
Bug#1036564: unblock: qt6-base/6.4.2+dfsg-9



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: qt6-base@packages.debian.org, deltaone@debian.org, lisandro@debian.org
Control: affects -1 + src:qt6-base

Please unblock package qt6-base

[ Reason ]
Fixes CVE-2023-32762 and CVE-2023-32763. One prevents a crash with SVG
(not related to the one in qtsvg-opensource-src) and the other one is
related to the parsing of a security header in the network module.

[ Impact ]
Lack of security fixes.

[ Tests ]
Tested by upstream, do not break API/ABI, seems safe.

[ Risks ]
None that I can think of.

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

unblock qt6-base/6.4.2+dfsg-9
diff --git a/debian/changelog b/debian/changelog
index b117abd..85ce31b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,18 @@
+qt6-base (6.4.2+dfsg-9) unstable; urgency=medium
+
+  * Team upload.
+  * Add a patch to fix CVE-2023-32762.
+
+ -- Lisandro Damián Nicanor Pérez Meyer <lisandro@debian.org>  Mon, 22 May 2023 11:40:45 -0300
+
+qt6-base (6.4.2+dfsg-8) unstable; urgency=medium
+
+  * Team upload.
+  * Add patch for solving CVE-2023-32763.
+  * Refresh patches.
+
+ -- Lisandro Damián Nicanor Pérez Meyer <lisandro@debian.org>  Mon, 22 May 2023 10:42:21 -0300
+
 qt6-base (6.4.2+dfsg-7) unstable; urgency=medium
 
   [ Patrick Franz ]
diff --git a/debian/patches/armel-noyield.patch b/debian/patches/armel-noyield.patch
index 37061fb..74b1ae2 100644
--- a/debian/patches/armel-noyield.patch
+++ b/debian/patches/armel-noyield.patch
@@ -1,8 +1,12 @@
 Description: Don't use yield on CPUs that might not support it
 
+---
+ src/corelib/global/qsimd_p.h |    2 ++
+ 1 file changed, 2 insertions(+)
+
 --- a/src/corelib/global/qsimd_p.h
 +++ b/src/corelib/global/qsimd_p.h
-@@ -428,7 +428,9 @@ static inline void qYieldCpu()
+@@ -401,7 +401,9 @@ static inline void qYieldCpu()
           https://stackoverflow.com/a/70076751/134841
           https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105416
      */
diff --git a/debian/patches/build_path_embedded_qtbuildinternalsextra_cmake.patch b/debian/patches/build_path_embedded_qtbuildinternalsextra_cmake.patch
index 2ab0f5e..bf93bca 100644
--- a/debian/patches/build_path_embedded_qtbuildinternalsextra_cmake.patch
+++ b/debian/patches/build_path_embedded_qtbuildinternalsextra_cmake.patch
@@ -9,22 +9,18 @@ and causes reproducibility issues when built in different paths.
 
 https://reproducible-builds.org/docs/build-path/
 ---
- cmake/QtBuildInternalsExtra.cmake.in | 3 ---
+ cmake/QtBuildInternalsExtra.cmake.in |    3 ---
  1 file changed, 3 deletions(-)
 
-diff --git a/cmake/QtBuildInternalsExtra.cmake.in b/cmake/QtBuildInternalsExtra.cmake.in
-index cbd70b1..23b2391 100644
 --- a/cmake/QtBuildInternalsExtra.cmake.in
 +++ b/cmake/QtBuildInternalsExtra.cmake.in
-@@ -53,9 +53,6 @@ endif()
+@@ -75,9 +75,6 @@ endif()
  set(QT_WILL_INSTALL @QT_WILL_INSTALL@ CACHE BOOL
      "Boolean indicating if doing a Qt prefix build (vs non-prefix build)." FORCE)
-
+ 
 -set(QT_SOURCE_TREE "@QT_SOURCE_TREE@" CACHE PATH
 -"A path to the source tree of the previously configured QtBase project." FORCE)
 -
  # Propagate decision of building tests and examples to other repositories.
  set(QT_BUILD_TESTS @QT_BUILD_TESTS@ CACHE BOOL "Build the testing tree.")
  set(QT_BUILD_EXAMPLES @QT_BUILD_EXAMPLES@ CACHE BOOL "Build Qt examples")
---
-2.35.1
diff --git a/debian/patches/cross.patch b/debian/patches/cross.patch
index 1a7ebd3..239c803 100644
--- a/debian/patches/cross.patch
+++ b/debian/patches/cross.patch
@@ -1,6 +1,11 @@
+---
+ cmake/QtBuildInternals/QtBuildInternalsConfig.cmake |    2 --
+ src/tools/configure.cmake                           |    2 +-
+ 2 files changed, 1 insertion(+), 3 deletions(-)
+
 --- a/cmake/QtBuildInternals/QtBuildInternalsConfig.cmake
 +++ b/cmake/QtBuildInternals/QtBuildInternalsConfig.cmake
-@@ -146,8 +146,6 @@
+@@ -151,8 +151,6 @@ function(qt_build_internals_disable_pkg_
      set(FEATURE_pkg_config "${pkg_config_enabled}" CACHE STRING "Using pkg-config")
      if(NOT pkg_config_enabled)
          qt_build_internals_disable_pkg_config()
@@ -11,7 +16,7 @@
  
 --- a/src/tools/configure.cmake
 +++ b/src/tools/configure.cmake
-@@ -2,7 +2,7 @@
+@@ -2,7 +2,7 @@ qt_feature("androiddeployqt" PRIVATE
      SECTION "Deployment"
      LABEL "Android deployment tool"
      PURPOSE "The Android deployment tool automates the process of creating Android packages."
diff --git a/debian/patches/cve-2023-32762.diff b/debian/patches/cve-2023-32762.diff
new file mode 100644
index 0000000..92b76fa
--- /dev/null
+++ b/debian/patches/cve-2023-32762.diff
@@ -0,0 +1,15 @@
+---
+ src/network/access/qhsts.cpp |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/src/network/access/qhsts.cpp
++++ b/src/network/access/qhsts.cpp
+@@ -328,7 +328,7 @@ bool QHstsHeaderParser::parse(const QLis
+ {
+     for (const auto &h : headers) {
+         // We use '==' since header name was already 'trimmed' for us:
+-        if (h.first == "Strict-Transport-Security") {
++        if (h.first.compare("Strict-Transport-Security", Qt::CaseInsensitive) == 0) {
+             header = h.second;
+             // RFC6797, 8.1:
+             //
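Review bot: The context comment `// We use '==' since header name was already 'trimmed' for us:` directly above the changed condition is stale once this patch applies, because the comparison is no longer `==`. It should say why the match is case-insensitive, e.g. `// Header names are case-insensitive (RFC 7230, 3.2); the name was already trimmed for us:`. That reason matters to the next reader: with the old exact match, a server sending the header name in different casing would have its HSTS policy silently ignored. The patch file also has no DEP-3 header (Description/Origin naming the upstream commit), and debian/patches/series lists it under `# fixed in 6.5`, which is worth confirming so the fix is not dropped too early on a later upstream update. `QHstsHeaderParser::parse` continues outside the hunk.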
diff --git a/debian/patches/cve-2023-32763.diff b/debian/patches/cve-2023-32763.diff
new file mode 100644
index 0000000..4d0f5f9
--- /dev/null
+++ b/debian/patches/cve-2023-32763.diff
@@ -0,0 +1,58 @@
+---
+ src/gui/painting/qfixed_p.h  |   17 +++++++++++++++++
+ src/gui/text/qtextlayout.cpp |    9 ++++++---
+ 2 files changed, 23 insertions(+), 3 deletions(-)
+
+--- a/src/gui/painting/qfixed_p.h
++++ b/src/gui/painting/qfixed_p.h
+@@ -18,6 +18,7 @@
+ #include <QtGui/private/qtguiglobal_p.h>
+ #include "QtCore/qdebug.h"
+ #include "QtCore/qpoint.h"
++#include "QtCore/qnumeric.h"
+ #include "QtCore/qsize.h"
+ 
+ QT_BEGIN_NAMESPACE
+@@ -136,6 +137,22 @@ constexpr inline QFixed operator+(uint i
+ constexpr inline QFixed operator-(uint i, QFixed d) { return -(d-i); }
+ // constexpr inline QFixed operator*(qreal d, QFixed d2) { return d2*d; }
+ 
++inline bool qAddOverflow(QFixed v1, QFixed v2, QFixed *r)
++{
++    int val;
++    bool result = qAddOverflow(v1.value(), v2.value(), &val);
++    r->setValue(val);
++    return result;
++}
++
++inline bool qMulOverflow(QFixed v1, QFixed v2, QFixed *r)
++{
++    int val;
++    bool result = qMulOverflow(v1.value(), v2.value(), &val);
++    r->setValue(val);
++    return result;
++}
++
+ #ifndef QT_NO_DEBUG_STREAM
+ inline QDebug &operator<<(QDebug &dbg, QFixed f)
+ { return dbg << f.toReal(); }
+--- a/src/gui/text/qtextlayout.cpp
++++ b/src/gui/text/qtextlayout.cpp
+@@ -2105,11 +2105,14 @@ found:
+         eng->maxWidth = qMax(eng->maxWidth, line.textWidth);
+     } else {
+         eng->minWidth = qMax(eng->minWidth, lbh.minw);
+-        eng->maxWidth += line.textWidth;
++        if (qAddOverflow(eng->maxWidth, line.textWidth, &eng->maxWidth))
++            eng->maxWidth = QFIXED_MAX;
+     }
+ 
+-    if (line.textWidth > 0 && item < eng->layoutData->items.size())
+-        eng->maxWidth += lbh.spaceData.textWidth;
++    if (line.textWidth > 0 && item < eng->layoutData->items.size()) {
++        if (qAddOverflow(eng->maxWidth, lbh.spaceData.textWidth, &eng->maxWidth))
++            eng->maxWidth = QFIXED_MAX;
++    }
+ 
+     line.textWidth += trailingSpace;
+     if (lbh.spaceData.length) {
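Review bot: The statement `line.textWidth += trailingSpace;` in the trailing context of the qtextlayout.cpp hunk is still an unchecked QFixed `+=`, the same pattern this patch replaces twice for `eng->maxWidth`. If both operands can come from the same untrusted document text, it would be worth guarding the same way: `if (qAddOverflow(line.textWidth, trailingSpace, &line.textWidth)) line.textWidth = QFIXED_MAX;`. Separately, the new `qMulOverflow(QFixed, QFixed, QFixed *)` helper is not called anywhere in this patch and multiplies the raw `value()` integers, which (assuming QFixed's `operator*` rescales its fixed-point product) is not the same result. A comment such as `// operates on raw values; the result is not rescaled like operator*` would keep a later caller from misusing it. Both clamps also saturate to `QFIXED_MAX` regardless of sign, which is only right if these widths are never negative; the enclosing function starts and ends outside the hunk.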
diff --git a/debian/patches/series b/debian/patches/series
index 9cc6c0b..5403fd0 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,4 +1,6 @@
 # fixed in 6.5
+cve-2023-32762.diff
+cve-2023-32763.diff
 upstream_Add-HPPA-detection.patch
 upstream_Add-M68k-detection.patch
 
diff --git a/debian/patches/upstream_Add-HPPA-detection.patch b/debian/patches/upstream_Add-HPPA-detection.patch
index 97acf71..5e3bd79 100644
--- a/debian/patches/upstream_Add-HPPA-detection.patch
+++ b/debian/patches/upstream_Add-HPPA-detection.patch
@@ -9,10 +9,10 @@ Subject: [PATCH] Add HPPA detection
 Change-Id: I5214ce64ef1fdd0ecca3d6c1694c5db9b2852a22
 Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
 ---
- src/corelib/global/archdetect.cpp           | 2 ++
- src/corelib/global/qprocessordetection.h    | 9 +++++++++
- src/corelib/global/qprocessordetection.qdoc | 9 +++++++++
- src/corelib/plugin/qelfparser_p.cpp         | 3 +++
+ src/corelib/global/archdetect.cpp        |    2 ++
+ src/corelib/global/qglobal.cpp           |    9 +++++++++
+ src/corelib/global/qprocessordetection.h |    9 +++++++++
+ src/corelib/plugin/qelfparser_p.cpp      |    3 +++
  4 files changed, 23 insertions(+)
 
 --- a/src/corelib/global/archdetect.cpp
@@ -46,7 +46,7 @@ Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
      X86 is little-endian.
 --- a/src/corelib/plugin/qelfparser_p.cpp
 +++ b/src/corelib/plugin/qelfparser_p.cpp
-@@ -113,6 +113,8 @@ struct ElfMachineCheck
+@@ -118,6 +118,8 @@ struct ElfMachineCheck
              EM_AARCH64
  #elif defined(Q_PROCESSOR_BLACKFIN)
              EM_BLACKFIN
@@ -55,7 +55,7 @@ Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
  #elif defined(Q_PROCESSOR_IA64)
              EM_IA_64
  #elif defined(Q_PROCESSOR_MIPS)
-@@ -380,6 +382,7 @@ Q_DECL_UNUSED Q_DECL_COLD_FUNCTION stati
+@@ -383,6 +385,7 @@ Q_DECL_UNUSED Q_DECL_COLD_FUNCTION stati
  #endif
      case EM_IA_64:      d << ", IA-64"; break;
      case EM_MIPS:       d << ", MIPS"; break;
diff --git a/debian/patches/upstream_Add-M68k-detection.patch b/debian/patches/upstream_Add-M68k-detection.patch
index e595adc..9df96b4 100644
--- a/debian/patches/upstream_Add-M68k-detection.patch
+++ b/debian/patches/upstream_Add-M68k-detection.patch
@@ -10,10 +10,10 @@ Subject: [PATCH] Add M68k detection
 Change-Id: Ie5694abbe1ae2bfeb5692defba0ca6062c1d60ac
 Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
 ---
- src/corelib/global/archdetect.cpp           | 2 ++
- src/corelib/global/qprocessordetection.h    | 9 +++++++++
- src/corelib/global/qprocessordetection.qdoc | 9 +++++++++
- src/corelib/plugin/qelfparser_p.cpp         | 3 +++
+ src/corelib/global/archdetect.cpp        |    2 ++
+ src/corelib/global/qglobal.cpp           |    9 +++++++++
+ src/corelib/global/qprocessordetection.h |    9 +++++++++
+ src/corelib/plugin/qelfparser_p.cpp      |    3 +++
  4 files changed, 23 insertions(+)
 
 --- a/src/corelib/global/archdetect.cpp
@@ -47,7 +47,7 @@ Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
      MIPS is bi-endian, use endianness auto-detection implemented below.
 --- a/src/corelib/plugin/qelfparser_p.cpp
 +++ b/src/corelib/plugin/qelfparser_p.cpp
-@@ -117,6 +117,8 @@ struct ElfMachineCheck
+@@ -122,6 +122,8 @@ struct ElfMachineCheck
              EM_PARISC
  #elif defined(Q_PROCESSOR_IA64)
              EM_IA_64
@@ -56,7 +56,7 @@ Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
  #elif defined(Q_PROCESSOR_MIPS)
              EM_MIPS
  #elif defined(Q_PROCESSOR_POWER_32)
-@@ -375,6 +377,7 @@ Q_DECL_UNUSED Q_DECL_COLD_FUNCTION stati
+@@ -378,6 +380,7 @@ Q_DECL_UNUSED Q_DECL_COLD_FUNCTION stati
      switch (r.machine) {
      // list definitely not exhaustive!
      case EM_NONE:       d << ", no machine"; break;
