Package: release.debian.org
Severity: normal
X-Debbugs-Cc: qtbase-opensource-src@packages.debian.org
Control: affects -1 + src:qtbase-opensource-src
User: release.debian.org@packages.debian.org
Usertags: unblock

Dear Release Team,

Please unblock package qtbase-opensource-src.

It fixes the same CVE as qt6-base 6.8.2+dfsg-8, so I took the liberty to copy
some wording from the qt6-base unblock bug (#1108624).

[ Reason ]
This upload backports a patch fixing CVE-2025-5455 (#1108475).

[ Impact ]
If malformed data is sent and a specific function in the Qt API
(qDecodeDataUrl()) is used, it could result in a denial of service.

[ Tests ]
No manual tests were conducted, but the patch is directly from upstream Qt
where it's been part of the 5.15.19 release and has therefore gone through
the normal QA.

[ Risks ]
I deem the risks to be low. The patch is taken directly from upstream and
has been part of the 5.15.19 release. The patch in itself is rather simple,
just 4 deletions and 5 insertions.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock qtbase-opensource-src/5.15.15+dfsg-6

-- Dmitry Shachnev
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+qtbase-opensource-src (5.15.15+dfsg-6) unstable; urgency=medium
+
+ * Backport upstream patch to fix assertion errors in data: URL parsing
+ (CVE-2025-5455, closes: #1108475).
+
+ -- Dmitry Shachnev <mitya57@debian.org> Sun, 29 Jun 2025 22:50:45 +0300
+
qtbase-opensource-src (5.15.15+dfsg-5) unstable; urgency=medium
* Backport upstream patch to add null checks in table iface methods in
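Review bot: the changelog wording "fix assertion errors in data: URL parsing" describes only the debug-build symptom; the patch's own Description says the loop can read past size(), so a wording such as "fix out-of-bounds read in data: URL parsing" would match both that Description and the denial-of-service impact stated in the request.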
--- /dev/null
+++ b/debian/patches/CVE-2025-5455.diff
@@ -0,0 +1,30 @@
+Description: qDecodeDataUrl(): fix precondition violation in call to QByteArrayView::at()
+ It is a precondition violation to call QByteArrayView::at() with
+ size() as argument. The code used that, though, as an implicit
+ end-of-string check, assuming == ' ' and == '=' would both fail for
+ null bytes. Besides, QByteArrays (but most certainly QByteArrayViews)
+ need not be null-terminated, so this could read even past size().
+ .
+ To fix, use higher-level API (startsWith()), consuming parsed tokens
+ along the way.
+Origin: upstream, https://download.qt.io/official_releases/qt/5.15/CVE-2025-5455-qtbase-5.15.patch
+Last-Update: 2025-06-29
+
+--- a/src/corelib/io/qdataurl.cpp
++++ b/src/corelib/io/qdataurl.cpp
+@@ -76,10 +76,11 @@ Q_CORE_EXPORT bool qDecodeDataUrl(const
+ }
+
+ if (data.toLower().startsWith("charset")) {
+- int i = 7; // strlen("charset")
+- while (data.at(i) == ' ')
+- ++i;
+- if (data.at(i) == '=')
++ int prefixSize = 7; // strlen("charset")
++ QLatin1String copy(data.constData() + prefixSize, data.size() - prefixSize);
++ while (copy.startsWith(QLatin1String(" ")))
++ copy = copy.mid(1);
++ if (copy.startsWith(QLatin1String("=")))
+ data.prepend("text/plain;");
+ }
+
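Review bot: no regression test accompanies the patch, and the trigger is spelled out in its Description (a "charset" prefix followed only by spaces with no "="), so an autotest case for that input would pin the behaviour. Two smaller points in the replacement lines: `data.size() - prefixSize` is non-negative only because of the `startsWith("charset")` guard just above, and `copy` is a QLatin1String view over `data`'s buffer, so it must not be used after `data.prepend("text/plain;")` reallocates it; both hold as written and deserve a one-line comment so a later edit does not break them.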
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -19,6 +19,7 @@ revert_statusnotifierhost_checking.diff
dont_fallback_to_x11_tray_on_non_x11.diff
check_dbus_tray_availability_every_time.diff
a11y_null_checks.diff
+CVE-2025-5455.diff
# Debian specific.
no_htmlinfo_example.diff
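To make the defect in the backported hunk concrete, here is an added example (mine, not Qt's code and not part of the debdiff) that re-implements the charset handling of qDecodeDataUrl() on std::string so it builds without Qt: decodeLegacy mirrors the removed lines, decodeFixed the added ones; the helper names and the inputs used are my own.

```cpp
#include <algorithm>
#include <cctype>
#include <stdexcept>
#include <string>
#include <string_view>

// Case-insensitive prefix test standing in for data.toLower().startsWith("charset").
static bool startsWithCharset(std::string_view s) {
    constexpr std::string_view prefix = "charset";
    return s.size() >= prefix.size() &&
           std::equal(prefix.begin(), prefix.end(), s.begin(), [](char p, char c) {
               return p == std::tolower(static_cast<unsigned char>(c));
           });
}

// Pre-patch logic: an index walks past the prefix and data.at(i) is read with no
// check that i < size(). The overrun throws here so it is observable, not undefined.
std::string decodeLegacy(std::string data) {
    if (startsWithCharset(data)) {
        auto at = [&](std::size_t i) {
            if (i >= data.size()) throw std::out_of_range("read past size()");
            return data[i];
        };
        std::size_t i = 7;  // strlen("charset")
        while (at(i) == ' ')
            ++i;
        if (at(i) == '=')
            data.insert(0, "text/plain;");
    }
    return data;
}

// Patched logic: consume prefix and spaces through a view, so every comparison is
// bounded by what remains. The view is not used after insert() reallocates data.
std::string decodeFixed(std::string data) {
    if (startsWithCharset(data)) {
        std::string_view copy(data);
        copy.remove_prefix(7);  // safe: startsWithCharset guarantees size() >= 7
        while (!copy.empty() && copy.front() == ' ')
            copy.remove_prefix(1);
        if (!copy.empty() && copy.front() == '=')
            data.insert(0, "text/plain;");
    }
    return data;
}
// True when the pre-patch code would read beyond the end for this input.
bool legacyReadsPastEnd(const std::string& data) {
    try { decodeLegacy(data); return false; }
    catch (const std::out_of_range&) { return true; }
}
```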