community/okular: security upgrade to 19.08.3-r1

author: Bart Ribbers <bribbers@disroot.org> 2020-03-12 20:52:55 +0100
committer: Leo <thinkabit.ukim@gmail.com> 2020-03-14 14:33:14 -0300
commit: 6253a98c558a2be7f91db6f2582b52cd6a0fcbf0 (patch)
tree: 1534367d0857ffa889251c4c5ad491913941a24d
parent: ca6e5756c35ec262e609f36f858abc504aba0fe1 (diff)
download: alpine_aports-6253a98c558a2be7f91db6f2582b52cd6a0fcbf0.tar.bz2
alpine_aports-6253a98c558a2be7f91db6f2582b52cd6a0fcbf0.tar.xz
alpine_aports-6253a98c558a2be7f91db6f2582b52cd6a0fcbf0.zip
2 files changed, 37 insertions, 3 deletions
diff --git a/community/okular/APKBUILD b/community/okular/APKBUILD
index 5a11c239eb..91c14fba55 100644
--- a/community/okular/APKBUILD
+++ b/community/okular/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: Bart Ribbers <bribbers@disroot.org>
 pkgname=okular
 pkgver=19.08.3
-pkgrel=0
+pkgrel=1
 arch="all"
 url="https://kde.org/applications/office/org.kde.okular"
 pkgdesc="A universal document viewer"
@@ -14,9 +14,15 @@ makedepends="extra-cmake-modules qt5-qtbase-dev qt5-qtspeech-dev karchive-dev
        kactivities-dev phonon-dev purpose-dev zlib-dev poppler-qt5-dev
        kirigami2-dev qca-dev kpty-dev"
 checkdepends="xvfb-run"
-source="https://download.kde.org/stable/applications/$pkgver/src/okular-$pkgver.tar.xz"
+source="https://download.kde.org/stable/applications/$pkgver/src/okular-$pkgver.tar.xz
+        CVE-2020-9359.patch
+        "
 subpackages="$pkgname-dev $pkgname-doc $pkgname-lang $pkgname-mobile"
+# secfixes:
+#   19.08.3-r1:
+#     - CVE-2020-9359
 prepare() {
        default_prepare
@@ -59,4 +65,5 @@ mobile() {
        mv "$pkgdir"/usr/share/applications/org.kde.mobile.okular_plucker.desktop "$subpkgdir"/usr/share/applications/
 }
-sha512sums="2fffce8023d9b0d08ec03cc51d21827772ed07c3004fcf8a23589211e7f676b61253dc39c8a41da5d9c4764ac9895c1a0e16c72c7157213b2e79ccaf35db77fa  okular-19.08.3.tar.xz"
+sha512sums="2fffce8023d9b0d08ec03cc51d21827772ed07c3004fcf8a23589211e7f676b61253dc39c8a41da5d9c4764ac9895c1a0e16c72c7157213b2e79ccaf35db77fa  okular-19.08.3.tar.xz
+2d8870f1aa63defcf2ecfd42c0dfb0d474af6885c2448566704795d7caa2e9c20e5ede284db58139ea5736d5d0074d23c023a89f359d09fd6051d1f03f561903  CVE-2020-9359.patch"
diff --git a/community/okular/CVE-2020-9359.patch b/community/okular/CVE-2020-9359.patch
new file mode 100644
index 0000000000..e7d7248762
--- /dev/null
+++ b/community/okular/CVE-2020-9359.patch
@@ -0,0 +1,27 @@
+From 6a93a033b4f9248b3cd4d04689b8391df754e244 Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid <aacid@kde.org>
+Date: Tue, 10 Mar 2020 23:07:24 +0100
+Subject: [PATCH] Document::processAction: If the url points to a binary, don't
+ run it
+---
+ core/document.cpp | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+diff --git a/core/document.cpp b/core/document.cpp
+index 3215a1abc..0aa5b6980 100644
+--- a/core/document.cpp
+++ b/core/document.cpp
+@@ -4388,7 +4388,8 @@ void Document::processAction( const Action * action )
+                 {
+                     const QUrl realUrl = KIO::upUrl(d->m_url).resolved(url);
+                     // KRun autodeletes
+-                    new KRun( realUrl, d->m_widget );
+                    KRun *r = new KRun( realUrl, d->m_widget );
+                    r->setRunExecutables(false);
+                 }
+             }
+             } break;
+-- 
+2.24.1
author	Bart Ribbers <bribbers@disroot.org>	2020-03-12 20:52:55 +0100
committer	Leo <thinkabit.ukim@gmail.com>	2020-03-14 14:33:14 -0300
commit	6253a98c558a2be7f91db6f2582b52cd6a0fcbf0 (patch)
tree	1534367d0857ffa889251c4c5ad491913941a24d
parent	ca6e5756c35ec262e609f36f858abc504aba0fe1 (diff)
download	alpine_aports-6253a98c558a2be7f91db6f2582b52cd6a0fcbf0.tar.bz2 alpine_aports-6253a98c558a2be7f91db6f2582b52cd6a0fcbf0.tar.xz alpine_aports-6253a98c558a2be7f91db6f2582b52cd6a0fcbf0.zip

diff --git a/community/okular/APKBUILD b/community/okular/APKBUILD index 5a11c239eb..91c14fba55 100644 --- a/community/okular/APKBUILD +++ b/community/okular/APKBUILD
@@ -2,7 +2,7 @@
2	# Maintainer: Bart Ribbers <bribbers@disroot.org>	2	# Maintainer: Bart Ribbers <bribbers@disroot.org>
3	pkgname=okular	3	pkgname=okular
4	pkgver=19.08.3	4	pkgver=19.08.3
5	pkgrel=0	5	pkgrel=1
6	arch="all"	6	arch="all"
7	url="https://kde.org/applications/office/org.kde.okular"	7	url="https://kde.org/applications/office/org.kde.okular"
8	pkgdesc="A universal document viewer"	8	pkgdesc="A universal document viewer"
@@ -14,9 +14,15 @@ makedepends="extra-cmake-modules qt5-qtbase-dev qt5-qtspeech-dev karchive-dev
14	kactivities-dev phonon-dev purpose-dev zlib-dev poppler-qt5-dev	14	kactivities-dev phonon-dev purpose-dev zlib-dev poppler-qt5-dev
15	kirigami2-dev qca-dev kpty-dev"	15	kirigami2-dev qca-dev kpty-dev"
16	checkdepends="xvfb-run"	16	checkdepends="xvfb-run"
17	source="https://download.kde.org/stable/applications/$pkgver/src/okular-$pkgver.tar.xz"	17	source="https://download.kde.org/stable/applications/$pkgver/src/okular-$pkgver.tar.xz
		18	CVE-2020-9359.patch
		19	"
18	subpackages="$pkgname-dev $pkgname-doc $pkgname-lang $pkgname-mobile"	20	subpackages="$pkgname-dev $pkgname-doc $pkgname-lang $pkgname-mobile"
19		21
		22	# secfixes:
		23	# 19.08.3-r1:
		24	# - CVE-2020-9359
		25
20	prepare() {	26	prepare() {
21	default_prepare	27	default_prepare
22		28
@@ -59,4 +65,5 @@ mobile() {
59	mv "$pkgdir"/usr/share/applications/org.kde.mobile.okular_plucker.desktop "$subpkgdir"/usr/share/applications/	65	mv "$pkgdir"/usr/share/applications/org.kde.mobile.okular_plucker.desktop "$subpkgdir"/usr/share/applications/
60	}	66	}
61		67
62	sha512sums="2fffce8023d9b0d08ec03cc51d21827772ed07c3004fcf8a23589211e7f676b61253dc39c8a41da5d9c4764ac9895c1a0e16c72c7157213b2e79ccaf35db77fa okular-19.08.3.tar.xz"	68	sha512sums="2fffce8023d9b0d08ec03cc51d21827772ed07c3004fcf8a23589211e7f676b61253dc39c8a41da5d9c4764ac9895c1a0e16c72c7157213b2e79ccaf35db77fa okular-19.08.3.tar.xz
		69	2d8870f1aa63defcf2ecfd42c0dfb0d474af6885c2448566704795d7caa2e9c20e5ede284db58139ea5736d5d0074d23c023a89f359d09fd6051d1f03f561903 CVE-2020-9359.patch"


diff --git a/community/okular/CVE-2020-9359.patch b/community/okular/CVE-2020-9359.patch new file mode 100644 index 0000000000..e7d7248762 --- /dev/null +++ b/community/okular/CVE-2020-9359.patch
@@ -0,0 +1,27 @@
		1	From 6a93a033b4f9248b3cd4d04689b8391df754e244 Mon Sep 17 00:00:00 2001
		2	From: Albert Astals Cid <aacid@kde.org>
		3	Date: Tue, 10 Mar 2020 23:07:24 +0100
		4	Subject: [PATCH] Document::processAction: If the url points to a binary, don't
		5	run it
		6
		7	---
		8	core/document.cpp \| 3 ++-
		9	1 file changed, 2 insertions(+), 1 deletion(-)
		10
		11	diff --git a/core/document.cpp b/core/document.cpp
		12	index 3215a1abc..0aa5b6980 100644
		13	--- a/core/document.cpp
		14	+++ b/core/document.cpp
		15	@@ -4388,7 +4388,8 @@ void Document::processAction( const Action * action )
		16	{
		17	const QUrl realUrl = KIO::upUrl(d->m_url).resolved(url);
		18	// KRun autodeletes
		19	- new KRun( realUrl, d->m_widget );
		20	+ KRun *r = new KRun( realUrl, d->m_widget );
		21	+ r->setRunExecutables(false);
		22	}
		23	}
		24	} break;
		25	--
		26	2.24.1
		27