65706fe2c3382918e47552ad702e9ac6a5071ae3c620bc05097306046e0cd3f74de68985d787120013ce76697cbe107bc3b0c5ace5d5d03a05c1 SHA512 eb7126ec8a7991c59c1c056c81d9b8d6934cf9c702cc70534a97b585eaf1ea3e33499e5525e821ce4e8682573a09538ed1d59db561c58a7464a144e9a24c5275 AUX plasma-workspace-5.10.4-unused-dep.patch 804 BLAKE2B 7c77a4f64185f718da3e8a64540cf651f860ed6312423fce6e42ce0e86f8c7d3c4759acf206bdeeb4df5d4221c937e6771d32bb2fca05fb6cfc311f2fe2b1b96 SHA512 9718f0577ca468a6ec1eed7a665d3c0de236408b7aac442775daef4795040104a422b3c8325e5f2b9bc9e38da3f6d0dedf13826f49d3921a84960a0833557528 +AUX plasma-workspace-5.11.5-CVE-2018-6790.patch 17967 BLAKE2B e9c65a902dc68f579f8b9a1f99400ae9d9b70c9c9e3e3692fd2f8d7c67638dd6527ea863ea6bfcd3afcc797ad4926a48a1de690ff7b066e547a1501481306106 SHA512 84e84b54e12ed696644ed87891056c923bafc1aa311b6f18970656e6942388557f330867a87f803c55aa212fde24fb5906e23e1d2931506ee21c0c1ca44dc2aa +AUX plasma-workspace-5.11.5-CVE-2018-6791.patch 1087 BLAKE2B d388f92343bca64a810da32a12ff2572e6c2100b1ef86107f43b4e7f8e29a36764c272ba5814228c45ac671b31e35d67135e8e5d4e8df4c92037985d0f800a29 SHA512 dcdc58fe65f72325c851ff361cf47f5521f0b58e8ba2fe0715b8dc0e214b7cbff2c2e653cd06189e394c0bcdf980395942d06dbc281eb8131e228739fbdf3777 AUX plasma-workspace-5.4-startkde-script.patch 1090 BLAKE2B bb2b0f20bbc2ed467994c98840ffeefc71d4f621713e413ff09a855689bde66b81a61e607457b3fa1ae51a67a3a3e47049193fec530448483c6f87e63f713981 SHA512 45149d5a3db48d77da7a74fd0a5faf14c8f99aaceddc725c9056cac315fd3bae78506e7cd74f6548045e4daf73bf2a605a712311018ff11a4a26c7d9f2afee84 DIST plasma-workspace-5.11.5.tar.xz 6494360 BLAKE2B de4e3608382ab827f68d61b5095d05168a03fe8da65b219ec5b53e28506e21d5105fce0874d840eb23be1253f3bd3fb3e4ee7d0e3c5e15c895fb4b9f133c062d SHA512 6f15e529665a5fbe24ee0420d1c8fe96ff97dbd2788ae120cd1834889b307b5979ca2aedd4f97d3cadcc7ed5cdb06c0e5f9c704ec732468db4b8ecf89270826f +DIST plasma-workspace-5.12.0.tar.xz 4571240 BLAKE2B 817d227cee4e1c4a47fd0c948534d24dec77eb71e9f09ec8a9b226264678d86682234431102133e02342cf61627f981d24289fa9b210da20ff475b2775edcb53 SHA512 9bcdca74cbcff539f4431b8f888143ff278ed79c5b24033c0f81124a4e2eb5538eec959d5ad9e52aa553f2803634ff189957358d83d78a3d76122699a8add6ce +EBUILD plasma-workspace-5.11.5-r1.ebuild 4832 BLAKE2B 3b7b7acede03964572ec1e52db23cc0a89adcaeb4e4b6396fe79c69b58eed6a8a752109959a9f1a90f9e52ed4525310586051eb66867f5fcef1194226238a115 SHA512 9a241cf2ac52bc98c9a6256aad76521dfacd81b1ba24cd78dd715754994e1ef745dd9ca82e267f7ea53e8c00c0c80222ee2d33de3ae3db99fc7aa366aca963ee EBUILD plasma-workspace-5.11.5.ebuild 4711 BLAKE2B 4a7988bcc0f5db27a0d15f3729ad3bc35f802ff9e12446b3451987348c3e8ffbcae8716e44327ef780d7a1e7f82e7b899a1ca14d3b34d6391916c1a9f7dadef4 SHA512 77e5c787120550e45e9d716885b6ca575551918b3b3b7769386e22a2f3e0567c0b2fa9e50a1cf8ca3bc4744b6a292eef3489ee1d8e03c1aa7c972154056b5833 +EBUILD plasma-workspace-5.12.0.ebuild 4752 BLAKE2B 68aaf50c264b02fc83142956e631f5c4c84f2fdbd11d985d959bc2b3293c500c097f1a748b5581091fdfe0456962462219a8a43629b00ff28a94464850166168 SHA512 57f58407321dc8e9bfd21dcd4a3d76f4c182dc61f5377a9ab3f862410632c72a179a71713181a0bb80d51cc0a44431256bcf21f08f7442d7435a06b9169ea055 MISC metadata.xml 583 BLAKE2B f9b40b080569e6ec92f7a4f23bd6c7e7fb7711b44d3a00cef525478e9ad9a1b2eda3fe0a4686d625cf8530b6f7aa36b6f70eb71401a06ef2856ef3d0c068e11f SHA512 8b7b81edd1518c2b1ee18d609288c209d197d35f869d687e1019a10f29a2360bd071218ad3facf65217665287b3ceab84a78341e6cd799a7326fd3da2336958f diff --git a/kde-plasma/plasma-workspace/files/plasma-workspace-5.11.5-CVE-2018-6790.patch b/kde-plasma/plasma-workspace/files/plasma-workspace-5.11.5-CVE-2018-6790.patch new file mode 100644 index 000000000000..b424e397a802 --- /dev/null +++ b/kde-plasma/plasma-workspace/files/plasma-workspace-5.11.5-CVE-2018-6790.patch @@ -0,0 +1,409 @@ +From f1e9a1c458ea44e9169c7e79b90a57fb7c65135f Mon Sep 17 00:00:00 2001 +From: David Edmundson <kde@davidedmundson.co.uk> +Date: Wed, 31 Jan 2018 14:28:17 +0000 +Subject: [PATCH 1/2] Sanitise notification HTML + +Summary: +Qt labels support a HTML subset, using a completely internal parser in +QTextDocument. + +The Notification spec support an even smaller subset of notification +elements. + +It's important to strip out irrelevant tags that could potentially load +remote information without user interaction, such as img +src or even <b style="background:url... + +But we want to maintain the basic rich text formatting of bold and +italics and links. + +This parser iterates reads the XML, copying only permissable tags and +attributes. + +A future obvious improvement would be to merge the original regular +expressions into this stream parser, but I'm trying to minimise +breakages to get this into 5.12. + +Test Plan: +Moved code into it's own class for easy unit testing +Tried a bunch of things, including what the old regexes were doing + +Also ran notify send with a few options to make sure things worked + +Reviewers: #plasma, fvogt + +Reviewed By: fvogt + +Subscribers: aacid, fvogt, plasma-devel + +Tags: #plasma + +Differential Revision: https://phabricator.kde.org/D10188 +--- + dataengines/notifications/CMakeLists.txt | 8 ++ + dataengines/notifications/notifications_test.cpp | 68 +++++++++++++ + .../notifications/notificationsanitizer.cpp | 106 +++++++++++++++++++++ + dataengines/notifications/notificationsanitizer.h | 35 +++++++ + dataengines/notifications/notificationsengine.cpp | 19 +--- + 5 files changed, 219 insertions(+), 17 deletions(-) + create mode 100644 dataengines/notifications/notifications_test.cpp + create mode 100644 dataengines/notifications/notificationsanitizer.cpp + create mode 100644 dataengines/notifications/notificationsanitizer.h + +diff --git a/dataengines/notifications/CMakeLists.txt b/dataengines/notifications/CMakeLists.txt +index 4fd3ee76..ad6e2120 100644 +--- a/dataengines/notifications/CMakeLists.txt ++++ b/dataengines/notifications/CMakeLists.txt +@@ -4,6 +4,7 @@ set(notifications_engine_SRCS + notificationsengine.cpp + notificationservice.cpp + notificationaction.cpp ++ notificationsanitizer.cpp + ) + + qt5_add_dbus_adaptor( notifications_engine_SRCS org.freedesktop.Notifications.xml notificationsengine.h NotificationsEngine ) +@@ -26,3 +27,10 @@ kcoreaddons_desktop_to_json(plasma_engine_notifications plasma-dataengine-notifi + install(TARGETS plasma_engine_notifications DESTINATION ${KDE_INSTALL_PLUGINDIR}/plasma/dataengine) + install(FILES plasma-dataengine-notifications.desktop DESTINATION ${KDE_INSTALL_KSERVICES5DIR} ) + install(FILES notifications.operations DESTINATION ${PLASMA_DATA_INSTALL_DIR}/services) ++ ++ ++#unit test ++ ++add_executable(notification_test notificationsanitizer.cpp notifications_test.cpp) ++target_link_libraries(notification_test Qt5::Test Qt5::Core) ++ecm_mark_as_test(notification_test) +diff --git a/dataengines/notifications/notifications_test.cpp b/dataengines/notifications/notifications_test.cpp +new file mode 100644 +index 00000000..58399746 +--- /dev/null ++++ b/dataengines/notifications/notifications_test.cpp +@@ -0,0 +1,68 @@ ++#include <QtTest> ++#include <QObject> ++#include <QDebug> ++#include "notificationsanitizer.h" ++ ++class NotificationTest : public QObject ++{ ++ Q_OBJECT ++public: ++ NotificationTest() {} ++private Q_SLOTS: ++ void parse_data(); ++ void parse(); ++}; ++ ++void NotificationTest::parse_data() ++{ ++ QTest::addColumn<QString>("messageIn"); ++ QTest::addColumn<QString>("expectedOut"); ++ ++ QTest::newRow("basic no HTML") << "I am a notification" << "I am a notification"; ++ QTest::newRow("whitespace") << " I am a notification " << "I am a notification"; ++ ++ QTest::newRow("basic html") << "I am <b>the</b> notification" << "I am <b>the</b> notification"; ++ QTest::newRow("nested html") << "I am <i><b>the</b></i> notification" << "I am <i><b>the</b></i> notification"; ++ ++ QTest::newRow("no extra tags") << "I am <blink>the</blink> notification" << "I am the notification"; ++ QTest::newRow("no extra attrs") << "I am <b style=\"font-weight:20\">the</b> notification" << "I am <b>the</b> notification"; ++ ++ QTest::newRow("newlines") << "I am\nthe\nnotification" << "I am<br/>the<br/>notification"; ++ QTest::newRow("multinewlines") << "I am\n\nthe\n\n\nnotification" << "I am<br/>the<br/>notification"; ++ ++ QTest::newRow("amp") << "me&you" << "me&you"; ++ QTest::newRow("double escape") << "foo & <bar>" << "foo & <bar>"; ++ ++ QTest::newRow("quotes") << "'foo'" << "'foo'";//as label can't handle this normally valid entity ++ ++ QTest::newRow("image normal") << "This is <img src=\"file:://foo/boo.png\" alt=\"cheese\"/> and more text" << "This is <img src=\"file:://foo/boo.png\" alt=\"cheese\"/> and more text"; ++ ++ //this input is technically wrong, so the output is also wrong, but QTextHtmlParser does the "right" thing ++ QTest::newRow("image normal no close") << "This is <img src=\"file:://foo/boo.png\" alt=\"cheese\"> and more text" << "This is <img src=\"file:://foo/boo.png\" alt=\"cheese\"> and more text</img>"; ++ ++ QTest::newRow("image remote URL") << "This is <img src=\"http://foo.com/boo.png\" alt=\"cheese\" /> and more text" << "This is <img alt=\"cheese\"/> and more text"; ++ ++ //more bad formatted options. To some extent actual output doesn't matter. Garbage in, garbabe out. ++ //the important thing is that it doesn't contain anything that could be parsed as the remote URL ++ QTest::newRow("image remote URL no close") << "This is <img src=\"http://foo.com/boo.png>\" alt=\"cheese\"> and more text" << "This is <img alt=\"cheese\"> and more text</img>"; ++ QTest::newRow("image remote URL double open") << "This is <<img src=\"http://foo.com/boo.png>\" and more text" << "This is "; ++ QTest::newRow("image remote URL no entitiy close") << "This is <img src=\"http://foo.com/boo.png\" and more text" << "This is "; ++ QTest::newRow("image remote URL space in element name") << "This is < img src=\"http://foo.com/boo.png\" alt=\"cheese\" /> and more text" << "This is "; ++ ++ QTest::newRow("link") << "This is a link <a href=\"http://foo.com/boo\"/> and more text" << "This is a link <a href=\"http://foo.com/boo\"/> and more text"; ++} ++ ++void NotificationTest::parse() ++{ ++ QFETCH(QString, messageIn); ++ QFETCH(QString, expectedOut); ++ ++ const QString out = NotificationSanitizer::parse(messageIn); ++ expectedOut = "<?xml version=\"1.0\"?><html>" + expectedOut + "</html>\n"; ++ QCOMPARE(out, expectedOut); ++} ++ ++ ++QTEST_GUILESS_MAIN(NotificationTest) ++ ++#include "notifications_test.moc" +diff --git a/dataengines/notifications/notificationsanitizer.cpp b/dataengines/notifications/notificationsanitizer.cpp +new file mode 100644 +index 00000000..5410132c +--- /dev/null ++++ b/dataengines/notifications/notificationsanitizer.cpp +@@ -0,0 +1,106 @@ ++/* ++ * Copyright (C) 2017 David Edmundson <davidedmundson@kde.org> ++ * ++ * This program is free software you can redistribute it and/or ++ * modify it under the terms of the GNU Library General Public ++ * License as published by the Free Software Foundation; either ++ * version 2 of the License, or (at your option) any later version. ++ * ++ * This program is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ * Library General Public License for more details. ++ * ++ * You should have received a copy of the GNU Library General Public License ++ * along with this library; see the file COPYING.LIB. If not, write to ++ * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, ++ * Boston, MA 02110-1301, USA. ++*/ ++ ++#include "notificationsanitizer.h" ++ ++#include <QXmlStreamReader> ++#include <QXmlStreamWriter> ++#include <QRegularExpression> ++#include <QDebug> ++#include <QUrl> ++ ++QString NotificationSanitizer::parse(const QString &text) ++{ ++ // replace all \ns with <br/> ++ QString t = text; ++ ++ t.replace(QLatin1String("\n"), QStringLiteral("<br/>")); ++ // Now remove all inner whitespace (\ns are already <br/>s) ++ t = t.simplified(); ++ // Finally, check if we don't have multiple <br/>s following, ++ // can happen for example when "\n \n" is sent, this replaces ++ // all <br/>s in succsession with just one ++ t.replace(QRegularExpression(QStringLiteral("<br/>\\s*<br/>(\\s|<br/>)*")), QLatin1String("<br/>")); ++ // This fancy RegExp escapes every occurence of & since QtQuick Text will blatantly cut off ++ // text where it finds a stray ampersand. ++ // Only &{apos, quot, gt, lt, amp}; as well as { character references will be allowed ++ t.replace(QRegularExpression(QStringLiteral("&(?!(?:apos|quot|[gl]t|amp);|#)")), QLatin1String("&")); ++ ++ QXmlStreamReader r(QStringLiteral("<html>") + t + QStringLiteral("</html>")); ++ QString result; ++ QXmlStreamWriter out(&result); ++ ++ const QVector<QString> allowedTags = {"b", "i", "u", "img", "a", "html", "br"}; ++ ++ out.writeStartDocument(); ++ while (!r.atEnd()) { ++ r.readNext(); ++ ++ if (r.tokenType() == QXmlStreamReader::StartElement) { ++ const QString name = r.name().toString(); ++ if (!allowedTags.contains(name)) { ++ continue; ++ } ++ out.writeStartElement(name); ++ if (name == QLatin1String("img")) { ++ auto src = r.attributes().value("src").toString(); ++ auto alt = r.attributes().value("alt").toString(); ++ ++ const QUrl url(src); ++ if (url.isLocalFile()) { ++ out.writeAttribute(QStringLiteral("src"), src); ++ } else { ++ //image denied for security reasons! Do not copy the image src here! ++ } ++ ++ out.writeAttribute(QStringLiteral("alt"), alt); ++ } ++ if (name == QLatin1String("a")) { ++ out.writeAttribute(QStringLiteral("href"), r.attributes().value("href").toString()); ++ } ++ } ++ ++ if (r.tokenType() == QXmlStreamReader::EndElement) { ++ const QString name = r.name().toString(); ++ if (!allowedTags.contains(name)) { ++ continue; ++ } ++ out.writeEndElement(); ++ } ++ ++ if (r.tokenType() == QXmlStreamReader::Characters) { ++ const auto text = r.text().toString(); ++ out.writeCharacters(text); //this auto escapes chars -> HTML entities ++ } ++ } ++ out.writeEndDocument(); ++ ++ if (r.hasError()) { ++ qWarning() << "Notification to send to backend contains invalid XML: " ++ << r.errorString() << "line" << r.lineNumber() ++ << "col" << r.columnNumber(); ++ } ++ ++ // The Text.StyledText format handles only html3.2 stuff and ' is html4 stuff ++ // so we need to replace it here otherwise it will not render at all. ++ result = result.replace(QLatin1String("'"), QChar('\'')); ++ ++ ++ return result; ++} +diff --git a/dataengines/notifications/notificationsanitizer.h b/dataengines/notifications/notificationsanitizer.h +new file mode 100644 +index 00000000..561a84b7 +--- /dev/null ++++ b/dataengines/notifications/notificationsanitizer.h +@@ -0,0 +1,35 @@ ++/* ++ * Copyright (C) 2017 David Edmundson <davidedmundson@kde.org> ++ * ++ * This program is free software you can redistribute it and/or ++ * modify it under the terms of the GNU Library General Public ++ * License as published by the Free Software Foundation; either ++ * version 2 of the License, or (at your option) any later version. ++ * ++ * This program is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ * Library General Public License for more details. ++ * ++ * You should have received a copy of the GNU Library General Public License ++ * along with this library; see the file COPYING.LIB. If not, write to ++ * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, ++ * Boston, MA 02110-1301, USA. ++*/ ++ ++#include <QString> ++ ++namespace NotificationSanitizer ++{ ++ /* ++ * This turns generic random text of either plain text of any degree of faux-HTML into HTML allowed ++ * in the notification spec namely: ++ * a, img, b, i, u and br ++ * All other tags and attributes are stripped ++ * Whitespace is stripped and converted to <br/> ++ * Double newlines are compressed ++ * ++ * Image src is only copied when referring to a local file ++ */ ++ QString parse(const QString &in); ++} +diff --git a/dataengines/notifications/notificationsengine.cpp b/dataengines/notifications/notificationsengine.cpp +index 72338aeb..caf310e5 100644 +--- a/dataengines/notifications/notificationsengine.cpp ++++ b/dataengines/notifications/notificationsengine.cpp +@@ -20,6 +20,7 @@ + #include "notificationsengine.h" + #include "notificationservice.h" + #include "notificationsadaptor.h" ++#include "notificationsanitizer.h" + + #include <QDebug> + #include <KConfigGroup> +@@ -281,23 +282,7 @@ uint NotificationsEngine::Notify(const QString &app_name, uint replaces_id, + + const QString source = QStringLiteral("notification %1").arg(id); + +- // First trim whitespace from beginning and end +- bodyFinal = bodyFinal.trimmed(); +- // Now replace all \ns with <br/> +- bodyFinal = bodyFinal.replace(QLatin1String("\n"), QLatin1String("<br/>")); +- // Now remove all inner whitespace (\ns are already <br/>s +- bodyFinal = bodyFinal.simplified(); +- // Finally, check if we don't have multiple <br/>s following, +- // can happen for example when "\n \n" is sent, this replaces +- // all <br/>s in succsession with just one +- bodyFinal.replace(QRegularExpression(QStringLiteral("<br/>\\s*<br/>(\\s|<br/>)*")), QLatin1String("<br/>")); +- // This fancy RegExp escapes every occurence of & since QtQuick Text will blatantly cut off +- // text where it finds a stray ampersand. +- // Only &{apos, quot, gt, lt, amp}; as well as { character references will be allowed +- bodyFinal.replace(QRegularExpression(QStringLiteral("&(?!(?:apos|quot|[gl]t|amp);|#)")), QLatin1String("&")); +- // The Text.StyledText format handles only html3.2 stuff and ' is html4 stuff +- // so we need to replace it here otherwise it will not render at all. +- bodyFinal.replace(QLatin1String("'"), QChar('\'')); ++ bodyFinal = NotificationSanitizer::parse(bodyFinal); + + Plasma::DataEngine::Data notificationData; + notificationData.insert(QStringLiteral("id"), QString::number(id)); +-- +2.13.6 + +From cb791b571aed1ea6976e0a6906df3e35dea657ef Mon Sep 17 00:00:00 2001 +From: Kai Uwe Broulik <kde@privat.broulik.de> +Date: Mon, 5 Feb 2018 13:53:17 +0100 +Subject: [PATCH 2/2] [Notifications] Fix grouping + +Sanitize the body before doing anything else. +Cleanup grouping logic. + +Differential Revision: https://phabricator.kde.org/D10315 +--- + dataengines/notifications/notificationsengine.cpp | 18 ++++++++---------- + 1 file changed, 8 insertions(+), 10 deletions(-) + +diff --git a/dataengines/notifications/notificationsengine.cpp b/dataengines/notifications/notificationsengine.cpp +index caf310e5..bc48deed 100644 +--- a/dataengines/notifications/notificationsengine.cpp ++++ b/dataengines/notifications/notificationsengine.cpp +@@ -217,7 +217,7 @@ uint NotificationsEngine::Notify(const QString &app_name, uint replaces_id, + qDebug() << "Currrent active notifications:" << m_activeNotifications; + qDebug() << "Guessing partOf as:" << partOf; + qDebug() << " New Notification: " << summary << body << timeout << "& Part of:" << partOf; +- QString bodyFinal = body; ++ QString bodyFinal = NotificationSanitizer::parse(body); + QString summaryFinal = summary; + + if (partOf > 0) { +@@ -225,13 +225,13 @@ uint NotificationsEngine::Notify(const QString &app_name, uint replaces_id, + Plasma::DataContainer *container = containerForSource(source); + if (container) { + // append the body text +- QString _body = container->data()[QStringLiteral("body")].toString(); +- if (_body != body) { +- _body.append("\n").append(body); +- } else { +- _body = body; ++ const QString previousBody = container->data()[QStringLiteral("body")].toString(); ++ if (previousBody != bodyFinal) { ++ // FIXME: This will just append the entire old XML document to another one, leading to: ++ // <?xml><html>old</html><br><?xml><html>new</html> ++ // It works but is not very clean. ++ bodyFinal = previousBody + QStringLiteral("<br/>") + bodyFinal; + } +- bodyFinal = _body; + + replaces_id = partOf; + +@@ -267,7 +267,7 @@ uint NotificationsEngine::Notify(const QString &app_name, uint replaces_id, + + const int AVERAGE_WORD_LENGTH = 6; + const int WORD_PER_MINUTE = 250; +- int count = summary.length() + body.length(); ++ int count = summary.length() + body.length() - strlen("<?xml version=\"1.0\"><html></html>"); + + // -1 is "server default", 0 is persistent with "server default" display time, + // anything more should honor the setting +@@ -282,8 +282,6 @@ uint NotificationsEngine::Notify(const QString &app_name, uint replaces_id, + + const QString source = QStringLiteral("notification %1").arg(id); + +- bodyFinal = NotificationSanitizer::parse(bodyFinal); +- + Plasma::DataEngine::Data notificationData; + notificationData.insert(QStringLiteral("id"), QString::number(id)); + notificationData.insert(QStringLiteral("eventId"), eventId); +-- +2.13.6 + diff --git a/kde-plasma/plasma-workspace/files/plasma-workspace-5.11.5-CVE-2018-6791.patch b/kde-plasma/plasma-workspace/files/plasma-workspace-5.11.5-CVE-2018-6791.patch new file mode 100644 index 000000000000..621687c59d24 --- /dev/null +++ b/kde-plasma/plasma-workspace/files/plasma-workspace-5.11.5-CVE-2018-6791.patch @@ -0,0 +1,31 @@ +From f32002ce50edc3891f1fa41173132c820b917d57 Mon Sep 17 00:00:00 2001 +From: Marco Martin <notmart@gmail.com> +Date: Mon, 5 Feb 2018 13:12:51 +0100 +Subject: [PATCH] Make sure device paths are quoted + +in the case a vfat removable device has $() or `` in its label, +such as $(touch foo) the quoted command may get executed, +leaving an attack vector. Use KMacroExpander::expandMacrosShellQuote +to make sure everything is quoted and not interpreted as a command + +BUG:389815 +--- + soliduiserver/deviceserviceaction.cpp | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/soliduiserver/deviceserviceaction.cpp b/soliduiserver/deviceserviceaction.cpp +index f49c967a..738b27c8 100644 +--- a/soliduiserver/deviceserviceaction.cpp ++++ b/soliduiserver/deviceserviceaction.cpp +@@ -158,7 +158,7 @@ void DelayedExecutor::delayedExecute(const QString &udi) + + QString exec = m_service.exec(); + MacroExpander mx(device); +- mx.expandMacros(exec); ++ mx.expandMacrosShellQuote(exec); + + KRun::runCommand(exec, QString(), m_service.icon(), 0); + deleteLater(); +-- +2.13.6 + diff --git a/kde-plasma/plasma-workspace/plasma-workspace-5.11.5-r1.ebuild b/kde-plasma/plasma-workspace/plasma-workspace-5.11.5-r1.ebuild new file mode 100644 index 000000000000..0f048e46823a --- /dev/null +++ b/kde-plasma/plasma-workspace/plasma-workspace-5.11.5-r1.ebuild @@ -0,0 +1,175 @@ +# Copyright 1999-2018 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +EAPI=6 + +KDE_HANDBOOK="forceoptional" +KDE_TEST="forceoptional" +VIRTUALX_REQUIRED="test" +inherit kde5 qmake-utils + +DESCRIPTION="KDE Plasma workspace" +KEYWORDS="~amd64 ~arm ~arm64 ~x86" +IUSE="appstream +calendar geolocation gps prison qalculate +semantic-desktop systemd" + +REQUIRED_USE="gps? ( geolocation )" + +COMMON_DEPEND=" + $(add_frameworks_dep kactivities) + $(add_frameworks_dep kauth) + $(add_frameworks_dep kbookmarks) + $(add_frameworks_dep kcompletion) + $(add_frameworks_dep kconfig) + $(add_frameworks_dep kconfigwidgets) + $(add_frameworks_dep kcoreaddons) + $(add_frameworks_dep kcrash) + $(add_frameworks_dep kdbusaddons) + $(add_frameworks_dep kdeclarative) + $(add_frameworks_dep kdelibs4support) + $(add_frameworks_dep kglobalaccel) + $(add_frameworks_dep kguiaddons) + $(add_frameworks_dep ki18n) + $(add_frameworks_dep kiconthemes) + $(add_frameworks_dep kidletime) + $(add_frameworks_dep kio) + $(add_frameworks_dep kitemmodels) + $(add_frameworks_dep kitemviews) + $(add_frameworks_dep kjobwidgets) + $(add_frameworks_dep kjs) + $(add_frameworks_dep kjsembed) + $(add_frameworks_dep knewstuff) + $(add_frameworks_dep knotifications) + $(add_frameworks_dep knotifyconfig) + $(add_frameworks_dep kpackage) + $(add_frameworks_dep krunner) + $(add_frameworks_dep kservice) + $(add_frameworks_dep ktexteditor) + $(add_frameworks_dep ktextwidgets) + $(add_frameworks_dep kwallet) + $(add_frameworks_dep kwayland) + $(add_frameworks_dep kwidgetsaddons) + $(add_frameworks_dep kwindowsystem) + $(add_frameworks_dep kxmlgui) + $(add_frameworks_dep plasma) + $(add_frameworks_dep solid) + $(add_plasma_dep kscreenlocker) + $(add_plasma_dep kwin) + $(add_plasma_dep libksysguard) + $(add_qt_dep qtdbus) + $(add_qt_dep qtdeclarative 'widgets') + $(add_qt_dep qtgui 'jpeg') + $(add_qt_dep qtnetwork) + $(add_qt_dep qtscript) + $(add_qt_dep qtsql) + $(add_qt_dep qtwidgets) + $(add_qt_dep qtx11extras) + $(add_qt_dep qtxml) + media-libs/phonon[qt5(+)] + sys-libs/zlib + x11-libs/libICE + x11-libs/libSM + x11-libs/libX11 + x11-libs/libXau + x11-libs/libxcb + x11-libs/libXfixes + x11-libs/libXrender + x11-libs/libXtst + x11-libs/xcb-util + x11-libs/xcb-util-image + appstream? ( dev-libs/appstream[qt5] ) + calendar? ( || ( $(add_frameworks_dep kholidays) $(add_kdeapps_dep kholidays) ) ) + geolocation? ( $(add_frameworks_dep networkmanager-qt) ) + gps? ( sci-geosciences/gpsd ) + prison? ( $(add_frameworks_dep prison) ) + qalculate? ( sci-libs/libqalculate:= ) + semantic-desktop? ( $(add_frameworks_dep baloo) ) +" +RDEPEND="${COMMON_DEPEND} + $(add_frameworks_dep kded) + $(add_frameworks_dep kdesu) + $(add_kdeapps_dep kio-extras) + $(add_plasma_dep kde-cli-tools) + $(add_plasma_dep ksysguard) + $(add_plasma_dep milou) + $(add_plasma_dep plasma-integration) + $(add_qt_dep qdbus) + $(add_qt_dep qtgraphicaleffects) + $(add_qt_dep qtpaths) + $(add_qt_dep qtquickcontrols 'widgets') + app-text/iso-codes + x11-apps/mkfontdir + x11-apps/xmessage + x11-apps/xprop + x11-apps/xrdb + x11-apps/xset + x11-apps/xsetroot + systemd? ( sys-apps/dbus[user-session] ) + !systemd? ( sys-apps/dbus ) + !dev-libs/xembed-sni-proxy + !kde-plasma/freespacenotifier:4 + !kde-plasma/libtaskmanager:4 + !kde-plasma/kcminit:4 + !kde-plasma/kdebase-startkde:4 + !kde-plasma/klipper:4 + !kde-plasma/krunner:4 + !kde-plasma/ksmserver:4 + !kde-plasma/ksplash:4 + !kde-plasma/plasma-workspace:4 +" +DEPEND="${COMMON_DEPEND} + $(add_qt_dep qtconcurrent) + x11-proto/xproto +" + +PATCHES=( + "${FILESDIR}/${PN}-5.4-startkde-script.patch" + "${FILESDIR}/${PN}-5.10-startplasmacompositor-script.patch" + "${FILESDIR}/${PN}-5.10.4-unused-dep.patch" + "${FILESDIR}/${P}-CVE-2018-6790.patch" + "${FILESDIR}/${P}-CVE-2018-6791.patch" +) + +RESTRICT+=" test" + +src_prepare() { + kde5_src_prepare + + sed -e "s|\`qtpaths|\`$(qt5_get_bindir)/qtpaths|" \ + -i startkde/startkde.cmake startkde/startplasmacompositor.cmake || die +} + +src_configure() { + local mycmakeargs=( + $(cmake-utils_use_find_package appstream AppStreamQt) + $(cmake-utils_use_find_package calendar KF5Holidays) + $(cmake-utils_use_find_package geolocation KF5NetworkManagerQt) + $(cmake-utils_use_find_package prison KF5Prison) + $(cmake-utils_use_find_package qalculate Qalculate) + $(cmake-utils_use_find_package semantic-desktop KF5Baloo) + ) + + use gps && mycmakeargs+=( $(cmake-utils_use_find_package gps libgps) ) + + kde5_src_configure +} + +src_install() { + kde5_src_install + + # startup and shutdown scripts + insinto /etc/plasma/startup + doins "${FILESDIR}/10-agent-startup.sh" + + insinto /etc/plasma/shutdown + doins "${FILESDIR}/10-agent-shutdown.sh" +} + +pkg_postinst () { + kde5_pkg_postinst + + echo + elog "To enable gpg-agent and/or ssh-agent in Plasma sessions," + elog "edit ${EPREFIX}/etc/plasma/startup/10-agent-startup.sh and" + elog "${EPREFIX}/etc/plasma/shutdown/10-agent-shutdown.sh" + echo +} diff --git a/kde-plasma/plasma-workspace/plasma-workspace-5.12.0.ebuild b/kde-plasma/plasma-workspace/plasma-workspace-5.12.0.ebuild new file mode 100644 index 000000000000..dcc548329a32 --- /dev/null +++ b/kde-plasma/plasma-workspace/plasma-workspace-5.12.0.ebuild @@ -0,0 +1,173 @@ +# Copyright 1999-2018 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +EAPI=6 + +KDE_HANDBOOK="forceoptional" +KDE_TEST="forceoptional" +VIRTUALX_REQUIRED="test" +inherit kde5 qmake-utils + +DESCRIPTION="KDE Plasma workspace" +KEYWORDS="~amd64 ~arm ~arm64 ~x86" +IUSE="appstream +calendar geolocation gps prison qalculate +semantic-desktop systemd" + +REQUIRED_USE="gps? ( geolocation )" + +COMMON_DEPEND=" + $(add_frameworks_dep kactivities) + $(add_frameworks_dep kauth) + $(add_frameworks_dep kbookmarks) + $(add_frameworks_dep kcompletion) + $(add_frameworks_dep kconfig) + $(add_frameworks_dep kconfigwidgets) + $(add_frameworks_dep kcoreaddons) + $(add_frameworks_dep kcrash) + $(add_frameworks_dep kdbusaddons) + $(add_frameworks_dep kdeclarative) + $(add_frameworks_dep kdelibs4support) + $(add_frameworks_dep kglobalaccel) + $(add_frameworks_dep kguiaddons) + $(add_frameworks_dep ki18n) + $(add_frameworks_dep kiconthemes) + $(add_frameworks_dep kidletime) + $(add_frameworks_dep kio) + $(add_frameworks_dep kitemmodels) + $(add_frameworks_dep kitemviews) + $(add_frameworks_dep kjobwidgets) + $(add_frameworks_dep kjs) + $(add_frameworks_dep kjsembed) + $(add_frameworks_dep knewstuff) + $(add_frameworks_dep knotifications) + $(add_frameworks_dep knotifyconfig) + $(add_frameworks_dep kpackage) + $(add_frameworks_dep krunner) + $(add_frameworks_dep kservice) + $(add_frameworks_dep ktexteditor) + $(add_frameworks_dep ktextwidgets) + $(add_frameworks_dep kwallet) + $(add_frameworks_dep kwayland) + $(add_frameworks_dep kwidgetsaddons) + $(add_frameworks_dep kwindowsystem) + $(add_frameworks_dep kxmlgui) + $(add_frameworks_dep plasma) + $(add_frameworks_dep solid) + $(add_plasma_dep kscreenlocker) + $(add_plasma_dep kwin) + $(add_plasma_dep libksysguard) + $(add_qt_dep qtdbus) + $(add_qt_dep qtdeclarative 'widgets') + $(add_qt_dep qtgui 'jpeg') + $(add_qt_dep qtnetwork) + $(add_qt_dep qtscript) + $(add_qt_dep qtsql) + $(add_qt_dep qtwidgets) + $(add_qt_dep qtx11extras) + $(add_qt_dep qtxml) + media-libs/phonon[qt5(+)] + sys-libs/zlib + x11-libs/libICE + x11-libs/libSM + x11-libs/libX11 + x11-libs/libXau + x11-libs/libxcb + x11-libs/libXfixes + x11-libs/libXrender + x11-libs/libXtst + x11-libs/xcb-util + x11-libs/xcb-util-image + appstream? ( dev-libs/appstream[qt5] ) + calendar? ( || ( $(add_frameworks_dep kholidays) $(add_kdeapps_dep kholidays) ) ) + geolocation? ( $(add_frameworks_dep networkmanager-qt) ) + gps? ( sci-geosciences/gpsd ) + prison? ( $(add_frameworks_dep prison) ) + qalculate? ( sci-libs/libqalculate:= ) + semantic-desktop? ( $(add_frameworks_dep baloo) ) +" +RDEPEND="${COMMON_DEPEND} + $(add_frameworks_dep kded) + $(add_frameworks_dep kdesu) + $(add_kdeapps_dep kio-extras) + $(add_plasma_dep kde-cli-tools) + $(add_plasma_dep ksysguard) + $(add_plasma_dep milou) + $(add_plasma_dep plasma-integration) + $(add_qt_dep qdbus) + $(add_qt_dep qtgraphicaleffects) + $(add_qt_dep qtpaths) + $(add_qt_dep qtquickcontrols 'widgets') + app-text/iso-codes + x11-apps/mkfontdir + x11-apps/xmessage + x11-apps/xprop + x11-apps/xrdb + x11-apps/xset + x11-apps/xsetroot + systemd? ( sys-apps/dbus[user-session] ) + !systemd? ( sys-apps/dbus ) + !dev-libs/xembed-sni-proxy + !kde-plasma/freespacenotifier:4 + !kde-plasma/libtaskmanager:4 + !kde-plasma/kcminit:4 + !kde-plasma/kdebase-startkde:4 + !kde-plasma/klipper:4 + !kde-plasma/krunner:4 + !kde-plasma/ksmserver:4 + !kde-plasma/ksplash:4 + !kde-plasma/plasma-workspace:4 +" +DEPEND="${COMMON_DEPEND} + $(add_qt_dep qtconcurrent) + x11-proto/xproto +" + +PATCHES=( + "${FILESDIR}/${PN}-5.4-startkde-script.patch" + "${FILESDIR}/${PN}-5.10-startplasmacompositor-script.patch" + "${FILESDIR}/${PN}-5.10.4-unused-dep.patch" +) + +RESTRICT+=" test" + +src_prepare() { + kde5_src_prepare + + sed -e "s|\`qtpaths|\`$(qt5_get_bindir)/qtpaths|" \ + -i startkde/startkde.cmake startkde/startplasmacompositor.cmake || die +} + +src_configure() { + local mycmakeargs=( + $(cmake-utils_use_find_package appstream AppStreamQt) + $(cmake-utils_use_find_package calendar KF5Holidays) + $(cmake-utils_use_find_package geolocation KF5NetworkManagerQt) + $(cmake-utils_use_find_package prison KF5Prison) + $(cmake-utils_use_find_package qalculate Qalculate) + $(cmake-utils_use_find_package semantic-desktop KF5Baloo) + ) + + use gps && mycmakeargs+=( $(cmake-utils_use_find_package gps libgps) ) + + kde5_src_configure +} + +src_install() { + kde5_src_install + + # startup and shutdown scripts + insinto /etc/plasma/startup + doins "${FILESDIR}/10-agent-startup.sh" + + insinto /etc/plasma/shutdown + doins "${FILESDIR}/10-agent-shutdown.sh" +} + +pkg_postinst () { + kde5_pkg_postinst + + echo + elog "To enable gpg-agent and/or ssh-agent in Plasma sessions," + elog "edit ${EPREFIX}/etc/plasma/startup/10-agent-startup.sh and" + elog "${EPREFIX}/etc/plasma/shutdown/10-agent-shutdown.sh" + echo +} |