Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: qtbase-opensource-src@packages.debian.org
Control: affects -1 + src:qtbase-opensource-src

Please unblock package qtbase-opensource-src.

[ Reason ]
One more CVE was published for qtbase, CVE-2023-33285 [1].

[ Impact ]
QDnsLookup has a buffer over-read via a crafted reply from a DNS server.

[ Tests ]
No automated tests are run for this package. But QDnsLookup is covered by
tests which are run as part of upstream CI:
tests/auto/network/kernel/qdnslookup/tst_qdnslookup.cpp.

[ Risks ]
This change passed the upstream tests, so it should be safe.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]
Also I added DEP-3 headers to the patches from previous upload and renamed
them in a consistent way. This will not affect the binary packages in any
way.

The reported piuparts regression is in piuparts itself [2].

unblock qtbase-opensource-src/5.15.8+dfsg-11

[1]: https://security-tracker.debian.org/tracker/CVE-2023-33285
[2]: https://salsa.debian.org/debian/piuparts/-/merge_requests/42

-- 
Dmitry Shachnev
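The over-read described under [ Impact ], and the checks the new CVE-2023-33285 patch in the attached debdiff adds, are easier to see on a tiny stand-alone walker over the answer section of a DNS reply. The C below is an added example written for this page; it is not Qt's code and not part of the Debian package. Every name in it (walk_answers, skip_name, SAMPLE_REPLY, the status enum) and the 43-byte sample reply are invented here. It mirrors the patch's logic: skip the single question record and refuse a reply carrying more than one, check that the 10-byte record header (type, class, TTL, RDLENGTH) lies inside the buffer before reading it, and check that RDLENGTH bytes of RDATA lie inside the buffer before stepping over them.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum { DNS_HDR_LEN = 12, RR_FIXED_LEN = 10 };  /* RR header: type(2) class(2) TTL(4) RDLENGTH(2) */
typedef enum { DNS_OK = 0, DNS_TRUNCATED = 1, DNS_INVALID = -1 } dns_status;

static uint16_t rd16(const unsigned char *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);     /* big-endian 16-bit field */
}

/* Skip a (possibly compressed) domain name starting at offset off.
 * Returns the offset just past the name, or 0 if it runs off the buffer. */
static size_t skip_name(const unsigned char *buf, size_t len, size_t off)
{
    while (off < len) {
        unsigned char c = buf[off];
        if (c == 0)
            return off + 1;                    /* root label ends the name */
        if ((c & 0xC0) == 0xC0)                /* 2-byte compression pointer ends it too */
            return (off + 2 <= len) ? off + 2 : 0;
        off += 1 + c;                          /* length byte plus label bytes */
    }
    return 0;
}

/* Walk the answer section with the patch's bounds discipline: at most one
 * question record, the 10-byte RR header must fit before it is read, and
 * RDLENGTH bytes of RDATA must fit before they are consumed.
 * *answers receives the number of complete records walked. */
dns_status walk_answers(const unsigned char *resp, size_t len, int *answers)
{
    *answers = 0;
    if (len < DNS_HDR_LEN)
        return DNS_INVALID;
    uint16_t qdcount = rd16(resp + 4), ancount = rd16(resp + 6);
    size_t off = DNS_HDR_LEN;

    if (qdcount == 1) {                        /* skip QNAME, QTYPE (2) and QCLASS (2) */
        off = skip_name(resp, len, off);
        if (off == 0 || off + 4 > len)
            return DNS_INVALID;
        off += 4;
    } else if (qdcount > 1) {
        return DNS_INVALID;                    /* the patch rejects more than one query record */
    }

    for (int i = 0; i < ancount && off < len; i++) {
        off = skip_name(resp, len, off);
        if (off == 0 || off + RR_FIXED_LEN > len)
            return DNS_TRUNCATED;              /* RR header would be read past the end */
        uint16_t rdlength = rd16(resp + off + 8);  /* RDLENGTH sits after type, class, TTL */
        off += RR_FIXED_LEN;
        if (off + rdlength > len)
            return DNS_TRUNCATED;              /* RDATA would be read past the end */
        off += rdlength;
        (*answers)++;
    }
    return DNS_OK;
}

/* Constructed 43-byte reply: question "a.example" A/IN, one answer whose name
 * is a pointer to offset 12 and whose RDATA is a 4-byte A record. */
static const unsigned char SAMPLE_REPLY[] = {
    0x12, 0x34, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,   /* header */
    1, 'a', 7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 0, 0x00, 0x01, 0x00, 0x01,  /* question */
    0xC0, 0x0C, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x0E, 0x10,               /* RR header */
    0x00, 0x04, 192, 0, 2, 1                                                  /* RDLENGTH, RDATA */
};

int answers_in_full_reply(void)
{
    int n;
    return walk_answers(SAMPLE_REPLY, sizeof SAMPLE_REPLY, &n) == DNS_OK ? n : -1;
}

/* Same bytes, but pretend the server only delivered the first `keep` of them. */
dns_status status_truncated_at(size_t keep)
{
    int n;
    return walk_answers(SAMPLE_REPLY, keep, &n);
}

/* Copy the sample, overwrite one byte, walk the result. */
static dns_status walk_patched(size_t idx, unsigned char val)
{
    unsigned char buf[sizeof SAMPLE_REPLY];
    int n;
    memcpy(buf, SAMPLE_REPLY, sizeof buf);
    buf[idx] = val;
    return walk_answers(buf, sizeof buf, &n);
}

/* The CVE shape: RDLENGTH (bytes 37-38) claims 0xFF04 bytes of RDATA in a 43-byte reply. */
dns_status status_oversized_rdlength(void) { return walk_patched(37, 0xFF); }

/* QDCOUNT (bytes 4-5) of 2: the patch reports this as an invalid reply. */
dns_status status_two_questions(void) { return walk_patched(5, 2); }
```

The two truncation checks are the ones that matter for the CVE: without the RDLENGTH check, a record header that claims 0xFF04 bytes of RDATA would send a parser reading far past the 43 bytes the server actually sent. Like the patch, the walker distinguishes a malformed question section (invalid) from a reply that simply ends early (truncated), so a caller can decide whether partial results are usable.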
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+qtbase-opensource-src (5.15.8+dfsg-11) unstable; urgency=medium
+
+ * Rename the patches for consistency and add DEP-3 headers.
+ * Add a patch to fix buffer overflow in QDnsLookup (CVE-2023-33285).
+
+ -- Dmitry Shachnev <mitya57@debian.org> Thu, 25 May 2023 13:45:05 +0300
+
qtbase-opensource-src (5.15.8+dfsg-10) unstable; urgency=medium
* Add patches to fix CVE-2023-32762 and CVE-2023-32763.
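Review bot: the new changelog line calls CVE-2023-33285 a "buffer overflow in QDnsLookup", while the [ Impact ] section of this report and the patch's own Description describe a read past the end of the response (a buffer over-read); consider wording it as "fix buffer over-read in QDnsLookup (CVE-2023-33285)" so the changelog matches the advisory and the patch header.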
--- a/debian/patches/CVE-2023-32762.patch
+++ b/debian/patches/CVE-2023-32762.diff
@@ -1,6 +1,7 @@
----
- src/network/access/qhsts.cpp | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
+Description: hsts: match header names case insensitively
+ Header field names are always considered to be case-insensitive.
+Origin: upstream, https://download.qt.io/official_releases/qt/5.15/CVE-2023-32762-qtbase-5.15.diff
+Last-Update: 2023-05-22
--- a/src/network/access/qhsts.cpp
+++ b/src/network/access/qhsts.cpp
--- a/debian/patches/cve-2023-32763.diff
+++ b/debian/patches/CVE-2023-32763.diff
@@ -1,7 +1,7 @@
----
- src/gui/painting/qfixed_p.h | 9 +++++++++
- src/gui/text/qtextlayout.cpp | 9 ++++++---
- 2 files changed, 15 insertions(+), 3 deletions(-)
+Description: fix buffer overflow in Qt SVG
+ Adds qAddOverflow and qMulOverflow definitions to QFixed.
+Origin: upstream, https://download.qt.io/official_releases/qt/5.15/CVE-2023-32763-qtbase-5.15.diff
+Last-Update: 2023-05-22
--- a/src/gui/painting/qfixed_p.h
+++ b/src/gui/painting/qfixed_p.h
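Review bot: the new Description line "fix buffer overflow in Qt SVG" names a different source package, while this patch only touches src/gui/painting/qfixed_p.h and src/gui/text/qtextlayout.cpp in qtbase; the second line ("Adds qAddOverflow and qMulOverflow definitions to QFixed") says what the qtbase part actually does, so consider making that the first line, or phrasing it as "qtbase part of the CVE-2023-32763 fix", so that someone scanning debian/patches/series is not sent looking for SVG code. The Origin and Last-Update fields are fine.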
--- /dev/null
+++ b/debian/patches/CVE-2023-33285.diff
@@ -0,0 +1,77 @@
+Description: QDnsLookup/Unix: make sure we don't overflow the buffer
+ The DNS Records are variable length and encode their size in 16 bits
+ before the Record Data (RDATA). Ensure that both the RDATA and the
+ Record header fields before it fall inside the buffer we have.
+ .
+ Additionally reject any replies containing more than one query records.
+Origin: upstream, https://code.qt.io/cgit/qt/qtbase.git/commit/?id=7dba2c87619d558a
+Last-Update: 2023-05-25
+
+--- a/src/network/kernel/qdnslookup_unix.cpp
++++ b/src/network/kernel/qdnslookup_unix.cpp
+@@ -227,7 +227,6 @@ void QDnsLookupRunnable::query(const int
+ // responseLength in case of error, we still can extract the
+ // exact error code from the response.
+ HEADER *header = (HEADER*)response;
+- const int answerCount = ntohs(header->ancount);
+ switch (header->rcode) {
+ case NOERROR:
+ break;
+@@ -260,18 +259,31 @@ void QDnsLookupRunnable::query(const int
+ return;
+ }
+
+- // Skip the query host, type (2 bytes) and class (2 bytes).
+ char host[PACKETSZ], answer[PACKETSZ];
+ unsigned char *p = response + sizeof(HEADER);
+- int status = local_dn_expand(response, response + responseLength, p, host, sizeof(host));
+- if (status < 0) {
++ int status;
++
++ if (ntohs(header->qdcount) == 1) {
++ // Skip the query host, type (2 bytes) and class (2 bytes).
++ status = local_dn_expand(response, response + responseLength, p, host, sizeof(host));
++ if (status < 0) {
++ reply->error = QDnsLookup::InvalidReplyError;
++ reply->errorString = tr("Could not expand domain name");
++ return;
++ }
++ if ((p - response) + status + 4 >= responseLength)
++ header->qdcount = 0xffff; // invalid reply below
++ else
++ p += status + 4;
++ }
++ if (ntohs(header->qdcount) > 1) {
+ reply->error = QDnsLookup::InvalidReplyError;
+- reply->errorString = tr("Could not expand domain name");
++ reply->errorString = tr("Invalid reply received");
+ return;
+ }
+- p += status + 4;
+
+ // Extract results.
++ const int answerCount = ntohs(header->ancount);
+ int answerIndex = 0;
+ while ((p < response + responseLength) && (answerIndex < answerCount)) {
+ status = local_dn_expand(response, response + responseLength, p, host, sizeof(host));
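Review bot: at `header->qdcount = 0xffff; // invalid reply below` the code rewrites a field of the received packet purely so that the following `if (ntohs(header->qdcount) > 1)` branch fires; setting reply->error = QDnsLookup::InvalidReplyError and returning right there would be clearer and would not couple the two checks. Note also that the test is `>=`, so a reply whose question section ends exactly at responseLength is routed into the InvalidReplyError branch rather than reaching the answer loop with nothing left to parse; if that is intended, a short comment saying so would help the next reader. Moving `const int answerCount = ntohs(header->ancount);` down to just before the loop is fine.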
+@@ -283,6 +295,11 @@ void QDnsLookupRunnable::query(const int
+ const QString name = QUrl::fromAce(host);
+
+ p += status;
++
++ if ((p - response) + 10 > responseLength) {
++ // probably just a truncated reply, return what we have
++ return;
++ }
+ const quint16 type = (p[0] << 8) | p[1];
+ p += 2; // RR type
+ p += 2; // RR class
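Review bot: the new `if ((p - response) + 10 > responseLength)` hard-codes the 10 bytes of fixed RR header (2 type + 2 class + 4 TTL + 2 RDLENGTH) that the following `p += 2`, `p += 2`, `p += 4`, `p += 2` lines consume; spelling that sum out in the comment, or naming the constant, would make the bound easier to audit against the reads it protects. Also, this check and the RDLENGTH check in the following hunk both `return` with reply->error untouched, so a truncated reply is indistinguishable from a complete one to the caller; "return what we have" is a defensible choice, but it is worth stating in the Description so that the behaviour is documented rather than implied.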
+@@ -290,6 +307,8 @@ void QDnsLookupRunnable::query(const int
+ p += 4;
+ const quint16 size = (p[0] << 8) | p[1];
+ p += 2;
++ if ((p - response) + size > responseLength)
++ return; // truncated
+
+ if (type == QDnsLookup::A) {
+ if (size != 4) {
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -15,8 +15,9 @@ image_deletion_order.diff
qxcbwindow_set_geometry.diff
CVE-2023-24607.diff
qshapedpixmapwindow_no_tooltip.diff
-cve-2023-32763.diff
-CVE-2023-32762.patch
+CVE-2023-32763.diff
+CVE-2023-32762.diff
+CVE-2023-33285.diff
# Debian specific.
gnukfreebsd.diff