Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 777777 (CVE-2021-28117) - <kde-plasma/discover-5.20.5-r1, <kde-plasma/discover-5.21.3: no verification of link protocol (CVE-2021-28117)
Summary: <kde-plasma/discover-5.20.5-r1, <kde-plasma/discover-5.21.3: no verification ...
Status: IN_PROGRESS
Alias: CVE-2021-28117
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://kde.org/info/security/advisor...
Whiteboard: B4 [glsa?]
Keywords:
Depends on:
Blocks:
 
Reported: 2021-03-22 21:49 UTC by John Helmert III
Modified: 2021-06-10 15:40 UTC (History)
0 users

See Also:
Package list:
kde-plasma/discover-5.20.5-r1
Runtime testing required: ---
nattka: sanity-check-


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III gentoo-dev Security 2021-03-22 21:49:44 UTC
CVE-2021-28117:

libdiscover/backends/KNSBackend/KNSResource.cpp in KDE Discover before 5.21.3 automatically creates links to potentially dangerous URLs (that are neither https:// nor http://) based on the content of the store.kde.org web site. (5.18.7 is also a fixed version.)

Patch: https://invent.kde.org/plasma/discover/commit/94478827aab63d2e2321f0ca9ec5553718798e60
Comment 1 Larry the Git Cow gentoo-dev 2021-04-04 13:23:04 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ee5b2b3f04e3e3ee919334c251ae26dce7e761d2

commit ee5b2b3f04e3e3ee919334c251ae26dce7e761d2
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2021-04-04 12:09:16 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2021-04-04 13:19:36 +0000

    kde-plasma/discover: Fix CVE-2021-28117
    
    See also: https://kde.org/info/security/advisory-20210310-1.txt
    
    Bug: https://bugs.gentoo.org/777777
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 kde-plasma/discover/discover-5.20.5-r1.ebuild      | 84 ++++++++++++++++++++++
 .../files/discover-5.20.5-CVE-2021-28117.patch     | 28 ++++++++
 2 files changed, 112 insertions(+)
Comment 2 Thomas Deutschmann gentoo-dev Security 2021-04-04 16:03:59 UTC
x86 stable
Comment 3 Sam James archtester gentoo-dev Security 2021-04-06 19:47:59 UTC
amd64 done
Comment 4 Sam James archtester gentoo-dev Security 2021-04-06 19:51:41 UTC
arm64 done

all arches done
Comment 5 John Helmert III gentoo-dev Security 2021-04-06 19:57:17 UTC
Please cleanup.
Comment 6 Larry the Git Cow gentoo-dev 2021-04-06 20:08:16 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=add9c9bd0bc97aa41016081c84cfc968c77ea10a

commit add9c9bd0bc97aa41016081c84cfc968c77ea10a
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2021-04-06 19:56:12 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2021-04-06 20:07:50 +0000

    kde-plasma/discover: Cleanup vulnerable 5.20.5
    
    Bug: https://bugs.gentoo.org/777777
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 kde-plasma/discover/discover-5.20.5.ebuild | 82 ------------------------------
 1 file changed, 82 deletions(-)
Comment 7 NATTkA bot gentoo-dev 2021-06-10 15:36:35 UTC
Unable to check for sanity:

> no match for package: kde-plasma/discover-5.20.5-r1