Package: release.debian.org
Severity: important
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: delta...@debian.org, debian-qt-...@lists.debian.org
[ Reason ]
A bug in plasma-discover causes a Denial of Service attack against the KDE servers. 3 packages need to be patched to mitigate the attack: knewstuff, plasma-desktop and plasma-discover. This update fixes bug #1006124 for bullseye and has been fixed in unstable.

[ Impact ]
Running the old version causes considerable load for the KDE servers.

[ Tests ]
No manual tests have been performed.

[ Risks ]
The risks are rather low as the update is a single patch. The patch has been created by KDE upstream specifically for the version in bullseye.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

[ Changes ]
The update contains a single patch to help ease the load on KDE servers.

[ Other info ]
It would be good if users of KDE plasma could receive the update as quickly as possible.
diffstat for plasma-discover-5.20.5 plasma-discover-5.20.5 changelog | 8 ++++++++ patches/discover_dns.patch | 31 +++++++++++++++++++++++++++++++ patches/series | 1 + 3 files changed, 40 insertions(+) diff -Nru plasma-discover-5.20.5/debian/changelog plasma-discover-5.20.5/debian/changelog --- plasma-discover-5.20.5/debian/changelog 2021-03-10 23:53:46.000000000 +0100 +++ plasma-discover-5.20.5/debian/changelog 2022-02-22 22:20:28.000000000 +0100 @@ -1,3 +1,11 @@ +plasma-discover (5.20.5-3+deb11u1) bullseye; urgency=medium + + * Team upload. + * Cherry-pick commit to fix the Denial of Service bug in Discover + (Closes: #1006124). + + -- Patrick Franz <delta...@debian.org> Tue, 22 Feb 2022 22:20:28 +0100 + plasma-discover (5.20.5-3) unstable; urgency=medium [ Patrick Franz ] diff -Nru plasma-discover-5.20.5/debian/patches/discover_dns.patch plasma-discover-5.20.5/debian/patches/discover_dns.patch --- plasma-discover-5.20.5/debian/patches/discover_dns.patch 1970-01-01 01:00:00.000000000 +0100 +++ plasma-discover-5.20.5/debian/patches/discover_dns.patch 2022-02-22 22:17:27.000000000 +0100 
@@ -0,0 +1,31 @@ +From efb34c2aa235b703bc55cb9b37fedebed0ac7df8 Mon Sep 17 00:00:00 2001 +From: Ben Cooksley <bcooks...@kde.org> +Date: Mon, 7 Feb 2022 06:39:12 +1300 +Subject: [PATCH] Disable the building of the KNS backend until it can be + corrected to not cause a Denial of Service attack on KDE.org infrastructure. + +(cherry picked from commit f66df3531670592960167f5060feeed6d6c792be) +--- + libdiscover/backends/CMakeLists.txt | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/libdiscover/backends/CMakeLists.txt b/libdiscover/backends/CMakeLists.txt +index 5f87f639f..0fbdc524f 100644 +--- a/libdiscover/backends/CMakeLists.txt ++++ b/libdiscover/backends/CMakeLists.txt +@@ -8,9 +8,9 @@ function(add_unit_test name) + Qt5::Test Qt5::Core ${EXTRA_LIBS}) + endfunction() + +-if(KF5Attica_FOUND AND KF5NewStuff_FOUND) +- add_subdirectory(KNSBackend) +-endif() ++#if(KF5Attica_FOUND AND KF5NewStuff_FOUND) ++# add_subdirectory(KNSBackend) ++#endif() + + if(packagekitqt5_FOUND AND AppStreamQt_FOUND) + add_subdirectory(PackageKitBackend) +-- +GitLab + diff -Nru plasma-discover-5.20.5/debian/patches/series plasma-discover-5.20.5/debian/patches/series --- plasma-discover-5.20.5/debian/patches/series 2021-03-10 23:53:46.000000000 +0100 +++ plasma-discover-5.20.5/debian/patches/series 2022-02-22 22:17:51.000000000 +0100 @@ -1 +1,2 @@ https_only_links.patch +discover_dns.patch
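Review bot: the changelog hunk under-describes the change. The cherry-picked commit does not fix the bug inside the KNS (KNewStuff) backend, it stops building that backend altogether (its own subject line reads "Disable the building of the KNS backend until it can be corrected"), so after this update Discover in bullseye no longer has that backend at all. The changelog line should state the functional impact rather than only "fix the Denial of Service bug", for example `* Disable the KNS backend, whose requests cause excessive load on KDE.org infrastructure (Closes: #1006124).`, so users and the release team can see that a feature is being removed.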
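Review bot: commenting out `add_subdirectory(KNSBackend)` in the discover_dns.patch hunk means the KNS backend plugin is no longer produced at all, and the [ Tests ] section says no manual tests were run; a build of the patched source should be checked for install-file entries or dh_missing failures that still expect the KNS backend files, and the resulting binary package confirmed to no longer ship that plugin. As a smaller point, the patch header carries the upstream From/Date/Subject and the "cherry picked from" line, which DEP-3 accepts as origin information, but no `Bug-Debian:` header; adding `Bug-Debian: https://bugs.debian.org/1006124` ties the file to the bug this upload closes.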
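Review bot: in the series hunk the name `discover_dns.patch` says nothing about what the patch does (it disables the KNS backend, it does not touch DNS handling); a name such as `disable-kns-backend.patch` would keep the quilt series self-describing. Appending it after https_only_links.patch is otherwise fine, since the two patches touch different files.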