kde-misc/kdeconnect: Fix CVE-2020-26164

See also: https://kde.org/info/security/advisory-20201002-1.txt

Bug: https://bugs.gentoo.org/746401
Package-Manager: Portage-3.0.8, Repoman-3.0.1
Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

12 files changed, 683 insertions, 0 deletions

diff --git a/kde-misc/kdeconnect/files/kdeconnect-20.04.3-01-Do-not-ignore-SSL-errors-except-for-self-signed-cert.patch b/kde-misc/kdeconnect/files/kdeconnect-20.04.3-01-Do-not-ignore-SSL-errors-except-for-self-signed-cert.patch
new file mode 100644
index 000000000000..cafeb9501cd8
--- /dev/null
+++ b/kde-misc/kdeconnect/files/kdeconnect-20.04.3-01-Do-not-ignore-SSL-errors-except-for-self-signed-cert.patch
@@ -0,0 +1,65 @@
+From f183b5447bad47655c21af87214579f03bf3a163 Mon Sep 17 00:00:00 2001
+From: Albert Vaca Cintora <albertvaka@gmail.com>
+Date: Thu, 24 Sep 2020 16:59:22 +0200
+Subject: [PATCH 01/10] Do not ignore SSL errors, except for self-signed cert
+ errors.
+
+Thanks Matthias Gerstner <mgerstner@suse.de> for reporting this.
+---
+ core/backends/lan/lanlinkprovider.cpp | 24 +++++++++++++-----------
+ 1 file changed, 13 insertions(+), 11 deletions(-)
+
+diff --git a/core/backends/lan/lanlinkprovider.cpp b/core/backends/lan/lanlinkprovider.cpp
+index d9a7d8fa..fc005cee 100644
+--- a/core/backends/lan/lanlinkprovider.cpp
++++ b/core/backends/lan/lanlinkprovider.cpp
+@@ -297,9 +297,7 @@ void LanLinkProvider::tcpSocketConnected()
+ 
+             connect(socket, &QSslSocket::encrypted, this, &LanLinkProvider::encrypted);
+ 
+-            if (isDeviceTrusted) {
+-                connect(socket, QOverload<const QList<QSslError> &>::of(&QSslSocket::sslErrors), this, &LanLinkProvider::sslErrors);
+-            }
++            connect(socket, QOverload<const QList<QSslError> &>::of(&QSslSocket::sslErrors), this, &LanLinkProvider::sslErrors);
+ 
+             socket->startServerEncryption();
+ 
+@@ -326,8 +324,6 @@ void LanLinkProvider::encrypted()
+ 
+     QSslSocket* socket = qobject_cast<QSslSocket*>(sender());
+     if (!socket) return;
+-    // TODO delete me?
+-    disconnect(socket, QOverload<const QList<QSslError> &>::of(&QSslSocket::sslErrors), this, &LanLinkProvider::sslErrors);
+ 
+     Q_ASSERT(socket->mode() != QSslSocket::UnencryptedMode);
+     LanDeviceLink::ConnectionStarted connectionOrigin = (socket->mode() == QSslSocket::SslClientMode)? LanDeviceLink::Locally : LanDeviceLink::Remotely;
+@@ -346,14 +342,20 @@ void LanLinkProvider::sslErrors(const QList<QSslError>& errors)
+     QSslSocket* socket = qobject_cast<QSslSocket*>(sender());
+     if (!socket) return;
+ 
+-    qCDebug(KDECONNECT_CORE) << "Failing due to " << errors;
+-    Device* device = Daemon::instance()->getDevice(socket->peerVerifyName());
+-    if (device) {
+-        device->unpair();
++    bool fatal = false;
++    for (const QSslError& error : errors) {
++        if (error.error() != QSslError::SelfSignedCertificate) {
++            qCCritical(KDECONNECT_CORE) << "Disconnecting due to fatal SSL Error: " << error;
++            fatal = true;
++        } else {
++            qCDebug(KDECONNECT_CORE) << "Ignoring self-signed cert error";
++        }
+     }
+ 
+-    delete m_receivedIdentityPackets.take(socket).np;
+-    // Socket disconnects itself on ssl error and will be deleted by deleteLater slot, no need to delete manually
++    if (fatal) {
++        socket->disconnectFromHost();
++        delete m_receivedIdentityPackets.take(socket).np;
++    }
+ }
+ 
+ //I'm the new device and this is the answer to my UDP identity packet (no data received yet). They are connecting to us through TCP, and they should send an identity.
+-- 
+2.28.0
+
diff --git a/kde-misc/kdeconnect/files/kdeconnect-20.04.3-02-Do-not-leak-the-local-user-in-the-device-name.patch b/kde-misc/kdeconnect/files/kdeconnect-20.04.3-02-Do-not-leak-the-local-user-in-the-device-name.patch
new file mode 100644
index 000000000000..b374d001036c
--- /dev/null
+++ b/kde-misc/kdeconnect/files/kdeconnect-20.04.3-02-Do-not-leak-the-local-user-in-the-device-name.patch
@@ -0,0 +1,32 @@
+From b279c52101d3f7cc30a26086d58de0b5f1c547fa Mon Sep 17 00:00:00 2001
+From: Albert Vaca Cintora <albertvaka@gmail.com>
+Date: Thu, 24 Sep 2020 17:01:03 +0200
+Subject: [PATCH 02/10] Do not leak the local user in the device name.
+
+Thanks Matthias Gerstner <mgerstner@suse.de> for reporting this.
+---
+ core/kdeconnectconfig.cpp | 8 +-------
+ 1 file changed, 1 insertion(+), 7 deletions(-)
+
+diff --git a/core/kdeconnectconfig.cpp b/core/kdeconnectconfig.cpp
+index 91719303..a8dbcf5c 100644
+--- a/core/kdeconnectconfig.cpp
++++ b/core/kdeconnectconfig.cpp
+@@ -90,13 +90,7 @@ KdeConnectConfig::KdeConnectConfig()
+ 
+ QString KdeConnectConfig::name()
+ {
+-    QString username;
+-    #ifdef Q_OS_WIN
+-        username = QString::fromLatin1(qgetenv("USERNAME"));
+-    #else
+-        username = QString::fromLatin1(qgetenv("USER"));
+-    #endif
+-    QString defaultName = username + QStringLiteral("@") + QHostInfo::localHostName();
++    QString defaultName = QHostInfo::localHostName();
+     QString name = d->m_config->value(QStringLiteral("name"), defaultName).toString();
+     return name;
+ }
+-- 
+2.28.0
+
diff --git a/kde-misc/kdeconnect/files/kdeconnect-20.04.3-03-Fix-use-after-free-in-LanLinkProvider-connectError.patch b/kde-misc/kdeconnect/files/kdeconnect-20.04.3-03-Fix-use-after-free-in-LanLinkProvider-connectError.patch
new file mode 100644
index 000000000000..52fb9057b930
--- /dev/null
+++ b/kde-misc/kdeconnect/files/kdeconnect-20.04.3-03-Fix-use-after-free-in-LanLinkProvider-connectError.patch
@@ -0,0 +1,28 @@
+From d35b88c1b25fe13715f9170f18674d476ca9acdc Mon Sep 17 00:00:00 2001
+From: Matthias Gerstner <mgerstner@suse.de>
+Date: Thu, 24 Sep 2020 17:03:06 +0200
+Subject: [PATCH 03/10] Fix use after free in LanLinkProvider::connectError()
+
+If QSslSocket::connectToHost() hasn't finished running.
+
+Thanks Matthias Gerstner <mgerstner@suse.de> for reporting this.
+---
+ core/backends/lan/lanlinkprovider.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/core/backends/lan/lanlinkprovider.cpp b/core/backends/lan/lanlinkprovider.cpp
+index fc005cee..235c221f 100644
+--- a/core/backends/lan/lanlinkprovider.cpp
++++ b/core/backends/lan/lanlinkprovider.cpp
+@@ -252,7 +252,7 @@ void LanLinkProvider::connectError(QAbstractSocket::SocketError socketError)
+     //The socket we created didn't work, and we didn't manage
+     //to create a LanDeviceLink from it, deleting everything.
+     delete m_receivedIdentityPackets.take(socket).np;
+-    delete socket;
++    socket->deleteLater();
+ }
+ 
+ //We received a UDP packet and answered by connecting to them by TCP. This gets called on a successful connection.
+-- 
+2.28.0
+
diff --git a/kde-misc/kdeconnect/files/kdeconnect-20.04.3-04-Limit-identity-packets-to-8KiB.patch b/kde-misc/kdeconnect/files/kdeconnect-20.04.3-04-Limit-identity-packets-to-8KiB.patch
new file mode 100644
index 000000000000..e083f5896def
--- /dev/null
+++ b/kde-misc/kdeconnect/files/kdeconnect-20.04.3-04-Limit-identity-packets-to-8KiB.patch
@@ -0,0 +1,36 @@
+From b496e66899e5bc9547b6537a7f44ab44dd0aaf38 Mon Sep 17 00:00:00 2001
+From: Aleix Pol <aleixpol@kde.org>
+Date: Wed, 16 Sep 2020 02:28:58 +0200
+Subject: [PATCH 04/10] Limit identity packets to 8KiB
+
+Healthy identity packages shouldn't be that big and we don't want to
+allow systems around us to send us ever humongous packages that will
+just leave us without any memory.
+
+Thanks Matthias Gerstner <mgerstner@suse.de> for reporting this.
+---
+ core/backends/lan/lanlinkprovider.cpp | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/core/backends/lan/lanlinkprovider.cpp b/core/backends/lan/lanlinkprovider.cpp
+index 235c221f..1fd3870e 100644
+--- a/core/backends/lan/lanlinkprovider.cpp
++++ b/core/backends/lan/lanlinkprovider.cpp
+@@ -381,6 +381,14 @@ void LanLinkProvider::newConnection()
+ void LanLinkProvider::dataReceived()
+ {
+     QSslSocket* socket = qobject_cast<QSslSocket*>(sender());
++    //the size here is arbitrary and is now at 8192 bytes. It needs to be considerably long as it includes the capabilities but there needs to be a limit
++    //Tested between my systems and I get around 2000 per identity package.
++    if (socket->bytesAvailable() > 8192) {
++        qCWarning(KDECONNECT_CORE) << "LanLinkProvider/newConnection: Suspiciously long identity package received. Closing connection." << socket->peerAddress() << socket->bytesAvailable();
++        socket->disconnectFromHost();
++        return;
++    }
++
+ #if QT_VERSION < QT_VERSION_CHECK(5,7,0)
+     if (!socket->canReadLine())
+         return;
+-- 
+2.28.0
+
diff --git a/kde-misc/kdeconnect/files/kdeconnect-20.04.3-05-Do-not-let-lanlink-connections-stay-open-for-long-wi.patch b/kde-misc/kdeconnect/files/kdeconnect-20.04.3-05-Do-not-let-lanlink-connections-stay-open-for-long-wi.patch
new file mode 100644
index 000000000000..1465ce48b989
--- /dev/null
+++ b/kde-misc/kdeconnect/files/kdeconnect-20.04.3-05-Do-not-let-lanlink-connections-stay-open-for-long-wi.patch
@@ -0,0 +1,37 @@
+From 5310eae85dbdf92fba30375238a2481f2e34943e Mon Sep 17 00:00:00 2001
+From: Aleix Pol <aleixpol@kde.org>
+Date: Wed, 16 Sep 2020 02:44:38 +0200
+Subject: [PATCH 05/10] Do not let lanlink connections stay open for long
+ without authenticating
+
+If there's no information received, close the socket to try again.
+
+Thanks Matthias Gerstner <mgerstner@suse.de> for reporting this.
+---
+ core/backends/lan/lanlinkprovider.cpp | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/core/backends/lan/lanlinkprovider.cpp b/core/backends/lan/lanlinkprovider.cpp
+index 1fd3870e..a4942c65 100644
+--- a/core/backends/lan/lanlinkprovider.cpp
++++ b/core/backends/lan/lanlinkprovider.cpp
+@@ -374,6 +374,16 @@ void LanLinkProvider::newConnection()
+         connect(socket, &QIODevice::readyRead,
+                 this, &LanLinkProvider::dataReceived);
+ 
++        QTimer* timer = new QTimer(socket);
++        timer->setSingleShot(true);
++        timer->setInterval(1000);
++        connect(socket, &QSslSocket::encrypted,
++                timer, &QObject::deleteLater);
++        connect(timer, &QTimer::timeout, socket, [socket] {
++            qCWarning(KDECONNECT_CORE) << "LanLinkProvider/newConnection: Host timed out without sending any identity." << socket->peerAddress();
++            socket->disconnectFromHost();
++        });
++        timer->start();
+     }
+ }
+ 
+-- 
+2.28.0
+
diff --git a/kde-misc/kdeconnect/files/kdeconnect-20.04.3-06-Don-t-brute-force-reading-the-socket.patch b/kde-misc/kdeconnect/files/kdeconnect-20.04.3-06-Don-t-brute-force-reading-the-socket.patch
new file mode 100644
index 000000000000..7bb674a8e8f2
--- /dev/null
+++ b/kde-misc/kdeconnect/files/kdeconnect-20.04.3-06-Don-t-brute-force-reading-the-socket.patch
@@ -0,0 +1,102 @@
+From 721ba9faafb79aac73973410ee1dd3624ded97a5 Mon Sep 17 00:00:00 2001
+From: Aleix Pol <aleixpol@kde.org>
+Date: Wed, 16 Sep 2020 02:27:13 +0200
+Subject: [PATCH 06/10] Don't brute-force reading the socket
+
+The package will arrive eventually, and dataReceived will be emitted.
+Otherwise we just end up calling dataReceived to no end.
+
+Thanks Matthias Gerstner <mgerstner@suse.de> for reporting this.
+---
+ core/backends/lan/socketlinereader.cpp |  8 -------
+ tests/testsocketlinereader.cpp         | 31 ++++++++++++++++++++++++--
+ 2 files changed, 29 insertions(+), 10 deletions(-)
+
+diff --git a/core/backends/lan/socketlinereader.cpp b/core/backends/lan/socketlinereader.cpp
+index f67fdf3f..da77052a 100644
+--- a/core/backends/lan/socketlinereader.cpp
++++ b/core/backends/lan/socketlinereader.cpp
+@@ -38,14 +38,6 @@ void SocketLineReader::dataReceived()
+         }
+     }
+ 
+-    //If we still have things to read from the socket, call dataReceived again
+-    //We do this manually because we do not trust readyRead to be emitted again
+-    //So we call this method again just in case.
+-    if (m_socket->bytesAvailable() > 0) {
+-        QMetaObject::invokeMethod(this, "dataReceived", Qt::QueuedConnection);
+-        return;
+-    }
+-
+     //If we have any packets, tell it to the world.
+     if (!m_packets.isEmpty()) {
+         Q_EMIT readyRead();
+diff --git a/tests/testsocketlinereader.cpp b/tests/testsocketlinereader.cpp
+index 75584556..b6425b03 100644
+--- a/tests/testsocketlinereader.cpp
++++ b/tests/testsocketlinereader.cpp
+@@ -25,16 +25,19 @@
+ #include <QProcess>
+ #include <QEventLoop>
+ #include <QTimer>
++#include <QSignalSpy>
+ 
+ class TestSocketLineReader : public QObject
+ {
+     Q_OBJECT
+ public Q_SLOTS:
+-    void initTestCase();
++    void init();
++    void cleanup() { delete m_server; }
+     void newPacket();
+ 
+ private Q_SLOTS:
+     void socketLineReader();
++    void badData();
+ 
+ private:
+     QTimer m_timer;
+@@ -45,8 +48,9 @@ private:
+     SocketLineReader* m_reader;
+ };
+ 
+-void TestSocketLineReader::initTestCase()
++void TestSocketLineReader::init()
+ {
++    m_packets.clear();
+     m_server = new Server(this);
+ 
+     QVERIFY2(m_server->listen(QHostAddress::LocalHost, 8694), "Failed to create local tcp server");
+@@ -97,6 +101,29 @@ void TestSocketLineReader::socketLineReader()
+     }
+ }
+ 
++void TestSocketLineReader::badData()
++{
++    const QList<QByteArray> dataToSend = { "data1\n", "data" }; //does not end in a \n
++    for (const QByteArray& line : qAsConst(dataToSend)) {
++        m_conn->write(line);
++    }
++    m_conn->flush();
++
++    QSignalSpy spy(m_server, &QTcpServer::newConnection);
++    QVERIFY(m_server->hasPendingConnections() || spy.wait(1000));
++    QSslSocket* sock = m_server->nextPendingConnection();
++
++    QVERIFY2(sock != nullptr, "Could not open a connection to the client");
++
++    m_reader = new SocketLineReader(sock, this);
++    connect(m_reader, &SocketLineReader::readyRead, this, &TestSocketLineReader::newPacket);
++    m_timer.start();
++    m_loop.exec();
++
++    QCOMPARE(m_packets.count(), 1);
++    QCOMPARE(m_packets[0], dataToSend[0]);
++}
++
+ void TestSocketLineReader::newPacket()
+ {
+     if (!m_reader->bytesAvailable()) {
+-- 
+2.28.0
+
diff --git a/kde-misc/kdeconnect/files/kdeconnect-20.04.3-07-Limit-number-of-connected-sockets-from-unpaired-devi.patch b/kde-misc/kdeconnect/files/kdeconnect-20.04.3-07-Limit-number-of-connected-sockets-from-unpaired-devi.patch
new file mode 100644
index 000000000000..6a6bdb01cb96
--- /dev/null
+++ b/kde-misc/kdeconnect/files/kdeconnect-20.04.3-07-Limit-number-of-connected-sockets-from-unpaired-devi.patch
@@ -0,0 +1,42 @@
+From ae58b9dec49c809b85b5404cee17946116f8a706 Mon Sep 17 00:00:00 2001
+From: Albert Vaca Cintora <albertvaka@gmail.com>
+Date: Thu, 24 Sep 2020 17:13:34 +0200
+Subject: [PATCH 07/10] Limit number of connected sockets from unpaired devices
+
+Thanks Matthias Gerstner <mgerstner@suse.de> for reporting this.
+---
+ core/backends/lan/lanlinkprovider.cpp | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/core/backends/lan/lanlinkprovider.cpp b/core/backends/lan/lanlinkprovider.cpp
+index a4942c65..770e7866 100644
+--- a/core/backends/lan/lanlinkprovider.cpp
++++ b/core/backends/lan/lanlinkprovider.cpp
+@@ -46,6 +46,8 @@
+ 
+ #define MIN_VERSION_WITH_SSL_SUPPORT 6
+ 
++static const int MAX_UNPAIRED_CONNECTIONS = 42;
++
+ LanLinkProvider::LanLinkProvider(
+         bool testMode,
+         quint16 udpBroadcastPort,
+@@ -555,6 +557,15 @@ void LanLinkProvider::addLink(const QString& deviceId, QSslSocket* socket, Netwo
+         deviceLink->reset(socket, connectionOrigin);
+     } else {
+         deviceLink = new LanDeviceLink(deviceId, this, socket, connectionOrigin);
++        // Socket disconnection will now be handled by LanDeviceLink
++        disconnect(socket, &QAbstractSocket::disconnected, socket, &QObject::deleteLater);
++        bool isDeviceTrusted = KdeConnectConfig::instance().trustedDevices().contains(deviceId);
++        if (!isDeviceTrusted && m_links.size() > MAX_UNPAIRED_CONNECTIONS) {
++            qCWarning(KDECONNECT_CORE) << "Too many unpaired devices to remember them all. Ignoring " << deviceId;
++            socket->disconnectFromHost();
++            socket->deleteLater();
++            return;
++        }
+         connect(deviceLink, &QObject::destroyed, this, &LanLinkProvider::deviceLinkDestroyed);
+         m_links[deviceId] = deviceLink;
+         if (m_pairingHandlers.contains(deviceId)) {
+-- 
+2.28.0
+
diff --git a/kde-misc/kdeconnect/files/kdeconnect-20.04.3-08-Do-not-remember-more-than-a-few-identity-packets-at-.patch b/kde-misc/kdeconnect/files/kdeconnect-20.04.3-08-Do-not-remember-more-than-a-few-identity-packets-at-.patch
new file mode 100644
index 000000000000..36d612e9cbc1
--- /dev/null
+++ b/kde-misc/kdeconnect/files/kdeconnect-20.04.3-08-Do-not-remember-more-than-a-few-identity-packets-at-.patch
@@ -0,0 +1,54 @@
+From 66c768aa9e7fba30b119c8b801efd49ed1270b0a Mon Sep 17 00:00:00 2001
+From: Albert Vaca Cintora <albertvaka@gmail.com>
+Date: Thu, 24 Sep 2020 17:16:02 +0200
+Subject: [PATCH 08/10] Do not remember more than a few identity packets at a
+ time
+
+To prevent the kdeconnect process from using too much memory.
+
+Thanks Matthias Gerstner <mgerstner@suse.de> for reporting this.
+---
+ core/backends/lan/lanlinkprovider.cpp | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/core/backends/lan/lanlinkprovider.cpp b/core/backends/lan/lanlinkprovider.cpp
+index 770e7866..6afb8552 100644
+--- a/core/backends/lan/lanlinkprovider.cpp
++++ b/core/backends/lan/lanlinkprovider.cpp
+@@ -47,6 +47,7 @@
+ #define MIN_VERSION_WITH_SSL_SUPPORT 6
+ 
+ static const int MAX_UNPAIRED_CONNECTIONS = 42;
++static const int MAX_REMEMBERED_IDENTITY_PACKETS = 42;
+ 
+ LanLinkProvider::LanLinkProvider(
+         bool testMode,
+@@ -225,6 +226,12 @@ void LanLinkProvider::udpBroadcastReceived()
+ 
+         //qCDebug(KDECONNECT_CORE) << "Received Udp identity packet from" << sender << " asking for a tcp connection on port " << tcpPort;
+ 
++        if (m_receivedIdentityPackets.size() > MAX_REMEMBERED_IDENTITY_PACKETS) {
++            qCWarning(KDECONNECT_CORE) << "Too many remembered identities, ignoring" << receivedPacket->get<QString>(QStringLiteral("deviceId")) << "received via UDP";
++            delete receivedPacket;
++            continue;
++        }
++
+         QSslSocket* socket = new QSslSocket(this);
+         socket->setProxy(QNetworkProxy::NoProxy);
+         m_receivedIdentityPackets[socket].np = receivedPacket;
+@@ -435,6 +442,12 @@ void LanLinkProvider::dataReceived()
+         return;
+     }
+ 
++    if (m_receivedIdentityPackets.size() > MAX_REMEMBERED_IDENTITY_PACKETS) {
++        qCWarning(KDECONNECT_CORE) << "Too many remembered identities, ignoring" << np->get<QString>(QStringLiteral("deviceId")) << "received via TCP";
++        delete np;
++        return;
++    }
++
+     // Needed in "encrypted" if ssl is used, similar to "tcpSocketConnected"
+     m_receivedIdentityPackets[socket].np = np;
+ 
+-- 
+2.28.0
+
diff --git a/kde-misc/kdeconnect/files/kdeconnect-20.04.3-09-Limit-the-ports-we-try-to-connect-to-to-the-port-ran.patch b/kde-misc/kdeconnect/files/kdeconnect-20.04.3-09-Limit-the-ports-we-try-to-connect-to-to-the-port-ran.patch
new file mode 100644
index 000000000000..c108144632ca
--- /dev/null
+++ b/kde-misc/kdeconnect/files/kdeconnect-20.04.3-09-Limit-the-ports-we-try-to-connect-to-to-the-port-ran.patch
@@ -0,0 +1,32 @@
+From 85b691e40f525e22ca5cc4ebe79c361d71d7dc05 Mon Sep 17 00:00:00 2001
+From: Albert Vaca Cintora <albertvaka@gmail.com>
+Date: Thu, 24 Sep 2020 17:18:06 +0200
+Subject: [PATCH 09/10] Limit the ports we try to connect to to the port range
+ of KDE Connect
+
+So we can't trigger connections to other services.
+
+Thanks Matthias Gerstner <mgerstner@suse.de> for reporting this.
+---
+ core/backends/lan/lanlinkprovider.cpp | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/core/backends/lan/lanlinkprovider.cpp b/core/backends/lan/lanlinkprovider.cpp
+index 6afb8552..f3d6801d 100644
+--- a/core/backends/lan/lanlinkprovider.cpp
++++ b/core/backends/lan/lanlinkprovider.cpp
+@@ -223,6 +223,11 @@ void LanLinkProvider::udpBroadcastReceived()
+         }
+ 
+         int tcpPort = receivedPacket->get<int>(QStringLiteral("tcpPort"));
++        if (tcpPort < MIN_TCP_PORT || tcpPort > MAX_TCP_PORT) {
++            qCDebug(KDECONNECT_CORE) << "TCP port outside of kdeconnect's range";
++            delete receivedPacket;
++            continue;
++        }
+ 
+         //qCDebug(KDECONNECT_CORE) << "Received Udp identity packet from" << sender << " asking for a tcp connection on port " << tcpPort;
+ 
+-- 
+2.28.0
+
diff --git a/kde-misc/kdeconnect/files/kdeconnect-20.04.3-10-Do-not-replace-connections-for-a-given-deviceId-if-t.patch b/kde-misc/kdeconnect/files/kdeconnect-20.04.3-10-Do-not-replace-connections-for-a-given-deviceId-if-t.patch
new file mode 100644
index 000000000000..d10f0193dacc
--- /dev/null
+++ b/kde-misc/kdeconnect/files/kdeconnect-20.04.3-10-Do-not-replace-connections-for-a-given-deviceId-if-t.patch
@@ -0,0 +1,58 @@
+From 48180b46552d40729a36b7431e97bbe2b5379306 Mon Sep 17 00:00:00 2001
+From: Albert Vaca Cintora <albertvaka@gmail.com>
+Date: Thu, 24 Sep 2020 18:46:57 +0200
+Subject: [PATCH 10/10] Do not replace connections for a given deviceId if the
+ certs have changed
+
+Thanks Matthias Gerstner <mgerstner@suse.de> for reporting this.
+---
+ core/backends/lan/landevicelink.cpp   | 5 +++++
+ core/backends/lan/landevicelink.h     | 1 +
+ core/backends/lan/lanlinkprovider.cpp | 6 ++++++
+ 3 files changed, 12 insertions(+)
+
+diff --git a/core/backends/lan/landevicelink.cpp b/core/backends/lan/landevicelink.cpp
+index 8a65fb92..41af6f0e 100644
+--- a/core/backends/lan/landevicelink.cpp
++++ b/core/backends/lan/landevicelink.cpp
+@@ -192,3 +192,8 @@ bool LanDeviceLink::linkShouldBeKeptAlive() {
+     //return (mConnectionSource == ConnectionStarted::Remotely || pairStatus() == Paired);
+ 
+ }
++
++QSslCertificate LanDeviceLink::certificate() const
++{
++    return m_socketLineReader->peerCertificate();
++}
+diff --git a/core/backends/lan/landevicelink.h b/core/backends/lan/landevicelink.h
+index 28f63db2..485c58b5 100644
+--- a/core/backends/lan/landevicelink.h
++++ b/core/backends/lan/landevicelink.h
+@@ -56,6 +56,7 @@ public:
+     bool linkShouldBeKeptAlive() override;
+ 
+     QHostAddress hostAddress() const;
++    QSslCertificate certificate() const;
+ 
+ private Q_SLOTS:
+     void dataReceived();
+diff --git a/core/backends/lan/lanlinkprovider.cpp b/core/backends/lan/lanlinkprovider.cpp
+index f3d6801d..372cdc8f 100644
+--- a/core/backends/lan/lanlinkprovider.cpp
++++ b/core/backends/lan/lanlinkprovider.cpp
+@@ -345,6 +345,12 @@ void LanLinkProvider::encrypted()
+     NetworkPacket* receivedPacket = m_receivedIdentityPackets[socket].np;
+     const QString& deviceId = receivedPacket->get<QString>(QStringLiteral("deviceId"));
+ 
++    if (m_links.contains(deviceId) && m_links[deviceId]->certificate() != socket->peerCertificate()) {
++        socket->disconnectFromHost();
++        qCWarning(KDECONNECT_CORE) << "Got connection for the same deviceId but certificates don't match. Ignoring " << deviceId;
++        return;
++    }
++
+     addLink(deviceId, socket, receivedPacket, connectionOrigin);
+ 
+     // Copied from tcpSocketConnected slot, now delete received packet
+-- 
+2.28.0
+
diff --git a/kde-misc/kdeconnect/kdeconnect-20.04.3-r1.ebuild b/kde-misc/kdeconnect/kdeconnect-20.04.3-r1.ebuild
new file mode 100644
index 000000000000..1729d66f2f84
--- /dev/null
+++ b/kde-misc/kdeconnect/kdeconnect-20.04.3-r1.ebuild
@@ -0,0 +1,98 @@
+# Copyright 1999-2020 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+ECM_HANDBOOK="optional"
+ECM_TEST="true"
+KDE_ORG_NAME="${PN}-kde"
+KDE_RELEASE_SERVICE="true"
+KDE_SELINUX_MODULE="${PN}"
+KFMIN=5.70.0
+QTMIN=5.14.2
+inherit ecm kde.org
+
+DESCRIPTION="Adds communication between KDE Plasma and your smartphone"
+HOMEPAGE="https://kdeconnect.kde.org/
+https://kde.org/applications/en/kdeconnect.kcm"
+
+LICENSE="GPL-2+"
+SLOT="5"
+KEYWORDS="~amd64 ~arm64 ~x86"
+IUSE="bluetooth pulseaudio wayland X"
+
+DEPEND="
+	>=app-crypt/qca-2.3.0:2[ssl]
+	>=dev-qt/qtdbus-${QTMIN}:5
+	>=dev-qt/qtdeclarative-${QTMIN}:5
+	>=dev-qt/qtgui-${QTMIN}:5
+	>=dev-qt/qtmultimedia-${QTMIN}:5
+	>=dev-qt/qtnetwork-${QTMIN}:5
+	>=dev-qt/qtwidgets-${QTMIN}:5
+	>=kde-frameworks/kcmutils-${KFMIN}:5
+	>=kde-frameworks/kconfig-${KFMIN}:5
+	>=kde-frameworks/kconfigwidgets-${KFMIN}:5
+	>=kde-frameworks/kcoreaddons-${KFMIN}:5
+	>=kde-frameworks/kdbusaddons-${KFMIN}:5
+	>=kde-frameworks/ki18n-${KFMIN}:5
+	>=kde-frameworks/kiconthemes-${KFMIN}:5
+	>=kde-frameworks/kio-${KFMIN}:5
+	>=kde-frameworks/kirigami-${KFMIN}:5
+	>=kde-frameworks/knotifications-${KFMIN}:5
+	>=kde-frameworks/kpeople-${KFMIN}:5
+	>=kde-frameworks/kservice-${KFMIN}:5
+	>=kde-frameworks/kwidgetsaddons-${KFMIN}:5
+	>=kde-frameworks/plasma-${KFMIN}:5
+	bluetooth? ( >=dev-qt/qtbluetooth-${QTMIN}:5 )
+	X? (
+		>=dev-qt/qtx11extras-${QTMIN}:5
+		x11-libs/libfakekey
+		x11-libs/libX11
+		x11-libs/libXtst
+	)
+	pulseaudio? ( media-libs/pulseaudio-qt )
+	wayland? ( >=kde-frameworks/kwayland-${KFMIN}:5 )
+"
+RDEPEND="${DEPEND}
+	dev-libs/kpeoplevcard
+	>=dev-qt/qtgraphicaleffects-${QTMIN}:5
+	>=dev-qt/qtquickcontrols2-${QTMIN}:5
+	>=kde-frameworks/kdeclarative-${KFMIN}:5
+	net-fs/sshfs
+"
+
+RESTRICT+=" test"
+
+PATCHES=(
+	# CVE-2020-26164, bug 746401
+	"${FILESDIR}"/${P}-01-Do-not-ignore-SSL-errors-except-for-self-signed-cert.patch
+	"${FILESDIR}"/${P}-02-Do-not-leak-the-local-user-in-the-device-name.patch
+	"${FILESDIR}"/${P}-03-Fix-use-after-free-in-LanLinkProvider-connectError.patch
+	"${FILESDIR}"/${P}-04-Limit-identity-packets-to-8KiB.patch
+	"${FILESDIR}"/${P}-05-Do-not-let-lanlink-connections-stay-open-for-long-wi.patch
+	"${FILESDIR}"/${P}-06-Don-t-brute-force-reading-the-socket.patch
+	"${FILESDIR}"/${P}-07-Limit-number-of-connected-sockets-from-unpaired-devi.patch
+	"${FILESDIR}"/${P}-08-Do-not-remember-more-than-a-few-identity-packets-at-.patch
+	"${FILESDIR}"/${P}-09-Limit-the-ports-we-try-to-connect-to-to-the-port-ran.patch
+	"${FILESDIR}"/${P}-10-Do-not-replace-connections-for-a-given-deviceId-if-t.patch
+)
+
+src_configure() {
+	local mycmakeargs=(
+		-DBLUETOOTH_ENABLED=$(usex bluetooth)
+		$(cmake_use_find_package pulseaudio KF5PulseAudioQt)
+		$(cmake_use_find_package wayland KF5Wayland)
+		$(cmake_use_find_package X LibFakeKey)
+	)
+
+	ecm_src_configure
+}
+
+pkg_postinst(){
+	ecm_pkg_postinst
+
+	elog "The Android .apk file is available via"
+	elog "https://play.google.com/store/apps/details?id=org.kde.kdeconnect_tp"
+	elog "or via"
+	elog "https://f-droid.org/repository/browse/?fdid=org.kde.kdeconnect_tp"
+}
diff --git a/kde-misc/kdeconnect/kdeconnect-20.08.1-r1.ebuild b/kde-misc/kdeconnect/kdeconnect-20.08.1-r1.ebuild
new file mode 100644
index 000000000000..a43c4f2bd59f
--- /dev/null
+++ b/kde-misc/kdeconnect/kdeconnect-20.08.1-r1.ebuild
@@ -0,0 +1,99 @@
+# Copyright 1999-2020 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+ECM_HANDBOOK="optional"
+ECM_TEST="true"
+KDE_ORG_NAME="${PN}-kde"
+KDE_RELEASE_SERVICE="true"
+KDE_SELINUX_MODULE="${PN}"
+KFMIN=5.72.0
+QTMIN=5.14.2
+inherit ecm kde.org
+
+DESCRIPTION="Adds communication between KDE Plasma and your smartphone"
+HOMEPAGE="https://kdeconnect.kde.org/
+https://kde.org/applications/en/kdeconnect.kcm"
+
+LICENSE="GPL-2+"
+SLOT="5"
+KEYWORDS="~amd64 ~arm64 ~x86"
+IUSE="bluetooth pulseaudio wayland X"
+
+DEPEND="
+	>=app-crypt/qca-2.3.0:2[ssl]
+	>=dev-qt/qtdbus-${QTMIN}:5
+	>=dev-qt/qtdeclarative-${QTMIN}:5
+	>=dev-qt/qtgui-${QTMIN}:5
+	>=dev-qt/qtmultimedia-${QTMIN}:5
+	>=dev-qt/qtnetwork-${QTMIN}:5
+	>=dev-qt/qtwidgets-${QTMIN}:5
+	>=kde-frameworks/kcmutils-${KFMIN}:5
+	>=kde-frameworks/kconfig-${KFMIN}:5
+	>=kde-frameworks/kconfigwidgets-${KFMIN}:5
+	>=kde-frameworks/kcoreaddons-${KFMIN}:5
+	>=kde-frameworks/kdbusaddons-${KFMIN}:5
+	>=kde-frameworks/ki18n-${KFMIN}:5
+	>=kde-frameworks/kiconthemes-${KFMIN}:5
+	>=kde-frameworks/kio-${KFMIN}:5
+	>=kde-frameworks/kirigami-${KFMIN}:5
+	>=kde-frameworks/knotifications-${KFMIN}:5
+	>=kde-frameworks/kpeople-${KFMIN}:5
+	>=kde-frameworks/kservice-${KFMIN}:5
+	>=kde-frameworks/kwidgetsaddons-${KFMIN}:5
+	>=kde-frameworks/plasma-${KFMIN}:5
+	>=kde-frameworks/solid-${KFMIN}:5
+	bluetooth? ( >=dev-qt/qtbluetooth-${QTMIN}:5 )
+	X? (
+		>=dev-qt/qtx11extras-${QTMIN}:5
+		x11-libs/libfakekey
+		x11-libs/libX11
+		x11-libs/libXtst
+	)
+	pulseaudio? ( media-libs/pulseaudio-qt )
+	wayland? ( >=kde-frameworks/kwayland-${KFMIN}:5 )
+"
+RDEPEND="${DEPEND}
+	dev-libs/kpeoplevcard
+	>=dev-qt/qtgraphicaleffects-${QTMIN}:5
+	>=dev-qt/qtquickcontrols2-${QTMIN}:5
+	>=kde-frameworks/kdeclarative-${KFMIN}:5
+	net-fs/sshfs
+"
+
+RESTRICT+=" test"
+
+PATCHES=(
+	# CVE-2020-26164, bug 746401
+	"${FILESDIR}"/${PN}-20.04.3-01-Do-not-ignore-SSL-errors-except-for-self-signed-cert.patch
+	"${FILESDIR}"/${PN}-20.04.3-02-Do-not-leak-the-local-user-in-the-device-name.patch
+	"${FILESDIR}"/${PN}-20.04.3-03-Fix-use-after-free-in-LanLinkProvider-connectError.patch
+	"${FILESDIR}"/${PN}-20.04.3-04-Limit-identity-packets-to-8KiB.patch
+	"${FILESDIR}"/${PN}-20.04.3-05-Do-not-let-lanlink-connections-stay-open-for-long-wi.patch
+	"${FILESDIR}"/${PN}-20.04.3-06-Don-t-brute-force-reading-the-socket.patch
+	"${FILESDIR}"/${PN}-20.04.3-07-Limit-number-of-connected-sockets-from-unpaired-devi.patch
+	"${FILESDIR}"/${PN}-20.04.3-08-Do-not-remember-more-than-a-few-identity-packets-at-.patch
+	"${FILESDIR}"/${PN}-20.04.3-09-Limit-the-ports-we-try-to-connect-to-to-the-port-ran.patch
+	"${FILESDIR}"/${PN}-20.04.3-10-Do-not-replace-connections-for-a-given-deviceId-if-t.patch
+)
+
+src_configure() {
+	local mycmakeargs=(
+		-DBLUETOOTH_ENABLED=$(usex bluetooth)
+		$(cmake_use_find_package pulseaudio KF5PulseAudioQt)
+		$(cmake_use_find_package wayland KF5Wayland)
+		$(cmake_use_find_package X LibFakeKey)
+	)
+
+	ecm_src_configure
+}
+
+pkg_postinst(){
+	ecm_pkg_postinst
+
+	elog "The Android .apk file is available via"
+	elog "https://play.google.com/store/apps/details?id=org.kde.kdeconnect_tp"
+	elog "or via"
+	elog "https://f-droid.org/repository/browse/?fdid=org.kde.kdeconnect_tp"
+}