Bug#1036867: unblock: qt6-base/6.4.2+dfsg-10
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: deltaone@debian.org,debian-qt-kde@lists.debian.org
Please unblock package qt6-base
[ Reason ]
Fixes CVE-2023-33285; the added patch prevents a buffer overflow.
[ Impact ]
Lack of security fixes.
[ Tests ]
Tested by upstream, do not break API/ABI, seems safe.
[ Risks ]
None that I can think of.
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
unblock qt6-base/6.4.2+dfsg-10
diffstat for qt6-base-6.4.2+dfsg qt6-base-6.4.2+dfsg
changelog | 7 ++++
patches/cve-2023-33285.diff | 70 ++++++++++++++++++++++++++++++++++++++++++++
patches/series | 3 +
3 files changed, 79 insertions(+), 1 deletion(-)
diff -Nru qt6-base-6.4.2+dfsg/debian/changelog qt6-base-6.4.2+dfsg/debian/changelog
--- qt6-base-6.4.2+dfsg/debian/changelog 2023-05-22 16:40:45.000000000 +0200
+++ qt6-base-6.4.2+dfsg/debian/changelog 2023-05-28 10:41:24.000000000 +0200
@@ -1,3 +1,10 @@
+qt6-base (6.4.2+dfsg-10) unstable; urgency=medium
+
+ [ Patrick Franz ]
+ * Add patch to fix CVE-2023-33285 (Closes: #1036848).
+
+ -- Patrick Franz <deltaone@debian.org> Sun, 28 May 2023 10:41:24 +0200
+
qt6-base (6.4.2+dfsg-9) unstable; urgency=medium
* Team upload.
diff -Nru qt6-base-6.4.2+dfsg/debian/patches/cve-2023-33285.diff qt6-base-6.4.2+dfsg/debian/patches/cve-2023-33285.diff
--- qt6-base-6.4.2+dfsg/debian/patches/cve-2023-33285.diff 1970-01-01 01:00:00.000000000 +0100
+++ qt6-base-6.4.2+dfsg/debian/patches/cve-2023-33285.diff 2023-05-28 10:40:55.000000000 +0200
@@ -0,0 +1,70 @@
+diff --git a/src/network/kernel/qdnslookup_unix.cpp b/src/network/kernel/qdnslookup_unix.cpp
+index 75f7c6c440..de0113494f 100644
+--- a/src/network/kernel/qdnslookup_unix.cpp
++++ b/src/network/kernel/qdnslookup_unix.cpp
+@@ -193,7 +193,6 @@ void QDnsLookupRunnable::query(const int requestType, const QByteArray &requestN
+ // responseLength in case of error, we still can extract the
+ // exact error code from the response.
+ HEADER *header = (HEADER*)response;
+- const int answerCount = ntohs(header->ancount);
+ switch (header->rcode) {
+ case NOERROR:
+ break;
+@@ -226,18 +225,31 @@ void QDnsLookupRunnable::query(const int requestType, const QByteArray &requestN
+ return;
+ }
+
+- // Skip the query host, type (2 bytes) and class (2 bytes).
+ char host[PACKETSZ], answer[PACKETSZ];
+ unsigned char *p = response + sizeof(HEADER);
+- int status = local_dn_expand(response, response + responseLength, p, host, sizeof(host));
+- if (status < 0) {
++ int status;
++
++ if (ntohs(header->qdcount) == 1) {
++ // Skip the query host, type (2 bytes) and class (2 bytes).
++ status = local_dn_expand(response, response + responseLength, p, host, sizeof(host));
++ if (status < 0) {
++ reply->error = QDnsLookup::InvalidReplyError;
++ reply->errorString = tr("Could not expand domain name");
++ return;
++ }
++ if ((p - response) + status + 4 >= responseLength)
++ header->qdcount = 0xffff; // invalid reply below
++ else
++ p += status + 4;
++ }
++ if (ntohs(header->qdcount) > 1) {
+ reply->error = QDnsLookup::InvalidReplyError;
+- reply->errorString = tr("Could not expand domain name");
++ reply->errorString = tr("Invalid reply received");
+ return;
+ }
+- p += status + 4;
+
+ // Extract results.
++ const int answerCount = ntohs(header->ancount);
+ int answerIndex = 0;
+ while ((p < response + responseLength) && (answerIndex < answerCount)) {
+ status = local_dn_expand(response, response + responseLength, p, host, sizeof(host));
+@@ -249,6 +261,11 @@ void QDnsLookupRunnable::query(const int requestType, const QByteArray &requestN
+ const QString name = QUrl::fromAce(host);
+
+ p += status;
++
++ if ((p - response) + 10 > responseLength) {
++ // probably just a truncated reply, return what we have
++ return;
++ }
+ const quint16 type = (p[0] << 8) | p[1];
+ p += 2; // RR type
+ p += 2; // RR class
+@@ -256,6 +273,8 @@ void QDnsLookupRunnable::query(const int requestType, const QByteArray &requestN
+ p += 4;
+ const quint16 size = (p[0] << 8) | p[1];
+ p += 2;
++ if ((p - response) + size > responseLength)
++ return; // truncated
+
+ if (type == QDnsLookup::A) {
+ if (size != 4) {
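Review bot: In the new `qdcount == 1` branch, a failed bounds check is signalled by overwriting the packet itself (`header->qdcount = 0xffff; // invalid reply below`) and relying on the following `ntohs(header->qdcount) > 1` test to catch it; this mutates the response buffer and only works because 0xffff reads the same in either byte order. Setting the error in place would be clearer: `reply->error = QDnsLookup::InvalidReplyError; reply->errorString = tr("Invalid reply received"); return;`. Separately, the two truncation exits in the answer loop (`(p - response) + 10 > responseLength` and `(p - response) + size > responseLength`) return without touching `reply->error`, so a caller presumably cannot tell a cut-short or malformed reply from a complete one; a comment stating that this is intended, or a distinct error, would help. `QDnsLookupRunnable::query` starts and ends outside these hunks, so the state of `reply->error` at those points is not visible here.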
diff -Nru qt6-base-6.4.2+dfsg/debian/patches/series qt6-base-6.4.2+dfsg/debian/patches/series
--- qt6-base-6.4.2+dfsg/debian/patches/series 2023-05-22 16:37:22.000000000 +0200
+++ qt6-base-6.4.2+dfsg/debian/patches/series 2023-05-28 10:22:01.000000000 +0200
@@ -1,6 +1,7 @@
-# fixed in 6.5
+# fixed in 6.5.1
cve-2023-32762.diff
cve-2023-32763.diff
+cve-2023-33285.diff
upstream_Add-HPPA-detection.patch
upstream_Add-M68k-detection.patch