Diffstat (limited to 'kde-apps/kleopatra')
-rw-r--r--kde-apps/kleopatra/Manifest4
-rw-r--r--kde-apps/kleopatra/files/kleopatra-20.04.3-CVE-2020-24972.patch110
-rw-r--r--kde-apps/kleopatra/files/kleopatra-20.04.3-exec-w-double-dash.patch108
-rw-r--r--kde-apps/kleopatra/kleopatra-20.04.3-r1.ebuild (renamed from kde-apps/kleopatra/kleopatra-20.04.3.ebuild)5
4 files changed, 226 insertions, 1 deletions
diff --git a/kde-apps/kleopatra/Manifest b/kde-apps/kleopatra/Manifest
index b4cde40d2027..8ec75df64a61 100644
--- a/kde-apps/kleopatra/Manifest
+++ b/kde-apps/kleopatra/Manifest
@@ -1,5 +1,7 @@
+AUX kleopatra-20.04.3-CVE-2020-24972.patch 5485 BLAKE2B 1836b3783ddc67791e847f310da68837a5a5e244326514cadaea334788b1df44c2d0ab68482921f227343627b00421ef4566b79d8cba3bb2d6807e753f43ba62 SHA512 0eb8b7ce25e86e9e4733f9fe155cac62a4503db83f02f1bbb43c9c46af02c0a41cc842413f2a9d97b76e110fe2fd48cf55cf95a3be33042aba7167498cc16442
+AUX kleopatra-20.04.3-exec-w-double-dash.patch 4138 BLAKE2B 92b1512c437dce78efebf5b248fc6cb8fb2447fb37ee24aabc92a3c907f8af4bd025a6aceff2118518379ef3fde111d4d01b32b762626f380e626c3a099b58a5 SHA512 7ecc38876df91934412ea9c3a16a566d3454369504a0bbe0ff865cb5e6435a40e964d4ba49df9becee8a52d7964bf6b9f0a32d45473f9d084c831468db982df4
DIST kleopatra-20.04.3.tar.xz 1935784 BLAKE2B 3c64c29762c06ce196149f0e9de3ec1a3c9970e2dce03dea600b4096da2100a1138548ddbc794bd0d47852e1b6e2ff962ec38f5b245a453f4a9953c1d846b909 SHA512 b72ffb37b3116525d8a531c056a0457e6fb3257081d639fc1c175c8dd4566e4f3c0989cfc696c43c92b630b43dcad90f667a9f3496fede0121065553041c554a
DIST kleopatra-20.08.0.tar.xz 1936932 BLAKE2B 0f2d78b4f304c0ada1472671ede7898a502ff74576d820e937b39f1c454ad0a39748a26d11879202e4f0981f32f57e64fd5b7ed57d959af1d6ae6f49887d8b21 SHA512 2651432124a4327680a1c2cef0a6a06ba426c900cd8bfd90f9f56fdf0b234588be52e9c42351368a5009a441233fe5ede3a06e4273dd855793a3cba76806fd0e
-EBUILD kleopatra-20.04.3.ebuild 1491 BLAKE2B 635590513d36944ffa3a7026c7fe4fb2efb3b9a22bf24ee0b3448273d2abf7af5c91951ae1c5bdf2665c3fbbf68b0dcefd88a6242434c285cbcda61d00889f7b SHA512 3cf223f2e3ccf0a1d6ad3a383dd7bd193a508b29cabc381ddf73fefc3c00d9d852564ded72eba49d3a1e47b98af5c9a41f63a2a2ea644f29e6526cfa52d66742
+EBUILD kleopatra-20.04.3-r1.ebuild 1590 BLAKE2B 500d250a7ade1cf0883be418c53398704c48255ed9e1bc810d9ed509aef69aa361b88f9c2e764c02ac795d7298bb034836de61ca423987c42df88781f79f4703 SHA512 07fa72c5b06fde135f28f2e3d7e04213ed311ac81d311cc609a89e264b536ef2f0cdb24e62821e786f751214a2473166d05240379f63f6d87857eb3e599a11b9
EBUILD kleopatra-20.08.0.ebuild 1494 BLAKE2B 365dfb25105e2193743aa8a47e97cec6595d1fc655f03e8cb2dbab0c0bbb92c3f8940b68793378c7ccc6400f5d718de7a83edc0f1b40b349de1e9d545b1f63ce SHA512 9c003dcf7fa6eae1b6d76d4ceece4fdd37b9bfc76e3904a5ada420b9e85faab68617b13b322d535a3c2ab9e92c4e267625e477f140fd16e5302b55c21d0ec507
MISC metadata.xml 249 BLAKE2B ad415db89e5dee1627aa77f44ded9d4e1e5b8217d06c7ca25bbaa3fe92ce67c2b1090957c45a821b407d7927e5af798498aa6a5b903895ee1af8ee20a446c7f7 SHA512 76a5a340b13f0053ca3c5e94ed24380ea8d29b45ac8655419e22eaadb1e4a827c04d2e7e36b65145c4964e6526f656618fc6ac144e277ef53cb7373e6239e3c3
diff --git a/kde-apps/kleopatra/files/kleopatra-20.04.3-CVE-2020-24972.patch b/kde-apps/kleopatra/files/kleopatra-20.04.3-CVE-2020-24972.patch
new file mode 100644
index 000000000000..ebcbb232e08f
--- /dev/null
+++ b/kde-apps/kleopatra/files/kleopatra-20.04.3-CVE-2020-24972.patch
@@ -0,0 +1,110 @@
+From b4bd63c1739900d94c04da03045e9445a5a5f54b Mon Sep 17 00:00:00 2001
+From: Andre Heinecke <aheinecke@gnupg.org>
+Date: Tue, 7 Jul 2020 14:39:29 +0200
+Subject: [PATCH] Allow safe usage of query
+
+To allow secure usage of query and search the parameters are
+no longer parsed as value but instead of positional arguments.
+
+This allows us to register "kleoptra --query -- $1" as an
+URL handler for openpgp4fpr: without the risk of command
+line injection through an unsescaped query string.
+
+Similarly the double dash should be used for file handling
+to avoid command line injection through filenames.
+---
+ src/kleopatra_options.h | 19 ++++++++++++++-----
+ src/kleopatraapplication.cpp | 25 ++++++++++++++-----------
+ 2 files changed, 28 insertions(+), 16 deletions(-)
+
+diff --git a/src/kleopatra_options.h b/src/kleopatra_options.h
+index 661c44d7..8ce7fccf 100644
+--- a/src/kleopatra_options.h
++++ b/src/kleopatra_options.h
+@@ -79,8 +79,7 @@ static void kleopatra_options(QCommandLineParser *parser)
+ << QStringLiteral("D"),
+ i18n("Decrypt and/or verify file(s)"))
+ << QCommandLineOption(QStringList() << QStringLiteral("search"),
+- i18n("Search for a certificate on a keyserver"),
+- QStringLiteral("search string"))
++ i18n("Search for a certificate on a keyserver"))
+ << QCommandLineOption(QStringList() << QStringLiteral("checksum"),
+ i18n("Create or check a checksum file"))
+ << QCommandLineOption(QStringList() << QStringLiteral("query")
+@@ -88,8 +87,7 @@ static void kleopatra_options(QCommandLineParser *parser)
+ i18nc("If a certificate is already known it shows the certificate details dialog."
+ "Otherwise it brings up the certificate search dialog.",
+ "Show details of a local certificate or search for it on a keyserver"
+- " by fingerprint"),
+- QStringLiteral("fingerprint"))
++ " by fingerprint"))
+ << QCommandLineOption(QStringList() << QStringLiteral("gen-key"),
+ i18n("Create a new key pair or certificate signing request"))
+ << QCommandLineOption(QStringLiteral("parent-windowid"),
+@@ -100,8 +98,19 @@ static void kleopatra_options(QCommandLineParser *parser)
+
+ parser->addOptions(options);
+
++ /* Security note: To avoid code execution by shared library injection
++ * through e.g. -platformpluginpath any external input should be seperated
++ * by a double dash -- this is why query / search uses positional arguments.
++ *
++ * For example on Windows there is an URLhandler for openpgp4fpr:
++ * be opened with Kleopatra's query function. And while a browser should
++ * urlescape such a query there might be tricks to inject a quote character
++ * and as such inject command line options for Kleopatra in an URL. */
+ parser->addPositionalArgument(QStringLiteral("files"),
+ i18n("File(s) to process"),
+- QStringLiteral("[files..]"));
++ QStringLiteral("-- [files..]"));
++ parser->addPositionalArgument(QStringLiteral("query"),
++ i18n("String or Fingerprint for query and search"),
++ QStringLiteral("-- [query..]"));
+ }
+ #endif
+diff --git a/src/kleopatraapplication.cpp b/src/kleopatraapplication.cpp
+index 989f14b4..a8c5dd08 100644
+--- a/src/kleopatraapplication.cpp
++++ b/src/kleopatraapplication.cpp
+@@ -273,13 +273,18 @@ QString KleopatraApplication::newInstance(const QCommandLineParser &parser,
+
+ QStringList files;
+ const QDir cwd = QDir(workingDirectory);
+- Q_FOREACH (const QString &file, parser.positionalArguments()) {
+- // We do not check that file exists here. Better handle
+- // these errors in the UI.
+- if (QFileInfo(file).isAbsolute()) {
+- files << file;
+- } else {
+- files << cwd.absoluteFilePath(file);
++ bool queryMode = parser.isSet(QStringLiteral("query")) || parser.isSet(QStringLiteral("search"));
++
++ // Query and Search treat positional arguments differently, see below.
++ if (!queryMode) {
++ Q_FOREACH (const QString &file, parser.positionalArguments()) {
++ // We do not check that file exists here. Better handle
++ // these errors in the UI.
++ if (QFileInfo(file).isAbsolute()) {
++ files << file;
++ } else {
++ files << cwd.absoluteFilePath(file);
++ }
+ }
+ }
+
+@@ -313,10 +318,8 @@ QString KleopatraApplication::newInstance(const QCommandLineParser &parser,
+
+ // Handle openpgp4fpr URI scheme
+ QString needle;
+- if (parser.isSet(QStringLiteral("search"))) {
+- needle = parser.value(QStringLiteral("search"));
+- } else if (parser.isSet(QStringLiteral("query"))) {
+- needle = parser.value(QStringLiteral("query"));
++ if (queryMode) {
++ needle = parser.positionalArguments().join(QLatin1Char(' '));
+ }
+ if (needle.startsWith(QLatin1String("openpgp4fpr:"))) {
+ needle.remove(0, 12);
+--
+GitLab
+
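Review bot: The parser change at `needle = parser.positionalArguments().join(QLatin1Char(' '))` only closes the injection if every caller actually places `--` before the untrusted value; nothing in this patch registers the openpgp4fpr: handler that way, and the sibling desktop-file patch touches only the file-action menus, so if the Linux build ships an `x-scheme-handler/openpgp4fpr` entry it still needs `Exec=kleopatra --query -- %u` (not visible from here, to be confirmed). The security note added to kleopatra_options.h also presumes that `--` stops Qt's own argv scan, which consumes `-platformpluginpath` in QCoreApplication/QGuiApplication before QCommandLineParser ever runs; that is not established by this diff and should be checked against the Qt version in tree, otherwise the comment overstates the guarantee. Dropping the value from `--query`/`--search` is a CLI contract change: `kleopatra --query=<fp>` now fails with an unexpected-value error while `--query <fp>` still works by accident of the value becoming positional, so the help text for the `query` positional should say the remainder after `--` is joined with single spaces. The patch header and comment carry typos (`kleoptra`, `unsescaped`, `seperated`) worth fixing since the file is vendored downstream. newInstance() continues outside the hunk.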
diff --git a/kde-apps/kleopatra/files/kleopatra-20.04.3-exec-w-double-dash.patch b/kde-apps/kleopatra/files/kleopatra-20.04.3-exec-w-double-dash.patch
new file mode 100644
index 000000000000..d5ba1236c2df
--- /dev/null
+++ b/kde-apps/kleopatra/files/kleopatra-20.04.3-exec-w-double-dash.patch
@@ -0,0 +1,108 @@
+From 9abdda396818842de1d9af9a153b66a1399f7c0f Mon Sep 17 00:00:00 2001
+From: Andre Heinecke <aheinecke@gnupg.org>
+Date: Tue, 7 Jul 2020 14:46:31 +0200
+Subject: [PATCH] Add double dash for exec command for files
+
+This prevents shenannigans with file names that might
+inject command line options.
+---
+ src/data/kleopatra_decryptverifyfiles.desktop | 2 +-
+ src/data/kleopatra_decryptverifyfolders.desktop | 2 +-
+ src/data/kleopatra_import.desktop | 2 +-
+ src/data/kleopatra_signencryptfiles.desktop | 8 ++++----
+ src/data/kleopatra_signencryptfolders.desktop | 4 ++--
+ 5 files changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/src/data/kleopatra_decryptverifyfiles.desktop b/src/data/kleopatra_decryptverifyfiles.desktop
+index 5f4832fe..1bd3200e 100644
+--- a/src/data/kleopatra_decryptverifyfiles.desktop
++++ b/src/data/kleopatra_decryptverifyfiles.desktop
+@@ -102,4 +102,4 @@ Name[x-test]=xxDecrypt/Verify Filexx
+ Name[zh_CN]=解密/验证文件
+ Name[zh_TW]=解密/檢查檔案
+ Icon=kleopatra
+-Exec=kleopatra --decrypt-verify %F
++Exec=kleopatra --decrypt-verify -- %F
+diff --git a/src/data/kleopatra_decryptverifyfolders.desktop b/src/data/kleopatra_decryptverifyfolders.desktop
+index 8b6af1e2..54644c8f 100644
+--- a/src/data/kleopatra_decryptverifyfolders.desktop
++++ b/src/data/kleopatra_decryptverifyfolders.desktop
+@@ -101,4 +101,4 @@ Name[x-test]=xxDecrypt/Verify All Files In Folderxx
+ Name[zh_CN]=文件夹中的全部解密/验证文件
+ Name[zh_TW]=解密/檢查所有資料夾中的檔案
+ Icon=kleopatra
+-Exec=kleopatra --decrypt-verify %F
++Exec=kleopatra --decrypt-verify -- %F
+diff --git a/src/data/kleopatra_import.desktop b/src/data/kleopatra_import.desktop
+index 2b886b24..8a99c81d 100644
+--- a/src/data/kleopatra_import.desktop
++++ b/src/data/kleopatra_import.desktop
+@@ -1,7 +1,7 @@
+ [Desktop Entry]
+ Type=Application
+ Icon=kleopatra
+-Exec=kleopatra --import-certificate %F
++Exec=kleopatra --import-certificate -- %F
+ MimeType=application/pkcs7-mime;application/x-x509-ca-cert;application/x-pkcs12;application/pgp-keys;
+ Categories=Qt;KDE;Utility;X-KDE-Utilities-PIM;
+
+diff --git a/src/data/kleopatra_signencryptfiles.desktop b/src/data/kleopatra_signencryptfiles.desktop
+index d3ea5f98..8656bccb 100644
+--- a/src/data/kleopatra_signencryptfiles.desktop
++++ b/src/data/kleopatra_signencryptfiles.desktop
+@@ -103,7 +103,7 @@ Name[x-test]=xxSign & Encrypt Filexx
+ Name[zh_CN]=签名并加密文件
+ Name[zh_TW]=簽署並加密檔案
+ Icon=kleopatra
+-Exec=kleopatra --encrypt-sign %F
++Exec=kleopatra --encrypt-sign -- %F
+
+ [Desktop Action kleoencryptfiles]
+ Name=Encrypt File
+@@ -159,7 +159,7 @@ Name[x-test]=xxEncrypt Filexx
+ Name[zh_CN]=加密文件
+ Name[zh_TW]=加密檔案
+ Icon=kleopatra
+-Exec=kleopatra --encrypt %F
++Exec=kleopatra --encrypt -- %F
+
+ [Desktop Action kleosignfilesopenpgp]
+ Name=OpenPGP-Sign File
+@@ -211,7 +211,7 @@ Name[x-test]=xxOpenPGP-Sign Filexx
+ Name[zh_CN]=OpenPGP 签名文件
+ Name[zh_TW]=OpenPGP─簽署檔案
+ Icon=kleopatra
+-Exec=kleopatra --openpgp --sign %F
++Exec=kleopatra --openpgp --sign -- %F
+
+ [Desktop Action kleosignfilescms]
+ Name=S/MIME-Sign File
+@@ -263,5 +263,5 @@ Name[x-test]=xxS/MIME-Sign Filexx
+ Name[zh_CN]=S/MIME 签名文件
+ Name[zh_TW]=S/MIME─簽署檔案
+ Icon=kleopatra
+-Exec=kleopatra --cms --sign %F
++Exec=kleopatra --cms --sign -- %F
+
+diff --git a/src/data/kleopatra_signencryptfolders.desktop b/src/data/kleopatra_signencryptfolders.desktop
+index 5ef802ce..b9146d5a 100644
+--- a/src/data/kleopatra_signencryptfolders.desktop
++++ b/src/data/kleopatra_signencryptfolders.desktop
+@@ -100,7 +100,7 @@ Name[x-test]=xxArchive, Sign && Encrypt Folderxx
+ Name[zh_CN]=归档、签名并加密文件夹
+ Name[zh_TW]=歸檔,簽署與加密資料夾
+ Icon=kleopatra
+-Exec=kleopatra --encrypt-sign %F
++Exec=kleopatra --encrypt-sign -- %F
+
+ [Desktop Action kleoencryptfolder]
+ Name=Archive && Encrypt Folder
+@@ -151,4 +151,4 @@ Name[x-test]=xxArchive && Encrypt Folderxx
+ Name[zh_CN]=归档并加密文件夹
+ Name[zh_TW]=歸檔並加密資料夾
+ Icon=kleopatra
+-Exec=kleopatra --encrypt %F
++Exec=kleopatra --encrypt -- %F
+--
+GitLab
+
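Review bot: The `--` separator is added to the five file-action service menus only; the main launcher entry (org.kde.kleopatra.desktop) is not part of this patch, and if its `Exec` line takes `%F`/`%U` for "Open with"/URL handling it forwards the same attacker-chosen strings without the separator and should get `Exec=kleopatra -- %U` as well — I cannot see that file from here, so this needs confirming. With `--` in place a file name beginning with `-` now lands in the file list instead of being parsed as an option, which is the intent, but it also means any locally customised Exec line must keep Kleopatra's own switches (`--openpgp`, `--cms`, `--sign`, …) before the `--`, so a one-line comment above each changed `Exec=` such as `# -- keeps untrusted file names (%F) from being parsed as options` would help the next person who edits these entries.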
diff --git a/kde-apps/kleopatra/kleopatra-20.04.3.ebuild b/kde-apps/kleopatra/kleopatra-20.04.3-r1.ebuild
index 3799bd46d123..57574a47f59b 100644
--- a/kde-apps/kleopatra/kleopatra-20.04.3.ebuild
+++ b/kde-apps/kleopatra/kleopatra-20.04.3-r1.ebuild
@@ -53,3 +53,8 @@ RDEPEND="${DEPEND}
# tests completely broken, bug #641720
RESTRICT+=" test"
+
+PATCHES=(
+ "${FILESDIR}/${P}-CVE-2020-24972.patch"
+ "${FILESDIR}/${P}-exec-w-double-dash.patch"
+)