Package: release.debian.org
Severity: important
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: delta...@debian.org, debian-qt-...@lists.debian.org

[ Reason ]
A bug in plasma-discover causes a Denial of Service attack
against the KDE servers. 3 packages need to be patched to
mitigate the attack: knewstuff, plasma-desktop and
plasma-discover.
This update fixes bug #1006125 for bullseye; the bug has
already been fixed in unstable.

[ Impact ]
Running the old version causes considerable load for the KDE
servers.

[ Tests ]
No manual tests have been performed.

[ Risks ]
The risks are rather low as the update is a single patch.
The patch has been created by KDE upstream specifically for the
version in bullseye.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
The update contains a single patch to help ease the load on
KDE servers.

[ Other info ]
It would be good if users of KDE Plasma could receive the update
as quickly as possible.
diffstat for plasma-desktop-5.20.5 plasma-desktop-5.20.5

 changelog                        |    8 ++++++++
 patches/plasma-desktop-dns.patch |   39 +++++++++++++++++++++++++++++++++++++++
 patches/series                   |    1 +
 3 files changed, 48 insertions(+)

diff -Nru plasma-desktop-5.20.5/debian/changelog 
plasma-desktop-5.20.5/debian/changelog
--- plasma-desktop-5.20.5/debian/changelog      2021-02-24 13:35:04.000000000 
+0100
+++ plasma-desktop-5.20.5/debian/changelog      2022-02-20 18:50:03.000000000 
+0100
@@ -1,3 +1,11 @@
+plasma-desktop (4:5.20.5-4+deb11u1) bullseye; urgency=medium
+
+  * Team upload.
+  * Cherry-pick commit to fix the Denial of Service bug in Discover
+    (Closes: #1006125).
+
+ -- Patrick Franz <delta...@debian.org>  Sun, 20 Feb 2022 18:50:03 +0100
+
 plasma-desktop (4:5.20.5-4) unstable; urgency=medium
 
   * Team upload.
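Review bot: the entry `+  * Cherry-pick commit to fix the Denial of Service bug in Discover` does not say which upstream commit was cherry-picked, so a reader of the bullseye changelog cannot trace the fix back to KDE; name the commit (or at least the patch file, plasma-desktop-dns.patch) in the entry, and since the cover text says knewstuff and plasma-discover need matching updates, a short note that this is the plasma-desktop part of that set would help stable-update reviewers.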
diff -Nru plasma-desktop-5.20.5/debian/patches/plasma-desktop-dns.patch 
plasma-desktop-5.20.5/debian/patches/plasma-desktop-dns.patch
--- plasma-desktop-5.20.5/debian/patches/plasma-desktop-dns.patch       
1970-01-01 01:00:00.000000000 +0100
+++ plasma-desktop-5.20.5/debian/patches/plasma-desktop-dns.patch       
2022-02-20 18:40:00.000000000 +0100
@@ -0,0 +1,39 @@
+Author: Dan Leinir Turthra Jensen <ad...@leinir.dk>
+Description: Fix Denial of Service bug in Discover.
+Forwarded: not-needed
+
+---
+ attica-kde/kdeplugin/kdeplatformdependent.cpp | 19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+
+diff --git a/attica-kde/kdeplugin/kdeplatformdependent.cpp 
b/attica-kde/kdeplugin/kdeplatformdependent.cpp
+index fbc15ec4e..2c21fe7e6 100644
+--- a/attica-kde/kdeplugin/kdeplatformdependent.cpp
++++ b/attica-kde/kdeplugin/kdeplatformdependent.cpp
+@@ -125,6 +125,25 @@ QNetworkRequest 
KdePlatformDependent::addOAuthToRequest(const QNetworkRequest &r
+         const QString bearer = bearer_format.arg(token);
+         notConstReq.setRawHeader("Authorization", bearer.toUtf8());
+     }
++
++    // Add cache preference in a granular fashion (we will almost certainly 
want more of these, but...)
++    static const QStringList 
preferCacheEndpoints{QLatin1String{"/content/categories"}};
++    for (const QString &endpoint : preferCacheEndpoints) {
++        if (notConstReq.url().toString().endsWith(endpoint)) {
++            QNetworkCacheMetaData 
cacheMeta{m_accessManager->cache()->metaData(notConstReq.url())};
++            if (cacheMeta.isValid()) {
++                // If the expiration date is valid, but longer than 24 hours, 
don't trust that things
++                // haven't changed and check first, otherwise just use the 
cached version to relieve
++                // server strain and reduce network traffic.
++                const QDateTime 
tomorrow{QDateTime::currentDateTime().addDays(1)};
++                if (cacheMeta.expirationDate().isValid() && 
cacheMeta.expirationDate() < tomorrow) {
++                    
notConstReq.setAttribute(QNetworkRequest::CacheLoadControlAttribute, 
QNetworkRequest::PreferCache);
++                }
++            }
++            break;
++        }
++    }
++
+     return notConstReq;
+ }
+ 
+-- 
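Review bot: `m_accessManager->cache()` is dereferenced without a null check in `QNetworkCacheMetaData cacheMeta{m_accessManager->cache()->metaData(notConstReq.url())};`; QNetworkAccessManager::cache() returns a null pointer when no cache has been installed on the manager, and nothing in these lines shows that KdePlatformDependent guarantees one, so for any request whose URL ends with `/content/categories` a missing cache would become a crash rather than a plain cache miss. Guard the block with something like `if (QAbstractNetworkCache *cache = m_accessManager->cache())` and leave the request untouched otherwise. Separately, the DEP-3 header has `Forwarded: not-needed` but no `Origin:` line naming the upstream commit this was cherry-picked from; adding it makes the provenance checkable during review.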
diff -Nru plasma-desktop-5.20.5/debian/patches/series 
plasma-desktop-5.20.5/debian/patches/series
--- plasma-desktop-5.20.5/debian/patches/series 2021-02-24 13:33:20.000000000 
+0100
+++ plasma-desktop-5.20.5/debian/patches/series 2022-02-20 18:44:56.000000000 
+0100
@@ -3,3 +3,4 @@
 upstream_5.21+lts_folder_view_de-duplicate_switch_width_height_logic.patch
 upstream_5.21+lts_folder_view_Fix_display_on_not-skinny_vertical_panels.patch
 upstream-1be25dec-fix-crash-deleting-from-activity-manager.patch
+plasma-desktop-dns.patch
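Review bot: the new entry `+plasma-desktop-dns.patch` breaks with the naming the rest of this series uses (`upstream-<commit>-<description>.patch` / `upstream_5.21+lts_...`), and "dns" does not describe what the patch does (it sets a cache preference on attica requests for /content/categories); a name such as `upstream-<commit-id>-attica-prefer-cache-for-content-categories.patch`, with the real upstream commit id, would keep the series self-describing.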
