
Bug#1036867: unblock: qt6-base/6.4.2+dfsg-10



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: deltaone@debian.org,debian-qt-kde@lists.debian.org

Please unblock package qt6-base

[ Reason ]
Fixes CVE-2023-33285 by preventing a buffer overflow.

[ Impact ]
Lack of security fixes.

[ Tests ]
Tested by upstream, do not break API/ABI, seems safe.

[ Risks ]
None that I can think of.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock qt6-base/6.4.2+dfsg-10
diffstat for qt6-base-6.4.2+dfsg qt6-base-6.4.2+dfsg

 changelog                   |    7 ++++
 patches/cve-2023-33285.diff |   70 ++++++++++++++++++++++++++++++++++++++++++++
 patches/series              |    3 +
 3 files changed, 79 insertions(+), 1 deletion(-)

diff -Nru qt6-base-6.4.2+dfsg/debian/changelog qt6-base-6.4.2+dfsg/debian/changelog
--- qt6-base-6.4.2+dfsg/debian/changelog	2023-05-22 16:40:45.000000000 +0200
+++ qt6-base-6.4.2+dfsg/debian/changelog	2023-05-28 10:41:24.000000000 +0200
@@ -1,3 +1,10 @@
+qt6-base (6.4.2+dfsg-10) unstable; urgency=medium
+
+  [ Patrick Franz ]
+  * Add patch to fix CVE-2023-33285 (Closes: #1036848).
+
+ -- Patrick Franz <deltaone@debian.org>  Sun, 28 May 2023 10:41:24 +0200
+
 qt6-base (6.4.2+dfsg-9) unstable; urgency=medium
 
   * Team upload.
diff -Nru qt6-base-6.4.2+dfsg/debian/patches/cve-2023-33285.diff qt6-base-6.4.2+dfsg/debian/patches/cve-2023-33285.diff
--- qt6-base-6.4.2+dfsg/debian/patches/cve-2023-33285.diff	1970-01-01 01:00:00.000000000 +0100
+++ qt6-base-6.4.2+dfsg/debian/patches/cve-2023-33285.diff	2023-05-28 10:40:55.000000000 +0200
@@ -0,0 +1,70 @@
+diff --git a/src/network/kernel/qdnslookup_unix.cpp b/src/network/kernel/qdnslookup_unix.cpp
+index 75f7c6c440..de0113494f 100644
+--- a/src/network/kernel/qdnslookup_unix.cpp
++++ b/src/network/kernel/qdnslookup_unix.cpp
+@@ -193,7 +193,6 @@ void QDnsLookupRunnable::query(const int requestType, const QByteArray &requestN
+     // responseLength in case of error, we still can extract the
+     // exact error code from the response.
+     HEADER *header = (HEADER*)response;
+-    const int answerCount = ntohs(header->ancount);
+     switch (header->rcode) {
+     case NOERROR:
+         break;
+@@ -226,18 +225,31 @@ void QDnsLookupRunnable::query(const int requestType, const QByteArray &requestN
+         return;
+     }
+
+-    // Skip the query host, type (2 bytes) and class (2 bytes).
+     char host[PACKETSZ], answer[PACKETSZ];
+     unsigned char *p = response + sizeof(HEADER);
+-    int status = local_dn_expand(response, response + responseLength, p, host, sizeof(host));
+-    if (status < 0) {
++    int status;
++
++    if (ntohs(header->qdcount) == 1) {
++        // Skip the query host, type (2 bytes) and class (2 bytes).
++        status = local_dn_expand(response, response + responseLength, p, host, sizeof(host));
++        if (status < 0) {
++            reply->error = QDnsLookup::InvalidReplyError;
++            reply->errorString = tr("Could not expand domain name");
++            return;
++        }
++        if ((p - response) + status + 4 >= responseLength)
++            header->qdcount = 0xffff;   // invalid reply below
++        else
++            p += status + 4;
++    }
++    if (ntohs(header->qdcount) > 1) {
+         reply->error = QDnsLookup::InvalidReplyError;
+-        reply->errorString = tr("Could not expand domain name");
++        reply->errorString = tr("Invalid reply received");
+         return;
+     }
+-    p += status + 4;
+
+     // Extract results.
++    const int answerCount = ntohs(header->ancount);
+     int answerIndex = 0;
+     while ((p < response + responseLength) && (answerIndex < answerCount)) {
+         status = local_dn_expand(response, response + responseLength, p, host, sizeof(host));
+@@ -249,6 +261,11 @@ void QDnsLookupRunnable::query(const int requestType, const QByteArray &requestN
+         const QString name = QUrl::fromAce(host);
+
+         p += status;
++
++        if ((p - response) + 10 > responseLength) {
++            // probably just a truncated reply, return what we have
++            return;
++        }
+         const quint16 type = (p[0] << 8) | p[1];
+         p += 2; // RR type
+         p += 2; // RR class
+@@ -256,6 +273,8 @@ void QDnsLookupRunnable::query(const int requestType, const QByteArray &requestN
+         p += 4;
+         const quint16 size = (p[0] << 8) | p[1];
+         p += 2;
++        if ((p - response) + size > responseLength)
++            return;             // truncated
+
+         if (type == QDnsLookup::A) {
+             if (size != 4) {
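Review bot: The bounds failure in the qdcount == 1 branch is signalled by overwriting `header->qdcount = 0xffff` in the response buffer so that the following `if (ntohs(header->qdcount) > 1)` fires, which uses parsed wire data as a control-flow flag and is easy to misread when the two checks drift apart. A local flag keeps the same behaviour and reads directly: declare `bool invalidReply = ntohs(header->qdcount) > 1;` before the branch, replace the sentinel store with `invalidReply = true;   // question section runs past the reply`, and change the later condition to `if (invalidReply) {`. Separately, the `>=` in `(p - response) + status + 4 >= responseLength` also rejects a reply whose question section ends exactly at responseLength with no answer records; whether such a NOERROR reply should surface as InvalidReplyError rather than an empty result is worth confirming against the callers. QDnsLookupRunnable::query begins before this hunk and continues after it.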
diff -Nru qt6-base-6.4.2+dfsg/debian/patches/series qt6-base-6.4.2+dfsg/debian/patches/series
--- qt6-base-6.4.2+dfsg/debian/patches/series	2023-05-22 16:37:22.000000000 +0200
+++ qt6-base-6.4.2+dfsg/debian/patches/series	2023-05-28 10:22:01.000000000 +0200
@@ -1,6 +1,7 @@
-# fixed in 6.5
+# fixed in 6.5.1
 cve-2023-32762.diff
 cve-2023-32763.diff
+cve-2023-33285.diff
 upstream_Add-HPPA-detection.patch
 upstream_Add-M68k-detection.patch
 
