
Bug#1055280: libqt5sql5-odbc: Patch CVE-2023-24607.diff breaks Unicode support in libqt5sql5-odbc.



Package: libqt5sql5-odbc
Version: 5.15.8+dfsg-11
Severity: important
X-Debbugs-Cc: viktor.mykra@insta.fi

Dear Maintainer,

Changes introduced in patch CVE-2023-24607.diff break Unicode handling.
I have tested this with Microsoft ODBC Driver for SQL Server 17 and 18,
using a database from the Docker image 'mcr.microsoft.com/mssql/server:2019-latest'.
The easiest way to reproduce the issue is by calling QSqlDatabase::tables(),
which returns an empty list. Some other database actions work,
but the ODBC log is filled with HY009 (Invalid use of null pointer) error messages.
The same issue was also present in the package libqt6sql6-odbc (version 6.4.2+dfsg-10),
which includes the same patch. Version 5.15.2+dfsg-9 on Bullseye works fine.
The Qt GitHub repository 'qtbase' seems to include multiple Unicode-related commits
that seem to address this issue.

I suggest including such fixes as additional patches in the package. 

Additionally, it seems that the same CVE vulnerability is still present in
Buster and Bullseye packages.

Testing was done using Docker images debian:bullseye-slim and debian:bookworm-slim.

*** Reporter, please consider answering these questions, where appropriate ***

   * What led up to the situation?
   * What exactly did you do (or not do) that was effective (or
     ineffective)?
   * What was the outcome of this action?
   * What outcome did you expect instead?

*** End of the template - remove these template lines ***


-- System Information:
Debian Release: 12.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.15.90.1-microsoft-standard-WSL2 (SMP w/20 CPU threads)
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: unable to detect

Versions of packages libqt5sql5-odbc depends on:
ii  libc6                             2.36-9+deb12u3
ii  libodbc2                          2.3.11-2+deb12u1
ii  libqt5core5a [qtbase-abi-5-15-8]  5.15.8+dfsg-11
ii  libqt5sql5                        5.15.8+dfsg-11
ii  libstdc++6                        12.2.0-14

libqt5sql5-odbc recommends no packages.

libqt5sql5-odbc suggests no packages.

-- no debconf information
