
Bug#783973: marked as done (jessie-pu: package qt4-x11/4:4.8.6+git64-g5dc8b2b+dfsg-3)



Your message dated Sat, 06 Jun 2015 13:11:11 +0100
with message-id <1433592671.2987.12.camel@adam-barratt.org.uk>
and subject line Fix released with 8.1 point release
has caused the Debian Bug report #783973,
regarding jessie-pu: package qt4-x11/4:4.8.6+git64-g5dc8b2b+dfsg-3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
783973: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=783973
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

Hi RT!

I'm attaching a patch against qt4's version in Jessie which solves 3 CVEs.

The fixes are already in sid, and I do expect them to be in Stretch by the
time of the first point release.

Kind regards, Lisandro.

-- System Information:
Debian Release: 8.0
  APT prefers unstable
  APT policy: (990, 'unstable'), (500, 'testing'), (101, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=es_AR.UTF-8, LC_CTYPE=es_AR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)
diff --git a/debian/changelog b/debian/changelog
index eeb3bb0..0c604b9 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+qt4-x11 (4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u1) UNRELEASED; urgency=medium
+
+  [ Lisandro Damián Nicanor Pérez Meyer ]
+  * Add fixes_crash_in_gif_image_decoder.patch and
+    fixes_crash_in_bmp_and_ico_image_decoder.patch to fix CVE-2015-1858,
+    CVE-2015-1859 and CVE-2015-1860 (Closes: #783133).
+
+ -- Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>  Fri, 01 May 2015 15:52:55 -0300
+
 qt4-x11 (4:4.8.6+git64-g5dc8b2b+dfsg-3) unstable; urgency=medium
 
   * Team upload.
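Review bot: the new changelog entry at the top of the hunk still carries `UNRELEASED` as its distribution; for a jessie-pu upload that field must read `jessie`, so the first `+` line should become `qt4-x11 (4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u1) jessie; urgency=medium` before the package is built and uploaded. The `+deb8u1` revision and the `Closes: #783133` reference are the expected form for a stable update; since the entry groups three CVEs under two patches, stating which patch addresses which CVE would make the entry easier to audit later.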
diff --git a/debian/patches/fixes_crash_in_bmp_and_ico_image_decoder.patch b/debian/patches/fixes_crash_in_bmp_and_ico_image_decoder.patch
new file mode 100644
index 0000000..392bb59
--- /dev/null
+++ b/debian/patches/fixes_crash_in_bmp_and_ico_image_decoder.patch
@@ -0,0 +1,56 @@
+From 3e55cd6dc467303a3c35312e9fcb255c2c048b32 Mon Sep 17 00:00:00 2001
+From: Eirik Aavitsland <eirik.aavitsland@theqtcompany.com>
+Date: Wed, 11 Mar 2015 13:34:01 +0100
+Subject: [PATCH] Fixes crash in bmp and ico image decoding
+
+Fuzzing test revealed that for certain malformed bmp and ico files,
+the handler would segfault.
+
+Change-Id: I19d45145f31e7f808f7f6a1a1610270ea4159cbe
+(cherry picked from qtbase/2adbbae5432aa9d8cc41c6fcf55c2e310d2d4078)
+Reviewed-by: Richard J. Moore <rich@kde.org>
+---
+ src/gui/image/qbmphandler.cpp                | 13 +++++++------
+ src/plugins/imageformats/ico/qicohandler.cpp |  2 +-
+ 2 files changed, 8 insertions(+), 7 deletions(-)
+
+--- a/src/gui/image/qbmphandler.cpp
++++ b/src/gui/image/qbmphandler.cpp
+@@ -472,12 +472,6 @@ static bool read_dib_body(QDataStream &s
+                             p = data + (h-y-1)*bpl;
+                             break;
+                         case 2:                        // delta (jump)
+-                            // Protection
+-                            if ((uint)x >= (uint)w)
+-                                x = w-1;
+-                            if ((uint)y >= (uint)h)
+-                                y = h-1;
+-
+                             {
+                                 quint8 tmp;
+                                 d->getChar((char *)&tmp);
+@@ -485,6 +479,13 @@ static bool read_dib_body(QDataStream &s
+                                 d->getChar((char *)&tmp);
+                                 y += tmp;
+                             }
++
++                            // Protection
++                            if ((uint)x >= (uint)w)
++                                x = w-1;
++                            if ((uint)y >= (uint)h)
++                                y = h-1;
++
+                             p = data + (h-y-1)*bpl + x;
+                             break;
+                         default:                // absolute mode
+--- a/src/plugins/imageformats/ico/qicohandler.cpp
++++ b/src/plugins/imageformats/ico/qicohandler.cpp
+@@ -571,7 +571,7 @@ QImage ICOReader::iconAt(int index)
+                 QImage::Format format = QImage::Format_ARGB32;
+                 if (icoAttrib.nbits == 24)
+                     format = QImage::Format_RGB32;
+-                else if (icoAttrib.ncolors == 2)
++                else if (icoAttrib.ncolors == 2 && icoAttrib.depth == 1)
+                     format = QImage::Format_Mono;
+                 else if (icoAttrib.ncolors > 0)
+                     format = QImage::Format_Indexed8;
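Review bot: the relocated `// Protection` block in read_dib_body is the substantive fix and lands in the right place: previously the clamp ran before the delta bytes were read and added (`y += tmp`), so the following `p = data + (h-y-1)*bpl + x` was computed from unclamped coordinates, and the moved check now bounds x and y after the update and before the pointer arithmetic. Note that it saturates to `w-1` and `h-1` rather than aborting the decode, so a malformed delta now produces a truncated image instead of a crash, which is fine for a stable update but deserves a comment in the patch header. In qicohandler.cpp the added `&& icoAttrib.depth == 1` means a two-colour entry with a deeper stored depth now falls through to `Format_Indexed8` rather than `Format_Mono`, so the QImage format matches the bits per pixel actually present in the data.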
diff --git a/debian/patches/fixes_crash_in_gif_image_decoder.patch b/debian/patches/fixes_crash_in_gif_image_decoder.patch
new file mode 100644
index 0000000..fed0c78
--- /dev/null
+++ b/debian/patches/fixes_crash_in_gif_image_decoder.patch
@@ -0,0 +1,26 @@
+From a1cf194c54be57d6ab55dfd26b9562a60532208e Mon Sep 17 00:00:00 2001
+From: Eirik Aavitsland <eirik.aavitsland@theqtcompany.com>
+Date: Wed, 11 Mar 2015 09:00:41 +0100
+Subject: [PATCH] Fixes crash in gif image decoder
+
+Fuzzing test revealed that for certain malformed gif files,
+qgifhandler would segfault.
+
+Change-Id: I5bb6f60e1c61849e0d8c735edc3869945e5331c1
+(cherry picked from qtbase/ea2c5417fcd374302f5019e67f72af5facbd29f6)
+Reviewed-by: Richard J. Moore <rich@kde.org>
+---
+ src/gui/image/qgifhandler.cpp | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/src/gui/image/qgifhandler.cpp
++++ b/src/gui/image/qgifhandler.cpp
+@@ -951,6 +951,8 @@ void QGIFFormat::fillRect(QImage *image,
+ 
+ void QGIFFormat::nextY(unsigned char *bits, int bpl)
+ {
++    if (out_of_bounds)
++        return;
+     int my;
+     switch (interlace) {
+     case 0: // Non-interlaced
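Review bot: the two added lines make nextY a no-op once `out_of_bounds` is set, but the hunk neither declares nor sets that flag, and the change is cherry-picked from qtbase (Qt 5) into the Qt 4.8.6 tree; confirm that `QGIFFormat` in the Jessie source already has the member and that it is set on the overrun path before nextY is reached, otherwise the early return never fires and the segfault described in the commit message remains. A test build on jessie, with `quilt push -a` applying cleanly, is the minimum check before upload.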
diff --git a/debian/patches/series b/debian/patches/series
index 88ccc32..1a54a0b 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -3,6 +3,8 @@ Add_support_for_QT_USE_DRAG_DISTANCE_env_var.patch
 QTBUG-21900_Buttons_in_Qt_applications_not_clickable_when_run_under_gnome-shell.patch
 dont_crash_on_broken_gif_images.patch
 xmlpatterns_stack_overflow_fix.diff
+fixes_crash_in_bmp_and_ico_image_decoder.patch
+fixes_crash_in_gif_image_decoder.patch
 
 # Patches submitted upstream but still not accepted
 aarch64_arm64_fix_arch_detection.patch
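Review bot: the two new entries sit above the `# Patches submitted upstream but still not accepted` marker, which is correct since both carry upstream Change-Ids and cherry-pick references. `dont_crash_on_broken_gif_images.patch` earlier in the series, by its name, touches the same gif handler, so `fixes_crash_in_gif_image_decoder.patch` has to apply on top of it; the series order (bmp/ico, then gif) also differs from the order the changelog lists them in, which is harmless but worth aligning for readability.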

--- End Message ---
--- Begin Message ---
Version: 8.1

Hi,

The fix discussed in this bug was released to stable as part of the 8.1
point release earlier today.

Regards,

Adam

--- End Message ---